On my mail server:

mail# blacklistctl dump -br | tail 
 218.94.104.180/32:587  OK      3/3     4h12m17s
222.132.167.110/32:587  OK      3/3     1h59m1s
   91.45.76.228/32:587  OK      3/3     5h1m53s
    36.39.140.2/32:587  OK      3/3     5h9m34s
 87.200.232.247/32:587  OK      6/3     4h3m9s
  62.48.165.174/32:587  OK      99/3    8h37m15s
 123.55.175.130/32:587  OK      4/3     8h15m35s
  88.201.163.65/32:587  OK      4/3     4h20m37s
  218.4.214.115/32:587  OK      15/3    58m17s
  70.166.207.76/32:587  OK      13/3    8h21m19s

mail# blacklistctl dump -br | wc -l
     704

mail# pfctl -a blacklistd/587 -t port587 -Ts | wc -l
     609

The blacklisted IPs are in the pf tables.  However, pf is not blocking them.  
Using the next to last address above:

mail# grep 218.4.214.115 /var/log/maillog
Jun  9 10:21:57 mail postfix/postscreen[13719]: CONNECT from [218.4.214.115]:55584 to [10.0.1.230]:25
Jun  9 10:22:03 mail postfix/postscreen[13719]: PASS OLD [218.4.214.115]:55584
Jun  9 10:22:03 mail postfix/smtpd[15137]: connect from unknown[218.4.214.115]
Jun  9 10:22:09 mail postfix/smtpd[15137]: warning: unknown[218.4.214.115]: SASL PLAIN authentication failed: (reason unavailable), sasl_username=and...@lafn.org
Jun  9 10:22:11 mail postfix/smtpd[15137]: NOQUEUE: lost connection after AUTH from unknown[218.4.214.115]
Jun  9 10:22:11 mail postfix/smtpd[15137]: disconnect from unknown[218.4.214.115] ehlo=1 auth=0/1 commands=1/2

That address was entered into the pf table approximately at 1 pm on Jun 8 
(using the remaining time of approximately 1 hour).  However, at 10 am on 9 
Jun, it got through to postfix.  It should have been blocked.


pfctl shows for the last rule:

@10 anchor "blacklistd/*" in on bge0 all
  [ Evaluations: 102736    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 6053 State Creations: 0     ]
  [ Last Active Time: N/A ]

pf is checking the tables, but not blocking anything.  I suspect the rule 
(taken from the handbook for blacklistd) is the culprit.  However, I have no 
idea how to correct that.

-- Doug

> On Jun 9, 2025, at 06:13, Patrick Proniewski <pat...@patpro.net> wrote:
> 
> Hello,
> 
>> On 9 Jun 2025, at 02:13, Doug Hardie via Postfix-users 
>> <postfix-users@postfix.org> wrote:
>> 
>> I believe that pf is not properly blocking IPs that are supposedly blocked 
>> by blacklistd.  In trying to test this, I am using postfix.  However, I 
>> don't seem to be able to get postfix to call blacklistd.  The approach I am 
>> using is to remove one of my machines from mynetworks using a !IPaddress.  
>> That seems to work properly.  I send using telnet to port 25 and give it 
>> non-local addresses.  Postfix responds with an appropriate snarky message.  
>> However, traces of blacklistd shows no calls for that address.  What are the 
>> conditions when blacklistd is called?  Is it only for authenciation 
>> failures, as indicated in one web page.  How can I test pf with postfix.
> 
> 
> Not sure I have a proper answer to your questions about testing, but you 
> might want to double check /etc/blacklistd.conf. Especially to make sure your 
> network is not «whitelisted».
> 
> Mine looks like this:
> 
> $ cat /etc/blacklistd.conf  
> #
> # Blacklist rule
> # adr/mask:port type proto owner name nfail disable
> [local]
> ssh stream * * * 3 24h
> ftp stream * * * 3 24h
> smtp stream * * * 3 24h
> submission stream * * * 3 24h
> #6161 stream tcp6 christos * 2 10m
> * * * * * 3 60
> 
> # adr/mask:port type proto owner name nfail disable
> [remote]
> #129.168.0.0/16 * * * = * *
> #6161 = = = =/24 = =
> #* stream tcp * = = =
> 
> Obviously the blacklistd service must be started and your pf.conf must have 
> an anchor for rules injection:
> 
> anchor "blacklistd/*" in on $ext_if
> 
> I successfully block offenders, both on ports 25 and 587. Example for port 25:
> 
> $ sudo pfctl -a blacklistd/25 -t port25 -T show | wc -l
>       13
> 
> 
> patpro


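An added example, not part of this thread, that correlates the two outputs quoted above. blacklistd keys each entry on the port where the failures were reported (the ":587" in the dump), and the rule that blacklistd-helper loads into the "blacklistd/587" sub-anchor, as I recall it from FreeBSD's helper script, is of the form "block in quick proto tcp from <port587> to any port 587", so it covers traffic to port 587 only; a listed host that connects to port 25, as in the postscreen CONNECT line above, is not covered by that entry. The script parses a "blacklistctl dump -br" listing and postscreen CONNECT lines, reports for each connection from a listed address whether it hit the listed port or another one, and prints the pfctl commands to verify table membership and the sub-anchor rule for that entry. The sample input is the dump and log lines from the post with the wrapped lines re-joined; the rule form should be confirmed on the box with "pfctl -a blacklistd/587 -sr".

```python
"""Correlate blacklistd's per-port entries with Postfix connection log lines.

Added example, not code from the thread.  Assumption: the pf rule in the
blacklistd/<port> sub-anchor only blocks traffic to <port>, so an entry for
587 says nothing about a connection to 25.
"""
import re

# Sample input: the blacklistctl dump and maillog lines from the post,
# re-joined where the mail client had wrapped them.  Constructed for this example.
DUMP = """\
 218.94.104.180/32:587  OK      3/3     4h12m17s
222.132.167.110/32:587  OK      3/3     1h59m1s
   91.45.76.228/32:587  OK      3/3     5h1m53s
    36.39.140.2/32:587  OK      3/3     5h9m34s
 87.200.232.247/32:587  OK      6/3     4h3m9s
  62.48.165.174/32:587  OK      99/3    8h37m15s
 123.55.175.130/32:587  OK      4/3     8h15m35s
  88.201.163.65/32:587  OK      4/3     4h20m37s
  218.4.214.115/32:587  OK      15/3    58m17s
  70.166.207.76/32:587  OK      13/3    8h21m19s
"""
MAILLOG = """\
Jun  9 10:21:57 mail postfix/postscreen[13719]: CONNECT from [218.4.214.115]:55584 to [10.0.1.230]:25
Jun  9 10:22:03 mail postfix/postscreen[13719]: PASS OLD [218.4.214.115]:55584
Jun  9 10:22:03 mail postfix/smtpd[15137]: connect from unknown[218.4.214.115]
"""

# One line of `blacklistctl dump -br`: addr/mask:port state fails/limit remaining
DUMP_RE = re.compile(
    r"^\s*(?P<ip>[0-9a-fA-F.:]+)/(?P<mask>\d+):(?P<port>\d+)\s+(?P<state>\S+)\s+"
    r"(?P<fails>\d+)/(?P<limit>\d+)\s+(?P<remaining>\S+)"
)
# postscreen is the only Postfix daemon here that logs the local port it was hit on;
# smtpd's own "connect from" line carries no port, so it is not used for the verdict.
CONNECT_RE = re.compile(
    r"postscreen\[\d+\]: CONNECT from \[(?P<ip>[^\]]+)\]:\d+ to \[[^\]]+\]:(?P<port>\d+)"
)
DURATION_RE = re.compile(r"(\d+)([dhms])")
UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_duration(text):
    """Convert blacklistctl's remaining-time column ('4h12m17s') to seconds."""
    return sum(int(n) * UNITS[u] for n, u in DURATION_RE.findall(text))


def parse_dump(text):
    """Map (ip, port) -> {fails, limit, remaining} for each dump line."""
    entries = {}
    for line in text.splitlines():
        m = DUMP_RE.match(line)
        if m:
            entries[(m["ip"], int(m["port"]))] = {
                "fails": int(m["fails"]),
                "limit": int(m["limit"]),
                "remaining": parse_duration(m["remaining"]),
            }
    return entries


def parse_connections(text):
    """Return [(client_ip, local_port)] from postscreen CONNECT lines."""
    return [(m["ip"], int(m["port"]))
            for m in (CONNECT_RE.search(l) for l in text.splitlines()) if m]


def classify(entries, connections):
    """For each connection from a listed address, say whether the entry covered it.

    'listed-port-reached': the host hit the very port it is listed for, so the
    block rule in that sub-anchor is not enforcing and pf needs looking at.
    'other-port': the host is listed, but for a different port; the per-port
    rule was never expected to stop this connection.
    """
    ports_by_ip = {}
    for ip, port in entries:
        ports_by_ip.setdefault(ip, set()).add(port)
    findings = []
    for ip, dst_port in connections:
        listed = sorted(ports_by_ip.get(ip, ()))
        if not listed:
            verdict = "not-listed"
        elif dst_port in listed:
            verdict = "listed-port-reached"
        else:
            verdict = "other-port"
        findings.append((ip, dst_port, listed, verdict))
    return findings


def pf_checks(ip, port):
    """pfctl commands that verify one entry end to end (table, rule, counters)."""
    anchor, table = f"blacklistd/{port}", f"port{port}"
    return [
        f"pfctl -a {anchor} -t {table} -T test {ip}",  # is the address in the table?
        f"pfctl -a {anchor} -sr",                       # is a block rule loaded there?
        f"pfctl -a {anchor} -vsr",                      # does that rule count packets?
    ]


if __name__ == "__main__":
    entries = parse_dump(DUMP)
    for ip, dst_port, listed, verdict in classify(entries, parse_connections(MAILLOG)):
        print(f"{ip} -> port {dst_port}: {verdict} (listed for {listed})")
        for cmd in (pf_checks(ip, listed[0]) if listed else []):
            print("   ", cmd)
```

Run against the post's data it reports the 218.4.214.115 connection as "other-port", listed for 587 but seen on 25; a "listed-port-reached" verdict is the case where the sub-anchor rule itself deserves scrutiny, and the printed pfctl commands are the next step either way.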