On my mail server:

mail# blacklistctl dump -br | tail
218.94.104.180/32:587   OK   3/3    4h12m17s
222.132.167.110/32:587  OK   3/3    1h59m1s
91.45.76.228/32:587     OK   3/3    5h1m53s
36.39.140.2/32:587      OK   3/3    5h9m34s
87.200.232.247/32:587   OK   6/3    4h3m9s
62.48.165.174/32:587    OK   99/3   8h37m15s
123.55.175.130/32:587   OK   4/3    8h15m35s
88.201.163.65/32:587    OK   4/3    4h20m37s
218.4.214.115/32:587    OK   15/3   58m17s
70.166.207.76/32:587    OK   13/3   8h21m19s

mail# blacklistctl dump -br | wc -l
     704
mail# pfctl -a blacklistd/587 -t port587 -Ts | wc -l
     609

The blacklisted IPs are in the pf tables. However, pf is not blocking them. Using the next to last address above:

mail# grep 218.4.214.115 /var/log/maillog
Jun 9 10:21:57 mail postfix/postscreen[13719]: CONNECT from [218.4.214.115]:55584 to [10.0.1.230]:25
Jun 9 10:22:03 mail postfix/postscreen[13719]: PASS OLD [218.4.214.115]:55584
Jun 9 10:22:03 mail postfix/smtpd[15137]: connect from unknown[218.4.214.115]
Jun 9 10:22:09 mail postfix/smtpd[15137]: warning: unknown[218.4.214.115]: SASL PLAIN authentication failed: (reason unavailable), sasl_username=and...@lafn.org
Jun 9 10:22:11 mail postfix/smtpd[15137]: NOQUEUE: lost connection after AUTH from unknown[218.4.214.115]
Jun 9 10:22:11 mail postfix/smtpd[15137]: disconnect from unknown[218.4.214.115] ehlo=1 auth=0/1 commands=1/2

That address was entered into the pf table at approximately 1 pm on Jun 8 (using the remaining time of approximately 1 hour). However, at 10 am on 9 Jun, it got through to postfix. It should have been blocked.

pfctl shows for the last rule:

@10 anchor "blacklistd/*" in on bge0 all
  [ Evaluations: 102736    Packets: 0    Bytes: 0    States: 0     ]
  [ Inserted: uid 0 pid 6053 State Creations: 0     ]
  [ Last Active Time: N/A ]

pf is checking the tables, but not blocking anything. I suspect the rule (taken from the handbook for blacklistd) is the culprit. However, I have no idea how to correct that.

-- Doug

> On Jun 9, 2025, at 06:13, Patrick Proniewski <pat...@patpro.net> wrote:
>
> Hello,
>
>> On 9 Jun 2025, at 02:13, Doug Hardie via Postfix-users <postfix-users@postfix.org> wrote:
>>
>> I believe that pf is not properly blocking IPs that are supposedly blocked
>> by blacklistd. In trying to test this, I am using postfix. However, I
>> don't seem to be able to get postfix to call blacklistd. The approach I am
>> using is to remove one of my machines from mynetworks using a !IPaddress.
>> That seems to work properly. I send using telnet to port 25 and give it
>> non-local addresses. Postfix responds with an appropriate snarky message.
>> However, traces of blacklistd show no calls for that address. What are the
>> conditions when blacklistd is called? Is it only for authentication
>> failures, as indicated in one web page? How can I test pf with postfix?
>
> Not sure I have a proper answer to your questions about testing, but you
> might want to double check /etc/blacklistd.conf. Especially to make sure your
> network is not «whitelisted».
>
> Mine looks like this:
>
> $ cat /etc/blacklistd.conf
> #
> # Blacklist rule
> # adr/mask:port   type    proto   owner   name    nfail   disable
> [local]
> ssh               stream  *       *       *       3       24h
> ftp               stream  *       *       *       3       24h
> smtp              stream  *       *       *       3       24h
> submission        stream  *       *       *       3       24h
> #6161             stream  tcp6    christos *      2       10m
> *                 *       *       *       *       3       60
>
> # adr/mask:port   type    proto   owner   name    nfail   disable
> [remote]
> #129.168.0.0/16   *       *       *       =       *       *
> #6161             =       =       =       =/24    =       =
> #*                stream  tcp     *       =       =       =
>
> Obviously the blacklistd service must be started and your pf.conf must have
> an anchor for rules injection:
>
> anchor "blacklistd/*" in on $ext_if
>
> I successfully block offenders, both on ports 25 and 587. Example for port 25:
>
> $ sudo pfctl -a blacklistd/25 -t port25 -T show | wc -l
> 13
>
>
> patpro

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
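As an added example (editor's code, not from the thread, blacklistd or Postfix), the script below cross-checks the two outputs shown above: it parses `blacklistctl dump -br` lines and Postfix postscreen/smtpd connection lines from maillog and reports connections that arrived from an address the dump says is blocked. It keeps hits on the blocked port separate from hits on some other port, because the FreeBSD blacklistd pf helper, as far as I know, installs its rule per port (`block in quick proto tcp from <port587> to any port 587` under anchor `blacklistd/587`), so an entry in table `port587` says nothing about port 25; note that the CONNECT line in the grep output above is to port 25. The syslog_name-to-port map and the sample log lines are constructed for the example, with addresses taken from the thread.

```python
"""Cross-check blacklistd's per-port pf tables against Postfix's maillog.

Added example, not code from the thread, blacklistd or Postfix.  Given the
text of `blacklistctl dump -br` and a slice of /var/log/maillog, report
connections from addresses the dump says are blocked, split by whether the
connection hit the port the address is blocked on (pf should have dropped
it) or a different port (the per-port rule does not apply there).
"""
import re
import sys

# Assumption for this example: Postfix syslog_name -> listening port, used
# for smtpd "connect from" lines, which carry no destination port.  The
# postscreen CONNECT line carries the port itself and is used as-is.
SYSLOG_NAME_PORTS = {
    "postfix/smtpd": 25,
    "postfix/submission/smtpd": 587,
}

# One line of `blacklistctl dump -br`, e.g.: 218.4.214.115/32:587 OK 15/3 58m17s
BLACKLIST_RE = re.compile(
    r"^(?P<ip>[\d.]+)/(?P<mask>\d+):(?P<port>\d+)\s+\S+\s+"
    r"(?P<nfail>\d+)/(?P<limit>\d+)\s+(?P<remaining>\S+)$"
)
# postscreen: "CONNECT from [client]:cport to [server]:sport"
POSTSCREEN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ postfix/postscreen\[\d+\]: "
    r"CONNECT from \[(?P<ip>[\d.]+)\]:\d+ to \[[\d.]+\]:(?P<port>\d+)$"
)
# smtpd: "connect from name[client]" (port comes from the syslog_name)
SMTPD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ (?P<name>postfix/[\w/]*smtpd)\[\d+\]: "
    r"connect from \S+\[(?P<ip>[\d.]+)\]$"
)

# Constructed samples; addresses and the first three log lines follow the
# thread.  The 203.0.113.7 entry has not reached its limit and must be ignored.
SAMPLE_DUMP = """\
218.94.104.180/32:587 OK 3/3 4h12m17s
218.4.214.115/32:587 OK 15/3 58m17s
70.166.207.76/32:587 OK 13/3 8h21m19s
203.0.113.7/32:587 OK 1/3 23h59m0s
"""
SAMPLE_MAILLOG = """\
Jun  9 10:21:57 mail postfix/postscreen[13719]: CONNECT from [218.4.214.115]:55584 to [10.0.1.230]:25
Jun  9 10:22:03 mail postfix/smtpd[15137]: connect from unknown[218.4.214.115]
Jun  9 10:22:09 mail postfix/smtpd[15137]: warning: unknown[218.4.214.115]: SASL PLAIN authentication failed: (reason unavailable), sasl_username=user@example.org
Jun  9 11:05:00 mail postfix/submission/smtpd[15201]: connect from unknown[70.166.207.76]
Jun  9 11:06:00 mail postfix/smtpd[15202]: connect from unknown[203.0.113.7]
"""


def parse_blocked(dump_text):
    """Return {(ip, port): remaining} for entries whose failure count has
    reached the limit, i.e. entries blacklistd has handed to pf."""
    blocked = {}
    for line in dump_text.splitlines():
        m = BLACKLIST_RE.match(line.strip())
        if m and int(m["nfail"]) >= int(m["limit"]):
            blocked[(m["ip"], int(m["port"]))] = m["remaining"]
    return blocked


def parse_connections(maillog_text):
    """Return [(timestamp, client_ip, dest_port)] for inbound connections.
    Lines that are neither postscreen CONNECT nor smtpd 'connect from' are
    ignored, as are smtpd instances whose syslog_name is not in the map."""
    conns = []
    for line in maillog_text.splitlines():
        m = POSTSCREEN_RE.match(line)
        if m:
            conns.append((m["ts"], m["ip"], int(m["port"])))
            continue
        m = SMTPD_RE.match(line)
        if m and m["name"] in SYSLOG_NAME_PORTS:
            conns.append((m["ts"], m["ip"], SYSLOG_NAME_PORTS[m["name"]]))
    return conns


def audit(dump_text, maillog_text):
    """Split connections from blocked addresses into two lists:
    leaks      - same (ip, port) as a live entry: pf should have dropped it
    other_port - blocked ip, but on a port whose table does not list it"""
    blocked = parse_blocked(dump_text)
    blocked_ips = {ip for ip, _ in blocked}
    leaks, other_port = [], []
    for ts, ip, port in parse_connections(maillog_text):
        if (ip, port) in blocked:
            leaks.append((ts, ip, port))
        elif ip in blocked_ips:
            other_port.append((ts, ip, port))
    return leaks, other_port


if __name__ == "__main__":
    # Usage: audit.py [dump.txt maillog]; with no arguments the samples run.
    if len(sys.argv) == 3:
        dump, log = (open(p).read() for p in sys.argv[1:3])
    else:
        dump, log = SAMPLE_DUMP, SAMPLE_MAILLOG
    leaks, other_port = audit(dump, log)
    for ts, ip, port in leaks:
        print(f"LEAK  {ts} {ip} reached port {port} while blocked on it")
    for ts, ip, port in other_port:
        print(f"NOTE  {ts} {ip} reached port {port}; blocked only on another port")
```

On a live system, capture the inputs with `blacklistctl dump -br > dump.txt` right after the suspect connection, since the remaining-time column only tells you an entry is live at dump time, not whether it was live when the connection arrived. A LEAK line is the case the thread describes (a connection that the anchor should have dropped); a NOTE line means the table simply did not cover that port, and the thing to look at is whether blacklistd.conf has an entry for that service at all.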