Jon wrote:
> I have postfix on a debian Linux (lenny, ESXi virtual) machine handling
> inbound traffic for a couple of domains on Microsoft Exchange 2003. I am using transport_maps and getadsmtp.pl for my recipient list, which seem to work fine. The questions I have are related to smtpd_client_restrictions.

> smtp1:/etc/postfix# postconf -n | grep smtpd_client_restrictions
> smtpd_client_restrictions =
>  check_client_access hash:/etc/postfix/access_hash,
>  check_client_access regexp:/etc/postfix/access_regexp,
>  reject_unknown_reverse_client_hostname,
>  reject_unknown_client_hostname
>
> smtp1:/etc/postfix# cat access_hash
> .it REJECT 554 Access denied

Most installations include "smtpd_access_maps" in parent_domain_matches_subdomains, so the correct entry would be
it  REJECT comment
see the "HOST NAME/ADDRESS PATTERNS" section of
http://www.postfix.org/access.5.html  and also
http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains

Note the "554" is redundant, so leave it out. It's OK to use an "enhanced" status code such as 5.7.1. See RFC1893 for a list of what the codes mean; don't just make up your own.

Your comment, "Access denied" is somewhat generic, and looks a lot like the default response. Better to use something so YOU can tell what rule rejected a particular message (priceless when tracking a problem!!), or a comment explaining to the client what they can do to fix the problem.
it REJECT 5.7.1 unwanted client TLD. send a postcard.

> smtp1:/etc/postfix# cat access_regexp
> /gaoland\.net/

No action/result in this table?

Anyway, a far better expression would be
/\.gaoland\.net$/  REJECT comment

You can also easily add your TLD block to the same table:
/\.it$/  REJECT 5.7.1 unwanted client TLD

> My questions:
> 1) Are two check_client_access statements as I have in smtpd_client_restrictions legal?

Yes, use as many as you need. But table lookups aren't free; I expect your OS will run out of ${some critical resource} after a ridiculous number of tables - probably hundreds or thousands.

If you have postfix 2.6 or newer, for a blacklist I suggest using check_reverse_client_hostname_access rather than check_client_access, since it is more likely to find a client name rather than "unknown".
http://www.postfix.org/postconf.5.html#check_reverse_client_hostname_access

And by the way, I think TLD client blocks are mostly a waste of time. There are usually better ways to block unwanted mail.

  -- Noel Jones

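The lookup-order rules discussed in the thread (a hash: key of "it" versus ".it" depending on parent_domain_matches_subdomains, the anchored regexp patterns, and the net/host prefix lookups for client addresses) can be simulated to check a table before deploying it. The script below is an added example, not postfix code and not from this thread; its table contents are constructed, and the functions hash_lookup, regexp_lookup, address_lookup and check_client_access are names chosen here. It implements the hostname and IPv4 lookup order described in access(5) and evaluates the regexp rules in file order, first match wins, case-insensitively as postfix regexp tables do by default.

```python
"""Simulate postfix access(5) lookups for smtpd_client_restrictions.

Added illustration, not postfix code. Tables are constructed for the demo.
"""
import re

# Constructed hash:-style table. With smtpd_access_maps listed in
# parent_domain_matches_subdomains (the default) the key "it" also
# matches subdomains such as mail.example.it.
ACCESS_HASH = {
    "it": "REJECT 5.7.1 unwanted client TLD",
    "example.net": "OK",
}

# Constructed regexp:-style table, evaluated in order; first match wins.
# Anchoring with $ avoids matching gaoland.net.example.com by accident.
ACCESS_REGEXP = [
    (re.compile(r"\.gaoland\.net$", re.I), "REJECT 5.7.1 unwanted client"),
    (re.compile(r"\.it$", re.I), "REJECT 5.7.1 unwanted client TLD"),
]

# Constructed table keyed by IPv4 address or dotted prefix.
ADDRESS_HASH = {
    "192.0.2": "OK",
}


def hash_lookup(hostname, table, parent_matches_subdomains=True):
    """Hostname lookup order of a hash: table: full name, then parents.

    parent_matches_subdomains=True emulates smtpd_access_maps being in
    parent_domain_matches_subdomains (key "it" matches sub.domain.it).
    With False, subdomains match only a leading-dot key such as ".it".
    """
    host = hostname.lower().rstrip(".")
    if host in table:
        return table[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        key = parent if parent_matches_subdomains else "." + parent
        if key in table:
            return table[key]
    return None


def regexp_lookup(hostname, rules):
    """regexp: table semantics: first pattern that matches decides."""
    for pattern, action in rules:
        if pattern.search(hostname):
            return action
    return None


def address_lookup(address, table):
    """IPv4 lookup order: full address, then each shorter dotted prefix."""
    octets = address.split(".")
    for n in range(len(octets), 0, -1):
        key = ".".join(octets[:n])
        if key in table:
            return table[key]
    return None


def check_client_access(hostname, parent_matches_subdomains=True):
    """Consult the hash: table, then the regexp: table, like the
    two check_client_access entries in the thread."""
    return (hash_lookup(hostname, ACCESS_HASH, parent_matches_subdomains)
            or regexp_lookup(hostname, ACCESS_REGEXP))


if __name__ == "__main__":
    for name in ("mail.example.it", "host.gaoland.net", "www.example.net",
                 "smtp.example.org"):
        print(f"{name:20} -> {check_client_access(name)}")
    print("192.0.2.10           ->", address_lookup("192.0.2.10", ADDRESS_HASH))
```

Running it shows why the thread recommends keeping the TLD block in the regexp table as well: with parent_matches_subdomains=False the bare "it" key no longer matches mail.example.it, but the anchored regexp still does.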