Kai Krakow:
> Hello list!
>
> Is there a way to prevent postfix from offering SASL auth (and
> that includes denying open relaying) to clients based on DNS RBL
> lookups? I've discovered the option smtpd_sasl_exceptions_networks
> which allows one to do that by adding static subnet entries or adding
> a hash map.
In theory, one could configure the smtpd_sasl_exceptions_networks feature to query a daemon that replies "not found" when the client IP address is blacklisted.

    smtpd_sasl_exceptions_networks = tcp:host:port
    smtpd_sasl_exceptions_networks = socketmap:inet:host:port:name
    smtpd_sasl_exceptions_networks = memcache:/file/name

In practice, almost no-one will do that. But, this would do what you asked for and more.

Alternatively, you could update the smtpd_sasl_exceptions_networks lookup table with fail2ban after Postfix logs some number of login failures from a client IP address.

To add DNSBL lookups to smtpd_sasl_exceptions_networks, one would have to use maptype:mapname syntax (e.g., dnsbl:site.example.com, dnsbl:site.example.com=filter, where the dnsbl: lookup table exists only in the Postfix SMTP daemon). This is because the underlying mechanism is used by all Postfix programs, and most programs must not have dependencies on DNSBL support. However, lookup tables that work in only one program would make Postfix more difficult to use.

Wietse
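As an added illustration of the tcp: variant above (example code written for this thread, not Wietse's or the Postfix project's), here is a small daemon speaking the Postfix tcp_table(5) protocol that answers lookups by querying a DNSBL. It would be wired in as `smtpd_sasl_exceptions_networks = tcp:127.0.0.1:10025`; the port, the DNSBL zone name `dnsbl.example.invalid`, the reply text "listed in ..." and the requirement that a DNSBL answer be inside 127.0.0.0/8 are all assumptions of this example. Because smtpd_sasl_exceptions_networks is a name/address list, Postfix also presents the client hostname (and parent domains) to the table, so non-address keys are answered "not found" rather than fed to the DNSBL. The resolver is injectable so the lookup logic can be exercised offline with a constructed answer set.

```python
"""Postfix tcp_table(5) lookup daemon backed by a DNSBL (example, not Postfix code).

Protocol recap (from tcp_table(5)): the client sends "get SPACE key NEWLINE" and
expects "200 SPACE text" (found), "500 SPACE text" (not found) or
"400 SPACE text" (temporary error). Key and text are percent-encoded:
space, '%' and non-printable bytes are written as %XX.
"""
import ipaddress
import socket
import socketserver

DNSBL_ZONE = "dnsbl.example.invalid"   # assumption: placeholder zone, not a real DNSBL
LISTEN = ("127.0.0.1", 10025)         # assumption: matches tcp:127.0.0.1:10025 in main.cf


class TemporaryLookupError(Exception):
    """Resolver trouble that should become a 400 reply, not a silent 'not found'."""


def percent_decode(text):
    """Undo tcp_table %XX encoding; malformed escapes are kept literally."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "%" and i + 2 < len(text):
            try:
                out.append(chr(int(text[i + 1:i + 3], 16)))
                i += 3
                continue
            except ValueError:
                pass
        out.append(text[i])
        i += 1
    return "".join(out)


def percent_encode(text):
    """Encode space, '%' and non-printable characters as %XX for the reply text."""
    return "".join(
        c if 33 <= ord(c) <= 126 and c != "%" else "%%%02X" % (ord(c) & 0xFF)
        for c in text
    )


def dnsbl_query_name(ip, zone):
    """Build the reversed-octet (IPv4) or reversed-nibble (IPv6) DNSBL query name."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def is_listed(ip, zone, resolve=socket.gethostbyname):
    """True when the DNSBL answers with an address in 127.0.0.0/8.

    NXDOMAIN means 'not listed'; a temporary resolver failure is raised so the
    caller can tell Postfix to retry instead of misreporting the client.
    """
    name = dnsbl_query_name(ip, zone)
    try:
        answer = resolve(name)
    except socket.gaierror as exc:
        if exc.errno == getattr(socket, "EAI_AGAIN", None):
            raise TemporaryLookupError(str(exc))
        return False
    # Retired or wildcarded zones may answer with non-127/8 addresses; ignore those.
    return answer.startswith("127.")


def handle_request(line, zone=DNSBL_ZONE, resolve=socket.gethostbyname):
    """Turn one tcp_table request line into one reply line (without newline)."""
    line = line.rstrip("\r\n")
    if not line.startswith("get "):
        return "500 unsupported request"          # 'put' is not supported here
    key = percent_decode(line[4:])
    try:
        ipaddress.ip_address(key)
    except ValueError:
        return "500 not an IP address"            # hostname lookups from the name/address list
    try:
        listed = is_listed(key, zone, resolve)
    except TemporaryLookupError as exc:
        return "400 " + percent_encode("dnsbl lookup failed: " + str(exc))
    if listed:
        return "200 " + percent_encode("listed in " + zone)
    return "500 not listed"


class TcpTableHandler(socketserver.StreamRequestHandler):
    """One connection per Postfix SMTP server process; requests are line-oriented."""

    def handle(self):
        for raw in self.rfile:
            reply = handle_request(raw.decode("latin-1"))
            self.wfile.write((reply + "\n").encode("latin-1"))
            self.wfile.flush()


def make_fake_resolver(answers):
    """Constructed offline stand-in for gethostbyname: dict of name -> A record."""
    def resolve(name):
        if name in answers:
            return answers[name]
        raise socket.gaierror(getattr(socket, "EAI_NONAME", -2), "Name or service not known")
    return resolve


def demo():
    """Offline walk-through with a constructed DNSBL answer set."""
    resolve = make_fake_resolver({"10.2.0.192." + DNSBL_ZONE: "127.0.0.2"})
    return {
        "listed": handle_request("get 192.0.2.10\n", resolve=resolve),
        "clean": handle_request("get 192.0.2.11\n", resolve=resolve),
        "hostname": handle_request("get mail.example.com\n", resolve=resolve),
        "put": handle_request("put 192.0.2.10 x\n", resolve=resolve),
    }


if __name__ == "__main__":
    print(demo())
    with socketserver.ThreadingTCPServer(LISTEN, TcpTableHandler) as srv:
        srv.serve_forever()
```

Run it without arguments and it prints the offline demo, then listens on 127.0.0.1:10025 for Postfix. A 200 reply marks the client as matching smtpd_sasl_exceptions_networks, a 500 reply as not matching, and a 400 reply makes Postfix defer the decision rather than guess when the DNSBL resolver is unreachable.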