On 8/11/2016 1:10 PM, Richard Klingler wrote:
> Doesn't work with the blacklisted_prefix file...
>
> Have:
>
> smtpd_recipient_restrictions = check_client_access
> cidr:/usr/local/etc/postfix/blacklisted_prefixes, permit_sasl_authenticated,
> ....
>
> But I still get connection message that shows that the blacklist is bypassed
> although
> I have an entry in blacklisted_prefixes:
>
> 93.152.0.0/17 REJECT
>
>
> Aug 11 20:05:39 <mail.info> marvin postfix/smtpd[19974]: initializing the
> server-side TLS engine
> Aug 11 20:05:39 <mail.info> marvin postfix/smtpd[19974]: connect from
> 93-152-67-113.itlab.managedbroadband.co.uk[93.152.67.113]
> Aug 11 20:05:41 <mail.warn> marvin postfix/smtpd[19974]: warning: SASL
> authentication failure: no user in db
> Aug 11 20:05:41 <mail.warn> marvin postfix/smtpd[19974]: warning: SASL
> authentication failure: no user in db
> Aug 11 20:05:41 <mail.warn> marvin postfix/smtpd[19974]: warning:
> 93-152-67-113.itlab.managedbroadband.co.uk[93.152.67.113]: SASL LOGIN
> authentication failed: authentication failure
> Aug 11 20:05:41 <mail.info> marvin postfix/smtpd[19974]: disconnect from
> 93-152-67-113.itlab.managedbroadband.co.uk[93.152.67.113]
>
>
> cheers
> richard
>

But it is working. The client sends AUTH long before RCPT TO. Due to the blacklist, the client would not be able to send mail if they happened to get the password right, nor would they get any particular indication that the password was correct.

If you want to prevent them from using AUTH, you can use a cidr: table with either of these:
http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps
or
http://www.postfix.org/postconf.5.html#smtpd_sasl_exceptions_networks

-- Noel Jones
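
An added example, not part of the original thread and not Postfix code: a Python check that counts failed SASL logins from clients inside the blacklisted prefixes and renders matching cidr lines that discard the `auth` EHLO keyword for those prefixes. The sample data is built from the table entry and log quoted above plus one constructed line, the function names are hypothetical, and only plain `network action` table lines are handled.

```python
import ipaddress
import re

# Sample input: the cidr entry and log lines quoted in the thread (wrapped
# lines rejoined), plus one constructed failure from outside the prefix.
BLACKLIST = """\
# blacklisted_prefixes
93.152.0.0/17 REJECT
"""
LOG = """\
Aug 11 20:05:39 <mail.info> marvin postfix/smtpd[19974]: connect from 93-152-67-113.itlab.managedbroadband.co.uk[93.152.67.113]
Aug 11 20:05:41 <mail.warn> marvin postfix/smtpd[19974]: warning: SASL authentication failure: no user in db
Aug 11 20:05:41 <mail.warn> marvin postfix/smtpd[19974]: warning: 93-152-67-113.itlab.managedbroadband.co.uk[93.152.67.113]: SASL LOGIN authentication failed: authentication failure
Aug 11 20:05:42 <mail.warn> marvin postfix/smtpd[19975]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
"""

# Matches "warning: host[ip]: SASL <mech> authentication failed"
FAILED = re.compile(r"warning: \S*\[([0-9a-fA-F.:]+)\]: SASL \S+ authentication failed")

def load_prefixes(text):
    """Parse simple 'network action' lines of a Postfix cidr table."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line.split()[0], strict=False))
    return nets

def auth_failures_from_blacklisted(log, nets):
    """Count failed SASL logins per blacklisted prefix."""
    hits = {}
    for m in FAILED.finditer(log):
        ip = ipaddress.ip_address(m.group(1))
        for net in nets:
            if ip.version == net.version and ip in net:
                hits[str(net)] = hits.get(str(net), 0) + 1
                break
    return hits

def ehlo_discard_table(hits):
    """Render cidr lines for smtpd_discard_ehlo_keyword_address_maps."""
    return "".join(f"{net} auth\n" for net in sorted(hits))

if __name__ == "__main__":
    hits = auth_failures_from_blacklisted(LOG, load_prefixes(BLACKLIST))
    print(hits)
    print(ehlo_discard_table(hits), end="")
```

Point smtpd_discard_ehlo_keyword_address_maps at a cidr: file holding the rendered lines; the existing blacklist entry in smtpd_recipient_restrictions stays in place to reject mail at RCPT TO.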