On Thu, 11 Aug 2016 14:06:44 -0500, Noel Jones wrote:
> On 8/11/2016 1:10 PM, Richard Klingler wrote:
>> Doesn't work with the blacklisted_prefix file...
>>
>> Have:
>>
>> smtpd_recipient_restrictions = check_client_access
>> cidr:/usr/local/etc/postfix/blacklisted_prefixes,
>> permit_sasl_authenticated, ....
>>
>> But I still get connection message that shows that the blacklist is
>> bypassed although
>> I have an entry in blacklisted_prefixes:
>>
>> 93.152.0.0/17 REJECT
>>
>>
>> Aug 11 20:05:39 <mail.info> marvin postfix/smtpd[19974]:
>> initializing the server-side TLS engine
>> Aug 11 20:05:39 <mail.info> marvin postfix/smtpd[19974]: connect
>> from 93-152-67-113.itlab.managedbroadband.co.uk[93.152.67.113]
>> Aug 11 20:05:41 <mail.warn> marvin postfix/smtpd[19974]: warning:
>> SASL authentication failure: no user in db
>> Aug 11 20:05:41 <mail.warn> marvin postfix/smtpd[19974]: warning:
>> SASL authentication failure: no user in db
>> Aug 11 20:05:41 <mail.warn> marvin postfix/smtpd[19974]: warning:
>> 93-152-67-113.itlab.managedbroadband.co.uk[93.152.67.113]: SASL
>> LOGIN authentication failed: authentication failure
>> Aug 11 20:05:41 <mail.info> marvin postfix/smtpd[19974]: disconnect
>> from 93-152-67-113.itlab.managedbroadband.co.uk[93.152.67.113]
>>
>>
>> cheers
>> richard
>>
>
>
> But it is working. The client sends AUTH long before RCPT TO.
>
> Due to the blacklist, the client would not be able to send mail if
> they happened to get the password right, nor would they get any
> particular indication that the password was correct.
>
> If you want to prevent them from using AUTH, you can use a cidr:
> table with either of these:
> http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps
> or
> http://www.postfix.org/postconf.5.html#smtpd_sasl_exceptions_networks
>

Well I would have expected that the first entry in
smtpd_recipient_restrictions triggers first when there is a match and
doesn't do any further checking... like the 2nd sasl permit check...

Maybe that's just me thinking in firewall rules where first match wins (o;

cheers
richard
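
The first option Noel names, written out as a configuration sketch. This is an added example, not configuration posted by either participant; the table file name `no_auth_prefixes` is hypothetical, and the directory and the /17 prefix are taken from the thread.

```conf
# --- main.cf --------------------------------------------------------------
# The existing smtpd_recipient_restrictions line from the thread stays as it
# is: it is only evaluated at RCPT TO, so it still rejects mail from the
# range but cannot stop an AUTH attempt that happens earlier in the session.
#
# Added: per-client-address list of EHLO keywords that smtpd will not
# announce. It is consulted when the EHLO response is built, before AUTH.
smtpd_discard_ehlo_keyword_address_maps =
    cidr:/usr/local/etc/postfix/no_auth_prefixes

# --- /usr/local/etc/postfix/no_auth_prefixes (hypothetical file name) ------
# Left side:  client network, matched against the connecting IP address.
# Right side: EHLO keyword(s) to withhold from that client.
# The blacklisted_prefixes file cannot be reused for this map, because its
# right-hand side is an access action (REJECT) and not an EHLO keyword.
93.152.0.0/17    auth

# --- checking the result ---------------------------------------------------
# cidr: tables are plain text and need no postmap build step.
# Query the table with the address seen in the log; expected output: auth
#   postmap -q 93.152.67.113 cidr:/usr/local/etc/postfix/no_auth_prefixes
# Then make running smtpd processes pick up the change:
#   postfix reload
```

Keeping the `check_client_access` entry alongside this map means clients in the range are both not offered AUTH and still refused at RCPT TO.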