On 26/12/2021 17:51, Wietse Venema wrote:
Depends on what you mean with "accurate".

On 27.12.21 04:03, Lefteris Tsintjelis wrote:
I mean the locally maintained IP RBL. It is critical as this will be doing most of the rejection.

- With smtpd_delay_reject=yes, Postfix logs the client, helo, sender,
and recipient.

With delays set to yes, it is really good to have that info but when SASL is used the rejection reason given out is authentication failed and that is where my concern is.

if the SASL authentication fails, what's the need of other checks?
authenticated clients are to be handled differently than mailservers.

if authentication succeeds, you have no reason for other checks
(well, you CAN check for other signs of abuse, and optionally refuse the
client, but people usually don't do that).

If authentication fails, I see no reason for accepting anything more from
such client.

- With smtpd_delay_reject=no, Postfix will log a DNSBL 'reject' in
smtpd_client_restrictions without any sender or recipient information.
That makes it difficult to answer questions about "missing" email.

And when SASL is used with delays set to no, when the first reject happens, the client is out, so the very much wanted authentication info is delayed, and that decreases the guessing possibilities to extremely low and makes the attack close to impossible to ever succeed with proper RBL updating.

fail2ban can do this. you can fill your local dnsbl with that, although I
prefer blocking connection from those IPs at firewall level.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Depression is merely anger without enthusiasm.
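
The kind of log-driven blocklist feed discussed in this thread, as an added example that is not part of the original messages: it counts failed SASL logins per client IP in Postfix smtpd log lines and emits entries for a local blocklist. The log lines are constructed samples; the threshold, the function names and the choice of a Postfix cidr_table as output format are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the format Postfix smtpd logs failed SASL logins.
SAMPLE_LOG = """\
Dec 27 04:01:10 mx postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 27 04:01:14 mx postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 27 04:01:19 mx postfix/smtpd[2104]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed:
Dec 27 04:02:00 mx postfix/smtpd[2110]: warning: host.example.net[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 27 04:02:30 mx postfix/smtpd[2111]: connect from mail.example.org[192.0.2.10]
Dec 27 04:03:05 mx postfix/submission/smtpd[2115]: warning: unknown[2001:db8::25]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

# Matches both "postfix/smtpd" and "postfix/submission/smtpd" service names.
FAILED_AUTH = re.compile(
    r"postfix/(?:\w+/)?smtpd\[\d+\]: warning: \S*\[([0-9A-Fa-f.:]+)\]: "
    r"SASL \S+ authentication failed"
)

def failed_auth_counts(lines):
    """Return a Counter of failed SASL logins keyed by client IP."""
    counts = Counter()
    for line in lines:
        match = FAILED_AUTH.search(line)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # bracketed text that is not a valid address
        counts[str(ip)] += 1
    return counts

def offenders(lines, threshold=3):
    """Client IPs with at least `threshold` failures (threshold is an assumption)."""
    counts = failed_auth_counts(lines)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def cidr_table(ips, action="REJECT Too many failed SASL logins"):
    """Render the IPs as Postfix cidr_table(5) entries (one host per line)."""
    return "".join(f"{ipaddress.ip_network(ip)}\t{action}\n" for ip in ips)

if __name__ == "__main__":
    print(cidr_table(offenders(SAMPLE_LOG.splitlines())), end="")
```

The same list of addresses could instead feed a local DNSBL zone or a firewall set, the two options named in the reply above.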
