On Mon, Apr 25, 2022 at 03:26:52PM -0700, Greg Earle wrote:

> All of the sending hostnames are of the form
>
> www-data@vNNN-NNN-NNN-NNN.*.static.cnode.io

That's not a hostname, it is an email address, and not clear whether
the envelope sender or the "From:" message header.

> For example, here are some examples of the sending IPs from the last few
> months:
>
> v163-44-192-240.a001.g.han1.static.cnode.io
> v163-44-207-233.a006.g.han1.static.cnode.io
> v150-95-115-46.a017.g.han1.static.cnode.io
> v150-95-115-69.a017.g.han1.static.cnode.io
> v163-44-155-225.a010.g.sin1.static.cnode.io
> v160-251-100-196.wbeh.static.cnode.io

Presumably SMTP client reverse names (PTR records), but these are again
not necessarily the same as the EHLO names.

> [root@isolar tmp]# cat /etc/postfix/helo.regexp
> /v[0-9]+-[0-9]+-[0-9]+-[0-9]+[.-@]/ REJECT

This pattern is not properly anchored, possibly matching lots of other
sources. A more conservative pattern would be:

    /^v[0-9]+-[0-9]+-[0-9]+-[0-9]+[.].*[.]static[.]cnode[.]io$/ REJECT

> yet it didn't work - I got a spam from this IP today. What am I doing
> wrong?

Posting output of "grep", rather than full "postconf -nf" and
"postconf -Mf" results.

> (I'd be happy if I could just block *.static.cnode.io from connecting,
> but I tried doing that in /etc/postfix/client_access and it didn't work
> there, either.)

The correct lookup keys would be:

    static.cnode.io
    .static.cnode.io

See also:

    http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains
    http://www.postfix.org/access.5.html

-- 
    Viktor.
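
The anchoring point in the reply above, as an added example that is not part of the original message or of Postfix: it runs the two patterns from the thread over a few names and shows what the unanchored one also matches. It assumes Python's `re` behaves like the regex library Postfix uses for these simple patterns (Postfix regexp tables are case-insensitive by default); the names marked "constructed" are made up for illustration.

```python
import re

# Both patterns are copied from the thread. IGNORECASE mirrors the default
# case-insensitive matching of Postfix regexp tables.
LOOSE = re.compile(r"v[0-9]+-[0-9]+-[0-9]+-[0-9]+[.-@]", re.IGNORECASE)
ANCHORED = re.compile(
    r"^v[0-9]+-[0-9]+-[0-9]+-[0-9]+[.].*[.]static[.]cnode[.]io$", re.IGNORECASE
)

SAMPLES = [
    "v163-44-192-240.a001.g.han1.static.cnode.io",  # from the thread
    "v160-251-100-196.wbeh.static.cnode.io",        # from the thread
    "srv1-2-3-45.example.org",                      # constructed
    "dev10-0-0-12",                                 # constructed
    "mail.example.org",                             # constructed
]


def range_members(lo, hi):
    """Expand a bracket range such as '.-@' into the characters it covers."""
    return "".join(chr(c) for c in range(ord(lo), ord(hi) + 1))


def classify(name):
    """Return (matched by loose pattern, matched by anchored pattern)."""
    return bool(LOOSE.search(name)), bool(ANCHORED.search(name))


def false_positives(names):
    """Names the loose pattern rejects that the anchored pattern leaves alone."""
    return [n for n in names if classify(n) == (True, False)]


if __name__ == "__main__":
    # Inside brackets, '.-@' is a range, not three literal characters.
    print("[.-@] covers:", range_members(".", "@"))
    for name in SAMPLES:
        loose, anchored = classify(name)
        print(f"{name:48} loose={loose!s:5} anchored={anchored}")
    print("extra rejects with the loose pattern:", false_positives(SAMPLES))
```

Without `^`, the loose pattern matches anywhere in the string, and because `[.-@]` is a range that includes the digits, the last digit of the name can satisfy it, which is why `dev10-0-0-12` is rejected as well.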