Hello,
as my submission services have been experiencing a lot of AUTH attacks
recently, I want to temporarily block access to them from IP addresses other
than those from where users are expected to send mail.

1) I created a file specifying allowed addresses; it looks like the following:

127.0.0.0/8             DUNNO
::1                     DUNNO
x.x.x.x/n               DUNNO
...
... (more lines like above)
...
0.0.0.0/0               REJECT
::/0                    REJECT

The allowed IP ranges are listed with "DUNNO", and then there's a 0.0.0.0/0
catchall with "REJECT".

2) I added the following to my main.cf:

temp_client_block=check_client_access cidr:/etc/postfix/temp_client_access

(/etc/postfix/temp_client_access is the above file).

3) In my master.cf, I changed in both "submission" and "smtps" entries the
line

-o smtpd_client_restrictions=permit_sasl_authenticated,reject

to

-o smtpd_client_restrictions=$temp_client_block,permit_sasl_authenticated,reject

and did "service postfix reload".

However, I still find entries like these in my mail.log:

Aug 12 12:31:08 rafa postfix/smtps/smtpd[25866]: connect from unknown[1.221.23.26]
Aug 12 12:31:09 rafa postfix/smtps/smtpd[25866]: Anonymous TLS connection established from unknown[1.221.23.26]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 12 12:31:16 rafa dovecot: auth-worker(25873): pam(r...@rafa.eu.org,1.221.23.26): pam_authenticate() failed: Authentication failure (password mismatch?)
Aug 12 12:31:18 rafa postfix/smtps/smtpd[25866]: warning: unknown[1.221.23.26]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Aug 12 12:31:19 rafa postfix/smtps/smtpd[25866]: lost connection after AUTH from unknown[1.221.23.26]
Aug 12 12:31:19 rafa postfix/smtps/smtpd[25866]: disconnect from unknown[1.221.23.26]

It looks the same as before I made the change, so I understand the client still
tries to authenticate and disconnects after a failed AUTH. However,
1.221.23.26 is definitely not on my allowed addresses list in the file created
in point 1), so shouldn't the connection be outright rejected without
attempting AUTH at all?

What am I doing wrong?
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
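
An added example, not part of the original post: a Python check that evaluates a table like the one in point 1) with first-match semantics and flags logged SASL failures from clients the table maps to REJECT, i.e. connections where AUTH was attempted although the table would refuse the client. The 192.0.2.0/24 entry and the third log line are constructed, and only plain "pattern action" lines are parsed.

```python
import ipaddress
import re

# Constructed table: 192.0.2.0/24 stands in for the post's "x.x.x.x/n" entries.
TABLE = """\
127.0.0.0/8             DUNNO
::1                     DUNNO
192.0.2.0/24            DUNNO
0.0.0.0/0               REJECT
::/0                    REJECT
"""
# First two lines are from the post (unwrapped); the third is constructed.
LOG = """\
Aug 12 12:31:08 rafa postfix/smtps/smtpd[25866]: connect from unknown[1.221.23.26]
Aug 12 12:31:18 rafa postfix/smtps/smtpd[25866]: warning: unknown[1.221.23.26]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Aug 12 12:40:02 rafa postfix/smtps/smtpd[25901]: warning: unknown[192.0.2.17]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""
FAIL_RE = re.compile(
    r"postfix/(\S+)/smtpd\[\d+\]: warning: \S+\[([0-9A-Fa-f.:]+)\]: "
    r"SASL \S+ authentication failed")

def parse_cidr_table(text):
    """Return [(network, action)] in file order; plain 'pattern action' lines only."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pattern, action = line.split(None, 1)
            rules.append((ipaddress.ip_network(pattern, strict=False), action))
    return rules

def lookup(rules, addr):
    """First matching pattern wins, as in a Postfix cidr: table."""
    ip = ipaddress.ip_address(addr)
    for net, action in rules:
        if ip.version == net.version and ip in net:
            return action
    return None

def auth_failures_from_blocked(rules, log_text):
    """(service, client IP) for each SASL failure whose client maps to REJECT."""
    hits = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m and lookup(rules, m.group(2)) == "REJECT":
            hits.append((m.group(1), m.group(2)))
    return hits

if __name__ == "__main__":
    print(auth_failures_from_blocked(parse_cidr_table(TABLE), LOG))
```

On the mail server itself, `postmap -q 1.221.23.26 cidr:/etc/postfix/temp_client_access` performs the same lookup against the real table.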
