On 12/26/2022 4:18 PM, mats wrote:
> First statement: I'm new to Postfix
> Second statement: I'm old enough that a 30mb harddrive was big when I started
> working with computers ......
> The Challenge
> I want to be able to run my own "idp" type script when someone tries to connect
> to my mailserver. Basically I want to refuse them even a tcp connection to smtpd if the
> connecting ip is in our internal blacklist.
> I'm doing it today with an old HMailserver and it's very effective so I would
> like to port that functionality
> Before someone says fail2ban so no, fail2ban is way too late since it requires
> log entries from smtpd. I want to kill them before they even get a chance to
> try and log on
There are numerous ways in addition to the ipset suggestions through
which you could do this better than running a script at connect time.
I'd simply publish my internal blocklist in DNS, using a DNSBL record
format. To list IP address 192.0.2.1, your records would look like this:
1.2.0.192.blocklist.internal. 60 IN A 127.0.0.1
                              60 IN TXT "Reject message"
You'd query your local DNSBL with a reject_rbl_client smtpd(8)
restriction, or better yet, in postscreen(8).
If you don't want to run/maintain your own DNSBL, publish your list in
cidr_table(5) format and use a check_client_access restriction.
For sane ways to do what you want, see these:
http://www.postfix.org/SMTPD_ACCESS_README.html
http://www.postfix.org/POSTSCREEN_README.html
There's no sane way to have smtpd run a command on connection, nor
should there be.
--
http://rob0.nodns4.us/
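As an added example (not from the thread and not Postfix's own code), the script below turns an internal IPv4 blocklist into the two formats rob0 suggests: a cidr_table(5) file for check_client_access / postscreen_access_list, and DNSBL zone records (reversed octets under a private zone) for reject_rbl_client / postscreen_dnsbl_sites. It also emulates both lookups offline so the generated data can be sanity-checked before it goes near a mail server. The sample blocklist entries and the file path are made up for illustration; the zone name blocklist.internal is taken from rob0's example.

```python
"""Publish an internal IPv4 blocklist as cidr_table(5) and as DNSBL records,
and emulate the Postfix lookups offline. Added example; the blocklist,
the zone name and the file path are assumptions made for illustration."""
import ipaddress

# Constructed sample blocklist: key is an IP or CIDR, value is the reject text.
# Order matters for cidr_table(5): Postfix uses the first matching entry.
BLOCKLIST = {
    "192.0.2.1": "Reject message",
    "198.51.100.0/24": "brute-force source",
    "203.0.113.0/25": "spam cannon",
}
DNSBL_ZONE = "blocklist.internal"                  # private zone, as in rob0's example
CIDR_FILE = "/etc/postfix/client_blocklist.cidr"   # hypothetical path


def to_cidr_table(entries=BLOCKLIST):
    """Render a cidr_table(5) file: one 'network/prefix RESULT text' line per entry."""
    lines = ["# generated internal blocklist; first match wins"]
    for net, reason in entries.items():
        n = ipaddress.ip_network(net, strict=False)  # bare IPs become /32
        lines.append(f"{n.with_prefixlen}\tREJECT {reason}")
    return "\n".join(lines) + "\n"


def cidr_lookup(client_ip, entries=BLOCKLIST):
    """Emulate check_client_access cidr:...: return the result text of the first
    entry whose network contains the client address, or None when unlisted."""
    addr = ipaddress.ip_address(client_ip)
    for net, reason in entries.items():
        if addr in ipaddress.ip_network(net, strict=False):
            return f"REJECT {reason}"
    return None


def dnsbl_name(ip, zone=DNSBL_ZONE):
    """DNSBL owner name: octets reversed, then the zone (192.0.2.1 -> 1.2.0.192.<zone>)."""
    return ".".join(reversed(str(ipaddress.ip_address(ip)).split("."))) + "." + zone


def to_dnsbl_records(entries=BLOCKLIST, zone=DNSBL_ZONE, ttl=60):
    """Expand the blocklist into DNSBL records keyed by owner name. A DNSBL is
    queried per address, so a /24 needs 256 owner names; each gets an A record
    (any answer means 'listed') and a TXT record carrying the reject text."""
    records = {}
    for net, reason in entries.items():
        for host in ipaddress.ip_network(net, strict=False):  # every address, incl. .0 and .255
            records[dnsbl_name(host, zone)] = {"ttl": ttl, "A": "127.0.0.1", "TXT": reason}
    return records


def to_zone_file(records):
    """Render the records in zone-file syntax, in the layout rob0 showed."""
    out = []
    for owner, rr in records.items():
        out.append(f'{owner}. {rr["ttl"]} IN A {rr["A"]}')
        out.append(f'{owner}. {rr["ttl"]} IN TXT "{rr["TXT"]}"')
    return "\n".join(out) + "\n"


def dnsbl_lookup(client_ip, records, zone=DNSBL_ZONE):
    """Emulate reject_rbl_client: query <reversed-ip>.<zone>; an A answer means
    listed and the TXT record supplies the reject text. Returns (listed, text)."""
    rr = records.get(dnsbl_name(client_ip, zone))
    if rr is None:
        return (False, None)
    return (True, rr["TXT"])


def main_cf_snippet():
    """main.cf settings that consume the generated data: postscreen first
    (before a client ever reaches smtpd), the smtpd restrictions as fallback."""
    return "\n".join([
        f"postscreen_access_list = permit_mynetworks, cidr:{CIDR_FILE}",
        f"postscreen_dnsbl_sites = {DNSBL_ZONE}",
        "postscreen_dnsbl_action = enforce",
        "smtpd_client_restrictions = permit_mynetworks,",
        f"    check_client_access cidr:{CIDR_FILE},",
        f"    reject_rbl_client {DNSBL_ZONE}",
    ])


if __name__ == "__main__":
    recs = to_dnsbl_records()
    print(to_cidr_table())
    print(to_zone_file(recs).splitlines()[0:4])
    for ip in ("192.0.2.1", "198.51.100.77", "203.0.113.200"):
        print(ip, cidr_lookup(ip), dnsbl_lookup(ip, recs))
    print(main_cf_snippet())
```

The cidr file needs no postmap(1) step (cidr tables are read as text), and `postmap -q 198.51.100.77 cidr:/etc/postfix/client_blocklist.cidr` shows what Postfix will see for a given client. The DNSBL variant only works if the resolver Postfix uses actually serves the private zone, and every listed address needs its own owner name, which is why the generator expands each CIDR. Note that neither approach does quite what the original post asks for: postscreen and smtpd still accept the TCP connection and reject at the SMTP level. Refusing the connection itself is a packet-filter job, which is where the ipset suggestion mentioned in the thread comes in.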