Oki. I need the insane solutions then. Using DNS is not a way forward for us. Maintaining CIDR lists a number of times a minute with tens of thousands of IPs, instead of a simple query for the IP I'm interested in, well, not interested in that either.
Sent with Proton Mail secure email.

------- Original Message -------
On Tuesday, December 27th, 2022 at 12:07 AM, Rob McGee <r...@nodns4.us> wrote:

> On 12/26/2022 4:18 PM, mats wrote:
>
> > First statement: I'm new to Postfix
> > Second statement: I'm old enough that a 30 MB hard drive was big when I
> > started working with computers ......
> >
> > The Challenge
> > I want to be able to run my own "idp" type script when someone tries to
> > connect to my mail server. Basically I want to refuse them even a TCP
> > connection to smtpd if the connecting IP is in our internal blacklist.
> >
> > I'm doing it today with an old HMailserver and it's very effective, so I
> > would like to port that functionality.
> >
> > Before someone says fail2ban: no, fail2ban is way too late, since it
> > requires log entries from smtpd. I want to kill them before they even get a
> > chance to try and log on.
>
> There are numerous ways, in addition to the ipset suggestions, through
> which you could do this better than running a script at connect time.
> I'd simply publish my internal blocklist in DNS, using a DNSBL record
> format. To list IP address 192.0.2.1, your records would look like this:
>
> 1.2.0.192.blocklist.internal. 60 IN A   127.0.0.1
>                               60 IN TXT "Reject message"
>
> You'd query your local DNSBL with a reject_rbl_client smtpd(8)
> restriction, or better yet, in postscreen(8).
>
> If you don't want to run/maintain your own DNSBL, publish your list in
> cidr_table(5) format and use a check_client_access restriction.
>
> For sane ways to do what you want, see these:
> http://www.postfix.org/SMTPD_ACCESS_README.html
> http://www.postfix.org/POSTSCREEN_README.html
>
> There's no sane way to have smtpd run a command on connection, nor
> should there be.
> --
> http://rob0.nodns4.us/
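The two publishing formats from the quoted reply (a private DNSBL zone for reject_rbl_client / postscreen_dnsbl_sites, and a cidr_table(5) file for check_client_access) are easy to generate from the same internal blocklist. The script below is an added example written for this page; it is not code from the thread, from Postfix, or from either poster. The zone name blocklist.internal, the 60 second TTL, the "Reject message" text and the sample addresses are taken from or modelled on the quoted reply; the 127.0.0.2 answer address is the usual DNSBL convention (Postfix matches any A record unless you append =d.d.d.d to the rbl domain), and the sample blocklist is constructed from RFC 5737 documentation ranges.

```python
"""Publish an internal IP blocklist in the two formats a Postfix
restriction can consume without running a script per connection:

  * a DNSBL zone fragment  -> reject_rbl_client blocklist.internal
                              or postscreen_dnsbl_sites = blocklist.internal
  * a cidr_table(5) file   -> check_client_access cidr:/etc/postfix/client_block

Constructed example for this page, not code from the thread or from Postfix.
"""
import ipaddress
from typing import Iterable, List

# Constructed sample blocklist (RFC 5737 documentation addresses).
SAMPLE_BLOCKLIST = ["192.0.2.1", "192.0.2.128/30", "198.51.100.0/24"]

ZONE = "blocklist.internal"   # assumed name of the private DNSBL zone
TTL = 60                      # as in the quoted reply
REASON = "Reject message"     # TXT payload shown to the rejected client
LISTED_ADDR = "127.0.0.2"     # conventional DNSBL "listed" answer


def _networks(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse hosts and CIDR blocks; a bare address becomes a /32."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    for net in nets:
        if net.version != 4:
            raise ValueError(f"IPv4 only in this example: {net}")
    return nets


def dnsbl_name(ip: str, zone: str = ZONE) -> str:
    """The name a DNSBL client (smtpd/postscreen) queries for `ip`:
    the octets reversed, under the zone. 192.0.2.1 -> 1.2.0.192.<zone>"""
    octets = str(ipaddress.ip_address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def zone_records(entries: Iterable[str], zone: str = ZONE,
                 ttl: int = TTL, reason: str = REASON) -> List[str]:
    """One A and one TXT record per listed host, in zone-file syntax.
    Networks are expanded host by host; anything wider than /24 is refused
    so a typo in the blocklist cannot emit millions of records (put such
    ranges in the cidr_table instead)."""
    lines = []
    for net in _networks(entries):
        if net.prefixlen < 24:
            raise ValueError(f"{net} is wider than /24; use the cidr_table for it")
        for host in net:                      # iterates every address in the block
            owner = dnsbl_name(str(host), zone) + "."   # fully qualified owner name
            lines.append(f"{owner} {ttl} IN A {LISTED_ADDR}")
            lines.append(f'{owner} {ttl} IN TXT "{reason}"')
    return lines


def cidr_table(entries: Iterable[str], reason: str = REASON) -> List[str]:
    """cidr_table(5) lines. Lookups take the first match in file order, so
    longer prefixes are emitted first to keep overlapping entries predictable."""
    nets = sorted(_networks(entries),
                  key=lambda n: (-n.prefixlen, int(n.network_address)))
    return [f"{net.with_prefixlen}\tREJECT {reason}" for net in nets]


def is_listed(client_ip: str, entries: Iterable[str]) -> bool:
    """What check_client_access would decide for a connecting client, given
    the same blocklist (useful for testing the list before deploying it)."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in _networks(entries))


if __name__ == "__main__":
    print("; zone fragment for", ZONE)
    print("\n".join(zone_records(SAMPLE_BLOCKLIST)))
    print("\n# cidr_table for check_client_access")
    print("\n".join(cidr_table(SAMPLE_BLOCKLIST)))
    for probe in ("198.51.100.77", "203.0.113.5"):
        print(f"# {probe} listed: {is_listed(probe, SAMPLE_BLOCKLIST)}")
```

The zone fragment is meant to be appended to a local authoritative zone (and, for postscreen, referenced as postscreen_dnsbl_sites = blocklist.internal); the cidr_table output goes into the file named in check_client_access and needs no postmap step, since cidr: tables are read directly. Regenerating either file on a schedule is a one-liner, which is the point the quoted reply makes about avoiding per-connection scripts.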