Bernardo Reino wrote in
<79552717-5p3o-8q26-r963-124or6r66...@oozx.bet>:
|On Thu, 23 Mar 2023, Steffen Nurpmeso via Postfix-users wrote:
...
|> (That is pretty off-topic for postfix; except maybe for fun
|> posting my SMTP related firewall
...
|>       add_rule -p tcp --src ${addr}${mask} \
|>          --dport ${p_smtp} -m limit --limit 60/m -j f_m0_2
...
|Could it be that $mask is set to something like /24 (or worse), and that
|somebody in the (ip) neighborhood of Jaroslaw is triggering your script?

60/m is low heh?  This is only a very, very small corner of the
internet.  These "unlimited" are mostly about bandwidth.

  change_chain f_m0_2
  add_rule -j CONNMARK --or-mark $((${M0} | ${M2}))
  add_rule -j ACCEPT

that are then picked up by according rules in the "mangle" table

  change_chain POSTROUTING
  ...
  add_rule -j CONNMARK --restore-mark
  ...
  add_rule -j m_marks
  ...
  change_chain m_marks
  ...
  add_rule -m connmark --mark ${M0}/${M0} -j m_marks

where "M0" just bypasses some checks which could declassify them

  ...
  add_rule -m connmark --mark ${M2}/${M2} -j m_a2

if they were only "M2",

  ...
  change_chain m_a2
  add_rule -j CLASSIFY --set-class 1:20
  add_rule -j ACCEPT

so this ends up solely as traffic control:

  ${tc} class add dev ${1} parent 1:1 classid 1:20 htb \
    rate ${R1} ceil ${R0} ${burst} prio 2
  ...
  ${tc} qdisc add dev ${1} parent 1:20 handle 20: sfq perturb 10

but do not ask tc questions, i have no idea what i am doing.
Other than that i am surely much older than Jaroslaw.
(Though i was environmental and hm "philosophical" (pooh!)
"activist" already when i was 22.  Yet i am no Swedish virgin, so
who gives a shit.)

|(I apologize for replying to this off-topic topic).

Yeah, me too.

  # $1=[ap]+ $2=addr -> $addr, $port, $ip6 ([non-]empty), $mask (or ALL BITS)
  ipaddr_split() {
    addr=${2%:*}
    port=${2##*:}
    [ "${addr}" = "${port}" ] && port=
    ip6=
    if [ "${addr}" != "${addr%]*}" ]; then
      ip6=y
      addr=${addr%]*}
      addr=${addr#[*}
    fi
    mask=
    if [ "${addr}" != "${addr%/*}" ]; then
      mask=/${addr#*/}
      [ "${mask}" = / ] && mask=
      addr=${addr%/*}
    fi
    [ -z "${mask}" ] && { [ -z "${ip6}" ] && mask=/32 || mask=/128; }
    [ -z "${addr}" ] && [ "${1}" != "${1%a*}" ] && {
      echo >&2 'IP address required, none given: '${2}
      return 1
    }
    [ -z "${port}" ] && [ "${1}" != "${1%p*}" ] && {
      echo >&2 '(IP) Socket port required, none given: '${2}
      return 1
    }
    return 0
  }

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
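
Added example, not part of the thread or of Steffen's script: a simplified Python model of a single `--src ${addr}${mask} -m limit --limit 60/m` rule, showing the case Bernardo asks about, where a wide mask makes every address in that network draw from one shared token bucket. The addresses, the traffic pattern and the burst of 5 (the iptables `--limit-burst` default) are assumptions; what happens to packets over the limit depends on later rules the post does not show.

```python
import ipaddress

COST = 60_000  # credit one packet costs; refill is per_minute credit units per ms

class LimitRule:
    """Simplified model of one `--src NET -m limit --limit N/m` rule."""

    def __init__(self, src, per_minute=60, burst=5):
        self.net = ipaddress.ip_network(src, strict=False)
        self.per_minute = per_minute
        self.cap = burst * COST      # bucket starts full
        self.credit = self.cap
        self.last_ms = 0

    def matches(self, now_ms, src_ip):
        # --src is checked first; other sources never touch the bucket.
        if ipaddress.ip_address(src_ip) not in self.net:
            return False
        refill = (now_ms - self.last_ms) * self.per_minute
        self.credit = min(self.cap, self.credit + refill)
        self.last_ms = now_ms
        if self.credit < COST:
            return False             # over the limit: rule does not match
        self.credit -= COST
        return True                  # would jump to f_m0_2 (mark + ACCEPT)

PEER = "192.0.2.10"       # constructed: the host the rule was written for
NEIGHBOUR = "192.0.2.77"  # constructed: unrelated host in the same /24

def simulate(src_spec):
    """Neighbour sends 10 packets/s for 10 s, then the peer sends one."""
    rule = LimitRule(src_spec)
    neighbour_hits = sum(rule.matches(t, NEIGHBOUR) for t in range(0, 10_000, 100))
    peer_hit = rule.matches(9_950, PEER)
    return neighbour_hits, peer_hit

if __name__ == "__main__":
    for spec in (PEER + "/24", PEER + "/32"):
        print(spec, simulate(spec))
```

With the /24 the neighbour takes 14 of the available matches and the peer's packet finds the bucket empty; with the /32 that `ipaddr_split` falls back to when no mask is given, the neighbour never matches and the peer's packet does.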