[SLE] postfix smtpd_client_restrictions Help? Sandy?
List, Sandy:

I'm trying to do this (from man 5 access):

    EXAMPLE
    The following example uses an indexed file, so that the order of table
    entries does not matter. The example permits access by the client at
    address 1.2.3.4 but rejects all other clients in 1.2.3.0/24. Instead of
    "hash" lookup tables, some systems use "dbm". Use the command
    "postconf -m" to find out what lookup tables Postfix supports on your
    system.

    /etc/postfix/main.cf:
        smtpd_client_restrictions = check_client_access hash:/etc/postfix/access

    /etc/postfix/access:
        1.2.3      REJECT
        1.2.3.4    OK

So I did this:

main.cf:
smtpd_client_restrictions = check_client_access hash:/etc/postfix/client_check

[root@bonza postfix]# cat client_check
218 REJECT
221 REJECT

postmap client_check
postfix reload

But for some reason, it does not work as expected. It does this:

[root@bonza postfix]# postmap -q 221 hash:client_check
REJECT
[root@bonza postfix]# postmap -q 221.1.1.1 hash:client_check
[root@bonza postfix]# postmap -q 221.2.1.1 hash:client_check

It only seems to match if 221 is used, but does not match the rest of the IP range.

Any ideas???

--
David C. Rankin, J.D., P.E.
RANKIN LAW FIRM, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
(936) 715-9333
(936) 715-9339 fax
www.rankinlawfirm.com

--
Check the headers for your unsubscription address
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the archives at http://lists.suse.com
Please read the FAQs: suse-linux-e-faq@suse.com
david rankin wrote:
> List, Sandy:
>
> I'm trying to do this (from man 5 access):
>
>     EXAMPLE
>     The following example uses an indexed file, so that the order of table
>     entries does not matter. The example permits access by the client at
>     address 1.2.3.4 but rejects all other clients in 1.2.3.0/24. Instead of
>     "hash" lookup tables, some systems use "dbm". Use the command
>     "postconf -m" to find out what lookup tables Postfix supports on your
>     system.
>
>     /etc/postfix/main.cf:
>         smtpd_client_restrictions = check_client_access hash:/etc/postfix/access
>
>     /etc/postfix/access:
>         1.2.3      REJECT
>         1.2.3.4    OK
>
> So I did this:
>
> main.cf:
> smtpd_client_restrictions = check_client_access hash:/etc/postfix/client_check
>
> [root@bonza postfix]# cat client_check
> 218 REJECT
> 221 REJECT
>
> postmap client_check
> postfix reload
>
> But for some reason, it does not work as expected. It does this:
>
> [root@bonza postfix]# postmap -q 221 hash:client_check
> REJECT
> [root@bonza postfix]# postmap -q 221.1.1.1 hash:client_check
> [root@bonza postfix]# postmap -q 221.2.1.1 hash:client_check
    net    Matches the specified IPv4 host address or subnetwork. An IPv4 host
           address is a sequence of four decimal octets separated by ".".
           Subnetworks are matched by repeatedly truncating the last ".octet"
           from the remote IPv4 host address string until a match is found in
           the access table, or until further truncation is not possible.

           NOTE 1: The information in the access map should be in canonical
           form, with unnecessary null characters eliminated. Address
           information must not be enclosed with "[]" characters.

This is the important part here:

           NOTE 2: use the cidr lookup table type to specify network/netmask
           patterns. See cidr_table(5) for details.

If you use a cidr table you get:

# cat client_check
218.0.0.0/8 REJECT
221.0.0.0/8 REJECT
# postmap -q 221.1.1.1 cidr:client_check
REJECT

You could also use a pcre or regexp table.

Sandy

--
List replies only please!
Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
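The two lookup rules Sandy quotes above, written out as a small runnable model. This is an added example, not Postfix source code and not anything posted to the list: the function names are my own, and the table contents are copies of the tables in the thread. `smtpd_client_lookup` imitates the ".octet" truncation that access(5) describes for an indexed (hash:) table, `postmap_query` imitates the single literal key lookup that `postmap -q` performs (which is why querying a full address against the `221` entry prints nothing), `cidr_lookup` imitates a cidr: table, and `network_range` shows what a prefix length actually covers.

```python
"""Model of the client-address lookup rules discussed in this thread.

Added illustration, not Postfix code. Function names are my own; the
table contents are copies of the ones posted in the thread.

  * hash:/dbm: (access(5) "net" rule): smtpd tries the full client
    address, then strips one trailing ".octet" at a time until a key
    matches, so the key "221" covers all of 221.0.0.0/8.
  * `postmap -q KEY hash:table` does one literal lookup of KEY and no
    truncation, so querying 221.1.1.1 against that table prints nothing.
  * cidr: (cidr_table(5)): each entry is network/prefix and the first
    entry containing the address wins, so order matters.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Tables from the thread. hash: tables are unordered key -> action maps.
MAN_PAGE_TABLE: Dict[str, str] = {"1.2.3": "REJECT", "1.2.3.4": "OK"}
CLIENT_CHECK_HASH: Dict[str, str] = {"218": "REJECT", "221": "REJECT"}
# cidr: tables are ordered lists of (network, action).
CLIENT_CHECK_CIDR: List[Tuple[str, str]] = [
    ("218.0.0.0/8", "REJECT"),
    ("221.0.0.0/8", "REJECT"),
    ("169.208.0.0/16", "REJECT"),
]


def postmap_query(table: Dict[str, str], key: str) -> Optional[str]:
    """What `postmap -q KEY hash:table` does: one exact lookup, no truncation."""
    return table.get(key)


def smtpd_client_lookup(table: Dict[str, str], client_ip: str) -> Optional[str]:
    """What check_client_access does with an indexed table: look up the full
    address, then keep dropping the last ".octet" until a key matches or
    nothing is left to drop."""
    key = client_ip
    while True:
        action = table.get(key)
        if action is not None:
            return action
        if "." not in key:
            return None
        key = key.rsplit(".", 1)[0]


def cidr_lookup(table: List[Tuple[str, str]], client_ip: str) -> Optional[str]:
    """What a cidr: table does: the first network containing the address wins."""
    addr = ipaddress.ip_address(client_ip)
    for network, action in table:
        if addr in ipaddress.ip_network(network):
            return action
    return None


def network_range(network: str) -> Tuple[str, str, int]:
    """First address, last address and size of a CIDR block, to make the
    /8-versus-/24 question later in the thread concrete."""
    net = ipaddress.ip_network(network)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


if __name__ == "__main__":
    for ip in ("221", "221.1.1.1", "221.2.1.1"):
        print(ip, "postmap -q:", postmap_query(CLIENT_CHECK_HASH, ip),
              "smtpd:", smtpd_client_lookup(CLIENT_CHECK_HASH, ip))
    print("cidr 221.1.1.1:", cidr_lookup(CLIENT_CHECK_CIDR, "221.1.1.1"))
    for net in ("221.0.0.0/8", "221.0.0.0/24"):
        print(net, network_range(net))
```

Running it reproduces the thread: the hash table rejects 221.1.1.1 under the smtpd rule but not under a `postmap -q` lookup, the cidr table rejects it under both, and the man-page table lets 1.2.3.4 through while rejecting 1.2.3.5 because the OK entry is found before truncation reaches the 1.2.3 key.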
> From: "Sandy Drobic" <suse-linux-e@japantest.homelinux.com>
>
> david rankin wrote:
>> List, Sandy:
>
> This is the important part here:
>
>            NOTE 2: use the cidr lookup table type to specify network/netmask
>            patterns. See cidr_table(5) for details.
Ok, I saw that, but that still doesn't explain why the man 5 access example doesn't work. The man page suggests that you can designate "221 reject" and have it reject all hosts under the 221 net, implying 221.0.0.0/24. But obviously it doesn't.
> If you use a cidr table you get:
>
> # cat client_check
> 218.0.0.0/8 REJECT
> 221.0.0.0/8 REJECT
> # postmap -q 221.1.1.1 cidr:client_check
> REJECT
How does this work?? Wouldn't you need /24 to reject the entire class A network range?? (or maybe I just don't understand....)

Thank you again for your wisdom, Sandy!

--
David C. Rankin, J.D., P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
(936) 715-9333
www.rankinlawfirm.com

--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.9.10/384 - Release Date: 7/10/06
From: "David Rankin" <drankin@cox-internet.com>
> From: "Sandy Drobic" <suse-linux-e@japantest.homelinux.com>
>
> david rankin wrote:
>> List, Sandy:
>>
>> How does this work?? Wouldn't you need /24 to reject the entire class A
>> network range?? (or maybe I just don't understand....)
I got it figured out. It helps if you start counting bits at the correct end..... Works great now!

nemesis:/etc/postfix # postmap -q 211.211.1.1 cidr:/etc/postfix/client_check.cidr
REJECT
nemesis:/etc/postfix # postmap -q 169.209.2.2 cidr:/etc/postfix/client_check.cidr
nemesis:/etc/postfix # postmap -q 169.208.2.2 cidr:/etc/postfix/client_check.cidr
REJECT
nemesis:/etc/postfix # postmap -q 85.208.2.2 cidr:/etc/postfix/client_check.cidr
REJECT

Here is what I'm blocking (see below). (Don't worry! This is not a production machine...) I'll work on black lists next; this is way too labor intensive.....

nemesis:/etc/postfix # cat client_check.cidr
58.0.0.0/8 REJECT
60.0.0.0/8 REJECT
121.0.0.0/8 REJECT
122.0.0.0/8 REJECT
126.0.0.0/8 REJECT
169.208.0.0/16 REJECT
196.192.0.0/16 REJECT
202.0.0.0/8 REJECT
203.0.0.0/8 REJECT
210.0.0.0/8 REJECT
211.0.0.0/8 REJECT
218.0.0.0/8 REJECT
220.0.0.0/8 REJECT
222.0.0.0/8 REJECT
81.0.0.0/8 REJECT
82.0.0.0/8 REJECT
83.0.0.0/8 REJECT
84.0.0.0/8 REJECT
85.0.0.0/8 REJECT
86.0.0.0/8 REJECT
61.0.0.0/8 REJECT
193.0.0.0/8 REJECT
195.0.0.0/8 REJECT
201.0.0.0/8 REJECT
219.0.0.0/8 REJECT
> From: "Sandy Drobic" <suse-linux-e@japantest.homelinux.com>
>
> david rankin wrote:
>> List, Sandy:
>>
>> I'm trying to do this (from man 5 access):
>>
>>     EXAMPLE
>>     The following example uses an indexed file, so that the order of table
>>     entries does not matter. The example permits access by the client at
>>     address 1.2.3.4 but rejects all other clients in 1.2.3.0/24. Instead of
>>     "hash" lookup tables, some systems use "dbm". Use the command
>>     "postconf -m" to find out what lookup tables Postfix supports on your
>>     system.
>>
>>     /etc/postfix/main.cf:
>>         smtpd_client_restrictions = check_client_access hash:/etc/postfix/access
>>
>>     /etc/postfix/access:
>>         1.2.3      REJECT
>>         1.2.3.4    OK
>>
>> So I did this:
>>
>> main.cf:
>> smtpd_client_restrictions = check_client_access hash:/etc/postfix/client_check
>>
>> [root@bonza postfix]# cat client_check
>> 218 REJECT
>> 221 REJECT
>>
>> postmap client_check
>> postfix reload
>>
>> But for some reason, it does not work as expected. It does this:
>>
>> [root@bonza postfix]# postmap -q 221 hash:client_check
>> REJECT
>> [root@bonza postfix]# postmap -q 221.1.1.1 hash:client_check
>> [root@bonza postfix]# postmap -q 221.2.1.1 hash:client_check
AHAH! It does work as man 5 access says. HOWEVER, it does NOT work with postmap -q. Go figure?

Here is a log entry with the hash:/etc/postfix/client_check:

Jul 11 23:50:20 bonza postfix/smtpd[27538]: NOQUEUE: reject: RCPT from unknown[218.12.90.19]: 554 <unknown[218.12.90.19]>: Client host rejected: F.O.A.D.; from=<info@ehbsr.com> to=<info@rankin-bertin.com> proto=SMTP helo=<mail2theweb.com>

btw the "F.O.A.D." was my addition... Postfix didn't do that on its own...

--
David C. Rankin, J.D., P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
(936) 715-9333
www.rankinlawfirm.com
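Since `postmap -q` does not exercise the truncation rule, the smtpd log is where the effect of an indexed access table actually shows, as the entry above demonstrates. As an added example (not part of the thread), here is a parser for NOQUEUE reject lines of that shape, run over the posted line plus a few constructed ones, tallying rejected clients per /8 so a table like the one in this thread can be checked against what the server really did. The regular expression is written for the exact format posted here; that it holds for other Postfix versions or log formats is an assumption.

```python
"""Parse Postfix smtpd NOQUEUE reject lines and count rejects per network.

Added example. The regex targets the log format shown in this thread;
its fit to other Postfix versions is an assumption. SAMPLE_LOG holds the
posted line plus constructed ones (the 221.x and 218.1.x addresses and
the connect line are made up for the example).
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, Optional

REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/smtpd\[(?P<pid>\d+)\]: "
    r"NOQUEUE: reject: (?P<stage>\w+) from (?P<client>[^\[]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) .*?: (?P<reason>[^;]+); from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)> "
    r"proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>$"
)

SAMPLE_LOG = [
    # The line posted in the thread.
    "Jul 11 23:50:20 bonza postfix/smtpd[27538]: NOQUEUE: reject: RCPT from unknown[218.12.90.19]: 554 <unknown[218.12.90.19]>: Client host rejected: F.O.A.D.; from=<info@ehbsr.com> to=<info@rankin-bertin.com> proto=SMTP helo=<mail2theweb.com>",
    # Constructed lines in the same format.
    "Jul 11 23:51:02 bonza postfix/smtpd[27540]: NOQUEUE: reject: RCPT from unknown[221.5.6.7]: 554 <unknown[221.5.6.7]>: Client host rejected: F.O.A.D.; from=<a@example.org> to=<b@example.com> proto=ESMTP helo=<example.org>",
    "Jul 11 23:52:17 bonza postfix/smtpd[27540]: NOQUEUE: reject: RCPT from unknown[218.1.1.1]: 554 <unknown[218.1.1.1]>: Client host rejected: F.O.A.D.; from=<c@example.org> to=<b@example.com> proto=SMTP helo=<example.net>",
    # A non-reject line that the parser must skip.
    "Jul 11 23:53:00 bonza postfix/smtpd[27541]: connect from mail.example.net[192.0.2.10]",
]


def parse_reject(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of a reject line, or None for any other line."""
    m = REJECT_RE.match(line)
    return m.groupdict() if m else None


def rejects_by_network(lines: Iterable[str], prefix_len: int = 8) -> Dict[str, int]:
    """Count reject lines per client network of the given prefix length.
    strict=False lets ipaddress zero the host bits for us."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_reject(line)
        if rec is None:
            continue
        net = ipaddress.ip_network(f"{rec['ip']}/{prefix_len}", strict=False)
        counts[str(net)] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_reject(line)
        if rec:
            print(rec["ts"], rec["ip"], rec["code"], rec["reason"], "helo=" + rec["helo"])
    print(rejects_by_network(SAMPLE_LOG))
```

Comparing the resulting per-network counts against the entries of the access or cidr table is a quick way to confirm that each entry is actually matching clients, which `postmap -q` cannot tell you for a hash: table.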