IP address


Hans E. Kristiansen
Hi all,

We have installed postscreen on our mail servers, with a table lookup to a postgres database. The lookup also records the client details (IP address), and we have a basic Java front end with lookups to maxmind to get location information. The tools allow us to block by CIDR, and monitor connections over time to identify various forms of attacks. It has been an eye opener. For reference, we also record mail from: and perform the usual checks after rcpt to:, and the mail from is checked against a whitelist in the same database which is also managed by our end users.

However, I would like to have the option to delay the rejection by capturing mail from/rcpt to, but there seems not to be a suitable config entry, the closest I have found is "check_client_a_access", but this option performs a check of the IP of the host, but I would like to have a table lookup akin to "check_client_ip_address" for consistency with the current connection.

Hope this makes sense, and some help is greatly appreciated. Our reference installation has been updated to 3.3.1, from source on a CentOS system.

Thank you.

Kind regards,
Hans E.

Re: IP address

Wietse Venema
Hans E. Kristiansen:

> Hi all,
>
> We have installed postscreen on our mail servers, with a table
> lookup to a postgres database. The lookup also records the client
> details (IP address), and we have a basic Java front end with
> lookups to maxmind to get location information. The tools allow
> us to block by CIDR, and monitor connections over time to identify
> various forms of attacks. It has been an eye opener. For reference,
> we also record mail from: and perform the usual checks after rcpt
> to:, and the mail from is checked against a whitelist in the same
> database which is also managed by our end users.
>
> However, I would like to have the option to delay the rejection
> by capturing mail from/rcpt to, but there seems not to be a suitable
> config entry, the closest I have found is "check_client_a_access",
> but this option performs a check of the IP of the host, but I would
> like to have a table lookup akin to "check_client_ip_address" for
> consistency with the current connection.
>
> Hope this makes sense, and some help is greatly appreciated. Our
> reference installation has been updated to 3.3.1, from source
> on a CentOS system.

The Postfix postscreen daemon will delay rejection until RCPT TO
and will log the HELO/EHLO, MAIL FROM and RCPT TO information from
a client that fails the access_list, pregreet, dnsbl or other test,
if you configure the 'enforce' action for those tests. Example:

    Nov 23 02:28:16 spike postfix/postscreen[33859]: NOQUEUE: reject:
    RCPT from [103.106.193.166]:53404: 550 5.7.1 Service unavailable;
    client [103.106.193.166] blocked using zen.spamhaus.org;
    from=<[hidden email]>, to=<[hidden email]>,
    proto=SMTP, helo=<hotmail.com>

The Postfix smtpd daemon will delay rejection until RCPT TO and
will log the HELO/EHLO, MAIL FROM and RCPT TO information, with the
default configuration "smtpd_delay_reject = yes". Example:

    Nov 23 05:43:03 spike postfix/smtpd[35246]: NOQUEUE: reject:
    RCPT from li1587-232.members.linode.com[139.162.103.232]: 554
    5.1.8 <[hidden email]>: Sender address
    rejected: Domain not found; from=<[hidden email]>
    to=<[hidden email]> proto=ESMTP helo=<220690.cloudwaysapps.com>

        Wietse
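
The two reject formats quoted in the reply above differ in detail: postscreen logs `[ip]:port` with comma-separated fields, smtpd logs `hostname[ip]` with space-separated fields. The following is an added example, not code from the thread or from Postfix, that parses both into one record for the per-client monitoring the original post describes; the sample lines are constructed, and `parse_reject` and `rejects_per_client` are hypothetical names.

```python
import ipaddress
import re
from collections import Counter

# Shared prefix of both daemons' rejects. postscreen logs "[ip]:port" with no
# hostname; smtpd logs "hostname[ip]" with no port.
HEAD = re.compile(
    r"postfix/(?P<daemon>postscreen|smtpd)\[\d+\]: NOQUEUE: reject: "
    r"(?P<stage>[A-Z]+) from (?P<host>[^\[\s]*)\[(?P<ip>[0-9A-Fa-f:.]+)\]"
    r"(?::(?P<port>\d+))?: (?P<code>\d{3}) (?:(?P<dsn>\d\.\d+\.\d+) )?(?P<rest>.*)$"
)
# Trailing fields: postscreen separates them with ", ", smtpd with " ".
FIELD = re.compile(r"\b(from|to|helo)=<([^>]*)>|\b(proto)=(\w+)")

# Constructed sample lines (documentation addresses, not taken from the thread).
SAMPLE = [
    "Nov 23 02:28:16 mx postfix/postscreen[33859]: NOQUEUE: reject: RCPT from "
    "[192.0.2.10]:53404: 550 5.7.1 Service unavailable; client [192.0.2.10] "
    "blocked using zen.spamhaus.org; from=<a@example.com>, to=<b@example.net>, "
    "proto=SMTP, helo=<mail.example.org>",
    "Nov 23 05:43:03 mx postfix/smtpd[35246]: NOQUEUE: reject: RCPT from "
    "host.example.org[198.51.100.7]: 554 5.1.8 <c@example.invalid>: Sender address "
    "rejected: Domain not found; from=<c@example.invalid> to=<b@example.net> "
    "proto=ESMTP helo=<host.example.org>",
]

def parse_reject(line):
    """Return a dict for a NOQUEUE reject line, or None for any other line."""
    m = HEAD.search(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["ip"] = str(ipaddress.ip_address(rec["ip"]))
    except ValueError:
        return None
    rec["host"] = rec["host"] or None
    rec["port"] = int(rec["port"]) if rec["port"] else None
    # The reason may itself quote the sender, so split at the last "; from=<".
    reason, sep, tail = rec.pop("rest").rpartition("; from=<")
    rec["reason"] = reason if sep else tail
    # from/to/helo are client-supplied: store them as untrusted data.
    for f in FIELD.finditer("from=<" + tail if sep else ""):
        rec[f.group(1) or f.group(3)] = f.group(2) if f.group(1) else f.group(4)
    return rec

def rejects_per_client(lines):
    """Count parsed rejects per client IP address."""
    return Counter(r["ip"] for r in map(parse_reject, lines) if r)
```

Records from either daemon can then be written with parameterized queries into the same table that is keyed on client IP.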