Postscreen blacklist question

Jaap Bril

As a new user (postfix as well as postscreen) I monitor maillog to get a feel for how things work.

Today I noticed a site trying to AUTH from unknown (and I happen to know there is no possibly valid user at that address).

I decided to try out blacklisting:

postscreen_access.cidr:185.36.81.24 reject

Postscreen at once acknowledged the blacklisting but does not (yet?) block:

Oct 31 12:45:00 hermes postfix/postscreen[7300]: CONNECT from [185.36.81.24]:58505 to [192.168.30.11]:25
Oct 31 12:45:00 hermes postfix/postscreen[7300]: BLACKLISTED [185.36.81.24]:58505
Oct 31 12:45:01 hermes postfix/postscreen[7300]: PASS OLD [185.36.81.24]:58505
Oct 31 12:45:01 hermes postfix/smtpd/smtpd[7304]: connect from unknown[185.36.81.24]
Oct 31 12:45:01 hermes postfix/smtpd/smtpd[7304]: lost connection after AUTH from unknown[185.36.81.24]
Oct 31 12:45:01 hermes postfix/smtpd/smtpd[7304]: disconnect from unknown[185.36.81.24] ehlo=1 auth=0/1 commands=1/2

What am I missing?

Re: Postscreen blacklist question

Matus UHLAR - fantomas
On 31.10.18 13:16, Jaap Bril wrote:

>As a new user (postfix as well as postscreen) I monitor maillog to get
>a feel for how things work.
>
>Today I noticed a site trying to AUTH from unknown (and I happen to
>know there is no possibly valid user at that address).
>
>I decided to try out blacklisting:
>
>   *postscreen_access.cidr:185.36.81.24 reject*
>
>Postscreen at once acknowledged the blacklisting but does not (yet?) block:
>
>Oct 31 12:45:00 hermes postfix/postscreen[7300]: CONNECT from
>[185.36.81.24]:58505 to [192.168.30.11]:25
>Oct 31 12:45:00 hermes postfix/postscreen[7300]: *BLACKLISTED*
>[185.36.81.24]:58505
>Oct 31 12:45:01 hermes postfix/postscreen[7300]: *PASS OLD
>*[185.36.81.24]:58505
>Oct 31 12:45:01 hermes postfix/smtpd/smtpd[7304]: *connect from
>unknown*[185.36.81.24]
>Oct 31 12:45:01 hermes postfix/smtpd/smtpd[7304]: lost connection
>after AUTH from unknown[185.36.81.24]
>Oct 31 12:45:01 hermes postfix/smtpd/smtpd[7304]: disconnect from
>unknown[185.36.81.24] ehlo=1 auth=0/1 commands=1/2
>
>What am I missing?

http://www.postfix.org/postconf.5.html#postscreen_blacklist_action

postscreen_blacklist_action (default: ignore)

See more in:
http://www.postfix.org/POSTSCREEN_README.html

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."
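
A way to spot the situation from this thread in a maillog, as an added example that is not part of either post: the Python script below correlates postscreen events per [address]:port and reports connections that were logged as BLACKLISTED and then handed to smtpd anyway, which is what the default postscreen_blacklist_action of ignore produces. The function name and the sample lines marked as constructed are assumptions.

```python
import re

# The six log lines from the post (unwrapped), followed by five constructed
# lines using documentation addresses (192.0.2.10, 198.51.100.7) for contrast.
SAMPLE_LOG = """\
Oct 31 12:45:00 hermes postfix/postscreen[7300]: CONNECT from [185.36.81.24]:58505 to [192.168.30.11]:25
Oct 31 12:45:00 hermes postfix/postscreen[7300]: BLACKLISTED [185.36.81.24]:58505
Oct 31 12:45:01 hermes postfix/postscreen[7300]: PASS OLD [185.36.81.24]:58505
Oct 31 12:45:01 hermes postfix/smtpd/smtpd[7304]: connect from unknown[185.36.81.24]
Oct 31 12:45:01 hermes postfix/smtpd/smtpd[7304]: lost connection after AUTH from unknown[185.36.81.24]
Oct 31 12:45:01 hermes postfix/smtpd/smtpd[7304]: disconnect from unknown[185.36.81.24] ehlo=1 auth=0/1 commands=1/2
Oct 31 12:46:10 hermes postfix/postscreen[7300]: CONNECT from [192.0.2.10]:40001 to [192.168.30.11]:25
Oct 31 12:46:16 hermes postfix/postscreen[7300]: PASS NEW [192.0.2.10]:40001
Oct 31 12:47:00 hermes postfix/postscreen[7300]: CONNECT from [198.51.100.7]:40002 to [192.168.30.11]:25
Oct 31 12:47:00 hermes postfix/postscreen[7300]: BLACKLISTED [198.51.100.7]:40002
Oct 31 12:47:02 hermes postfix/postscreen[7300]: DISCONNECT [198.51.100.7]:40002
"""

# Only postscreen lines match; newer Postfix releases log DENYLISTED instead.
EVENT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ postfix/postscreen\[\d+\]: "
    r"(?P<event>CONNECT|BLACKLISTED|DENYLISTED|PASS (?:OLD|NEW)|DISCONNECT|HANGUP)\b"
    r".*?\[(?P<ip>[0-9A-Fa-f.:]+)\]:(?P<port>\d+)"
)

def find_ignored_listings(lines):
    """Return (timestamp, ip, port, event) for each connection that
    postscreen flagged as listed and then still passed on to smtpd."""
    listed = set()      # (ip, port) sessions flagged by the access list
    findings = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue    # smtpd and other non-postscreen lines
        key = (m["ip"], m["port"])
        event = m["event"]
        if event in ("BLACKLISTED", "DENYLISTED"):
            listed.add(key)
        elif event.startswith("PASS") and key in listed:
            findings.append((m["ts"], m["ip"], int(m["port"]), event))
        else:
            listed.discard(key)  # CONNECT, DISCONNECT, HANGUP or a clean PASS
    return findings

if __name__ == "__main__":
    for ts, ip, port, event in find_ignored_listings(SAMPLE_LOG.splitlines()):
        print(f"{ts}  [{ip}]:{port} was listed but got {event}; "
              "check `postconf postscreen_blacklist_action`")
```

On the sample it reports only the 185.36.81.24 connection from the post; the constructed client that was listed and then disconnected without a PASS is not reported.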