check_client_access not blocking /8 /16 /24 etc.


check_client_access not blocking /8 /16 /24 etc.

Philip
I'm curious to know what I've done wrong with my client checks file.

I can reject a specific IP but it won't reject when I use net blocks...
Format is listed below in client_checks.cf.

Suggestions, comments welcome.

main.cf.

smtpd_recipient_restrictions =
       permit_mynetworks,
       permit_sasl_authenticated,
       check_client_access hash:/etc/postfix/client_checks.cf,
       check_sender_access hash:/etc/postfix/sender_checks.cf,
       reject_unlisted_sender,
       reject_unauth_pipelining,
       reject_unauth_destination,
       reject_rbl_client bl.spamcop.net,
       reject_rbl_client psbl.surriel.com,
       reject_rbl_client b.barracudacentral.org,
       check_policy_service unix:private/policyd-spf,
       permit

client_checks.cf.

5.0.0.0/8 REJECT We have not seen your IP Address before.  Please visit
https://example.com?newip=5.0.0.0/8 to unblock your IP

I've run postmap client_checks.cf and have the file set up.



Re: check_client_access not blocking /8 /16 /24 etc.

Benny Pedersen-2
Philip wrote on 2018-07-11 04:24:

> check_client_access hash:/etc/postfix/client_checks.cf,

change hash here to cidr

> 5.0.0.0/8 REJECT We have not seen your IP Address before.  Please
> visit https://example.com?newip=5.0.0.0/8 to unblock your IP

and remember cidr does not need to be postmapped

it should be tested with

postmap -q 5.1.1.1 cidr:/etc/postfix/client_checks.cf

if it prints reject, it works :)

Re: check_client_access not blocking /8 /16 /24 etc.

Bill Cole-3
In reply to this post by Philip
On 10 Jul 2018, at 22:24 (-0400), Philip wrote:

> I'm curious to know what I've done wrong with my client checks file.
>
> I can reject a specific IP but it won't reject when I use net
> blocks... format is listed below in client_checks.cf
>
> Suggestions comments welcome.

Pick a table format and use it.

>
> main.cf.
>
> smtpd_recipient_restrictions =
>       permit_mynetworks,
>       permit_sasl_authenticated,
>       check_client_access hash:/etc/postfix/client_checks.cf,
[...]
>
> client_checks.cf.
>
> 5.0.0.0/8 REJECT We have not seen your IP Address before.  Please
> visit https://example.com?newip=5.0.0.0/8 to unblock your IP

That's CIDR format, not the domain/octet prefix form required for a
hashed access map.

See the man pages for access(5) and cidr_table(5) for the differences
and details, so you can pick one.

Also note: if you're going to reject all of 5.0.0.0/8 by default, you
might as well simplify and go with an overall default reject policy.



--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steadier Work: https://linkedin.com/in/billcole
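As an added illustration of the point both replies make (this is example code written for this page, not code from the thread or from Postfix), here is a small Python emulation of the two lookup strategies: the octet-prefix probing that access(5) describes for a hash: map keyed by client IP, and the first-match-in-file-order scan of cidr_table(5). The table contents are constructed samples; the lookup order is the part taken from the man pages.

```python
import ipaddress

# Constructed sample hash: table, as postmap would build it from an access(5) file.
# The first key is the original poster's line: a CIDR pattern in a hash map.
HASH_TABLE = {
    "5.0.0.0/8": "REJECT We have not seen your IP Address before.",
    "5.1.1.1": "REJECT single host",
    "192.0.2": "REJECT octet-prefix form that covers 192.0.2.0/24",
}

# Constructed sample cidr: table. Order matters: first match wins, so the
# host-specific allow must appear before the broader reject.
CIDR_TABLE = [
    ("192.0.2.5/32", "OK"),
    ("5.0.0.0/8", "REJECT We have not seen your IP Address before."),
    ("192.0.2.0/24", "REJECT whole network"),
]


def hash_lookup(client_ip, table):
    """Emulate check_client_access against a hash: map for an IPv4 client.

    access(5): the full address is tried first, then each successively
    shorter octet prefix (net.net.net, net.net, net). A key written as
    "a.b.c.d/8" is never generated, so it can never match.
    """
    octets = client_ip.split(".")
    for n in range(len(octets), 0, -1):
        key = ".".join(octets[:n])
        if key in table:
            return table[key]
    return None


def cidr_lookup(client_ip, table):
    """Emulate cidr_table(5): scan patterns in file order, first match wins."""
    addr = ipaddress.ip_address(client_ip)
    for pattern, result in table:
        if addr in ipaddress.ip_network(pattern, strict=False):
            return result
    return None


if __name__ == "__main__":
    for ip in ("5.1.1.1", "5.2.3.4", "192.0.2.5", "192.0.2.9"):
        print(ip, "hash:", hash_lookup(ip, HASH_TABLE), "| cidr:", cidr_lookup(ip, CIDR_TABLE))
```

On a real server the equivalent check is `postmap -q <ip> cidr:/etc/postfix/client_checks.cf` as Benny shows; the emulation only makes visible why a /8 line in a hash map silently does nothing.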