On 7/25/2016 14:38, Tim Daneliuk wrote:
> On 07/25/2016 01:20 PM, Shawn Bakhtiar wrote:
>> Recently a large body of clowncars have been targeting my sasl-enabled
>> https gateway (which I use for client machines and thus do in fact need)
>> and while sshguard picks up the attacks and tries to ban them, postfix
>> is ignoring the entries it makes which implies it is not linked with the
>> tcp wrappers.
>>
>> A quick look at the config for postfix doesn't disclose an obvious
>> configuration solution....did I miss it?
>>
>
> You can more-or-less run anything from a wrapper if you don't daemonize it
> and kick it off on-demand from inetd.  Essentially, you have inetd.conf
> configured with a stanza that - upon connection attempt - launches an
> instance of your desired program (postfix in this case), if and only
> if the hosts.allow rules are satisfied.
>
> This works nicely for smaller installations, but is very slow in high 
> arrival rate environments because each connection attempt incurs the full
> startup overhead of the program you're running.
>

Tcpwrapper works with many persistent system services (sshd being a
notable one) and integrates nicely, so you can use hosts.allow.  The
package (or default build in ports) for sshguard uses the hosts.allow file.

But, sshguard does know (if you build it by hand or use the right
subport) how to insert into an ipfw table instead.... so I switched over
to that.  I was rather curious, however, if/why postfix wasn't
integrated with the hosts.allow file as are many other system services
(or if I just missed the config option to turn it on) since it's offered
by FreeBSD as a "stock sendmail replacement" option for higher-volume
(and more-secure) sites....


-- 
Karl Denninger
k...@denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
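The thread turns on one detail of how tcp_wrappers decides access: a daemon only honours hosts.allow if it links against libwrap and calls hosts_access() itself (or is started through a wrapping inetd), so entries that sshguard writes there have no effect on a service that does neither. The following Python is an added example, not code from the thread or from sshguard, tcp_wrappers or FreeBSD: it models the hosts.allow evaluation (FreeBSD extended format, daemon_list : client_list : allow|deny, first match wins, no match means access) over a constructed rule file. The "###sshguard###" marker lines and the two deny entries between them are an assumption about what sshguard's hosts.allow backend writes, included only to show how such entries sort against a site's own rules; hostnames, EXCEPT lists, wildcards such as KNOWN/PARANOID and the separate hosts.deny file are deliberately left out.

```python
# Added example (not from the mailing-list thread): a minimal model of how
# tcp_wrappers evaluates hosts.allow rules in the FreeBSD extended format
# (daemon_list : client_list : allow|deny).  The rule text is constructed;
# the "###sshguard###" marker lines are an assumption about the form
# sshguard writes and are treated as comments here.
import ipaddress

CONSTRUCTED_HOSTS_ALLOW = """\
###sshguard###
ALL : 198.51.100.7 : deny
ALL : 203.0.113.0/255.255.255.0 : deny
###sshguard###
# site policy (constructed)
sshd : 192.0.2. : allow
ALL : 10.0.0.0/255.0.0.0 : allow
ALL : ALL : deny
"""


def parse_rules(text):
    """Return a list of (daemons, clients, action) tuples in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and markers
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % line)
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        # Without an explicit option, a hosts.allow entry grants access.
        action = fields[2].lower() if len(fields) > 2 else "allow"
        if action not in ("allow", "deny"):
            raise ValueError("unsupported option: %r" % fields[2])
        rules.append((daemons, clients, action))
    return rules


def client_matches(pattern, ip):
    """Match one client pattern (ALL, net/mask, dotted prefix, or address)."""
    addr = ipaddress.ip_address(ip)
    if pattern == "ALL":
        return True
    if "/" in pattern:                       # net/mask form, e.g. 10.0.0.0/255.0.0.0
        return addr in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):                # leading-octets prefix, e.g. 192.0.2.
        return ip.startswith(pattern)
    return addr == ipaddress.ip_address(pattern)


def daemon_matches(pattern, daemon):
    """Daemon patterns are either ALL or the wrapped program's name."""
    return pattern == "ALL" or pattern == daemon


def hosts_access(rules, daemon, ip):
    """First matching rule wins; with no match the service stays reachable.

    This check only runs for a daemon that actually consults tcp_wrappers;
    an unwrapped service never gets here, which is why entries written by
    sshguard into hosts.allow do not restrict it.
    """
    for daemons, clients, action in rules:
        if (any(daemon_matches(d, daemon) for d in daemons)
                and any(client_matches(c, ip) for c in clients)):
            return action
    return "allow"


if __name__ == "__main__":
    rules = parse_rules(CONSTRUCTED_HOSTS_ALLOW)
    for daemon, ip in [("sshd", "198.51.100.7"), ("smtpd", "203.0.113.9"),
                       ("sshd", "192.0.2.44"), ("ftpd", "10.1.2.3"),
                       ("sshd", "198.51.100.200")]:
        print("%-6s from %-15s -> %s" % (daemon, ip, hosts_access(rules, daemon, ip)))
```

Running it shows the ordering the thread relies on: the entries at the top of the file (where an automated banning tool would insert them) take precedence over the site's own allow rules further down, and the final ALL : ALL : deny closes everything else. What the model cannot do is make an unwrapped daemon consult these rules at all, which is the gap the original question describes.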