On my mail server:
mail# blacklistctl dump -br | tail
218.94.104.180/32:587 OK 3/3 4h12m17s
222.132.167.110/32:587 OK 3/3 1h59m1s
91.45.76.228/32:587 OK 3/3 5h1m53s
36.39.140.2/32:587 OK 3/3 5h9m34s
87.200.232.247/32:587 OK 6/3 4h3m9s
62.48.165.174/32:587 OK 99/3 8h37m15s
123.55.175.130/32:587 OK 4/3 8h15m35s
88.201.163.65/32:587 OK 4/3 4h20m37s
218.4.214.115/32:587 OK 15/3 58m17s
70.166.207.76/32:587 OK 13/3 8h21m19s
mail# blacklistctl dump -br | wc -l
704
mail# pfctl -a blacklistd/587 -t port587 -Ts | wc -l
609
The blacklisted IPs are in the pf tables. However, pf is not blocking them.
Using the next to last address above:
mail# grep 218.4.214.115 /var/log/maillog
Jun 9 10:21:57 mail postfix/postscreen[13719]: CONNECT from [218.4.214.115]:55584 to [10.0.1.230]:25
Jun 9 10:22:03 mail postfix/postscreen[13719]: PASS OLD [218.4.214.115]:55584
Jun 9 10:22:03 mail postfix/smtpd[15137]: connect from unknown[218.4.214.115]
Jun 9 10:22:09 mail postfix/smtpd[15137]: warning: unknown[218.4.214.115]: SASL PLAIN authentication failed: (reason unavailable), [email protected]
Jun 9 10:22:11 mail postfix/smtpd[15137]: NOQUEUE: lost connection after AUTH from unknown[218.4.214.115]
Jun 9 10:22:11 mail postfix/smtpd[15137]: disconnect from unknown[218.4.214.115] ehlo=1 auth=0/1 commands=1/2
That address was entered into the pf table approximately at 1 pm on Jun 8
(using the remaining time of approximately 1 hour). However, at 10 am on 9
Jun, it got through to postfix. It should have been blocked.
pfctl shows for the last rule:
@10 anchor "blacklistd/*" in on bge0 all
[ Evaluations: 102736 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 6053 State Creations: 0 ]
[ Last Active Time: N/A ]
pf is checking the tables, but not blocking anything. I suspect the rule
(taken from the handbook for blacklistd) is the culprit. However, I have no
idea how to correct that.
-- Doug
> On Jun 9, 2025, at 06:13, Patrick Proniewski <[email protected]> wrote:
>
> Hello,
>
>> On 9 Jun 2025, at 02:13, Doug Hardie via Postfix-users
>> <[email protected]> wrote:
>>
>> I believe that pf is not properly blocking IPs that are supposedly blocked
>> by blacklistd. In trying to test this, I am using postfix. However, I
>> don't seem to be able to get postfix to call blacklistd. The approach I am
>> using is to remove one of my machines from mynetworks using a !IPaddress.
>> That seems to work properly. I send using telnet to port 25 and give it
>> non-local addresses. Postfix responds with an appropriate snarky message.
>> However, traces of blacklistd show no calls for that address. What are the
>> conditions when blacklistd is called? Is it only for authentication
>> failures, as indicated in one web page? How can I test pf with postfix?
>
>
> Not sure I have a proper answer to your questions about testing, but you
> might want to double check /etc/blacklistd.conf. Especially to make sure your
> network is not «whitelisted».
>
> Mine looks like this:
>
> $ cat /etc/blacklistd.conf
> #
> # Blacklist rule
> # adr/mask:port type proto owner name nfail disable
> [local]
> ssh stream * * * 3 24h
> ftp stream * * * 3 24h
> smtp stream * * * 3 24h
> submission stream * * * 3 24h
> #6161 stream tcp6 christos * 2 10m
> * * * * * 3 60
>
> # adr/mask:port type proto owner name nfail disable
> [remote]
> #129.168.0.0/16 * * * = * *
> #6161 = = = =/24 = =
> #* stream tcp * = = =
>
> Obviously the blacklistd service must be started and your pf.conf must have
> an anchor for rules injection:
>
> anchor "blacklistd/*" in on $ext_if
>
> I successfully block offenders, both on ports 25 and 587. Example for port 25:
>
> $ sudo pfctl -a blacklistd/25 -t port25 -T show | wc -l
> 13
>
>
> patpro
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
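The check Doug did by hand above (grep one listed address out of maillog and compare the time it got through with the time blacklistd listed it) can be done for every table entry at once. The script below is an added example, not code from either poster or from the blacklistd or Postfix projects. It parses the text of `blacklistctl dump -br` and of postscreen CONNECT lines from /var/log/maillog, works out when each address was listed from the remaining time (it assumes a 24h "disable" value, as in the quoted blacklistd.conf, and an assumed wall-clock time for the dump; the sample dump and log lines are constructed, with the year taken from the thread headers), and reports connections that arrived after listing. It keeps two buckets on purpose: the per-port rule that blacklistd-helper loads into the pf anchor only blocks traffic from table portN to destination port N, so an address listed under :587 reaching port 25 is not evidence that pf is broken, while the same address reaching port 587 is.

```python
"""Correlate blacklistd's pf tables with Postfix connections (added example).

Parses `blacklistctl dump -br` text and postscreen CONNECT log lines and reports,
per listed address, connections that reached Postfix after the listing time,
separating hits on the blocked port (a real pf leak) from hits on other ports
(which the per-port table never covered).
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Assumptions, not taken from the thread: the "disable" value from
# blacklistd.conf (24h as in the quoted config), the wall-clock time the dump
# was taken, and the year for syslog lines (which carry none).
DISABLE = timedelta(hours=24)
DUMP_TAKEN_AT = datetime(2025, 6, 9, 12, 0, 0)
LOG_YEAR = 2025

# Constructed sample in `blacklistctl dump -br` format (addresses from the thread).
SAMPLE_DUMP = """\
218.4.214.115/32:587 OK 15/3 58m17s
62.48.165.174/32:587 OK 99/3 8h37m15s
"""

# Constructed sample postscreen CONNECT lines; the destination port is what matters.
SAMPLE_MAILLOG = """\
Jun  8 09:00:00 mail postfix/postscreen[13719]: CONNECT from [62.48.165.174]:40200 to [10.0.1.230]:587
Jun  9 10:21:57 mail postfix/postscreen[13719]: CONNECT from [218.4.214.115]:55584 to [10.0.1.230]:25
Jun  9 10:30:00 mail postfix/postscreen[13719]: CONNECT from [198.51.100.7]:51000 to [10.0.1.230]:25
Jun  9 11:05:12 mail postfix/postscreen[13719]: CONNECT from [62.48.165.174]:40211 to [10.0.1.230]:587
"""

_REMAINING = re.compile(r"(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")


def parse_remaining(text):
    """'8h37m15s' -> timedelta. Every component is optional, but at least one is required."""
    m = _REMAINING.fullmatch(text)
    if m is None or not any(m.groups()):
        raise ValueError(f"unrecognised remaining time: {text!r}")
    days, hours, mins, secs = (int(g or 0) for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=mins, seconds=secs)


def parse_dump(text, taken_at=DUMP_TAKEN_AT, disable=DISABLE):
    """Map (network, port) -> time the entry was listed, i.e. taken_at - (disable - remaining)."""
    listed = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or ":" not in fields[0]:
            continue  # header, blank line, or not an address entry
        cidr, port = fields[0].rsplit(":", 1)
        remaining = parse_remaining(fields[-1])
        net = ipaddress.ip_network(cidr.strip("[]"), strict=False)
        listed[(net, int(port))] = taken_at - (disable - remaining)
    return listed


_CONNECT = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"postfix/postscreen\[\d+\]: CONNECT from \[(?P<src>[^\]]+)\]:\d+ to \[[^\]]+\]:(?P<dport>\d+)$"
)


def parse_connects(text, year=LOG_YEAR):
    """Yield (timestamp, source address, destination port) for each postscreen CONNECT line."""
    for line in text.splitlines():
        m = _CONNECT.match(line)
        if m is None:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        yield ts, ipaddress.ip_address(m["src"]), int(m["dport"])


def find_leaks(dump_text, log_text, year=LOG_YEAR, taken_at=DUMP_TAKEN_AT, disable=DISABLE):
    """Return (leaks, uncovered), each a list of (timestamp, source, dest port, blocked port).

    leaks:     a listed address reached the port its table blocks, after being listed.
               pf should have dropped these.
    uncovered: a listed address reached some other port. The per-port table never
               applied to that traffic, so this is not evidence of a pf fault.
    Connections made before the listing time are ignored in both cases.
    """
    listed = parse_dump(dump_text, taken_at, disable)
    leaks, uncovered = [], []
    for ts, src, dport in parse_connects(log_text, year):
        for (net, port), since in listed.items():
            if src not in net or ts < since:
                continue
            (leaks if dport == port else uncovered).append((ts, str(src), dport, port))
    return leaks, uncovered


def main():
    leaks, uncovered = find_leaks(SAMPLE_DUMP, SAMPLE_MAILLOG)
    for ts, src, dport, port in leaks:
        print(f"LEAK      {ts} {src} reached port {dport} while listed in port{port}")
    for ts, src, dport, port in uncovered:
        print(f"UNCOVERED {ts} {src} reached port {dport}; table port{port} does not apply")


if __name__ == "__main__":
    main()
```

On a real box, feed it `blacklistctl dump -br` output and the maillog instead of the samples, and set DUMP_TAKEN_AT to when the dump was actually run; the 218.4.214.115 entry in the sample works out to a listing time of 12:58:17 on Jun 8, which agrees with the "approximately 1 pm" estimate above. Any line that lands in the LEAK bucket is worth checking against `pfctl -a blacklistd/587 -sr` to confirm the block rule is present in the anchor and is not preceded by a `pass ... quick` rule for that port in the main ruleset.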