On Sun, Jan 04, 2026 at 11:32:28AM +1300, Nick Tait via Postfix-users wrote:
> On 04/01/2026 10:18, Fred Morris via Postfix-users wrote:
> >
> > I don't see how they can be more brain-damaged than they already are,
> > they're already looping:
> >
> > 2026-01-02T17:36:15.671360-08:00 flame postfix/smtpd[4447]: connect
> > from scan.cypex.ai[3.137.73.221]
> > 2026-01-02T17:36:15.672050-08:00 flame postfix/smtpd[4447]: warning:
> > non-SMTP command from scan.cypex.ai[3.137.73.221]: GET / HTTP/1.1
> > 2026-01-02T17:36:15.672419-08:00 flame postfix/smtpd[4447]: disconnect
> > from scan.cypex.ai[3.137.73.221] unknown=0/1 commands=0/1
> > 2026-01-02T17:37:34.445451-08:00 flame postfix/smtpd[4447]: connect
> > from scan.cypex.ai[3.137.73.221]
> > 2026-01-02T17:37:34.446043-08:00 flame postfix/smtpd[4447]: warning:
> > non-SMTP command from scan.cypex.ai[3.137.73.221]: GET / HTTP/1.1
> > 2026-01-02T17:37:34.446334-08:00 flame postfix/smtpd[4447]: disconnect
> > from scan.cypex.ai[3.137.73.221] unknown=0/1 commands=0/1
> >
> This client is sending non-SMTP commands, so setting "smtpd_delay_reject =
> no" will make no difference. i.e. It would only make a difference if the
> client was sending HELO/EHLO, MAIL FROM, RCPT TO, etc.
Yes, but note that with:
smtpd_delay_reject = no
smtpd_client_restrictions =
check_client_access =
inline:{{scan.cypex.ai = REJECT 521 5.7.1 HTTP scans not welcome
here}}
The Postfix smtpd(8) service would hang up with a "521" greeting after
connect, without waiting for any client commands, though after resolving
the client's IP address.
I still don't think this is worth doing, but it is possible to drop the
client before reading the HTTP "GET".
--
Viktor. 🇺🇦 Слава Україні!
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
