On 10/2/2009 10:05 AM, Stan Hoeppner wrote:
Hi all,
I just had a Viagra spam from gprs4f7a24e6.pool.t-umts.hu
(gprs4f7a24e6.pool.t-umts.hu [79.122.36.230]) sneak past both of my pcre
checks which should have killed it. Until today they've been working
flawlessly, or so I believe, and I have ample log entries showing
they've been working. Here are my checks, both performed via
smtpd_client_restrictions but without explicit check_client_access:
smtpd_client_restrictions =
    pcre:/etc/postfix/access.pcre,
    pcre:/etc/postfix/check_client_fqdn.pcre
Better to use the proper syntax (although that's not the problem).
smtpd_client_restrictions =
    check_client_access pcre:/etc/postfix/access.pcre
    check_client_access pcre:/etc/postfix/check_client_fqdn.pcre
Any good excuse why these can't be combined into one pcre file?
/etc/postfix/access.pcre
/^.*?(lv|ec|id|ph|at|hu|tr|ee|pl|ro|my|co|tw|br|za|do|cz|bg|by|kr|jp|fr|cn|ru)$/i
    550 We do not accept mail from .$1 domains
/\.(lv|ec|...|ru)$/ REJECT ...
Don't specify useless leading wildcards. Don't use the /i flag
unless you really need it - this might be why it didn't match.
And both your maps would be more effective if you use them
with check_reverse_client_hostname_access rather than
check_client_access - this might also be why it didn't match.
Requires postfix 2.6 or newer.
http://www.postfix.org/postconf.5.html#check_reverse_client_hostname_access
/etc/postfix/check_client_fqdn.pcre
/\.?(dhcp|dialup|dynamic|ppp|pool)\.?/ REJECT
    Dynamic/DSL/Residential not allowed
/\.(dsl|\d+dsl|dsl\d+)\./ REJECT
    Dynamic/DSL/Residential not allowed
Logs show both killing spam yesterday. check_client_fqdn.pcre has
already killed some today, but nothing killed by access.pcre yet today.
Any idea what's gone awry? Is there a way I can test the offending
FQrDNS against these two filters from the command line, with postconf or
something? What log data should I be looking for that may tell me why
pcre checks suddenly stopped working, or just didn't work on this
Hungarian Viagra connection?
Test maps with postmap -q
http://www.postfix.org/postmap.1.html
# postmap -q key pcre:/etc/postfix/access.pcre
The key postfix used is in the mail log.
-- Noel Jones
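
The lookups discussed in this thread can be tried offline with the sketch below. It is an added example, not part of either message, and it emulates pcre table lookups with Python's `re` rather than running Postfix. The key `unknown` is an assumed case: it is the client name check_client_access sees when a reverse name fails forward confirmation, and nothing in the thread shows that this happened here.

```python
import re

# Tables transcribed from the thread as (pattern, flags, action).
ACCESS = [
    (r"^.*?(lv|ec|id|ph|at|hu|tr|ee|pl|ro|my|co|tw|br|za|do|cz|bg|by|kr|jp|fr|cn|ru)$",
     "i", "550 We do not accept mail from .$1 domains"),
]
FQDN = [
    (r"\.?(dhcp|dialup|dynamic|ppp|pool)\.?", "", "REJECT Dynamic/DSL/Residential not allowed"),
    (r"\.(dsl|\d+dsl|dsl\d+)\.", "", "REJECT Dynamic/DSL/Residential not allowed"),
]

REVERSE_NAME = "gprs4f7a24e6.pool.t-umts.hu"  # hostname quoted in the thread
ADDRESS = "79.122.36.230"                     # address quoted in the thread


def lookup(table, key):
    """Return the action of the first matching rule, or None (an empty postmap -q)."""
    for pattern, flags, action in table:
        # pcre_table(5): matching is case-insensitive by default and the "i"
        # flag toggles that, so a rule written /.../i is case-sensitive.
        re_flags = 0 if "i" in flags else re.IGNORECASE
        m = re.search(pattern, key, re_flags)
        if m:
            # Expand $1..$9 in the action text from the capture groups.
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), action)
    return None


def first_hit(keys):
    """Query both tables in main.cf order with every key; first action wins."""
    for table in (ACCESS, FQDN):
        for key in keys:
            hit = lookup(table, key)
            if hit:
                return hit
    return None


if __name__ == "__main__":
    # Keys a reverse-hostname check would use versus the assumed "unknown" case.
    for label, keys in (("reverse name", [REVERSE_NAME, ADDRESS]),
                        ("unknown name", ["unknown", ADDRESS])):
        print(f"{label:13} {keys} -> {first_hit(keys)}")
    print("upper-case key vs /i rule ->", lookup(ACCESS, REVERSE_NAME.upper()))
```

On a real server, confirm each result with `postmap -q` against the actual map files, using the key shown in the mail log.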