On 10/2/2009 10:05 AM, Stan Hoeppner wrote:
Hi all,

I just had a viagra spam from gprs4f7a24e6.pool.t-umts.hu
(gprs4f7a24e6.pool.t-umts.hu [79.122.36.230]) sneak past both of my pcre
checks which should have killed it.  Until today they've been working
flawlessly, or so I believe, and I have ample log entries showing
they've been working.  Here are my checks, both performed via
smtpd_client_restrictions but without explicit check_client_access:

smtpd_client_restrictions =
         pcre:/etc/postfix/access.pcre,
         pcre:/etc/postfix/check_client_fqdn.pcre

Better to use the proper syntax (although that's not the problem).

smtpd_client_restrictions =
  check_client_access pcre:/etc/postfix/access.pcre
  check_client_access pcre:/etc/postfix/check_client_fqdn.pcre

Any good excuse why these can't be combined into one pcre file?


/etc/postfix/access.pcre
/^.*?(lv|ec|id|ph|at|hu|tr|ee|pl|ro|my|co|tw|br|za|do|cz|bg|by|kr|jp|fr|cn|ru)$/i 550 We do not accept mail from .$1 domains

/\.(lv|ec|...|ru)$/  REJECT ...

Don't specify useless leading wildcards. Don't use the /i flag unless you really need it - this might be why it didn't match.

And both your maps would be more effective if you use them with check_reverse_client_hostname_access rather than check_client_access - this might also be why it didn't match. Requires postfix 2.6 or newer.
http://www.postfix.org/postconf.5.html#check_reverse_client_hostname_access


/etc/postfix/check_client_fqdn.pcre
/\.?(dhcp|dialup|dynamic|ppp|pool)\.?/       REJECT Dynamic/DSL/Residential not allowed
/\.(dsl|\d+dsl|dsl\d+)\./                    REJECT Dynamic/DSL/Residential not allowed

Logs show both killing spam yesterday.  check_client_fqdn.pcre has
already killed some today, but nothing killed by access.pcre yet today.

Any idea what's gone awry?  Is there a way I can test the offending
FQrDNS against these two filters from the command line, with postconf or
something?  What log data should I be looking for that may tell me why
pcre checks suddenly stopped working, or just didn't work on this
Hungarian Viagra connection?

Test maps with postmap -q
http://www.postfix.org/postmap.1.html

# postmap -q key pcre:/etc/postfix/access.pcre

The key postfix used is in the mail log.

  -- Noel Jones
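
Added example (not part of the original thread and not Postfix code): an offline approximation of the "postmap -q key pcre:..." test suggested above, using Python's re module in place of PCRE and following the pcre_table(5) rule that the /i flag toggles the default case-insensitive matching. The table copies are transcribed from the message with one rule per line; the keys "unknown" (the client name Postfix uses when it has no verified hostname) and "MAIL.EXAMPLE.HU" are constructed test inputs.

```python
import re

# Constructed copies of the two tables quoted in the thread, one rule per line.
ACCESS_PCRE = r"""
/^.*?(lv|ec|id|ph|at|hu|tr|ee|pl|ro|my|co|tw|br|za|do|cz|bg|by|kr|jp|fr|cn|ru)$/i 550 We do not accept mail from .$1 domains
"""
FQDN_PCRE = r"""
/\.?(dhcp|dialup|dynamic|ppp|pool)\.?/ REJECT Dynamic/DSL/Residential not allowed
/\.(dsl|\d+dsl|dsl\d+)\./ REJECT Dynamic/DSL/Residential not allowed
"""

# Simplified rule syntax: /pattern/flags action (no escaped "/" inside the pattern).
RULE = re.compile(r"^/(.*?)/([a-zA-Z]*)\s+(.*)$")

def parse_table(text):
    """Return [(compiled_regex, action)] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if m is None:
            raise ValueError("unparsable rule: " + line)
        pattern, flags, action = m.groups()
        # pcre_table(5): case-insensitive by default; "i" toggles that OFF.
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append((re.compile(pattern, re_flags), action))
    return rules

def lookup(rules, key):
    """First matching rule wins; $1..$9 in the action become capture groups."""
    for rx, action in rules:
        m = rx.search(key)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", action)
    return None

ACCESS = parse_table(ACCESS_PCRE)
FQDN = parse_table(FQDN_PCRE)

if __name__ == "__main__":
    # Try every key the mail log might show for the same connection.
    for key in ("gprs4f7a24e6.pool.t-umts.hu", "79.122.36.230",
                "unknown", "MAIL.EXAMPLE.HU"):
        print(key, "| access:", lookup(ACCESS, key), "| fqdn:", lookup(FQDN, key))
```

The rDNS name is rejected by both tables, while the bare IP address and "unknown" pass both, so which key appears in the mail log decides the outcome.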
