It can be nice to have stupid systems out there that repeatedly connect and try 
to deliver junk, which I can use for testing new rules. :)  I'm trying to test 
blacklists in postscreen.  From what I read in the postscreen readme, the 
following should work to block this IP, but alas the IP is still able to talk 
with smtpd. :(


I'm running version 2.9.1, configuration /usr/local/etc/postfix

May 12 19:20:55 mta01 postfix/postscreen[10488]: CONNECT from [211.155.26.83]:54916 to [192.168.7.30]:25
May 12 19:20:55 mta01 postfix/postscreen[10488]: BLACKLISTED [211.155.26.83]:54916
May 12 19:20:55 mta01 postfix/postscreen[10488]: PASS OLD [211.155.26.83]:54916

From what I've read in the readme:

        When the SMTP client address appears on the temporary whitelist, 
        postscreen(8) logs this with the client address and port number as:

            PASS OLD [address]:port

I don't understand why the IP would be whitelisted.  I had stopped postfix, 
removed the postscreen cache and restarted postfix, thus no cache and this is 
the first time the IP has connected. Any ideas?


May 12 19:21:10 mta01 postfix/smtpd[10510]: connect from unknown[211.155.26.83]
May 12 19:21:10 mta01 postfix/smtpd[10510]: 3VqdLt5d81zV3gb: client=unknown[211.155.26.83]
May 12 19:21:12 mta01 postfix/smtpd[10510]: 3VqdLt5d81zV3gb: reject: RCPT from unknown[211.155.26.83]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [211.155.26.83]; from=<postmas...@gcec.com.cn> to=<c...@balius.com> proto=ESMTP helo=<mail.gcec.com.cn>
May 12 19:21:13 mta01 postfix/smtpd[10510]: disconnect from unknown[211.155.26.83]

Then about 15 seconds later the client connects again, only this time it is 
talking with smtpd, not postscreen, which makes sense given the whitelisting 
that happened above, but is still not what I wanted to happen.


[root@mta01 /postfix]# grep postscreen main.cf
postscreen_access_list = permit_mynetworks,
        cidr:/usr/local/etc/postfix/maps/postscreen_access.cidr
postscreen_greet_action = enforce
postscreen_pipelining_action = enforce
postscreen_pipelining_enable = yes
postscreen_non_smtp_command_action = drop
postscreen_non_smtp_command_enable = yes
postscreen_bare_newline_action = ignore
postscreen_bare_newline_enable = yes


[root@mta01 /postfix]# cat maps/postscreen_access.cidr 
#Rules are evaluated in the order as specified
#
# example:
# 192.168.0.1           permit
# 192.168.0.0/16        reject
#
211.155.26.83           reject


Thank you,
Chad
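
A way to scan a mail log for the symptom described in this message, where a client is logged as BLACKLISTED by postscreen and still reaches smtpd. This is an added example, not part of the original post; the log lines are constructed in the post's format using documentation addresses, and the function name is hypothetical.

```python
import re

# Constructed sample log in the syslog format shown in the post
# (addresses are from the documentation ranges, not real clients).
SAMPLE_LOG = """\
May 12 19:20:55 mta01 postfix/postscreen[10488]: CONNECT from [203.0.113.7]:54916 to [192.0.2.30]:25
May 12 19:20:55 mta01 postfix/postscreen[10488]: BLACKLISTED [203.0.113.7]:54916
May 12 19:20:55 mta01 postfix/postscreen[10488]: PASS OLD [203.0.113.7]:54916
May 12 19:21:10 mta01 postfix/smtpd[10510]: connect from unknown[203.0.113.7]
May 12 19:21:20 mta01 postfix/postscreen[10488]: CONNECT from [198.51.100.9]:40122 to [192.0.2.30]:25
May 12 19:21:26 mta01 postfix/postscreen[10488]: PASS NEW [198.51.100.9]:40122
May 12 19:21:26 mta01 postfix/smtpd[10511]: connect from unknown[198.51.100.9]
"""

# postscreen verdict lines: "<EVENT> [address]:port"
POSTSCREEN = re.compile(
    r"postfix/postscreen\[\d+\]: (BLACKLISTED|PASS OLD|PASS NEW) \[([^\]]+)\]:\d+"
)
# smtpd session start: "connect from hostname[address]"
SMTPD = re.compile(r"postfix/smtpd\[\d+\]: connect from \S*\[([^\]]+)\]")


def blacklisted_but_delivered(log_text):
    """Map each client IP that logged BLACKLISTED and later reached smtpd
    to the postscreen events seen for it up to that point."""
    history = {}   # ip -> postscreen events in log order
    leaked = {}    # ip -> events recorded when smtpd accepted the connection
    for line in log_text.splitlines():
        m = POSTSCREEN.search(line)
        if m:
            history.setdefault(m.group(2), []).append(m.group(1))
            continue
        m = SMTPD.search(line)
        if m and "BLACKLISTED" in history.get(m.group(1), []):
            leaked[m.group(1)] = list(history[m.group(1)])
    return leaked


if __name__ == "__main__":
    for ip, events in blacklisted_but_delivered(SAMPLE_LOG).items():
        print(f"{ip}: postscreen logged {events} but smtpd accepted the connection")
```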
