From: Shawn Bakhtiar
To: "freebsd-stable@freebsd.org"
Subject: Re: Postfix and tcpwrappers?
Date: Mon, 25 Jul 2016 18:20:52 +0000

On Jul 25, 2016, at 10:32 AM, Karl Denninger wrote:

> On 7/25/2016 12:04, Ronald Klop wrote:
>> On Mon, 25 Jul 2016 18:48:25 +0200, Karl Denninger wrote:
>>> This may not belong in "stable", but since Postfix is one of the high-performance alternatives to sendmail....
>>>
>>> Question is this -- I have sshguard protecting connections inbound, but Postfix appears to be ignoring it, which implies that it is not paying attention to the hosts.allow file (and the wrapper that enables it.)
>>>
>>> Recently a large body of clowncars have been targeting my sasl-enabled https gateway (which I use for client machines and thus do in fact need) and while sshguard picks up the attacks and tries to ban them, postfix is ignoring the entries it makes which implies it is not linked with the tcp wrappers.
>>>
>>> A quick look at the config for postfix doesn't disclose an obvious configuration solution....did I miss it?
>>
>> Don't know if postfix can handle tcp wrappers, but I use bruteblock [1] for protecting connections via the ipfw firewall. I use this for ssh and postfix.
>
> I recompiled sshguard to use ipfw and stuck the table lookup in my firewall config..... works, and is software-agnostic (thus doesn't care if something was linked against tcpwrappers or not.)

I would triple concur with the above advice. Using ipfw is a much better choice (especially at high volume) as ipfw works primarily at layer 3 (and in the kernel itself), whereas tcp wrappers works at layer 7 (requiring application awareness).

Here are the handbook references:
https://www.freebsd.org/doc/handbook/tcpwrappers.html
https://www.freebsd.org/doc/handbook/firewalls-ipfw.html

> --
> Karl Denninger
> karl@denninger.net
> /The Market Ticker/
> /[S/MIME encrypted email preferred]/
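
The approach the thread settles on (count failed logins per source, then block the source through an ipfw table lookup rather than through tcp wrappers), reduced to its core as an added example; it is not code from any poster, from sshguard or from bruteblock. The log lines are constructed, and the function names, the table number 22 and the threshold of 3 are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample maillog lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
Jul 25 10:01:02 mail postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 25 10:01:04 mail postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 25 10:01:09 mail postfix/smtpd[1240]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed:
Jul 25 10:02:11 mail postfix/smtpd[1250]: warning: pc.example.org[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 25 10:02:30 mail postfix/smtpd[1251]: connect from unknown[192.0.2.44]
Jul 25 10:03:00 mail postfix/smtpd[1260]: warning: unknown[2001:db8::bad]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 25 10:03:01 mail postfix/smtpd[1260]: warning: unknown[2001:db8::bad]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 25 10:03:02 mail postfix/smtpd[1260]: warning: unknown[2001:db8::bad]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

# Only the bracketed client address is captured; the hostname before it comes
# from reverse DNS and is never used.
FAILED = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[([0-9A-Fa-f:.]+)\]: "
    r"SASL \S+ authentication failed")

def failed_auth_sources(log_text):
    """Count SASL authentication failures per client address."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            # Parse before use: log content is influenced by the remote side.
            hits[ip_address(m.group(1))] += 1
        except ValueError:
            continue
    return hits

def ban_commands(log_text, threshold=3, table=22, allow=()):
    """Return ipfw commands that add repeat offenders to a lookup table."""
    nets = [ip_network(n) for n in allow]  # networks that must never be banned
    cmds = []
    for addr, count in sorted(failed_auth_sources(log_text).items(), key=lambda kv: str(kv[0])):
        if count < threshold or any(addr.version == n.version and addr in n for n in nets):
            continue
        cmds.append(f"ipfw table {table} add {addr}")
    return cmds

if __name__ == "__main__":
    # Matching firewall rule, loaded once: ipfw add deny ip from 'table(22)' to me
    print("\n".join(ban_commands(SAMPLE_LOG)))
```

Because the deny rule matches on the table in the kernel, it applies to Postfix, sshd and anything else listening on the host, whether or not the daemon was linked against tcp wrappers.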