Date: Mon, 25 Jul 2016 21:48:56 +0200 From: Willem Jan Withagen <wjw@digiware.nl> To: Karl Denninger <karl@denninger.net>, freebsd-stable@freebsd.org Subject: Re: Postfix and tcpwrappers? Message-ID: <1308b751-450d-4c73-6a49-746d53031b11@digiware.nl> In-Reply-To: <c5fc2cb8-faa6-ffe5-887a-dc07b242f694@denninger.net> References: <a3ad16f6-3bae-68dd-d4c7-9ed7cd223aa5@denninger.net> <op.yk51o9vtkndu52@ronaldradial.radialsg.local> <c5fc2cb8-faa6-ffe5-887a-dc07b242f694@denninger.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On 25-7-2016 19:32, Karl Denninger wrote: > On 7/25/2016 12:04, Ronald Klop wrote: >> On Mon, 25 Jul 2016 18:48:25 +0200, Karl Denninger >> <karl@denninger.net> wrote: >> >>> This may not belong in "stable", but since Postfix is one of the >>> high-performance alternatives to sendmail.... >>> >>> Question is this -- I have sshguard protecting connections inbound, but >>> Postfix appears to be ignoring it, which implies that it is not paying >>> attention to the hosts.allow file (and the wrapper that enables it.) >>> >>> Recently a large body of clowncars have been targeting my sasl-enabled >>> https gateway (which I use for client machines and thus do in fact need) >>> and while sshguard picks up the attacks and tries to ban them, postfix >>> is ignoring the entries it makes which implies it is not linked with the >>> tcp wrappers. >>> >>> A quick look at the config for postfix doesn't disclose an obvious >>> configuration solution....did I miss it? >>> >> >> Don't know if postfix can handle tcp wrappers, but I use bruteblock >> [1] for protecting connections via the ipfw firewall. I use this for >> ssh and postfix. Given the fact that both tcpwrappers and postfix originate from the same author (Wietse Venenma) I'd be very surprised it you could not do this. http://www.postfix.org/linuxsecurity-200407.html But grepping the binary for libwrap it does seems to be the case. Note that you can also educate sshguard to actually use a script to do whatever you want it to do. I'm using it to add rules to an ipfw table that is used in a deny-rule. Reloading the fw keeps the deny-rules, flushing the table deletes all blocked hosts without reloading the firewall. Both times a bonus. --WjW --WjW
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1308b751-450d-4c73-6a49-746d53031b11>