From owner-freebsd-stable@freebsd.org Mon Jul 25 19:49:01 2016
Subject: Re: Postfix and tcpwrappers?
To: Karl Denninger, freebsd-stable@freebsd.org
From: Willem Jan Withagen
Message-ID: <1308b751-450d-4c73-6a49-746d53031b11@digiware.nl>
Date: Mon, 25 Jul 2016 21:48:56 +0200
List-Id: Production branch of FreeBSD source code

On 25-7-2016 19:32, Karl Denninger wrote:
> On 7/25/2016 12:04, Ronald Klop wrote:
>> On Mon, 25 Jul 2016 18:48:25 +0200, Karl Denninger wrote:
>>
>>> This may not belong in "stable", but since Postfix is one of the
>>> high-performance alternatives to sendmail....
>>>
>>> Question is this -- I have sshguard protecting connections inbound, but
>>> Postfix appears to be ignoring it, which implies that it is not paying
>>> attention to the hosts.allow file (and the wrapper that enables it.)
>>>
>>> Recently a large body of clowncars have been targeting my sasl-enabled
>>> https gateway (which I use for client machines and thus do in fact need)
>>> and while sshguard picks up the attacks and tries to ban them, postfix
>>> is ignoring the entries it makes which implies it is not linked with the
>>> tcp wrappers.
>>>
>>> A quick look at the config for postfix doesn't disclose an obvious
>>> configuration solution....did I miss it?
>>>
>>
>> Don't know if postfix can handle tcp wrappers, but I use bruteblock
>> [1] for protecting connections via the ipfw firewall. I use this for
>> ssh and postfix.

Given the fact that both tcpwrappers and postfix originate from the same
author (Wietse Venema) I'd be very surprised if you could not do this.
http://www.postfix.org/linuxsecurity-200407.html

But grepping the binary for libwrap, it does seem to be the case.

Note that you can also educate sshguard to actually use a script to do
whatever you want it to do. I'm using it to add rules to an ipfw table
that is used in a deny-rule. Reloading the fw keeps the deny-rules;
flushing the table deletes all blocked hosts without reloading the
firewall. Both times a bonus.

--WjW
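An added illustration of the table-driven ipfw setup described in the message above (example code, neither sshguard's nor the poster's own): a small backend script in the shape of sshguard's `sshg-fw` stdin protocol (assumed here to be one `cmd addr addrtype cidr` line per event), where the table number, the `IPFW` override and the rule number are all assumptions chosen for the example.

```shell
#!/bin/sh
# Hypothetical sshguard-style firewall backend: every block/release/flush
# event becomes an edit of one ipfw table, while a single deny rule that
# references the table stays in the rule set across firewall reloads.
TABLE="${SSHG_IPFW_TABLE:-22}"   # assumption: a table number not used elsewhere
IPFW="${IPFW:-ipfw}"             # set IPFW=echo to dry-run on a box without ipfw

# One-time setup: the deny rule refers to the table, not to addresses, so
# reloading the rule set keeps the rule and emptying the table needs no reload.
setup_rule() {
    "$IPFW" -q add 100 deny ip from "table($TABLE)" to any   # rule number assumed
}

# Map one backend command onto the matching ipfw table operation.
# Arguments: cmd addr addrtype cidr (cidr defaults to a host mask).
# Returns 1 for a command it does not recognise.
handle() {
    cmd=$1; addr=$2; kind=${3:-4}; cidr=$4
    if [ -z "$cidr" ]; then
        if [ "$kind" = 6 ]; then cidr=128; else cidr=32; fi
    fi
    case "$cmd" in
        block)   "$IPFW" -q table "$TABLE" add "$addr/$cidr" ;;
        release) "$IPFW" -q table "$TABLE" delete "$addr/$cidr" ;;
        flush)   "$IPFW" -q table "$TABLE" flush ;;   # drops every blocked host at once
        *)       return 1 ;;
    esac
}

# Main loop: read "cmd addr addrtype cidr" lines from stdin until EOF.
backend() {
    while read -r cmd addr kind cidr; do
        handle "$cmd" "$addr" "$kind" "$cidr" \
            || printf 'unknown backend command: %s\n' "$cmd" >&2
    done
}

# Usage: printf 'block 203.0.113.5 4 32\n' | IPFW=echo sh this_script run
if [ "${1:-}" = run ]; then
    backend
fi
```

With `IPFW=echo` the script prints the ipfw command lines it would execute, which is also how the sample below checks it; the addresses used there are constructed documentation addresses.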