From: Per Hedeland <per@hedeland.org>
To: Tim Daneliuk, FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: sendmail/saslauthd Domain Blocking
Date: Mon, 7 Oct 2019 18:56:52 +0200
In-Reply-To: <2fc80d5e-0092-77b3-e6c1-f5bbb38e72fe@tundraware.com>

On 2019-10-07 16:48, Tim Daneliuk wrote:
> I block unwanted domains from sending mail to one of our servers by
> putting it on the reject list in /etc/mail/access.
>
> I am seeing distributed brute force attempts to use that same
> server as a relay. These are coming from a few domains.
> So far, these attempts have failed but I'd like to be proactive in
> preventing future such intrusions.
>
> Is there an equivalent way to block entire domains and/or subdomains
> from ever even connecting to saslauthd?

I'm not sure exactly what you're asking, since you seem to already have
the answer...

At least in the context of sendmail (and I believe it is the same in
other contexts), no external entities connect directly to saslauthd,
only sendmail does that. So you need to reject connections from those
domains to sendmail - which you can do with e.g. access_db a.k.a.
/etc/mail/access. E.g. an entry

    Connect:example.com    REJECT

will reject connections from hosts that have an IP address that
reverse-resolves to anything in the example.com domain. See
/usr/share/sendmail/cf/README for the details.

Of course using a firewall of your choice (ipf/pf/ipfw) may be an
alternative, to block the connections before they even reach sendmail -
they can't work with "domains", but IP address ranges may be equally
useful.

--Per Hedeland
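The following is an added, constructed model of how the access_db "Connect:" lookup described above decides whether a connecting client is accepted; it is not sendmail's code and not part of the thread. It parses a small, constructed /etc/mail/access text (the file `makemap` would compile), then walks the lookup order the sendmail README documents in simplified form: the client's reverse-resolved name in full and then each parent domain, followed by the client IP in full and then each shorter dotted prefix, trying the "Connect:"-tagged key before the untagged key at every step. The hostnames, addresses and map entries are invented. The point a defender should take from it is the caveat the reply hints at: a domain entry only fires when the client IP reverse-resolves into that domain, so a client with no PTR record slips past a domain-based REJECT and is only caught by an IP-prefix entry (or a firewall rule).

```python
"""Simplified model of sendmail access_db "Connect:" lookups.

Constructed example, not sendmail's own implementation. Lookup order
modelled after /usr/share/sendmail/cf/README: host name (full, then each
parent domain), then IP address (full, then shorter dotted prefixes);
for each candidate key the tagged "Connect:" form is tried before the
untagged form, and the first hit wins.
"""
from __future__ import annotations

from typing import Dict, List, Optional

# Constructed /etc/mail/access contents (hypothetical hosts and addresses).
ACCESS_TEXT = """\
# key                       value
Connect:example.com         REJECT
Connect:mail.example.com    OK
Connect:10.20.30            REJECT
partner.example.net         RELAY
"""


def parse_access(text: str) -> Dict[str, str]:
    """Parse the text form of the access map into {key: action}.

    Keys are folded to lower case, mirroring the default behaviour of
    makemap (which folds keys unless told otherwise).
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        table[key.lower()] = value.strip()
    return table


def lookup_candidates(hostname: Optional[str], ip: str) -> List[str]:
    """Return the keys sendmail would try, in order, for one client.

    hostname is the reverse-resolved name, or None when the client IP has
    no PTR record (sendmail then only has the bracketed address to work
    with, so no domain entry can match).
    """
    cands: List[str] = []
    if hostname:
        labels = hostname.lower().rstrip(".").split(".")
        # full name, then every parent domain (this model goes down to the
        # last label; see the README for the exact rules)
        for i in range(len(labels)):
            cands.append(".".join(labels[i:]))
    octets = ip.split(".")
    # full address, then 10.20.30, 10.20, 10
    for n in range(len(octets), 0, -1):
        cands.append(".".join(octets[:n]))
    return cands


def connect_decision(table: Dict[str, str], hostname: Optional[str],
                     ip: str, default: str = "OK") -> str:
    """Decide the Connect: action for a client (first matching key wins)."""
    for key in lookup_candidates(hostname, ip):
        for form in (f"connect:{key}", key):
            if form in table:
                return table[form]
    return default


if __name__ == "__main__":
    t = parse_access(ACCESS_TEXT)
    # Constructed connection attempts: (reverse-resolved name, client IP)
    attempts = [
        ("bad.example.com", "198.51.100.7"),     # domain entry -> REJECT
        ("mail.example.com", "198.51.100.8"),    # more specific host -> OK
        ("relay.partner.example.net", "198.51.100.9"),  # untagged -> RELAY
        (None, "10.20.30.40"),                   # no PTR, IP prefix -> REJECT
        (None, "203.0.113.9"),                   # no PTR, no IP entry -> OK
    ]
    for name, addr in attempts:
        print(f"{name or '[' + addr + ']':28} {addr:15} -> "
              f"{connect_decision(t, name, addr)}")
```

The last two attempts are the ones worth noticing: the same policy that rejects bad.example.com says nothing about a host in that domain whose address has no reverse record, which is why the reply's firewall suggestion (IP ranges rather than domains) is a complementary control rather than a redundant one.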