Subject: Re: Postfix and tcpwrappers?
From: Tim Daneliuk
To: Shawn Bakhtiar, freebsd-stable@freebsd.org
Date: Mon, 25 Jul 2016 14:38:20 -0500

On 07/25/2016 01:20 PM, Shawn Bakhtiar wrote:
> Recently a large body of clowncars have been targeting my sasl-enabled
> https gateway (which I use for client machines and thus do in fact need)
> and while sshguard picks up the attacks and tries to ban them, postfix
> is ignoring the entries it makes which implies it is not linked with the
> tcp wrappers.
>
> A quick look at the config for postfix doesn't disclose an obvious
> configuration solution....did I miss it?

You can more-or-less run anything from a wrapper if you don't daemonize it and kick it off on-demand from inetd. Essentially, you have inetd.conf configured with a stanza that, upon connection attempt, launches an instance of your desired program (postfix in this case), if and only if the hosts.allow rules are satisfied.

This works nicely for smaller installations, but is very slow in high arrival rate environments because each connection attempt incurs the full startup overhead of the program you're running.
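The shape of the inetd.conf stanza and hosts.allow rules the reply describes, as an added illustration that is not part of the thread. It assumes FreeBSD's inetd started with its -w flag (which makes inetd itself consult hosts.allow for external services), a hypothetical daemon path /usr/local/libexec/smtpd-stub standing in for whatever program is launched per connection, and constructed client addresses.

```conf
# /etc/inetd.conf (added example; the daemon path is a placeholder)
# service  socket  proto  wait    user  program                        args
smtp       stream  tcp    nowait  root  /usr/local/libexec/smtpd-stub  smtpd-stub

# /etc/rc.conf: run inetd with tcp wrapper checks enabled for external services
inetd_enable="YES"
inetd_flags="-w"

# /etc/hosts.allow: first matching rule wins; the daemon field is the
# argv[0] given in inetd.conf. The deny lines are the kind of entry a
# banning tool appends; the final line keeps everyone else served.
smtpd-stub : 203.0.113.45 : deny
smtpd-stub : 192.0.2.0/24 : deny
smtpd-stub : ALL : allow
```

Because inetd evaluates hosts.allow before exec'ing the program, a denied client is refused without ever paying the program's startup cost; only accepted connections incur the per-connection overhead the reply warns about.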