FreeBSD Mail Archives

Date:      Mon, 25 Jul 2016 14:46:46 -0500
From:      Karl Denninger <karl@denninger.net>
To:        freebsd-stable@freebsd.org
Subject:   Re: Postfix and tcpwrappers?
Message-ID:  <43294d7b-d70b-de92-ffa4-5c969f3df386@denninger.net>
In-Reply-To: <b37c4eb8-7a41-df22-f100-d276af6946cb@tundraware.com>
References:  <a3ad16f6-3bae-68dd-d4c7-9ed7cd223aa5@denninger.net> <op.yk51o9vtkndu52@ronaldradial.radialsg.local> <c5fc2cb8-faa6-ffe5-887a-dc07b242f694@denninger.net> <CY1PR14MB052028E7772BEDE8E74854C7C40D0@CY1PR14MB0520.namprd14.prod.outlook.com> <b37c4eb8-7a41-df22-f100-d276af6946cb@tundraware.com>


[-- Attachment #1 --]
On 7/25/2016 14:38, Tim Daneliuk wrote:
> On 07/25/2016 01:20 PM, Shawn Bakhtiar wrote:
>> ecently a large body of clowncars have been targeting my sasl-enabled
>> https gateway (which I use for client machines and thus do in fact need)
>> and while sshguard picks up the attacks and tries to ban them, postfix
>> is ignoring the entries it makes which implies it is not linked with the
>> tcp wrappers.
>>
>> A quick look at the config for postfix doesn't disclose an obvious
>> configuration solution....did I miss it?
>>
>
> You can more-or-less run anything from a wrapper if you don't daemonize it
> and kick it off on-demand from inetd.  Essentially, you have inetd.conf
> configured with a stanza that - upon connection attempt - launches an
> instance of your desired program (postfix in this case), if and only
> if the hosts.allow rules are satisfied.
>
> This works nicely for smaller installations, but is very slow in high 
> arrival rate environments because each connection attempt incurs the full
> startup overhead of the program you're running.
>

Tcpwrapper works with many persistent system services (sshd being a
notable ones) and integrates nicely, so you can use hosts.allow.  The
package (or default build in ports) for sshguard uses the hosts.allow file.

But, sshguard does know (if you build it by hand or use the right
subport) how to insert into an ipfw table instead.... so I switched over
to that.  I was rather curious, however, if/why postfix wasn't
integrated with the hosts.allow file as are many other system services
(or if I just missed the config option to turn it on) since it's offered
by FreeBSD as a "stock sendmail replacement" option for higher-volume
(and more-secure) sites....


-- 
Karl Denninger
karl@denninger.net <mailto:karl@denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/

[-- Attachment #2 --]
0�	*�H��
��0�10
	`�He0�	*�H��
��_0�[0�C�)0
	*�H��
0��10	UUS10UFlorida10U	Niceville10U
Cuda Systems LLC10UCuda Systems LLC CA1"0 	*�H��
	Cuda Systems LLC CA0
150421022159Z
200419022159Z0Z10	UUS10UFlorida10U
Cuda Systems LLC10UKarl Denninger (OCSP)0�"0
	*�H��
�0�
���X�@v�kY�
�T��q/v�E�]��5#�֯�MX����\8��L�J/V?�5���Da�+
��sJ��c�*��/�r�{ȼ�n��S�+�w"�)���ąZ^�Dt��dC�OZ�� ~7��Q ��'��@���a#i�j�c۴oZdB&���!�Ӝ���-�<	�?��H���N���5���y
5�}F�|ef゘��"V��لi��o��7��4���zn�">����a����1q�Wuɖ�b�F��e�GE�&�3(��K�h����ix�G�3���!��#�e_X�Ƭ����Ϝ/,��$�+�;�4y��'�B�z<qT�9����_?rRU�pn�5
��Jn&R��x/�p J�yel�*�pN�8�/#�9�u����/��YP�E��C)T����Y>��~/˘N[������v��yi���DKˉ�,�^�"� ?�$��T8����v�&�����K�%z��8�C @?�K{�9�f`��+���@,|����M��bia���0��07++0)0'+0�http://cudasystems.net:88880	U00	`�H��B�0U�0,	`�H��B
OpenSSL Generated Certificate0U��-��h\F����f ��Y0U#0�$q���}��ݽ�ʒ����m50U0�karl@denninger.net0
	*�H��
�Ow�b��a�bɺx�&��Uk�[��(O�j��!����%�p��MQ�0I�!#�Q��H��}.>~2���&D}�<�wm_>�V6�v��]�f��>=�N�n�+8;q �wfΰ����/��R�LyU��G#�b�}n�!D����ր_��up�|��_�ǰ��c��/�%ۥ���
�nN8:�d��;�-�UJ��d/�m��1~Vނי���nN I˾$t�F1&}�|?q?�\đ�X��ԑ�&\�4V�<lK������ۮ3%Am_����(��q����-(c����Ae�G�X)f}�-˥6c��v~��K�g�8m~v��;|�9�:-i�A����P��қ�6�ېn�-���.)�<[�$KJ�t�����t/L4�ᖣ�^Cm�u4v�b{+�B�G�$M���0c�\��[M�R�|�0FԸ�����P&7����8�"4p������#���}��DZ�9;V�9�#>�S�w"��[�UP7�1�0�0��0��10	UUS10UFlorida10U	Niceville10U
Cuda Systems LLC10UCuda Systems LLC CA1"0 	*�H��
	Cuda Systems LLC CA)0
	`�He��M0	*�H��
	1	*�H��
0	*�H��
	1
160725194646Z0O	*�H��
	1B@c1����'��8��?7`X�*th�I���X���\,����m���F�����.j�d���P�Q�0l	*�H��
	1_0]0	`�He*0	`�He0
*�H��
0*�H��
�0
*�H��
@0+0
*�H��
(0��	+�71��0��0��10	UUS10UFlorida10U	Niceville10U
Cuda Systems LLC10UCuda Systems LLC CA1"0 	*�H��
	Cuda Systems LLC CA)0��*�H��
	1�����0��10	UUS10UFlorida10U	Niceville10U
Cuda Systems LLC10UCuda Systems LLC CA1"0 	*�H��
	Cuda Systems LLC CA)0
	*�H��
�fGz�v�[]�Ꜭ�����rՊ�o�(�h;6�
>���I�qh'���x��?��a�o�z�Ѡ�2L	x�Ç�
���c�6���m߁M`�i��]<-E{��˶�t�}�CAY��9$+���D>/��
��;�W1��-����U��풣�}�|o9��bE�ᔣo@����L�����Ss�|��y�r�X|��ب!;+�=T 騄7c2��č*"GIa)�l��{HS�Ew����+�e3 �b�5acH�o8�Q�"LhS�F�����!|m����?���6�+i�(F*_�!�1�?/��Y��&���&V*vY� m���ZW���*b�$7�"�
��4e�����5i4��[b��5��Ǒ�I���t��6Q�|a���/����7��_
:=����d��l��C����&�+�}y
I�w�
��cW�~Ѿ2��Z��P�dQ���y����d�	eoMD1fL���R'�,P^
2��z���4���?ɧ9��

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?43294d7b-d70b-de92-ffa4-5c969f3df386>

Header And Logo

Peripheral Links

Site Navigation

Header And Logo

Peripheral Links

Search

Site Navigation