Date: Mon, 25 Jul 2016 14:46:46 -0500 From: Karl Denninger <karl@denninger.net> To: freebsd-stable@freebsd.org Subject: Re: Postfix and tcpwrappers? Message-ID: <43294d7b-d70b-de92-ffa4-5c969f3df386@denninger.net> In-Reply-To: <b37c4eb8-7a41-df22-f100-d276af6946cb@tundraware.com> References: <a3ad16f6-3bae-68dd-d4c7-9ed7cd223aa5@denninger.net> <op.yk51o9vtkndu52@ronaldradial.radialsg.local> <c5fc2cb8-faa6-ffe5-887a-dc07b242f694@denninger.net> <CY1PR14MB052028E7772BEDE8E74854C7C40D0@CY1PR14MB0520.namprd14.prod.outlook.com> <b37c4eb8-7a41-df22-f100-d276af6946cb@tundraware.com>
next in thread | previous in thread | raw e-mail | index | archive | help
This is a cryptographically signed message in MIME format. --------------ms080003090008060100040205 Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable On 7/25/2016 14:38, Tim Daneliuk wrote: > On 07/25/2016 01:20 PM, Shawn Bakhtiar wrote: >> ecently a large body of clowncars have been targeting my sasl-enabled >> https gateway (which I use for client machines and thus do in fact nee= d) >> and while sshguard picks up the attacks and tries to ban them, postfix= >> is ignoring the entries it makes which implies it is not linked with t= he >> tcp wrappers. >> >> A quick look at the config for postfix doesn't disclose an obvious >> configuration solution....did I miss it? >> > > You can more-or-less run anything from a wrapper if you don't daemonize= it > and kick it off on-demand from inetd. Essentially, you have inetd.conf= > configured with a stanza that - upon connection attempt - launches an > instance of your desired program (postfix in this case), if and only > if the hosts.allow rules are satisfied. > > This works nicely for smaller installations, but is very slow in high=20 > arrival rate environments because each connection attempt incurs the fu= ll > startup overhead of the program you're running. > Tcpwrapper works with many persistent system services (sshd being a notable ones) and integrates nicely, so you can use hosts.allow. The package (or default build in ports) for sshguard uses the hosts.allow fil= e. But, sshguard does know (if you build it by hand or use the right subport) how to insert into an ipfw table instead.... so I switched over to that. I was rather curious, however, if/why postfix wasn't integrated with the hosts.allow file as are many other system services (or if I just missed the config option to turn it on) since it's offered by FreeBSD as a "stock sendmail replacement" option for higher-volume (and more-secure) sites.... --=20 Karl Denninger karl@denninger.net <mailto:karl@denninger.net> /The Market Ticker/ /[S/MIME encrypted email preferred]/ --------------ms080003090008060100040205 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgMFADCABgkqhkiG9w0BBwEAAKCC Bl8wggZbMIIEQ6ADAgECAgEpMA0GCSqGSIb3DQEBCwUAMIGQMQswCQYDVQQGEwJVUzEQMA4G A1UECBMHRmxvcmlkYTESMBAGA1UEBxMJTmljZXZpbGxlMRkwFwYDVQQKExBDdWRhIFN5c3Rl bXMgTExDMRwwGgYDVQQDExNDdWRhIFN5c3RlbXMgTExDIENBMSIwIAYJKoZIhvcNAQkBFhND dWRhIFN5c3RlbXMgTExDIENBMB4XDTE1MDQyMTAyMjE1OVoXDTIwMDQxOTAyMjE1OVowWjEL MAkGA1UEBhMCVVMxEDAOBgNVBAgTB0Zsb3JpZGExGTAXBgNVBAoTEEN1ZGEgU3lzdGVtcyBM TEMxHjAcBgNVBAMTFUthcmwgRGVubmluZ2VyIChPQ1NQKTCCAiIwDQYJKoZIhvcNAQEBBQAD ggIPADCCAgoCggIBALmEWPhAdphrWd4K5VTvE5pxL3blRQPyGF3ApjUjgtavqU1Y8pbI3Byg XDj2/Uz9Si8XVj/kNbKEjkRh5SsNvx3Fc0oQ1uVjyCq7zC/kctF7yLzQbvWnU4grAPZ3IuAp 3/fFxIVaXpxEdKmyZAVDhk9az+IgHH43rdJRIMzxJ5vqQMb+n2EjadVqiGPbtG9aZEImlq7f IYDTnKyToi23PAnkPwwT+q1IkI2DTvf2jzWrhLR5DTX0fUYC0nxlHWbjgpiapyJWtR7K2YQO aevQb/3vN9gSojT2h+cBem7QIj6U69rEYcEDvPyCMXEV9VcXdcmW42LSRsPvZcBHFkWAJqMZ Myiz4kumaP+s+cIDaXitR/szoqDKGSHM4CPAZV9Yh8asvxQL5uDxz5wvLPgS5yS8K/o7zDR5 vNkMCyfYQuR6PAJxVOk5Arqvj9lfP3JSVapwbr01CoWDBkpuJlKfpQIEeC/pcCBKknllbMYq yHBO2TipLyO5Ocd1nhN/nOsO+C+j31lQHfOMRZaPQykXVPWG5BbhWT7ttX4vy5hOW6yJgeT/ o3apynlp1cEavkQRS8uJHoQszF6KIrQMID/JfySWvVQ4ksnfzwB2lRomrdrwnQ4eG/HBS+0l eozwOJNDIBlAP+hLe8A5oWZgooIIK/SulUAsfI6Sgd8dTZTTYmlhAgMBAAGjgfQwgfEwNwYI KwYBBQUHAQEEKzApMCcGCCsGAQUFBzABhhtodHRwOi8vY3VkYXN5c3RlbXMubmV0Ojg4ODgw CQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBaAwCwYDVR0PBAQDAgXgMCwGCWCGSAGG+EIB DQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUxRyULenJaFwX RtT79aNmIB/u5VkwHwYDVR0jBBgwFoAUJHGbnYV9/N3dvbDKkpQDofrTbTUwHQYDVR0RBBYw FIESa2FybEBkZW5uaW5nZXIubmV0MA0GCSqGSIb3DQEBCwUAA4ICAQBPf3cYtmKowmGIYsm6 eBinJu7QVWvxi1vqnBz3KE+HapqoIZS8/PolB/hwiY0UAE1RsjBJ7yEjihVRwummSBvkoOyf G30uPn4yg4vbJkR9lTz8d21fPshWETa6DBh2jx2Qf13LZpr3Pj2fTtlu6xMYKzg7cSDgd2bO sJGH/rcvva9Spkx5Vfq0RyOrYph9boshRN3D4tbWgBAcX9POdXCVfJONDxhfBuPHsJ6vEmPb An+XL5Yl26XYFPiODQ+Qbk44Ot1kt9s7oS3dVUrh92Qv0G3J3DF+Vt6C15nED+f+bk4gScu+ JHT7RjEmfa18GT8DcT//D1zEke1Ymhb41JH+GyZchDRWtjxsS5OBFMzrju7d264zJUFtX7iJ 3xvpKN7VcZKNtB6dLShj3v/XDsQVQWXmR/1YKWZ93C3LpRs2Y5nYdn6gEOpL/WfQFThtfnat HNc7fNs5vjotaYpBl5H8+VCautKbGOs219uQbhGZLYTv6okuKcY8W+4EJEtK0xB08vqr9Jd0 FS9MGjQE++GWo+5eQxFt6nUENHbVYnsr6bYPQsZH0CRNycgTG9MwY/UIXOf4W034UpR82TBG 1LiMsYfb8ahQJhs3wdf1nzipIjRwoZKT1vGXh/cj3gwSr64GfenURBxaFZA5O1acOZUjPrRT n3ci4McYW/0WVVA3lDGCBRMwggUPAgEBMIGWMIGQMQswCQYDVQQGEwJVUzEQMA4GA1UECBMH RmxvcmlkYTESMBAGA1UEBxMJTmljZXZpbGxlMRkwFwYDVQQKExBDdWRhIFN5c3RlbXMgTExD MRwwGgYDVQQDExNDdWRhIFN5c3RlbXMgTExDIENBMSIwIAYJKoZIhvcNAQkBFhNDdWRhIFN5 c3RlbXMgTExDIENBAgEpMA0GCWCGSAFlAwQCAwUAoIICTTAYBgkqhkiG9w0BCQMxCwYJKoZI hvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNjA3MjUxOTQ2NDZaME8GCSqGSIb3DQEJBDFCBEBj Ma2O5u0nqbMaOIUZ2T83YFjRKnRohUkE0PCY1ViS5fYXXCzvFYiTpm2C6Rz4Rq2Bof66LhZq yGSM/PpQrlHVMGwGCSqGSIb3DQEJDzFfMF0wCwYJYIZIAWUDBAEqMAsGCWCGSAFlAwQBAjAK BggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYI KoZIhvcNAwICASgwgacGCSsGAQQBgjcQBDGBmTCBljCBkDELMAkGA1UEBhMCVVMxEDAOBgNV BAgTB0Zsb3JpZGExEjAQBgNVBAcTCU5pY2V2aWxsZTEZMBcGA1UEChMQQ3VkYSBTeXN0ZW1z IExMQzEcMBoGA1UEAxMTQ3VkYSBTeXN0ZW1zIExMQyBDQTEiMCAGCSqGSIb3DQEJARYTQ3Vk YSBTeXN0ZW1zIExMQyBDQQIBKTCBqQYLKoZIhvcNAQkQAgsxgZmggZYwgZAxCzAJBgNVBAYT AlVTMRAwDgYDVQQIEwdGbG9yaWRhMRIwEAYDVQQHEwlOaWNldmlsbGUxGTAXBgNVBAoTEEN1 ZGEgU3lzdGVtcyBMTEMxHDAaBgNVBAMTE0N1ZGEgU3lzdGVtcyBMTEMgQ0ExIjAgBgkqhkiG 9w0BCQEWE0N1ZGEgU3lzdGVtcyBMTEMgQ0ECASkwDQYJKoZIhvcNAQEBBQAEggIAZkd6xnao W13Q6pyspL8XwPiNctWK4m/fKBa/aDs2gxENPn/PGoOmSYUfcWgnzB3zyXiqEOiIP7voYRXC E2+hev7RoLsyTAl4mcOHngq0k5pj0jak/QcCoW3fgU1g7K1pH6PoXTzupLMtRXuRgMu2D8p0 txx9Fv5DD0FZGODzOSQrE6fv1UQ+FgUv8ewK9uI7sVcx6MQttJvOALZVmvntkqPLfb18bzmG /GJFjADhlKNvQLSK0NEYTLqJyOMTjVNzyBB8v595hHLcWHySu9ioGyE7K6Y9VCDpqIQ3YzK4 lcSNKiJHSWEpzhxs+BD3e0hTEdZFd6/G18Er5WUEMyAL3GKCNQdhY0jWbziHUboiTGhTvUaQ otQRr7IhfG2JEH+84+E/7biJNq4raZYoRipfhiGlMY8/L+vFWZGrJpWn8AEmVhF/KnZZoSBt kLGGWlfvDKOMKmK5JDeXIh+OCo/gNGWzkJC2mTVpNIy4EVtipR7rhzXj9x/HkbdJ5dXadBnL 0jZRvXxhl4z1L/iFveU3qcZfCjo9tuy8A8PIZJSiA2z/jkPA0sGjJs8rzw59eQpJv3eqDbjw n2NX2H7RvjLx2Vqvi1DUZFHo84jteaoDtQKGGe9k/wllb01EMWYYTLXAuFIFJ8csUAVefwoy Gr+WerO6Eso0FovvBI4/yac5srEAAAAAAAA= --------------ms080003090008060100040205--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?43294d7b-d70b-de92-ffa4-5c969f3df386>