Re: A Question About "check_client_access"

From: mouss (usebsdfree.fr)
Date: Wed Oct 12 2005 - 14:55:13 CDT


Rich Shepard wrote:

> On Wed, 12 Oct 2005, mouss wrote:
>
>> In general, if a client is not blocked, this is because no reject rule was
>> applied to it, and in particular, it didn't match a client_access rule that
>> rejects it.
>
>
> I guess I was not sufficiently clear.

happy to read you say so, but you still don't provide your postconf -n.
now, don't. just check that no other restrictions allowed the mails in
question. we'll trust until next step:)

>
> The first 16 bits in the IP address are listed in the client_access rule,
> and 'reject' is the action to be taken.

so you mean you have
a.b REJECT
in your file, and you say below that only "REJECT" is used. no other action.

now, do you have lines starting with space?

>
>> - do all entries in badip have "REJECT" as the right hand side (the
>> result field) or do you use different results?
>
>
> Yes.
>
>> - what is the format of the IPs that don't get caught? post a full line of
>> this (replace digits by 'd' if you want, but keep dots and other chars).
>
>
> It is analogous to
>
> Received: from <some_domain_name> (IP address unknown[xx.yyy.z.ddd])

I trust you to know what is an IP block. I was looking for the other
stuff (spaces, '#', commas, ... etc).
for instance
---------------------
1.2 REJECT
   3.4 REJECT
---------------------
is incorrect (see the space before 3.4).

>
> My understanding of the postfix restrictions is that 1) the
> 'reject_unknown_sender_domain' checked the IP address and rejected it if it
> was unknown and 2) the entry in 'check_client_access hash:/etc/postfix/badip'
> would also catch it if xx.yyy was listed in that map file.
>
it is supposed to do so unless
- another check in your restrictions allows the mail
- there is an error in your file.
for instance

As suggested by Rob, use postmap -q to check that the IP really matches an
entry in your hash.
(the IP need not be present in the hash, but it should match one of your
blocks if it is supposed to be blocked).
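
The leading-space pitfall and the block-matching lookup discussed in the message above, as an added example that is not part of the original message. It follows the logical-line and IPv4 truncation rules documented in access(5); the function names `parse_map` and `lookup_client` and the sample map are constructed for illustration, and hostname lookups are not modelled.

```python
# Constructed sample of a check_client_access map source (not from the thread).
SAMPLE = """\
# bad networks
1.2 REJECT
   3.4 REJECT
5.6.7   REJECT
"""

def parse_map(text):
    """Build key -> result the way access(5) describes the source format:
    blank lines and lines whose first non-blank character is '#' are skipped,
    and a line that starts with whitespace continues the previous logical line."""
    table, warnings, last_key = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            # Continuation: the text is appended to the previous entry's result
            # (whitespace normalized here), so it never becomes a key of its own.
            if last_key is not None:
                table[last_key] += " " + raw.strip()
            warnings.append((lineno, raw.strip()))
            continue
        parts = raw.split(None, 1)
        last_key = parts[0]
        table[last_key] = parts[1].strip() if len(parts) > 1 else ""
    return table, warnings

def lookup_client(table, ip):
    """Try the full address, then drop the last octet each round:
    1.2.3.4, 1.2.3, 1.2, 1. Returns (matched_key, result) or None."""
    octets = ip.split(".")
    for n in range(len(octets), 0, -1):
        key = ".".join(octets[:n])
        if key in table:
            return key, table[key]
    return None

if __name__ == "__main__":
    table, warnings = parse_map(SAMPLE)
    for lineno, text in warnings:
        print(f"line {lineno}: leading whitespace, folded into previous entry: {text!r}")
    for ip in ("1.2.200.7", "3.4.9.9", "5.6.7.8"):
        print(ip, "->", lookup_client(table, ip))
```

On a live system, `postmap -q` against the real map is still the authoritative check, since it queries the file Postfix actually reads.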