Re: access table and unverified hostnames

From: Noel Jones (njonesmegan.vbhcs.org)
Date: Mon Feb 11 2008 - 17:42:51 CST


Cedric Knight, GreenNet wrote:
> Hi
>
> I'd like to reject connections from certain spam sources, such as
> residential IP blocks heavily infected by the Dorf botnet.
>
> These sources are quite well-defined by the reverse DNS of the client,
> so for example inserting into the access table
>
> ttnet.net.tr 554 Too much spam from this network
> dynamic.163data.com.cn 554 Too much spam from this network
> kd.ny.adsl 554 Too much spam from this network
> res.rr.com 554 Too much spam from this network
>
> should in theory block a lot. (parent_domain_matches_subdomains includes
> smtpd_access_maps, so the domains don't need to be prefixed with '.')
>
> The problem in each case is that the forward DNS doesn't exist, isn't
> always available, or doesn't match the client IP address, as shown by
> the logs:
> postfix/smtpd[6278]: warning: smtpd_peer_init: 88.230.72.217: hostname
> dsl88.230-18649.ttnet.net.tr verification failed: Name or service not known
>
> Postfix only looks up verified client hostnames in the access table, so
> these entries are either completely useless, or less useful than hoped.
> The same domains often include many different and diverse IP ranges,
> and it would be difficult to find them all and add them to the access
> table.
>
> Is there some way to look up the "reverse_name" in a table, instead of
> limiting it to verified hostnames?
>
> Postfix 2.1.5 on Debian stable.
>
> Thanks
>
> Cedric Knight

Postfix doesn't have a "check_reverse_client_access" lookup
because unverified hostnames can't be used safely for
whitelisting.

You can use (or write) a policy server that rejects clients
based on the reverse hostname. I believe "policyd" has this
ability, along with many others.
http://www.postfix.org/SMTPD_POLICY_README.html
http://www.postfix.org/addon.html#policy
http://policyd.sourceforge.net/

Or you can patch the source code to add a new lookup type;
this particular mod looks fairly easy.

--
Noel Jones
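
A minimal sketch of the policy-server approach suggested in the reply above, as an added example that is not part of the original thread and is not policyd's code. It assumes Postfix passes the `reverse_client_name` attribute described in SMTPD_POLICY_README (if the attribute is absent the script answers DUNNO); the function names are hypothetical and the table is built from the access entries in the quoted question.

```python
import sys

# Constructed table: the domains from the access entries in the quoted question.
BLOCKED = {"ttnet.net.tr", "dynamic.163data.com.cn", "kd.ny.adsl", "res.rr.com"}
REJECT = "554 Too much spam from this network"


def parse_request(lines):
    """Parse name=value attribute lines up to the blank line that ends a request."""
    attrs = {}
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def matches(hostname, domains=BLOCKED):
    """True if hostname is a listed domain or a subdomain of one (whole labels only)."""
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def decide(attrs):
    """Return the policy action. The unverified name is used only to reject,
    never to permit, because it cannot be trusted for whitelisting."""
    name = attrs.get("reverse_client_name", "")
    if name and name != "unknown" and matches(name):
        return REJECT
    return "DUNNO"  # no opinion: let the remaining restrictions decide


def serve(inp=sys.stdin, out=sys.stdout):
    """Answer requests on stdin/stdout, as when started by Postfix spawn(8)."""
    while True:
        attrs = parse_request(iter(inp.readline, ""))
        if not attrs:
            break
        out.write("action=%s\n\n" % decide(attrs))
        out.flush()


if __name__ == "__main__":
    serve()
```

Postfix would start the script through spawn(8) and consult it with `check_policy_service` in the smtpd restrictions, as SMTPD_POLICY_README describes.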