Re: Is this expected reject behavior for foreign IP connect attempt?

From: mouss (no email)
Date: Wed Nov 28 2007 - 09:35:17 EST

  • Next message: Laurent Neiger: "Addresses filtering for only one supported domain"

    Charles Marcus wrote:
    > On 11/28/2007, mouss () wrote:
    >> you could use firewall rules so that unauthorized clients don't even
    >> disturb postfix...
    >
    > I know, but iptables rules are a bit on the greek side to me... ;)
    >

    you mean it's horrible ;-p

    your rules should look more or less like:

    ... -i lo -j ACCEPT
    ... -s 208.65.144.0/21 -p tcp --dport 25 -j ACCEPT
    ... -p tcp --dport 25 -j REJECT --reject-with tcp-reset

    > I had already planned on doing this though if it became necessary.
    >
    >> if you don't like the message, you can use
    >>
    >> check_client_access pcre:/etc/postfix/unauthorized_access
    >
    > The main thing I was concerned about was if this was the appropriate
    > response...
    >

    since your host is not an MX, nobody should connect to it except your
    systems and your filtering SP. Those who get the reject shouldn't have
    come here in the first place.

    > I'm surprised, actually, because as I said in my original email - I'd
    > have thought that I'd be getting hammered by these in the logs, just due
    > to the nature of the internet and all the spambots out there. Maybe its
    > because my server doesn't connect to the outside world directly, but
    > relays through our ISP?
    >

    if the host has never been an MX, it should get no connection, except
    those from zombies trying to find an open relay.

    > Oh well, thanks for the tip on using a pcre map for a more meaningful
    > message - but as long as I know what it means, I'm not too worried about
    > the wording.
    >

    it's only for you (when you parse logs). otherwise, you don't need to care.


  • Next message: Laurent Neiger: "Addresses filtering for only one supported domain"





    Hosted Email Solutions

    Invaluement Anti-Spam DNSBLs



    Powered By FreeBSD   Powered By FreeBSD