Postfix and tcpwrappers?
Karl Denninger
karl at denninger.net
Mon Jul 25 19:46:54 UTC 2016
On 7/25/2016 14:38, Tim Daneliuk wrote:
> On 07/25/2016 01:20 PM, Shawn Bakhtiar wrote:
>> ecently a large body of clowncars have been targeting my sasl-enabled
>> https gateway (which I use for client machines and thus do in fact need)
>> and while sshguard picks up the attacks and tries to ban them, postfix
>> is ignoring the entries it makes which implies it is not linked with the
>> tcp wrappers.
>>
>> A quick look at the config for postfix doesn't disclose an obvious
>> configuration solution....did I miss it?
>>
>
> You can more-or-less run anything from a wrapper if you don't daemonize it
> and kick it off on-demand from inetd. Essentially, you have inetd.conf
> configured with a stanza that - upon connection attempt - launches an
> instance of your desired program (postfix in this case), if and only
> if the hosts.allow rules are satisfied.
>
> This works nicely for smaller installations, but is very slow in high
> arrival rate environments because each connection attempt incurs the full
> startup overhead of the program you're running.
>
Tcpwrapper works with many persistent system services (sshd being a
notable ones) and integrates nicely, so you can use hosts.allow. The
package (or default build in ports) for sshguard uses the hosts.allow file.
But, sshguard does know (if you build it by hand or use the right
subport) how to insert into an ipfw table instead.... so I switched over
to that. I was rather curious, however, if/why postfix wasn't
integrated with the hosts.allow file as are many other system services
(or if I just missed the config option to turn it on) since it's offered
by FreeBSD as a "stock sendmail replacement" option for higher-volume
(and more-secure) sites....
--
Karl Denninger
karl at denninger.net <mailto:karl at denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2996 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20160725/4bbcbcd0/attachment.bin>
More information about the freebsd-stable
mailing list