Subject: Re: DNS-based firewalling?
To: None <netbsd-users@NetBSD.org>
From: Mike Parson <mparson@bl.org>
List: netbsd-users
Date: 02/07/2005 10:12:54
On Sun, Feb 06, 2005 at 05:36:53PM +0000, Matthias Scheler wrote:
> In article <Pine.NEB.4.61.0501100026140.823@irina.net.flo>,
> 	Florian Stoehr <netbsd@wolfnode.de> writes:
>> I want to block all (ALL!) SMTP traffic from the whole "attbi.com" 
>> IP address range for my private mail server.
>
> Try adding something like this in "/etc/hosts.allow":
>
> sendmail: ALL EXCEPT .attbi.com
>
> They'll be able to get a SMTP connection but not to deliver e-mail.
> But I would really recommend to use a better technology like e.g.
> Greylisting.

I've gotta second the greylisting suggestion, the greatest thing to
happen to email since SpamAssassin. =) Both of them together, I get <1
spam/month in my INBOX.  The 8 or so I got in the last 48 hours wound up
in my spam folder for later perusal.

The better way to block a domain is in the mail access file:

/etc/mail/access

attbi.com	REJECT

cd /etc/mail && makemap hash access < access

kill -HUP `head -1 /var/run/sendmail.pid`

My access file has nearly 400 such lines in it. =) Most of it is from
the pre-SA/pre-GL days, but it still serves its purpose (according to
graphdefang, 2058 rejected messages in the last 48 hours, for all of
bl.org, 8 active users).

-- 
Michael Parson
mparson@bl.org
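An added example, not code from either poster and not part of sendmail or
NetBSD: before rebuilding the map, it is worth checking what an untagged
"attbi.com REJECT" entry will actually match. The script below models the
lookup order sendmail's cf/README describes for untagged access keys, as an
assumption of this example: the full address first, then the host and each
parent domain with one leading label stripped, then "user@"; an IPv4 client
address is tried whole and then with trailing octets stripped, and keys are
compared case-insensitively (makemap folds keys to lower case unless built
with -f). Connect:/From:/To: tags are deliberately not modelled, the sample
access entries (attbi.com, example.net, 192.0.2, friend.example.org) are
constructed, and NOMATCH is this script's own token for "no entry, default
policy applies". One practical difference from the hosts.allow approach in
the quoted reply: the tcp_wrappers ".attbi.com" form can only match a client
whose address reverse-resolves into that domain, so a host without a PTR
record never matches it, whereas an access-map key can be an address prefix.

```shell
#!/bin/sh
# Added example (not from the post): model how an untagged sendmail access
# map entry matches a sender, so you can check entries before "makemap".
# Assumption: lookup order as in the lead-in (user@host, host, parent
# domains, user@; IPv4 whole then shorter prefixes), case-insensitive keys.

# Constructed sample of an /etc/mail/access text file (not a real site's).
ACCESS_SAMPLE='# constructed example access file
attbi.com            REJECT
spammer@example.net  REJECT
192.0.2              REJECT
friend.example.org   OK
'

# access_get TEXT KEY: print the value of one exact key in the access text.
# Comments and blank lines are skipped; keys compare case-insensitively.
access_get() {
    printf '%s\n' "$1" | awk -v k="$2" '
        /^#/ || NF < 2 { next }
        tolower($1) == k { print $2; exit }'
}

# access_candidates SENDER: print the keys sendmail would try, in order,
# for an address (user@host), a bare host name, or an IPv4 address.
access_candidates() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    user=''
    host=$key
    case "$key" in
        *@*)
            printf '%s\n' "$key"          # 1. full address user@host
            user=${key%%@*}
            host=${key#*@}
            ;;
    esac
    case "$host" in
        '') ;;                            # "user@" alone: nothing to walk
        *[!0-9.]*)                        # 2. host name: drop leading labels
            while :; do
                printf '%s\n' "$host"
                case "$host" in *.*) host=${host#*.} ;; *) break ;; esac
            done ;;
        *)                                # 2. IPv4: drop trailing octets
            while :; do
                printf '%s\n' "$host"
                case "$host" in *.*) host=${host%.*} ;; *) break ;; esac
            done ;;
    esac
    if [ -n "$user" ]; then printf '%s@\n' "$user"; fi   # 3. user@ (any host)
    return 0
}

# access_lookup TEXT SENDER: print the action of the first matching key,
# or NOMATCH (this script's token) when no entry applies.
access_lookup() {
    result=$(access_candidates "$2" | while read -r cand; do
        v=$(access_get "$1" "$cand")
        if [ -n "$v" ]; then printf '%s\n' "$v"; break; fi
    done)
    printf '%s\n' "${result:-NOMATCH}"
}

# Dry run over constructed senders; the attbi.com entry also catches
# sub-domains such as dsl.attbi.com, and matching ignores case.
for s in joe@dsl.attbi.com JOE@ATTBI.COM spammer@example.net \
         192.0.2.44 anyone@friend.example.org anyone@example.com; do
    printf '%-28s %s\n' "$s" "$(access_lookup "$ACCESS_SAMPLE" "$s")"
done

# The rebuild step from the post, for reference only (it needs the real
# /etc/mail/access and a running sendmail, so it is not executed here):
#   cd /etc/mail && makemap hash access < access
#   kill -HUP `head -1 /var/run/sendmail.pid`
```

Run it as-is to see the dry run; to check a real file, replace ACCESS_SAMPLE
with `$(cat /etc/mail/access)` and feed the senders you care about.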