Subject: Re: DNS-based firewalling?
To: Mike Parson <mparson@bl.org>
From: Florian Stoehr <netbsd@wolfnode.de>
List: netbsd-users
Date: 02/07/2005 17:18:15
On Mon, 7 Feb 2005, Mike Parson wrote:

> On Sun, Feb 06, 2005 at 05:36:53PM +0000, Matthias Scheler wrote:
>> In article <Pine.NEB.4.61.0501100026140.823@irina.net.flo>,
>> 	Florian Stoehr <netbsd@wolfnode.de> writes:
>>> I want to block all (ALL!) SMTP traffic from the whole "attbi.com"
>>> IP address range for my private mail server.
>>
>> Try adding something like this in "/etc/hosts.allow":
>>
>> sendmail: ALL EXCEPT .attbi.com
>>
>> They'll be able to get an SMTP connection but not to deliver e-mail.
>> But I would really recommend using a better technology, e.g.
>> greylisting.
>
> I've gotta second the greylisting suggestion, the greatest thing to
> happen to email since SpamAssassin. =) Both of them together, I get <1
> spam/month in my INBOX.  The 8 or so I got in the last 48 hours wound up
> in my spam folder for later perusal.
>
> The better way to block a domain is in the mail access file:
>
> /etc/mail/access
>
> attbi.com	REJECT
>
> makemap hash access <access
>
> kill -HUP `head -1 /var/run/sendmail.pid`
>
> My access file has nearly 400 such lines in it. =) Most of it is from
> the pre-SA/pre-GL days, but it still serves its purpose (according to
> graphdefang, 2058 rejected messages in the last 48 hours, for all of
> bl.org, 8 active users).
>
> -- 
> Michael Parson
> mparson@bl.org
>

Yep, meanwhile I use a

         check_client_access hash:/etc/postfix/blacklist,

config line in postfix' smtpd_client_restrictions section.

Although of course greylisting is better than blocking specific
domains, I agree.

Btw, for me the "reject_unknown_client" blocks 80% of spam,
it's amazing how many spammers try to connect without a proper
reverse-DNS :-)

-Florian
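The two mechanisms discussed in this thread (a hash access map consulted by check_client_access, and reject_unknown_client) are easy to misjudge because of the lookup order Postfix uses and the exact condition under which a client counts as "unknown". The following is an added example, not code from Postfix or from anyone in the thread: it emulates the access(5) lookup order (full client hostname, each parent domain, the IPv4 address, then shorter network prefixes) and the documented reject_unknown_client test (no PTR, or a PTR name whose A record does not contain the client IP). The access file, the PTR/A tables and the client addresses are constructed for the example.

```python
"""Emulate how Postfix's check_client_access and reject_unknown_client
decide on a connecting client.  Added example, not Postfix's own code:
the lookup order follows the access(5) man page (full client hostname,
each parent domain, the IPv4 address, then shorter network prefixes);
the access file and DNS data below are constructed, not real records."""

# Constructed access file in the format the thread shows
# ('postmap hash:/etc/postfix/blacklist' would compile it).
ACCESS_FILE = """\
# block a whole provider by domain, a /24 by prefix, and whitelist one host
attbi.com          REJECT
192.0.2            REJECT  no mail from this /24
mail.example.org   OK
"""

# Constructed DNS: PTR (ip -> name) and A (name -> ips) records.
PTR = {
    "203.0.113.5": "c-203-0-113-5.hsd1.attbi.com",
    "198.51.100.7": "mail.example.org",
    "198.51.100.8": "forged.example.net",  # A record does not point back
}
A = {
    "c-203-0-113-5.hsd1.attbi.com": {"203.0.113.5"},
    "mail.example.org": {"198.51.100.7"},
    "forged.example.net": {"198.51.100.99"},
}


def parse_access_table(text):
    """Build {key: action} from access-file lines; keys are folded to
    lowercase as postmap does by default, trailing text after the
    action (e.g. a reject message) is ignored here."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        table[key.lower()] = action.split()[0].upper()
    return table


def resolve_client(ip):
    """Return the verified client hostname, or 'unknown' when the PTR is
    missing or its A record does not contain ip (forward-confirmed
    reverse DNS), which is the condition reject_unknown_client tests."""
    name = PTR.get(ip)
    if name is None or ip not in A.get(name, set()):
        return "unknown"
    return name.lower()


def client_keys(hostname, ip):
    """Yield lookup keys in the order Postfix tries them in a hash: map."""
    if hostname != "unknown":
        labels = hostname.split(".")
        for i in range(len(labels)):          # host, then parent domains
            yield ".".join(labels[i:])
    octets = ip.split(".")
    for n in range(len(octets), 0, -1):       # a.b.c.d, a.b.c, a.b, a
        yield ".".join(octets[:n])


def evaluate(ip, restrictions, table=None):
    """Walk an smtpd_client_restrictions list as Postfix does: REJECT or
    OK ends the list, no match (DUNNO) falls through to the next entry."""
    table = parse_access_table(ACCESS_FILE) if table is None else table
    hostname = resolve_client(ip)
    for restriction in restrictions:
        if restriction == "reject_unknown_client":
            if hostname == "unknown":
                return "REJECT", restriction
        elif restriction == "check_client_access":
            for key in client_keys(hostname, ip):
                if key in table:
                    return table[key], key
        elif restriction == "permit":
            return "OK", restriction
    return "DUNNO", None


if __name__ == "__main__":
    policy = ["reject_unknown_client", "check_client_access"]
    for client in ("203.0.113.5", "198.51.100.7", "198.51.100.8", "192.0.2.44"):
        print(client, resolve_client(client), evaluate(client, policy))
```

Two things the emulation makes visible: a bare "attbi.com" entry catches every host under that domain because parent domains are tried after the full name, and the order of entries in smtpd_client_restrictions matters, since a client with a forged PTR is rejected by reject_unknown_client before the access map is ever consulted when that restriction comes first.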