check_client_access not blocking /8 /16 /24 etc.

I'm curious to know what I've done wrong with my client checks file.

I can reject a specific IP, but it won't reject when I use net blocks.
The format is listed below in client_checks.cf.

Suggestions comments welcome.

main.cf.

smtpd_recipient_restrictions =
      permit_mynetworks,
      permit_sasl_authenticated,
      check_client_access hash:/etc/postfix/client_checks.cf,
      check_sender_access hash:/etc/postfix/sender_checks.cf,
      reject_unlisted_sender,
      reject_unauth_pipelining,
      reject_unauth_destination,
      reject_rbl_client bl.spamcop.net,
      reject_rbl_client psbl.surriel.com,
      reject_rbl_client b.barracudacentral.org,
      check_policy_service unix:private/policyd-spf,
      permit

client_checks.cf.

5.0.0.0/8 REJECT We have not seen your IP Address before.  Please visit https://example.com?newip=5.0.0.0/8 to unblock your IP

I've run postmap client_checks.cf and have the file set up.

Comments

Re: check_client_access not blocking /8 /16 /24 etc.

By Bill Cole at 07/11/2018 - 00:01

Pick a table format and use it.

That's CIDR format, not the domain/octet prefix form required for a
hashed access map.

See the man pages for access(5) and cidr_table(5) for the differences
and details, so you can pick one.

Also note: if you're going to reject all of 5.0.0.0/8 by default, you
might as well simplify and go with an overall default reject policy.

Re: check_client_access not blocking /8 /16 /24 etc.

By Benny Pedersen at 07/10/2018 - 23:52

Philip wrote on 2018-07-11 04:24:

change hash here to cidr

and remember cidr does not need to be postmapped

it should be tested with

postmap -q 5.1.1.1 cidr:/etc/postfix/client_checks.cf

if it prints reject, it works :)
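To make the difference between the two table formats concrete, here is a small Python model of how Postfix looks up an IPv4 client address in a hash: access map (access(5): the full address, then successively shorter dotted-octet prefixes) versus a cidr: table (cidr_table(5): first matching network in file order). It is an added illustration written for this thread, not code from Postfix or from any of the posters; the table contents are constructed to mirror the original client_checks.cf line, and the function names are my own. It shows why the key "5.0.0.0/8" can never match in a hash map, and what the equivalent hash key ("5") or cidr rule looks like.

```python
import ipaddress

# Constructed sample tables, modelled on the thread's client_checks.cf line.
# The original file, postmapped as hash:, has this single key:
HASH_MAP_BROKEN = {"5.0.0.0/8": "REJECT We have not seen your IP Address before."}
# Equivalent hash: key in access(5) prefix form (a /8 is just the first octet):
HASH_MAP_FIXED = {"5": "REJECT We have not seen your IP Address before."}
# Same rule as a cidr_table(5) file (constructed text; no postmap needed for cidr:):
CIDR_TABLE_TEXT = """
# client_checks.cf in cidr format (constructed example)
5.0.0.0/8   REJECT We have not seen your IP Address before.
"""


def hash_lookup_keys(ip: str) -> list[str]:
    """Keys Postfix tries, in order, for an IPv4 client address in a hash:
    access map: 'a.b.c.d', then 'a.b.c', 'a.b', 'a' (IPv4 only here)."""
    octets = ip.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]


def hash_lookup(table: dict, ip: str):
    """Exact-key lookup on each candidate key; the key text is never
    interpreted, so a CIDR string like '5.0.0.0/8' is simply a miss."""
    for key in hash_lookup_keys(ip):
        if key in table:
            return table[key]
    return None


def parse_cidr_table(text: str) -> list[tuple]:
    """Parse cidr_table(5)-style lines: 'network/prefix  result'.
    Blank lines and '#' comments are skipped; rule order is preserved."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        rules.append((ipaddress.ip_network(pattern, strict=False), action))
    return rules


def cidr_lookup(rules: list[tuple], ip: str):
    """First rule whose network contains the address wins, as in cidr: tables."""
    addr = ipaddress.ip_address(ip)
    for network, action in rules:
        if addr in network:
            return action
    return None


if __name__ == "__main__":
    client = "5.1.1.1"  # same test address Benny suggests for postmap -q
    print("hash keys tried:", hash_lookup_keys(client))
    print("hash (CIDR key):", hash_lookup(HASH_MAP_BROKEN, client))
    print("hash (prefix key):", hash_lookup(HASH_MAP_FIXED, client))
    print("cidr table:", cidr_lookup(parse_cidr_table(CIDR_TABLE_TEXT), client))
```

Running it against 5.1.1.1 shows the hash map with the CIDR key returning nothing (no REJECT), while both the prefix-form hash key and the cidr: table match. The real check is still the one Benny gives: postmap -q 5.1.1.1 against the table, using the same map type as in main.cf, so that the lookup goes through Postfix's own logic rather than this model.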