Why the ip can't be banned with postfix blacklist?

Question

vim /etc/postfix/main.cf
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/access

Add some ips in /etc/postfix/access

vim  /etc/postfix/access
86.111.171.141  REJECT 
191.96.249.63   REJECT

Restart postfix.

postmap hash:/etc/postfix/access
systemctl restart  postfix

After serveral times.

tail  /var/log/maillog
Oct 30 10:18:45 localhost postfix/smtpd[3491]: connect from unknown[86.111.171.141]
Oct 30 10:18:45 localhost postfix/smtpd[3491]: warning: unknown[86.111.171.141]: SASL LOGIN authentication failed: authentication failure
Oct 30 10:18:46 localhost postfix/smtpd[3491]: disconnect from unknown[86.111.171.141]      
Oct 30 10:18:45 localhost postfix/smtpd[3491]: connect from unknown[191.96.249.63]
Oct 30 10:18:45 localhost postfix/smtpd[3491]: warning: unknown[191.96.249.63]: SASL LOGIN authentication failed: authentication failure
Oct 30 10:18:46 localhost postfix/smtpd[3491]: disconnect from unknown[191.96.249.63]

Why the ip can't be banned with postfix blacklist?

score 6 · Answer 1 · answered Oct 30 '17 at 14:59

Because the check_sender_access is a smtpd_sender_restriction and, therefore, performed

for the MAIL FROM address, domain, parent domains, or localpart@, and execute the corresponding action.

If you wan't to block IP addresses using Postfix, take a look at smtpd_helo_restrictions, instead. There's a possibility to check_helo_a_access for the IP addresses for the HELO / EHLO hostname. Remember add smtpd_helo_required = yes and possibly reject_unknown_helo_hostname, too.

Why the ip can't be banned with postfix blacklist?

1 Answers1