Postfix smtpd_client_restrictions with check_client_access not working

chmike

7/22/23, 8:12 AM

I suddenly receive many spam mails per day and I’m trying to filter the source by IP.

In my main.cf file I have this:

smtpd_client_restrictions = 
        check_client_access cidr:/etc/postfix/blacklist,
        permit

and in this blacklist file I have IP addresses and networks defined in the following way according to https://linux.die.net/man/5/access. I don’t filter by domain name since every spam has a different domain name.

1.2.3.4  REJECT Blacklisted
5.6.7    REJECT Blacklisted

I used cdbpreviously and it was working perfectly, except for networks (5.6.7). I switched to cidr which is apparently recommended, but I still get spam although the network is in my blacklist file.

I did the sudo postmap /etc/postfix/blacklist && sudo postfix reload after adding the network to the blacklist file, but it didn’t filter the spam mail.

0 + 0

postfix

Score:1

Server

anx

8/18/23, 2:02 AM

Specify explicit network mask.

The syntax for the cidr table is different from simpler indexed files (such as DB or DBM), it expects an explicit mask - and uses it to allow for much nicer representation of blocks smaller or bigger than /8 /16 /24.

# network_address/network_mask result
192.0.2.0/24     REJECT Blacklisted
203.0.113.128/28 REJECT Blacklisted

Test your file using postmap -q:

# postmap -q 203.0.113.144 cidr:/path/to/example.cidr
# postmap -q 203.0.113.143 cidr:/path/to/example.cidr
REJECT Blacklisted

A warning will be emitted for syntax problems, no result will be printed for IPs not matching any listed network.

0 + 0

chmike

8/18/23, 5:06 AM

Apparently my version of postfix doesn't support CIDR table. I tried that. The only thing that works (finally) is with CDB and with IP address defined as in access manual, 1.2.3.4 or 1.2.3 for subnets.

chmike

8/18/23, 5:22 AM

Sorry, just checked again with `postconf -m` and cidr is supported. I had an error when I tried to use it. Cidr is definitely better. To generate the database, do you also call `postconf cidr:ip_to_blacklist` ?

anx

8/18/23, 2:22 PM

@chmike The manual does not mention anything about `cidr` type tables making use of the `postmap`-generated indexed databases. Unsurprisingly, as the prefixes are checked in the order as specified in the table anyway.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Postfix smtpd_client_restrictions with check_client_access not working

TH: แก้ไข smtpd_client_restrictions ด้วย check_client_access ไม่ทำงาน

RO: Postfix smtpd_client_restrictions cu check_client_access nu funcționează

RU: Постфикс smtpd_client_restrictions с check_client_access не работает

VI: Postfix smtpd_client_restrictions với check_client_access không hoạt động

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.