From: "Ronald Klop"
To: freebsd-stable@freebsd.org, "Karl Denninger"
Subject: Re: Postfix and tcpwrappers?
Date: Mon, 25 Jul 2016 19:04:11 +0200
List-Id: Production branch of FreeBSD source code

On Mon, 25 Jul 2016 18:48:25 +0200, Karl Denninger wrote:

> This may not belong in "stable", but since Postfix is one of the
> high-performance alternatives to sendmail....
>
> Question is this -- I have sshguard protecting connections inbound, but
> Postfix appears to be ignoring it, which implies that it is not paying
> attention to the hosts.allow file (and the wrapper that enables it.)
>
> Recently a large body of clowncars have been targeting my sasl-enabled
> https gateway (which I use for client machines and thus do in fact need)
> and while sshguard picks up the attacks and tries to ban them, postfix
> is ignoring the entries it makes which implies it is not linked with the
> tcp wrappers.
>
> A quick look at the config for postfix doesn't disclose an obvious
> configuration solution....did I miss it?
>

Don't know if postfix can handle tcp wrappers, but I use bruteblock [1]
for protecting connections via the ipfw firewall. I use this for ssh and
postfix.

Regards,
Ronald.

[1] http://www.freshports.org/security/bruteblock/