SWEET!! Thanks, Len, Eric. I moved the reject down before the reject and formatted it this way:

reject_rbl_client,
check_recipient_maps hash:/etc/postfix/account_control.map,
reject

Then the logs show this:

Jan 28 17:02:19 scooter postfix/smtpd[29528]: 3D30E7BC4B: reject: RCPT from smtp.moneyconcepts.co.nz[210.86.3.181]: 554 <[EMAIL PROTECTED]>: Recipient address rejected: Access denied; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> proto=SMTP helo=<moneyconcepts.co.nz>

And, [EMAIL PROTECTED] is not in account_control.map.

I'll watch for a while to be sure everything is ok now.

The setup here is two imgate gateways forwarding to imgate-amavis-sophos virus scanner that forward to a final delivery server. That attack had so much stuff stacked on the imgate-amavis virus scanning machine, it would not finish a mailq | grep Kbytes to find how much was in the queue. It was then that I started looking around two hours after receiving 40+ emails per second.

The little perl program killed almost 150 thousand bounces from the queue between the gateway machine and the virus scanning machine.

The email I sent to [EMAIL PROTECTED] hasn't bounced yet either.

These systems were running pretty hard but every valid email was delivered.

POSTFIX/IMGATE is wonderful!

Dave

On Tue, 2003-01-28 at 15:32, Len Conrad wrote:
>
> >I had a dictionary attack this morning and had to remove about 150k
> >emails with "hi how are you" in the header
>
> where were they, in IMGate or in the mailbox server?
>
> >coming from a swbell dsl
> >client in St.Louis I think
>
> These DSL lines are capable of stupendous volumes, and ime, the DSL network
> providers don't care.
>
> That's why I was posting a couple weeks ago some ideas about regexp for
> blocking all MTA's that had PTR's with (dsl|cust|pool|dial|...) in them.
>
> >. They were all from a random hotmail.com
> >account.
>
> ... then SAV would have rejected every one of them.
>
> >Jan 28 07:14:39 scooter postfix/smtpd[21983]: 7B9517BCA5:
> >client=adsl-65-71-214-5.dsl.stlsmo.swbell.net[65.71.214.5]
> >
> >Now I'm trying to "close the barn door". I have a file:
> >account_control.map that has my valid clients in it like this:
> >
> >grep internetworks.net account_control.map
> >
> >[EMAIL PROTECTED] OK
> >[EMAIL PROTECTED] OK
> >[EMAIL PROTECTED] OK
> >[EMAIL PROTECTED] OK
> >[EMAIL PROTECTED] OK
>
> and you need this one:
>
> #else
> internetworks.net 553 ACL account_control
>
> or in my style
>
> #else
> internetworks.net 553 ACL to_recipients_known recipient is unknown user
>
> >in main.cf I have:
> >
> >smtpd_recipient_restrictions =
> >    reject_unauth_pipelining,
> >    reject_non_fqdn_sender,
> >    reject_non_fqdn_recipient,
> >    reject_unknown_recipient_domain,
> >    hash:/etc/postfix/account_control.map, <<<<<<<<<<<<
>
> ... is how to do it in pre-2.0, and this line has to be the penultimate
> restriction:
>
>    reject_rbl_client,
>    hash:/etc/postfix/account_control.map, <<<<<<<<<<<<
>    reject
>
> Otherwise, as soon as it matches in your position, all other checks are
> skipped (first match wins)
>
> But in postfix 2.0, there is a new way that allows one, finally!, to have, as
> the very first restriction:
>
> if not a known user, then reject.
> else
> <all other restrictions>,
> permit
>
> see the recently updated:
>
> http://www.postfix.org/uce.html#smtpd_recipient_restrictions
>
> >grep [EMAIL PROTECTED] account_control.map
> >yields nothing...
>
> egrep -i "Reyne\@internetworks\.net" /path/to/account_control.map
>
> and more importantly:
>
> postmap -q "[EMAIL PROTECTED]" hash:/path/to/account_control.map
>
> and check the #else
>
> postmap -q "[EMAIL PROTECTED]" hash:/path/to/account_control.map
>
> > ( besides having shut off SAV last night)
>
> :((
>
> >SAV would have stopped this in its tracks.
>
> yep
>
> >Also, I used this script to clear my queue based on the header.
>
> thanks.
>
> Len
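
The ordering point discussed in this thread (first match wins, so the recipient map has to sit after reject_rbl_client and before a final reject, with a domain-level "#else" entry for unknown users), modeled as an added example that is not part of the original messages. It is a simplified Python model of restriction evaluation, not Postfix code; the addresses, map contents, the rbl_listed flag and the names map_lookup and evaluate are all constructed for illustration.

```python
# Simplified model of how Postfix walks smtpd_recipient_restrictions.
# Not Postfix code: addresses, map contents and rbl_listed are constructed.

ACCOUNT_CONTROL = {
    "alice@example.com": "OK",                  # known recipients
    "bob@example.com": "OK",
    "example.com": "553 ACL account_control",   # the "#else" domain catch-all
}

def map_lookup(table, rcpt):
    """Access-map search: full address first, then the bare domain."""
    rcpt = rcpt.lower()
    domain = rcpt.rsplit("@", 1)[-1]
    for key in (rcpt, domain):
        if key in table:
            return table[key]
    return None  # no entry: the next restriction gets a turn

def evaluate(restrictions, rcpt, rbl_listed, table):
    """Return (verdict, restriction that decided). First decisive result wins."""
    for name in restrictions:
        if name == "reject_rbl_client" and rbl_listed:
            return ("REJECT", name)
        if name == "account_control.map":
            action = map_lookup(table, rcpt)
            if action == "OK":
                return ("PERMIT", name)      # everything after this is skipped
            if action and action[0] in "45":
                return ("REJECT", name)
        if name == "reject":
            return ("REJECT", name)
    return ("PERMIT", "end of list")         # nothing objected

MAP_FIRST = ["account_control.map", "reject_rbl_client", "reject"]
MAP_PENULTIMATE = ["reject_rbl_client", "account_control.map", "reject"]

if __name__ == "__main__":
    cases = [
        (MAP_FIRST, "alice@example.com", True),          # RBL check never runs
        (MAP_PENULTIMATE, "alice@example.com", True),    # RBL rejects first
        (MAP_PENULTIMATE, "mallory@example.com", False), # unknown user
    ]
    for order, rcpt, listed in cases:
        print(order, rcpt, "rbl_listed=%s" % listed, "->",
              evaluate(order, rcpt, listed, ACCOUNT_CONTROL))
```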
