Your anchor is populated, at least for port 587. If you don't see any PF block 
based on this anchor, it might be a rule ordering problem. 
You must ensure your anchor is high enough in the ruleset (super-high, just 
below the default "block all" rule).


> On 9 Jun 2025, at 20:59, Doug Hardie <bc...@lafn.org> wrote:
> 
> On my mail server:
> 
> mail# blacklistctl dump -br | tail 
> 218.94.104.180/32:587 OK 3/3 4h12m17s
> 222.132.167.110/32:587 OK 3/3 1h59m1s
>   91.45.76.228/32:587 OK 3/3 5h1m53s
>    36.39.140.2/32:587 OK 3/3 5h9m34s
> 87.200.232.247/32:587 OK 6/3 4h3m9s
>  62.48.165.174/32:587 OK 99/3 8h37m15s
> 123.55.175.130/32:587 OK 4/3 8h15m35s
>  88.201.163.65/32:587 OK 4/3 4h20m37s
>  218.4.214.115/32:587 OK 15/3 58m17s
>  70.166.207.76/32:587 OK 13/3 8h21m19s
> 
> mail# blacklistctl dump -br | wc -l
>     704
> 
> mail# pfctl -a blacklistd/587 -t port587 -Ts | wc -l
>     609
> 
> The blacklisted IPs are in the pf tables.  However, pf is not blocking them.  
> Using the next to last address above:
> 
> mail# grep 218.4.214.115 /var/log/maillog
> Jun  9 10:21:57 mail postfix/postscreen[13719]: CONNECT from 
> [218.4.214.115]:55584 to [10.0.1.230]:25
> Jun  9 10:22:03 mail postfix/postscreen[13719]: PASS OLD [218.4.214.115]:55584
> Jun  9 10:22:03 mail postfix/smtpd[15137]: connect from unknown[218.4.214.115]
> Jun  9 10:22:09 mail postfix/smtpd[15137]: warning: unknown[218.4.214.115]: 
> SASL PLAIN authentication failed: (reason unavailable), 
> sasl_username=and...@lafn.org
> Jun  9 10:22:11 mail postfix/smtpd[15137]: NOQUEUE: lost connection after 
> AUTH from unknown[218.4.214.115]
> Jun  9 10:22:11 mail postfix/smtpd[15137]: disconnect from 
> unknown[218.4.214.115] ehlo=1 auth=0/1 commands=1/2
> 
> That address was entered into the pf table approximately at 1 pm on Jun 8 
> (using the remaining time of approximately 1 hour).  However, at 10 am on 9 
> Jun, it got through to postfix.  It should have been blocked.
> 
> 
> pfctl shows for the last rule:
> 
> @10 anchor "blacklistd/*" in on bge0 all
>  [ Evaluations: 102736    Packets: 0         Bytes: 0           States: 0     ]
>  [ Inserted: uid 0 pid 6053 State Creations: 0     ]
>  [ Last Active Time: N/A ]
> 
> pf is checking the tables, but not blocking anything.  I suspect the rule 
> (taken from the handbook for blacklistd) is the culprit.  However, I have no 
> idea how to correct that.
> 
> -- Doug
> 
>> On Jun 9, 2025, at 06:13, Patrick Proniewski <pat...@patpro.net> wrote:
>> 
>> Hello,
>> 
>>> On 9 Jun 2025, at 02:13, Doug Hardie via Postfix-users 
>>> <postfix-users@postfix.org> wrote:
>>> 
>>> I believe that pf is not properly blocking IPs that are supposedly blocked 
>>> by blacklistd.  In trying to test this, I am using postfix.  However, I 
>>> don't seem to be able to get postfix to call blacklistd.  The approach I am 
>>> using is to remove one of my machines from mynetworks using a !IPaddress.  
>>> That seems to work properly.  I send using telnet to port 25 and give it 
>>> non-local addresses.  Postfix responds with an appropriate snarky message.  
>>> However, traces of blacklistd show no calls for that address.  What are 
>>> the conditions when blacklistd is called?  Is it only for authentication 
>>> failures, as indicated on one web page?  How can I test pf with postfix?
>> 
>> 
>> Not sure I have a proper answer to your questions about testing, but you 
>> might want to double check /etc/blacklistd.conf. Especially to make sure 
>> your network is not «whitelisted».
>> 
>> Mine looks like this:
>> 
>> $ cat /etc/blacklistd.conf  
>> #
>> # Blacklist rule
>> # adr/mask:port type proto owner name nfail disable
>> [local]
>> ssh stream * * * 3 24h
>> ftp stream * * * 3 24h
>> smtp stream * * * 3 24h
>> submission stream * * * 3 24h
>> #6161 stream tcp6 christos * 2 10m
>> * * * * * 3 60
>> 
>> # adr/mask:port type proto owner name nfail disable
>> [remote]
>> #129.168.0.0/16 * * * = * *
>> #6161 = = = =/24 = =
>> #* stream tcp * = = =
>> 
>> Obviously the blacklistd service must be started and your pf.conf must have 
>> an anchor for rules injection:
>> 
>> anchor "blacklistd/*" in on $ext_if
>> 
>> I successfully block offenders, both on ports 25 and 587. Example for port 
>> 25:
>> 
>> $ sudo pfctl -a blacklistd/25 -t port25 -T show | wc -l
>>      13
>> 
>> 
>> patpro
> 
> 

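One way to check the rule ordering Patrick describes, as an added example that is not part of this thread: a small sh/awk function that reads a ruleset as printed by `pfctl -sr` and reports every `pass ... quick` rule for the protected ports that sits in front of the `blacklistd/*` anchor (such a rule matches first and ends evaluation, so the anchor's block rules are never consulted). The two rulesets below are constructed samples, not Doug's or Patrick's configuration.

```shell
#!/bin/sh
# Constructed sample of `pfctl -sr` output: the blacklistd anchor was appended
# at the end of pf.conf, after "pass in quick" rules for smtp and submission.
SAMPLE_RULES='block drop in all
pass out quick on bge0 all flags S/SA keep state
pass in quick on bge0 proto tcp from any to any port = 22 flags S/SA keep state
pass in quick on bge0 proto tcp from any to any port = 25 flags S/SA keep state
pass in quick on bge0 proto tcp from any to any port = 587 flags S/SA keep state
anchor "blacklistd/*" in on bge0 all'

# Same ruleset with the anchor moved up, directly below the default block rule.
FIXED_RULES='block drop in all
anchor "blacklistd/*" in on bge0 all
pass out quick on bge0 all flags S/SA keep state
pass in quick on bge0 proto tcp from any to any port = 25 flags S/SA keep state
pass in quick on bge0 proto tcp from any to any port = 587 flags S/SA keep state'

# check_anchor_order RULES PORT...
# Prints each "pass ... quick" rule that precedes the blacklistd anchor and
# mentions one of PORT...; those rules short-circuit evaluation before the
# anchor is reached.  Exit 0 = ordering fine, 1 = no anchor rule, 2 = bypasses.
check_anchor_order() {
    rules=$1; shift
    ports=$*
    printf '%s\n' "$rules" | awk -v ports="$ports" '
        BEGIN { n = split(ports, p, " ") }
        /^anchor "blacklistd\/\*"/ && !anchor { anchor = NR; next }
        !anchor && /^pass/ && / quick / {
            for (i = 1; i <= n; i++)
                if ($0 ~ ("port = " p[i] "([^0-9]|$)")) { bad++; print NR ": " $0; break }
        }
        END {
            if (!anchor) { print "no blacklistd anchor rule found"; exit 1 }
            if (bad) { print bad " pass-quick rule(s) precede the anchor at rule " anchor; exit 2 }
            print "anchor at rule " anchor " precedes all pass rules for ports " ports
        }'
}

check_anchor_order "$SAMPLE_RULES" 25 587 || echo "exit status: $?"  # rules 4 and 5 flagged, status 2
check_anchor_order "$FIXED_RULES" 25 587                             # anchor at rule 2, status 0
```

Against a live system, run it as `check_anchor_order "$(pfctl -sr)" 25 587`; it only reads the ruleset and changes nothing.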
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org