| Main Archive Page > Month Archives > postfix-users archives |
Re: CIDR
From: Duane Hill <duihi77_at_nospam>Date: Sun Dec 18 2011 - 10:49:28 GMT
To: postfix-users@postfix.org
On Sunday, December 18, 2011 at 08:41:48 UTC, tolga@ozses.net confabulated:
> On 18 December 2011 00:34, Stan Hoeppner <stan@hardwarefreak.com> wrote:
>> On 12/17/2011 2:32 PM, Ansgar Wiechers wrote:
>> > On 2011-12-17 Tolga wrote:
>> >> I've been getting a lot of Chinese spam. I've googled and come across
>> >> a guide that advises to use a cidr file and tell postfix to use it. I
>> >> got the file, edited it, and told postfix to use it. However, it
>> >> doesn't seem to be working (I tested it by putting in my own IP
>> >> address). How can I fix it? Below is my postconf -n:
>> >>
>> >> [root@bilgisayarciniz ~]# postconf -n
>> > [...]
>> >> smtpd_client_restrictions = check_client_access
>> >> cidr:/etc/postfix/sinokorea.cidr
>> >
>> > Move the check_client_access restriction to
>> $smtpd_recipient_restrictions.
>>
>> This alone won't help. The OP said he tested by plugging his own IP
>> address into the CIDR table. If he inserts this restriction after
>> permit_mynetworks his test still won't work. This is not a valid way to
>> test a CIDR table BTW.
>>
>> Tolga, first, are you certain this "Chinese spam" is coming from Chinese
>> IP addresses? Check your mail log for connections from one of these
>> addresses and confirm the IP is assigned to a Chinese entity, using the
>> whois command. Then plug that IP address into postmap and post the
>> output of that command here. For example, I block all Chinese IP space
>> using ipdeny.com lists in a CIDR table. A sample test of my CIDR table:
>>
>> /etc/postfix/cidr_files$ postmap -q 58.99.128.128 cidr:countries
>> REJECT Mail not accepted from China
>>
>> If you confirmed the IP is Chinese, and you have that Chinese network in
>> your CIDR table, and the postmap test is successful, you know the table
>> is working. If you get an error, post the error here. If the postmap
>> test is successful and you still aren't rejecting connections from
>> Chinese IP addresses then something else is wrong. One possible cause
>> is a NAT router that rewrites the source address of the TCP packet.
>> Your mail logs will tell you instantly if that is the case as all
>> connections will be from the same IP address on the private side of the
>> router. In that case a CIDR table is useless until you get a new router
>> that does NAT correctly.
>>
>> Last, it would be helpful if you post a link to your CIDR table, or at
>> least show 50 lines or so of its contents, so we can make sure you've
>> created it correctly. It should look something like this:
>>
>> Hi, I've confirmed that the IP is from China, using www.ip2location.com.
> My CIDR file is at www.bilgisayarciniz.org/sinokorea.cidr.txt
> When I plugged the IP into postmap like you said, I got an error
> postmap -q 60.190.223.61 sinokorea.cidr REJECT Mail not accepted from China
> postmap: fatal: open database REJECT.db: No such file or directory.
> Thanks for all the replies :)
You should just do:
postmap -q 60.190.223.61 cidr:sinokorea.cidr
from within the directory the map file is located. Otherwise, you
should include the full path to the file after the 'cidr:' part.
The 'REJECT Mail not accepted from China' part of Stan's response was
the response from his example postmap command. It wasn't something
for you to type in.
>> 58.14.0.0/15 REJECT Mail not accepted from China
>> 58.16.0.0/13 REJECT Mail not accepted from China
>> 58.24.0.0/15 REJECT Mail not accepted from China
>> 58.30.0.0/15 REJECT Mail not accepted from China
>> 58.32.0.0/11 REJECT Mail not accepted from China
>> 58.66.0.0/15 REJECT Mail not accepted from China
>> 58.68.128.0/17 REJECT Mail not accepted from China
>> 58.82.0.0/15 REJECT Mail not accepted from China
>> 58.87.64.0/18 REJECT Mail not accepted from China
>> 58.99.128.0/17 REJECT Mail not accepted from China
>> 58.100.0.0/15 REJECT Mail not accepted from China
>> 58.116.0.0/14 REJECT Mail not accepted from China
>> 58.128.0.0/13 REJECT Mail not accepted from China
>> 58.144.0.0/16 REJECT Mail not accepted from China
>> 58.154.0.0/15 REJECT Mail not accepted from China
>> 58.192.0.0/11 REJECT Mail not accepted from China
>> 58.240.0.0/12 REJECT Mail not accepted from China
>>
>> --
>> Stan
>>
-- If at first you don't succeed, so much for skydiving.