Loading ...
Sorry, an error occurred while loading the content.

Re: smtpd_client_restrictions = reject_unauth_pipelining weirdness

Expand Messages
  • Wietse Venema
    ... That s a bug. As of Postfix 2.6, reject_unauth_pipelining works only after the Postfix SMTP server has read input. I am currently too busy with real work
    Message 1 of 7 , Jul 28, 2013
    • 0 Attachment
      Jeffrey 'jf' Lim:
      > > Allow me to repeat my reply above:
      > >
      > > Current reject_unauth_pipelining implementations [...] don't reject
      > > clients that talk before Postfix greets them.
      > >
      > > To reject clients that talk before Postfix greets them, use
      > > Postscreen's pregreet detection feature.
      > >
      >
      > Yes, I got that.
      >
      > I also highlighted another question/issue I have in the 2nd part of my
      > question, where the pipelining occurs *after* ehlo/helo. In that case,
      > smtpd_delay_reject set to 'no' does not work. Should that be expected
      > behaviour?

      That's a bug. As of Postfix 2.6, reject_unauth_pipelining works
      only after the Postfix SMTP server has read input. I am currently
      too busy with real work to fix that.

      If you must block clients that talk too soon, use postscreen. It
      does a much better job, and it even has a trick to make buggy
      clients talk too soon.

      Wietse
    • Jeffrey 'jf' Lim
      ... I see. Thanks for the confirmation! ... gotcha. thanks, -jf -- He who settles on the idea of the intelligent man as a static entity only shows himself to
      Message 2 of 7 , Jul 28, 2013
      • 0 Attachment
        On Mon, Jul 29, 2013 at 4:51 AM, Wietse Venema <wietse@...> wrote:
        > Jeffrey 'jf' Lim:
        >> > Allow me to repeat my reply above:
        >> >
        >> > Current reject_unauth_pipelining implementations [...] don't reject
        >> > clients that talk before Postfix greets them.
        >> >
        >> > To reject clients that talk before Postfix greets them, use
        >> > Postscreen's pregreet detection feature.
        >> >
        >>
        >> Yes, I got that.
        >>
        >> I also highlighted another question/issue I have in the 2nd part of my
        >> question, where the pipelining occurs *after* ehlo/helo. In that case,
        >> smtpd_delay_reject set to 'no' does not work. Should that be expected
        >> behaviour?
        >
        > That's a bug. As of Postfix 2.6, reject_unauth_pipelining works
        > only after the Postfix SMTP server has read input. I am currently
        > too busy with real work to fix that.
        >

        I see. Thanks for the confirmation!


        > If you must block clients that talk too soon, use postscreen. It
        > does a much better job, and it even has a trick to make buggy
        > clients talk too soon.
        >

        gotcha.

        thanks,
        -jf

        --
        He who settles on the idea of the intelligent man as a static entity
        only shows himself to be a fool.

        "Every nonfree program has a lord, a master --
        and if you use the program, he is your master."
        --Richard Stallman
      Your message has been successfully submitted and would be delivered to recipients shortly.