Re[2]: how to block connections at TCP level?

=FA=C4=D2=C1=D7=D3=D4=D7=D5=CA=D4=C5, Greg.

=F7=D9 =D0=C9=D3=C1=CC=C9 9 =C6=C5=D7=D2=C1=CC=D1 2004 =C7., 23:17:44:

GAW> [ On Monday, February 9, 2004 at 18:49:32 (+0100), Tony Earnshaw wro=
te: ]
>> Subject: Re: how to block connections at TCP level?
>>
>> Postfix can not refuse at TCP level (OSI level 3). Your firewall can. =
An
>> alternative might be Wietse's tcp wrappers.

GAW> TCP Wrappers doesn't block at the TCP level -- In most TCP network
GAW> stacks the connection must be accepted before an application can
GAW> identify its source.

GAW> Besides, Postfix doesn't (and should not) use TCP Wrappers -- it has
GAW> much better SMTP-compatible client restrictions built into it.

Yes, surely. But when restriction is applyed at "recipient check" stage, =
the session is already established, and some bytes of traffic was sent an=
d received. Even when restriction triggers at "client check" stage, postf=
ix sends something like "554 service not available" and eats bytes of tra=
ffic.

You can say, "it is only about two dozens of bytes". Yes. One of my boxes=
that received 10 non-spam messages last month have 6 Gigs (!) of traffic=
.. Useless spam traffic.

Maybe at least "DISCONNECT" action in postfix maps may be implemented, wh=
ich, when triggered, disconnects client immediately.

Best wishes,
Igor Lidin