This is a discussion on Re[2]: how to block connections at TCP level? within the mailing.postfix.users forums, part of the Mail Servers and Related category.

>> Is there any possibility to block incoming SMTP connections to port
>> 25 controlled by postfix at TCP level (e.g. refuse connection or at
>> least disconnect immediately) using filtering rules already supported by
>> postfix - cidr maps, tcp maps, dnsbl checks and so on?

TE> Postfix can not refuse at TCP level (OSI level 3). Your firewall can. An
TE> alternative might be Wietse's tcp wrappers.

Sadly, a firewall CAN NOT refuse a connection using a DNSBL check on the originating address.

>> It is needed because of huge traffic amount that is eaten by useless
>> spam connections (e.g. from *.ipt.aol.com) that are filtered anyway at
>> "client" stage.
>>
>> It may be implemented as something like smtpd_tcp_restrictions configuration variable.

TE> Don't see how. I block via Postfix using smtpd_recipient_restrictions.
TE> That works fine for me (at the moment I'm blocking up to 40% of all MAIL
TE> FROM:/RCPT TO: offerings), but YMMV. BTW, this has risen from around
TE> 10-15% within the last week.

When you block at this stage, some amount of traffic has already passed. Ideally (for me), postfix should refuse connections from, say, dynamically allocated IPs using some blacklist. Practically, I think, at least some sort of DISCONNECT action in maps can be implemented to reduce the amount of traffic used by useless connections.

Best wishes,
Igor Lidin
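
One way to approximate the TCP-level refusal asked for above, as an added example that is not part of the original post: let Postfix keep doing the DNSBL check, then read its reject log and turn repeat offenders into firewall rules that refuse port 25. The log lines, `dnsbl.example.org`, the addresses and the `min_hits` threshold are constructed assumptions; the sketch handles IPv4 only.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the usual Postfix smtpd reject-log shape (not from the thread).
# dnsbl.example.org and every address below are placeholders.
SAMPLE_LOG = """\
Jan 10 03:12:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using dnsbl.example.org; from=<a@example.com> to=<u@example.net> proto=SMTP helo=<x>
Jan 10 03:12:09 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using dnsbl.example.org; from=<b@example.com> to=<u@example.net> proto=SMTP helo=<x>
Jan 10 03:13:40 mx postfix/smtpd[2107]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 554 5.7.1 Service unavailable; Client host [192.0.2.11] blocked using dnsbl.example.org; from=<c@example.com> to=<u@example.net> proto=SMTP helo=<y>
Jan 10 03:13:55 mx postfix/smtpd[2107]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 554 5.7.1 Service unavailable; Client host [192.0.2.11] blocked using dnsbl.example.org; from=<c@example.com> to=<v@example.net> proto=SMTP helo=<y>
Jan 10 03:14:20 mx postfix/smtpd[2109]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using dnsbl.example.org; from=<d@example.com> to=<u@example.net> proto=SMTP helo=<z>
Jan 10 03:15:02 mx postfix/smtpd[2110]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <nobody@example.net>: Recipient address rejected: User unknown in local recipient table; from=<e@example.com> to=<nobody@example.net> proto=SMTP helo=<w>
Jan 10 03:15:09 mx postfix/smtpd[2110]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <nobody@example.net>: Recipient address rejected: User unknown in local recipient table; from=<e@example.com> to=<nobody@example.net> proto=SMTP helo=<w>
"""

# Match only permanent (5xx) rejects that Postfix attributes to a DNSBL.
DNSBL_REJECT = re.compile(
    r"reject: \w+ from \S+\[(\d{1,3}(?:\.\d{1,3}){3})\]: 5\d\d .*?blocked using ([\w.-]+);"
)

def dnsbl_offenders(log_text, min_hits=2):
    """Return client IPs (as strings) rejected via DNSBL at least min_hits times."""
    hits = Counter()
    for line in log_text.splitlines():
        m = DNSBL_REJECT.search(line)
        if m:
            hits[m.group(1)] += 1
    offenders = [ip for ip, n in hits.items() if n >= min_hits]
    return sorted(offenders, key=ipaddress.ip_address)

def firewall_rules(ips):
    """Collapse adjacent addresses into CIDR blocks and emit one rule per block."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(f"{ip}/32") for ip in ips)
    # REJECT with tcp-reset refuses the connection before any SMTP bytes are exchanged.
    return [
        f"iptables -I INPUT -p tcp --dport 25 -s {net} -j REJECT --reject-with tcp-reset"
        for net in nets
    ]

if __name__ == "__main__":
    print("\n".join(firewall_rules(dnsbl_offenders(SAMPLE_LOG))))
```

The first connections from a listed host still reach Postfix, since the firewall only learns about it from the log. Rules generated this way should be expired periodically so that delisted addresses are not refused indefinitely.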