[prev in list] [next in list] [prev in thread] [next in thread] 

List:       postfix-users
Subject:    Re: smtpd_client_restrictions = reject_unauth_pipelining weirdness
From:       "Jeffrey 'jf' Lim" <jfs.world () gmail ! com>
Date:       2013-07-29 3:06:31
Message-ID: CAE4WMGjhXWLv+UvGR9sert94m3WGH8rUv6CPHCNE3oW-UMKhKA () mail ! gmail ! com
[Download RAW message or body]

On Mon, Jul 29, 2013 at 4:51 AM, Wietse Venema <wietse@porcupine.org> wrote:
> Jeffrey 'jf' Lim:
>> > Allow me to repeat my reply above:
>> >
>> > Current reject_unauth_pipelining implementations [...] don't reject
>> > clients that talk before Postfix greets them.
>> >
>> > To reject clients that talk before Postfix greets them, use
>> > Postscreen's pregreet detection feature.
>> >
>>
>> Yes, I got that.
>>
>> I also highlighted another question/issue I have in the 2nd part of my
>> question, where the pipelining occurs *after* ehlo/helo. In that case,
>> smtpd_delay_reject set to 'no' does not work. Should that be expected
>> behaviour?
>
> That's a bug. As of Postfix 2.6, reject_unauth_pipelining works
> only after the Postfix SMTP server has read input. I am currently
> too busy with real work to fix that.
>

I see. Thanks for the confirmation!


> If you must block clients that talk too soon, use postscreen. It
> does a much better job, and it even has a trick to make buggy
> clients talk too soon.
>

gotcha.

thanks,
-jf

--
He who settles on the idea of the intelligent man as a static entity
only shows himself to be a fool.

"Every nonfree program has a lord, a master --
and if you use the program, he is your master."
    --Richard Stallman
[prev in list] [next in list] [prev in thread] [next in thread]