Re: Block/allow incoming IP only for SOME domains

  • Noel Jones
    Message 1 of 4 , Jul 23, 2010
      On 7/23/2010 4:11 PM, Denis BUCHER wrote:
      > Hello Brian,
      >
      > Le 23.07.2010 16:49, Brian Evans - Postfix List a écrit :
      >>> Yesterday I succeeded in blocking some IP (or more
      >>> exactly allowing
      >>> only some) to connect to one of my server and send email
      >>> via SMTP.
      >>>
      >>> Now for another server, I need something a little more
      >>> complicated and
      >>> I would be happy if someone could direct me to the right
      >>> method.
      >>>
      >>> I would like to activate this functionality ONLY for some
      >>> domains :
      >>> * Some (recipient) domains should accept emails from any IP
      >>> * Some other (recipient) domains should accept emails only
      >>> from IP in
      >>> the list
      >>>
      >>> This is my working config to allow emails only from some
      >>> IP, for all
      >>> domains :
      >>>
      >>> > 1. Added this in main.cf :
      >>> > smtpd_client_restrictions = check_client_access
      >>> cidr:/etc/postfix/access
      >>> >
      >>> > 2. Added this to /etc/postfix/access :
      >>> > 216.82.240.0/20 OK
      >>> > 213.213.213.213 REJECT
      >>> >
      >>> > 3. Command line :
      >>> > postmap access
      >>> > /etc/init.d/postfix reload
      >>>
      >>> How can I therefore decide for which domains this config is
      >>> active and
      >>> for which domains all incoming IP are accepted ?
      >> Easy example, more can be found at
      >> http://www.postfix.org/RESTRICTION_CLASS_README.html
      >> (Note, you may wish to make the cidr access table name
      >> something more
      >> informative to you. Postfix does not require it to be called
      >> access).
      >>
      >> denybyip = check_client_access cidr:/etc/postfix/access
      >> smtpd_restriction_classes = denybyip
      >> smtpd_recipient_restrictions =
      >> permit_mynetworks,
      >> reject_unauth_destination,
      >> ....
      >> check_recipient_access hash:/etc/postfix/domainipcheck
      >>
      >>
      >> /etc/postfix/domainipcheck:
      >>
      >> example.com denybyip
      >> example.net denybyip
      >
      > Thank you very much ! I tried your suggestion, with a small
      > change, "smtpd_client_restrictions" instead of
      > smtpd_recipient_restrictions and it seems to be working very
      > well.
      >
      > But now I have another problem, with that config, I have a
      > problem, it's not possible to send emails anymore, because
      > something is missing : we should allow any authenticated user
      > to send emails ? Something like permit_auth_users ?
      >
      > Should I simply add "permit_sasl_authenticated,
      > permit_mynetworks," BEFORE check_recipient_access
      > hash:/etc/postfix/domainipcheck ?
      >
      > (I think it is correct because I tried and it seems to work,
      > but I prefer to have your confirmation)
      >

      Yes, that's the correct solution, but it must be in
      smtpd_recipient_restrictions. Make sure you leave
      smtpd_delay_reject at the default "yes" value for this to work
      correctly.

      -- Noel Jones
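
The setup this thread converges on, consolidated as an added example (not text from any of the posters). File and class names follow the thread; the final `0.0.0.0/0 REJECT` line is an assumption added here to express "only from IPs in the list" for the selected domains.

```cfg
# ---- /etc/postfix/main.cf ----
# Restriction class: the client IP check runs only when a lookup returns "denybyip".
smtpd_restriction_classes = denybyip
denybyip = check_client_access cidr:/etc/postfix/access

# Default value, left unchanged as the reply advises.
smtpd_delay_reject = yes

# Own networks and authenticated users are permitted first, so submission keeps
# working. reject_unauth_destination comes before the per-domain lookup, so an
# "OK" from the cidr table can never turn the server into an open relay.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/domainipcheck

# ---- /etc/postfix/domainipcheck ----
# hash: table, so rebuild it after every edit: postmap /etc/postfix/domainipcheck
# Recipient domains listed here get the IP check; all other domains skip it.
example.com    denybyip
example.net    denybyip

# ---- /etc/postfix/access ----
# cidr: table, read as plain text (no postmap needed); first matching line wins.
216.82.240.0/20    OK
# Assumption: catch-all so that unlisted IPv4 clients are refused for these domains.
0.0.0.0/0          REJECT
```

After `postfix reload`, the lookups can be checked without sending mail: `postmap -q example.com hash:/etc/postfix/domainipcheck` should print `denybyip`, and `postmap -q 216.82.240.1 cidr:/etc/postfix/access` should print `OK`.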