
Isolating SMTP to a single band of 8 IP's

  • Keith Steensma
    Message 1 of 6 , Nov 2, 2011
      It's been a long time since I have participated in this list (goes to show how good Postfix is when it can run for years with so few problems).  Our company has decided to start using an outside SPAM filtering service. Overall, this is doing a very good job.  But we are getting SPAM directly into our system and I need to block all outside SMTP connections except the connections from a group of 8 IP addresses.

           CIDR notation: 199.89.0.0/21
           Netmask notation: 199.89.0.0 with a netmask of 255.255.248.0
           Address range: 199.89.0.0 through 199.89.7.255


      I tried (from "Getting selective with SMTP access restriction lists" web page)

      smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
      mynetworks = 127.0.0.0/8, 192.168.1.0/24, 199.89.0.0/21

      But that only solved half the problem.  Mail is still getting in from IP's (like from 203.200.235.214 by 125.160.50.143)

      Can anyone offer a suggestion how to fix this problem the right way?

      Keith Steensma

    • Noel Jones
      Message 2 of 6 , Nov 2, 2011
        On 11/2/2011 10:43 AM, Keith Steensma wrote:
        > It's been a long time since I have participated in this list (goes
        > to show how good Postfix is when it can run for years with so few
        > problems). Our company has decided to start using an outside SPAM
        > filtering service. Overall, this is doing a very good job. But we
        > are getting SPAM directly into our system and I need to block all
        > outside SMTP connections except the connections from a group of 8 IP
        > addresses.
        >
        > CIDR notation: 199.89.0.0/21
        > Netmask notation: 199.89.0.0 with a netmask of 255.255.248.0
        > Address range: 199.89.0.0 through 199.89.7.255
        >
        > I tried (from "Getting selective with SMTP access restriction lists"
        > web page)
        >
        > smtpd_recipient_restrictions = permit_mynetworks,
        > reject_unauth_destination


        Just replace "reject_unauth_destination" with "reject" and you're
        good to go.



        -- Noel Jones



        > mynetworks = 127.0.0.0/8, 192.168.1.0/24, 199.89.0.0/21
        >
        > But that only solved half the problem. Mail is still getting in
        > from IP's (like from 203.200.235.214 by 125.160.50.143)
        >
        > Can anyone offer a suggestion how to fix this problem the right way?
        >
        > Keith Steensma
        >
      • Charles Marcus
        Message 3 of 6 , Nov 2, 2011
          On 2011-11-02 11:43 AM, Keith Steensma <keith@...> wrote:
          > It's been a long time since I have participated in this list (goes to
          > show how good Postfix is when it can run for years with so few
          > problems). Our company has decided to start using an outside SPAM
          > filtering service. Overall, this is doing a very good job. But we are
          > getting SPAM directly into our system and I need to block all outside
          > SMTP connections except the connections from a group of 8 IP addresses.
          >
          > CIDR notation: 199.89.0.0/21
          > Netmask notation: 199.89.0.0 with a netmask of 255.255.248.0
          > Address range: 199.89.0.0 through 199.89.7.255
          >
          > I tried (from "Getting selective with SMTP access restriction lists" web
          > page)
          >
          > smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
          > mynetworks = 127.0.0.0/8, 192.168.1.0/24, 199.89.0.0/21
          >
          > But that only solved half the problem. Mail is still getting in from
          > IP's (like from 203.200.235.214 by 125.160.50.143)
          >
          > Can anyone offer a suggestion how to fix this problem the right way?

          We use webroot for anti-spam filtering...

          Do it with check_client_access restriction like so:

          smtpd_recipient_restrictions = permit_mynetworks,
              permit_sasl_authenticated, reject_unauth_destination,
              check_client_access cidr:/etc/postfix/maps/cidr/allowed_clients.cidr,
              etc...

          where allowed_clients.cidr contains something like:

          # allow webmail/localhost
          #
          127.0.0.1 permit
          192.168.1.4 permit
          192.168.1.250 permit
          #
          # allowed IP blocks, with subsequent checks
          #
          # to disallow subsequent checks, use permit_auth_destination instead of
          # dunno
          #
          # webroot netblocks
          208.87.136.0/23 dunno
          203.100.58.0/24 dunno
          194.116.198.0/23 dunno
          #
          # reject all clients not matching anything above, and be damn sure
          # to comment out the last reject under recipient_restrictions
          #
          0.0.0.0/0 reject unauthorized client, please use our MX

          That last line is what blocks all other connections from unapproved hosts.

          I also duplicate this on our firewall, just for an added layer of
          protection.

          --

          Best regards,

          Charles
        • Reindl Harald
          Message 4 of 6 , Nov 2, 2011
            On 02.11.2011 16:43, Keith Steensma wrote:
            > It's been a long time since I have participated in this list (goes to show how good Postfix is when it can run for
            > years with so few problems). Our company has decided to start using an outside SPAM filtering service. Overall,
            > this is doing a very good job. But we are getting SPAM directly into our system and I need to block all outside
            > SMTP connections except the connections from a group of 8 IP addresses

            what about closing port 25 via iptables, opening it only for the spamfilter IPs,
            and letting customers use only port 587 (submission) with smtp-auth?
          • /dev/rob0
            Message 5 of 6 , Nov 2, 2011
              On Wednesday 02 November 2011 10:43:35 Keith Steensma wrote:
              > It's been a long time since I have participated in this list (goes
              > to show how good Postfix is when it can run for years with so few
              > problems). Our company has decided to start using an outside SPAM
              > filtering service. Overall, this is doing a very good job. But we
              > are getting SPAM directly into our system and I need to block all
              > outside SMTP connections except the connections from a group of 8
              > IP addresses.
              >
              > CIDR notation: 199.89.0.0/21
              > Netmask notation: 199.89.0.0 with a netmask of 255.255.248.0
              > Address range: 199.89.0.0 through 199.89.7.255

              That is of course much more than 8 addresses, that is 8 * 256. But no
              matter.

              > I tried (from "Getting selective with SMTP access restriction
              > lists" web page)
              >
              > smtpd_recipient_restrictions = permit_mynetworks,
              > reject_unauth_destination
              > mynetworks = 127.0.0.0/8, 192.168.1.0/24, 199.89.0.0/21
              >
              > But that only solved half the problem. Mail is still getting in
              > from IP's (like from 203.200.235.214 by 125.160.50.143)
              >
              > Can anyone offer a suggestion how to fix this problem the right
              > way?

              main.cf :

              smtpd_recipient_restrictions = permit_mynetworks,
                  reject_unauth_destination
                  check_client_access cidr:/path/to/filter_hosts, reject

              /path/to/filter_hosts :
              199.89.0.0/21 permit_auth_destination
              0.0.0.0/0 REJECT Please use the MX host

              Being a bit slow on the draw this morning I see that Charles has
              suggested fundamentally the same thing, just done differently.
              --
              Offlist mail to this address is discarded unless
              "/dev/rob0" or "not-spam" is in Subject: header
            • Keith Steensma
              Message 6 of 6 , Nov 2, 2011
                The original message from the company said 'It's a block of 8 Class C networks'.  I (just) read things wrong.  And said (to myself), 'self', that's 8 ip's, right, right! (Dumb!!)  Thanks to all.

                Keith
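
An added example, not part of any post in this thread: a small Python model of how Postfix walks smtpd_recipient_restrictions, run against the original settings from the first message and the cidr-map configuration /dev/rob0 posted. The recipient domains example.com and example.net, the client 199.89.3.10 and all function names are assumptions for illustration, and the model covers only the restrictions named in the thread.

```python
import ipaddress

LOCAL_NETS = ["127.0.0.0/8", "192.168.1.0/24"]
FILTER_NET = "199.89.0.0/21"        # filtering service block from the thread
FILTER_BLOCK_SIZE = ipaddress.ip_network(FILTER_NET).num_addresses  # 8 * 256
LOCAL_DOMAINS = {"example.com"}     # assumption: domain this server accepts mail for

# /path/to/filter_hosts as posted; a cidr: table returns the first matching line
FILTER_HOSTS = [(FILTER_NET, "permit_auth_destination"),
                ("0.0.0.0/0", "REJECT Please use the MX host")]

# (restriction list, mynetworks) for the two configurations in the thread
ORIGINAL = (["permit_mynetworks", "reject_unauth_destination"],
            LOCAL_NETS + [FILTER_NET])
CIDR_MAP = (["permit_mynetworks", "reject_unauth_destination",
             "check_client_access", "reject"], LOCAL_NETS)

def matches(client, nets):
    ip = ipaddress.ip_address(client)
    return any(ip in ipaddress.ip_network(n) for n in nets)

def cidr_lookup(table, client):
    for net, action in table:
        if matches(client, [net]):
            return action
    return "DUNNO"

def evaluate(config, client, rcpt_domain):
    """Walk the list left to right; the first PERMIT or REJECT decides."""
    restrictions, mynetworks = config
    local = rcpt_domain in LOCAL_DOMAINS
    for r in restrictions:
        if r == "check_client_access":
            r = cidr_lookup(FILTER_HOSTS, client)  # table result stands in for the check
        word = r.split()[0].lower()
        if word == "permit_mynetworks" and matches(client, mynetworks):
            return "PERMIT"
        if word == "reject_unauth_destination" and not local:
            return "REJECT"
        if word == "permit_auth_destination" and local:
            return "PERMIT"
        if word in ("permit", "reject"):
            return word.upper()
    return "PERMIT"  # nothing decided: reaching the end of the list permits

if __name__ == "__main__":
    for client, dom in (("203.200.235.214", "example.com"), ("199.89.3.10", "example.net")):
        print(client, dom, evaluate(ORIGINAL, client, dom), evaluate(CIDR_MAP, client, dom))
```

The second case printed shows a side effect of listing the filter's block in mynetworks: permit_mynetworks lets those hosts relay to any destination, which permit_auth_destination in the cidr table avoids.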
