
Re: Isolating SMTP to a single band of 8 IP's

  • Charles Marcus
    Message 1 of 6 , Nov 2, 2011
      On 2011-11-02 11:43 AM, Keith Steensma <keith@...> wrote:
      > It's been a long time since I have participated in this list (goes to
      > show how good Postfix is when it can run for years with so few
      > problems). Our company has decided to start using an outside SPAM
      > filtering service. Overall, this is doing a very good job. But we are
      > getting SPAM directly into our system and I need to block all outside
      > SMTP connections except the connections from a group of 8 IP addresses.
      >
      > CIDR notation: 199.89.0.0/21
      > Netmask notation: 199.89.0.0 with a netmask of 255.255.248.0
      > Address range: 199.89.0.0 through 199.89.7.255
      >
      > I tried (from "Getting selective with SMTP access restriction lists" web
      > page)
      >
      > smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
      > mynetworks = 127.0.0.0/8, 192.168.1.0/24, 199.89.0.0/21
      >
      > But that only solved half the problem. Mail is still getting in
      > from IP's (like from 203.200.235.214 by 125.160.50.143)
      >
      > Can anyone offer a suggestion how to fix this problem the right way?

      We use webroot for anti-spam filtering...

      Do it with check_client_access restriction like so:

      smtpd_recipient_restrictions = permit_mynetworks,
      permit_sasl_authenticated, reject_unauth_destination,
      check_client_access cidr:/etc/postfix/maps/cidr/allowed_clients.cidr,
      etc...

      where allowed_clients.cidr contains something like:

      # allow webmail/localhost
      #
      127.0.0.1 permit
      192.168.1.4 permit
      192.168.1.250 permit
      #
      # allowed IP blocks, with subsequent checks
      #
      # to disallow subsequent checks, use permit_auth_destination instead of
      # dunno
      #
      # webroot netblocks
      208.87.136.0/23 dunno
      203.100.58.0/24 dunno
      194.116.198.0/23 dunno
      #
      # reject all clients not matching anything above, and be damn sure
      # to comment out the last reject under recipient_restrictions
      #
      0.0.0.0/0 reject unauthorized client, please use our MX

      That last line is what blocks all other connections from unapproved hosts.

      I also duplicate this on our firewall, just for an added layer of
      protection.

      --

      Best regards,

      Charles
    • Reindl Harald
      Message 2 of 6 , Nov 2, 2011
        On 02.11.2011 16:43, Keith Steensma wrote:
        > It's been a long time since I have participated in this list (goes to show how good Postfix is when it can run for
        > years with so few problems). Our company has decided to start using an outside SPAM filtering service. Overall,
        > this is doing a very good job. But we are getting SPAM directly into our system and I need to block all outside
        > SMTP connections except the connections from a group of 8 IP addresses

        What about closing port 25 via iptables, opening it only for the spam filter IPs,
        and letting customers use only port 587 (submission) with SMTP auth?
      • /dev/rob0
        Message 3 of 6 , Nov 2, 2011
          On Wednesday 02 November 2011 10:43:35 Keith Steensma wrote:
          > It's been a long time since I have participated in this list (goes
          > to show how good Postfix is when it can run for years with so few
          > problems). Our company has decided to start using an outside SPAM
          > filtering service. Overall, this is doing a very good job. But we
          > are getting SPAM directly into our system and I need to block all
          > outside SMTP connections except the connections from a group of 8
          > IP addresses.
          >
          > CIDR notation: 199.89.0.0/21
          > Netmask notation: 199.89.0.0 with a netmask of 255.255.248.0
          > Address range: 199.89.0.0 through 199.89.7.255

          That is of course much more than 8 addresses, that is 8 * 256. But no
          matter.

          > I tried (from "Getting selective with SMTP access restriction
          > lists" web page)
          >
          > smtpd_recipient_restrictions = permit_mynetworks,
          > reject_unauth_destination
          > mynetworks = 127.0.0.0/8, 192.168.1.0/24, 199.89.0.0/21
          >
          > But that only solved half the problem. Mail is still getting in
          > from IP's (like from 203.200.235.214 by 125.160.50.143)
          >
          > Can anyone offer a suggestion how to fix this problem the right
          > way?

          main.cf :

          smtpd_recipient_restrictions = permit_mynetworks,
          reject_unauth_destination
          check_client_access cidr:/path/to/filter_hosts, reject

          /path/to/filter_hosts :
          199.89.0.0/21 permit_auth_destination
          0.0.0.0/0 REJECT Please use the MX host

          Being a bit slow on the draw this morning I see that Charles has
          suggested fundamentally the same thing, just done differently.
          --
          Offlist mail to this address is discarded unless
          "/dev/rob0" or "not-spam" is in Subject: header
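
The restriction lists discussed above, modeled as an added example (not code from the thread or from Postfix): it walks the original and the suggested `smtpd_recipient_restrictions` left to right for several client addresses. The recipient domain `example.com` and the reduction of "authorized destination" to a set of local domains are assumptions made for the illustration.

```python
import ipaddress

LOCAL_DOMAINS = {"example.com"}                      # assumption: the site's own domain
MYNETWORKS = ["127.0.0.0/8", "192.168.1.0/24"]
ORIG_MYNETWORKS = MYNETWORKS + ["199.89.0.0/21"]     # as in the question
# /path/to/filter_hosts from the reply above, in file order
FILTER_HOSTS = [
    ("199.89.0.0/21", "permit_auth_destination"),
    ("0.0.0.0/0", "REJECT Please use the MX host"),
]
ORIGINAL = ["permit_mynetworks", "reject_unauth_destination"]
FIXED = ORIGINAL + ["check_client_access", "reject"]

def in_nets(client, nets):
    ip = ipaddress.ip_address(client)
    return any(ip in ipaddress.ip_network(n) for n in nets)

def cidr_lookup(client, table):
    """First matching CIDR entry wins; no match means no opinion (dunno)."""
    for net, action in table:
        if in_nets(client, [net]):
            return action
    return "dunno"

def evaluate(restrictions, client, rcpt_domain, mynetworks):
    """Walk the list left to right; the first permit or reject decides."""
    local = rcpt_domain in LOCAL_DOMAINS
    for r in restrictions:
        if r == "check_client_access":
            r = cidr_lookup(client, FILTER_HOSTS)   # table result replaces the check
        if r == "permit_mynetworks" and in_nets(client, mynetworks):
            return "permit"
        if r == "permit_auth_destination" and local:
            return "permit"
        if r == "reject_unauth_destination" and not local:
            return "reject"
        if r.split()[0].upper() == "REJECT":
            return "reject"
    return "permit"   # nothing decided: the recipient is accepted

if __name__ == "__main__":
    print(ipaddress.ip_network("199.89.0.0/21").num_addresses)   # size of the /21
    for client in ("203.200.235.214", "199.89.3.10", "199.89.8.1", "192.168.1.5"):
        print(client,
              evaluate(ORIGINAL, client, "example.com", ORIG_MYNETWORKS),
              evaluate(FIXED, client, "example.com", MYNETWORKS))
```

With the original list, a client outside `mynetworks` sending to a local domain reaches the end of the list undecided and is accepted, which is the "half the problem" the question describes.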
        • Keith Steensma
          Message 4 of 6 , Nov 2, 2011
            The original message from the company said 'It's a block of 8 Class C networks'.  I (just) read things wrong.  And said (to myself), 'self', that's 8 ip's, right, right! (Dumb!!)  Thanks to all.

            Keith

            On 11/2/2011 11:00 AM, /dev/rob0 wrote:
            > On Wednesday 02 November 2011 10:43:35 Keith Steensma wrote:
            > > It's been a long time since I have participated in this list (goes
            > > to show how good Postfix is when it can run for years with so few
            > > problems).  Our company has decided to start using an outside SPAM
            > > filtering service. Overall, this is doing a very good job.  But we
            > > are getting SPAM directly into our system and I need to block all
            > > outside SMTP connections except the connections from a group of 8
            > > IP addresses.
            > >
            > > CIDR notation: 199.89.0.0/21
            > > Netmask notation: 199.89.0.0 with a netmask of 255.255.248.0
            > > Address range: 199.89.0.0 through 199.89.7.255
            >
            > That is of course much more than 8 addresses, that is 8 * 256. But no
            > matter.
            >
            > > I tried (from "Getting selective with SMTP access restriction
            > > lists" web page)
            > >
            > > smtpd_recipient_restrictions = permit_mynetworks,
            > > reject_unauth_destination
            > > mynetworks = 127.0.0.0/8, 192.168.1.0/24, 199.89.0.0/21
            > >
            > > But that only solved half the problem.  Mail is still getting in
            > > from IP's (like from 203.200.235.214 by 125.160.50.143)
            > >
            > > Can anyone offer a suggestion how to fix this problem the right
            > > way?
            >
            > main.cf :
            >
            > smtpd_recipient_restrictions = permit_mynetworks,
            >     reject_unauth_destination
            >     check_client_access cidr:/path/to/filter_hosts, reject
            >
            > /path/to/filter_hosts :
            > 199.89.0.0/21    permit_auth_destination
            > 0.0.0.0/0        REJECT Please use the MX host
            >
            > Being a bit slow on the draw this morning I see that Charles has
            > suggested fundamentally the same thing, just done differently.
            