
Re: Isolating SMTP to a single band of 8 IP's

  • Reindl Harald
    Message 1 of 6 , Nov 2, 2011
      Am 02.11.2011 16:43, schrieb Keith Steensma:
      > It's been a long time since I have participated in this list (goes to show how good Postfix is when it can run for
      > years with so few problems). Our company has decided to start using an outside SPAM filtering service. Overall,
      > this is doing a very good job. But we are getting SPAM directly into our system and I need to block all outside
      > SMTP connections except the connections from a group of 8 IP address'

      what about close port 25 via iptables and open only for the spamfilter-ips
      and let customers only use port 587 (submission) with smtp-auth?
    • /dev/rob0
      Message 2 of 6 , Nov 2, 2011
        On Wednesday 02 November 2011 10:43:35 Keith Steensma wrote:
        > It's been a long time since I have participated in this list (goes
        > to show how good Postfix is when it can run for years with so few
        > problems). Our company has decided to start using an outside SPAM
        > filtering service. Overall, this is doing a very good job. But we
        > are getting SPAM directly into our system and I need to block all
        > outside SMTP connections except the connections from a group of 8
        > IP address'.
        >
        > CIDR notation: 199.89.0.0/21
        > Netmask notation: 199.89.0.0 with a netmask of 255.255.248.0
        > Address range: 199.89.0.0 through 199.89.7.255

        That is of course much more than 8 addresses, that is 8 * 256. But no
        matter.

        > I tried (from "Getting selective with SMTP access restriction
        > lists" web page)
        >
        > smtpd_recipient_restrictions = permit_mynetworks,
        > reject_unauth_destination
        > mynetworks = 127.0.0.0/8, 192.168.1.0/24, 199.89.0.0/21
        >
        > But that only solved half the problem. Mail is still getting in
        > from IP's (like from 203.200.235.214 by 125.160.50.143)
        >
        > Can anyone offer a suggestion how to fix this problem the right
        > way?

        main.cf :

        smtpd_recipient_restrictions = permit_mynetworks,
            reject_unauth_destination
            check_client_access cidr:/path/to/filter_hosts, reject

        /path/to/filter_hosts :
        199.89.0.0/21 permit_auth_destination
        0.0.0.0/0 REJECT Please use the MX host

        Being a bit slow on the draw this morning I see that Charles has
        suggested fundamentally the same thing, just done differently.
        --
        Offlist mail to this address is discarded unless
        "/dev/rob0" or "not-spam" is in Subject: header
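
The difference between the two configurations discussed in this thread, as an added example that is not part of any poster's message: a small Python model of how a Postfix restriction list is walked (the first restriction that decides wins, and reaching the end of the list means permit). It assumes `example.com` is the only local domain and that the filter range is left out of `mynetworks` in the proposed setup; `evaluate` and the other names are hypothetical.

```python
import ipaddress

LOCAL_DOMAINS = {"example.com"}   # assumption: the domains this server accepts mail for

def in_nets(ip, nets):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)

def auth_dest(rcpt):
    return rcpt.rsplit("@", 1)[1].lower() in LOCAL_DOMAINS

def cidr_lookup(table, ip):
    """cidr: tables are searched in order; the first matching pattern wins."""
    for net, action in table:
        if in_nets(ip, [net]):
            return action
    return "DUNNO"

def evaluate(restrictions, mynetworks, client, rcpt):
    """Model of a restriction list: the first restriction that decides wins."""
    for r in restrictions:
        if isinstance(r, list):               # check_client_access cidr:table
            r = cidr_lookup(r, client).split()[0]
        if r == "permit_mynetworks" and in_nets(client, mynetworks):
            return "PERMIT"
        if r == "reject_unauth_destination" and not auth_dest(rcpt):
            return "REJECT"
        if r == "permit_auth_destination" and auth_dest(rcpt):
            return "PERMIT"
        if r.lower() == "reject":
            return "REJECT"
    return "PERMIT"                           # end of list: implicit permit

LAN = ["127.0.0.0/8", "192.168.1.0/24"]
FILTER = "199.89.0.0/21"
# Configuration from the question: filter range added to mynetworks.
ORIGINAL = (["permit_mynetworks", "reject_unauth_destination"], LAN + [FILTER])
# Configuration from the reply; mynetworks without the filter range is an assumption.
FILTER_HOSTS = [(FILTER, "permit_auth_destination"),
                ("0.0.0.0/0", "REJECT Please use the MX host")]
PROPOSED = (["permit_mynetworks", "reject_unauth_destination", FILTER_HOSTS, "reject"], LAN)

if __name__ == "__main__":
    for client in ("203.200.235.214", "199.89.7.255", "199.89.8.0", "192.168.1.10"):
        for name, cfg in (("original", ORIGINAL), ("proposed", PROPOSED)):
            print(f"{client:16} {name:9} {evaluate(*cfg, client, 'user@example.com')}")
```

With the original settings nothing in the list ever rejects an outside client sending to a local recipient, so 203.200.235.214 is permitted. Listing the filter range in `mynetworks` also lets those hosts pass `permit_mynetworks` for any destination, which the CIDR table with `permit_auth_destination` avoids.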
      • Keith Steensma
        Message 3 of 6 , Nov 2, 2011
          The original message from the company said 'It's a block of 8 Class C networks'.  I (just) read things wrong.  And said (to myself), 'self', that's 8 ip's, right, right! (Dumb!!)  Thanks to all.

          Keith
