
permit smtp connections from specific country only

  • Tom Kinghorn
    Message 1 of 5 , Dec 11, 2012
      Good day list.

      Without the use of policyd or postfwd, is it possible to
      limit connections to your mail server from a specific country only?

      I was thinking something like:

      mynetworks = $config_directory/mynetworks
      countryips = $config_directory/country_ips

      smtpd_client_restrictions =
      check_client_access regexp:/etc/postfix/fqrdns.regexp,
      permit_mynetworks,
      permit_countryips,
      .........
      .........


      Just wondering if it's possible.

      Thanks
      Tom
    • Mark Goodge
      Message 2 of 5 , Dec 11, 2012
        On 11/12/2012 10:26, Tom Kinghorn wrote:
        > Good day list.
        >
        > Without the use of policyd or postfwd, is it possible to
        > limit connections to your mail server from a specific country only?
        >
        > I was thinking something like:
        >
        > mynetworks = $config_directory/mynetworks
        > countryips = $config_directory/country_ips
        >
        > smtpd_client_restrictions =
        > check_client_access regexp:/etc/postfix/fqrdns.regexp,
        > permit_mynetworks,
        > permit_countryips,
        > .........
        > .........
        >
        >
        > Just wondering if it's possible.

        Technically, it's possible. But IP geolocation is both complex and
        imprecise. Your $config_directory/country_ips file will need to be
        updated regularly and will be very large.

        If I was going to do it, I'd use a database backend (such as MySQL) and
        query that rather than using a flat file. It will be more efficient, and
        easier to maintain.

        But I don't think I'd try to do it at all, unless there was a very good
        reason. Even with regular updates, you will still have a significant
        risk of false positives causing mail to be rejected when it should be
        delivered as well as mail accepted that you want to reject. As well as
        direct connections, you have to allow for the fact that many people may
        be using webmail servers (eg, Gmail, Hotmail, Yahoo, or a variety of
        corporate hosted solutions) that are not in their own country. So the IP
        of the sending server is, at best, only a rough guide to the location of
        the sending person.

        Mark
        --
        Please take a short survey about the Leveson Report: http://meyu.eu/ak
      • Eero Volotinen
        Message 3 of 5 , Dec 11, 2012
          > connections, you have to allow for the fact that many people may be using
          > webmail servers (eg, Gmail, Hotmail, Yahoo, or a variety of corporate hosted
          > solutions) that are not in their own country. So the IP of the sending
          > server is, at best, only a rough guide to the location of the sending
          > person.

          maybe something like this helps:

          http://www.kutukupret.com/2011/05/29/postfix-geoip-based-rejections/

          --
          Eero
        • Tom Kinghorn
          Message 4 of 5 , Dec 11, 2012
            On 11/12/2012 12:51, Eero Volotinen wrote:
            > maybe something like this helps:
            >
            > http://www.kutukupret.com/2011/05/29/postfix-geoip-based-rejections/
            >
            > --
            > Eero
            >
            Excellent.

            Thank you very much.

            Tom
          • Benny Pedersen
            Message 5 of 5 , Dec 11, 2012
              Tom Kinghorn wrote on 11-12-2012 11:26:

              > smtpd_client_restrictions =
              > check_client_access regexp:/etc/postfix/fqrdns.regexp,
              > permit_mynetworks,
              > permit_countryips,

              check_client_access cidr:/etc/postfix/countryips_in_cidr_format.cidr

              remember order of listing is important, first match wins

              > Just wondering if it's possible.

              maybe just an rbl ?

              google "postfix dnswl"
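
Added example, not written by any poster in this thread: a small Python model of the "first match wins" lookup that a `check_client_access cidr:` table performs, plus a check for entries that can never fire because an earlier, wider entry covers them. The table contents are constructed from RFC 5737 documentation ranges, the function names are hypothetical, and only plain `network result` lines are handled (the negation and `if`/`endif` forms of cidr_table(5) are not).

```python
import ipaddress

# Constructed sample table in Postfix cidr_table(5) "pattern result" form.
# Addresses are RFC 5737 documentation ranges, not real country allocations.
SAMPLE_TABLE = """\
# narrow exception first, then the permitted ranges, then the catch-all
192.0.2.128/25    REJECT excluded subnet
192.0.2.0/24      OK
198.51.100.0/24   OK
0.0.0.0/0         REJECT connections from this network are not accepted
"""

def parse_cidr_table(text):
    """Return [(network, action)] in file order, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        rules.append((ipaddress.ip_network(parts[0]), parts[1].strip()))
    return rules

def lookup(rules, client_ip):
    """First matching rule wins; None means no match, so later restrictions decide."""
    addr = ipaddress.ip_address(client_ip)
    for net, action in rules:
        if addr.version == net.version and addr in net:
            return action
    return None

def shadowed(rules):
    """Rules that can never fire because an earlier, wider rule covers them."""
    dead = []
    for i, (net, action) in enumerate(rules):
        for earlier, _ in rules[:i]:
            if earlier.version == net.version and net.subnet_of(earlier):
                dead.append((str(net), action))
                break
    return dead

if __name__ == "__main__":
    rules = parse_cidr_table(SAMPLE_TABLE)
    for ip in ("192.0.2.10", "192.0.2.200", "203.0.113.5"):
        print(ip, "->", lookup(rules, ip))
    print("shadowed:", shadowed(rules))
```

Running `shadowed()` over a generated country table before reloading Postfix catches exceptions that were placed after the range that contains them.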