block ip-range for 1 domain

  • richard lucassen
    Message 1 of 9 , Feb 19, 2013
      I have transport front-end servers for domains:

      domain1.tld
      domain2.tld
      domain3.tld
      domain4.tld
      [..]
      domainX.tld

      I want to blacklist 1.2.3.4/24 only for destination domain3.tld (and
      reply with a 5xx if possible).

      What's the best way to handle this? On the backend server somewhere?
      But the backend server receives the mail from the frontend server, so
      simple blacklisting will not work.

      Any hint?

      R.

      --
      ___________________________________________________________________
      It is better to remain silent and be thought a fool, than to speak
      aloud and remove all doubt.

      +------------------------------------------------------------------+
      | Richard Lucassen, Utrecht |
      | Public key and email address: |
      | http://www.lucassen.org/mail-pubkey.html |
      +------------------------------------------------------------------+
    • Mikael Bak
      Message 2 of 9 , Feb 19, 2013
        Richard,

        On 02/19/2013 12:34 PM, richard lucassen wrote:
        > I have transport front-end servers for domains:
        >
        > domain1.tld
        > domain2.tld
        > domain3.tld
        > domain4.tld
        > [..]
        > domainX.tld
        >
        > I want to blacklist 1.2.3.4/24 only for destination domain3.tld (and
        > reply with a 5xx if possible).
        >
        > What's the best way to handle this? On the backend server somewhere?
        > But the backend server receives the mail from the frontend server, so
        > simple blacklisting will not work.
        >
        > Any hint?
        >

        I think you are looking for this:
        http://www.postfix.org/RESTRICTION_CLASS_README.html

        HTH,
        Mikael
      • richard lucassen
        Message 3 of 9 , Feb 19, 2013
          On Tue, 19 Feb 2013 12:54:42 +0100
          Mikael Bak <mbak@...> wrote:

          > > I want to blacklist 1.2.3.4/24 only for destination domain3.tld (and
          > > reply with a 5xx if possible).
          > >
          > > What's the best way to handle this? On the backend server somewhere?
          > > But the backend server receives the mail from the frontend server,
          > > so simple blacklisting will not work.
          >
          > I think you are looking for this:
          > http://www.postfix.org/RESTRICTION_CLASS_README.html

          Probably :) I'll have a look at it! Thnx!

          R.

        • Benny Pedersen
          Message 4 of 9 , Feb 19, 2013
            richard lucassen skrev den 2013-02-19 12:34:

            > Any hint?

            google postfwd

            postfix can do it with classes, but it's more complicated than with
            postfwd
          • richard lucassen
            Message 5 of 9 , Feb 19, 2013
              On Tue, 19 Feb 2013 13:49:54 +0100
              Benny Pedersen <me@...> wrote:

              > > Any hint?
              >
              > google postfwd
              >
              > postfix can do it with classes, but it's more complicated than with
              > postfwd

              Ok, that seems to be very nice. AFAIUI it can be implemented on the
              backend server. I'd prefer not to touch the front-end servers.

              Thnx!

              R.

            • Benny Pedersen
              Message 6 of 9 , Feb 19, 2013
                richard lucassen skrev den 2013-02-19 13:58:

                > Ok, that seems to be very nice. AFAIUI it can be implemented on the
                > backend server. I'd prefer not to touch the front-end servers.

                then use the ha-proxy on front end, and postfwd on backend

                could you remove email addr in reply template ? (@ does not belong to
                body content)
              • Mikael Bak
                Message 7 of 9 , Feb 19, 2013
                  On 02/19/2013 01:58 PM, richard lucassen wrote:
                  > On Tue, 19 Feb 2013 13:49:54 +0100
                  > Benny Pedersen <me@...> wrote:
                  >
                  >>> Any hint?
                  >>
                  >> google postfwd
                  >>
                  >> postfix can do it with classes, but it's more complicated than with
                  >> postfwd
                  >
                  > Ok, that seems to be very nice. AFAIUI it can be implemented on the
                  > backend server. I'd prefer not to touch the front-end servers.
                  >

                  That does NOT sound like a good idea.
                  If you accept the message on the frontend and then reject it on the
                  backend, then you will generate a bounce message back to the sender. If
                  the sender's address is forged, then you will generate backscatter, and
                  could end up on black lists.

                  Reject on the frontend servers to avoid this.

                  HTH,
                  Mikael
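
An added example, not part of any post in this thread: a sketch of the restriction-class approach from RESTRICTION_CLASS_README, placed on the front-end servers so the rejection happens inside the SMTP session instead of producing a bounce. The file paths, the class name block_net_domain3 and the reject text are assumptions.

```cfg
# --- /etc/postfix/main.cf on each front-end (paths and class name are assumptions) ---
smtpd_restriction_classes = block_net_domain3
block_net_domain3 =
    check_client_access cidr:/etc/postfix/domain3_blocked_clients.cidr

smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/recipient_classes

# --- /etc/postfix/recipient_classes (run "postmap" on it after editing) ---
# Only recipients in domain3.tld are sent through the class; mail for the
# other domains never evaluates the client CIDR check.
domain3.tld     block_net_domain3

# --- /etc/postfix/domain3_blocked_clients.cidr (no postmap needed) ---
# Written as the network address 1.2.3.0/24: Postfix CIDR tables warn about
# and skip patterns with non-zero host bits such as 1.2.3.4/24.
# REJECT answers the RCPT TO with a 5xx reply.
1.2.3.0/24      REJECT Mail from this network is not accepted for domain3.tld
```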
                • richard lucassen
                  Message 8 of 9 , Feb 19, 2013
                    On Tue, 19 Feb 2013 17:07:43 +0100
                    Mikael Bak <mbak@...> wrote:

                    > > Ok, that seems to be very nice. AFAIUI it can be implemented on the
                    > > backend server. I'd prefer not to touch the front-end servers.
                    >
                    > That does NOT sound like a good idea.
                    > If you accept the message on the frontend and then reject it on the
                    > backend, then you will generate a bounce message back to the sender.
                    > If the sender's address is forged, then you will generate
                    > backscatter, and could end up on black lists.
                    >
                    > Reject on the frontend servers to avoid this.

                    If the backend generates a 5xx, the frontend servers will also generate
                    a 5xx. At least, in case a user does not exist. Don't know if this
                    particular mechanism will work the same way. I will have to play with it
                    to find out. And I agree with you: no backscatter.

                    R.

                  • richard lucassen
                    Message 9 of 9 , Feb 19, 2013
                      On Tue, 19 Feb 2013 14:40:58 +0100
                      Benny Pedersen <me@...> wrote:

                      > richard lucassen skrev den 2013-02-19 13:58:
                      >
                      > > Ok, that seems to be very nice. AFAIUI it can be implemented on the
                      > > backend server. I'd prefer not to touch the front-end servers.
                      >
                      > then use the ha-proxy on front end, and postfwd on backend
                      >
                      > could you remove email addr in reply template ? (@ does not belong to
                      > body content)

                      You mean the Reply-To?
