
Re: block ip-range for 1 domain

  • Mikael Bak
    Message 1 of 9 , Feb 19, 2013
      Richard,

      On 02/19/2013 12:34 PM, richard lucassen wrote:
      > I have transport front-end servers for domains:
      >
      > domain1.tld
      > domain2.tld
      > domain3.tld
      > domain4.tld
      > [..]
      > domainX.tld
      >
      > I want to blacklist 1.2.3.4/24 only for destination domain3.tld (and
      > reply with a 5xx if possible).
      >
      > What's the best way to handle this? On the backend server somewhere?
      > But the backend server receives the mail from the frontend server, so
      > simple blacklisting will not work.
      >
      > Any hint?
      >

      I think you are looking for this:
      http://www.postfix.org/RESTRICTION_CLASS_README.html

      HTH,
      Mikael
    • richard lucassen
      Message 2 of 9 , Feb 19, 2013
        On Tue, 19 Feb 2013 12:54:42 +0100
        Mikael Bak <mbak@...> wrote:

        > > I want to blacklist 1.2.3.4/24 only for destination domain3.tld (and
        > > reply with a 5xx if possible).
        > >
        > > What's the best way to handle this? On the backend server somewhere?
        > > But the backend server receives the mail from the frontend server,
        > > so simple blacklisting will not work.
        >
        > I think you are looking for this:
        > http://www.postfix.org/RESTRICTION_CLASS_README.html

        Probably :) I'll have a look at it! Thnx!

        R.

        --
        ___________________________________________________________________
        It is better to remain silent and be thought a fool, than to speak
        aloud and remove all doubt.

        +------------------------------------------------------------------+
        | Richard Lucassen, Utrecht |
        | Public key and email address: |
        | http://www.lucassen.org/mail-pubkey.html |
        +------------------------------------------------------------------+
      • Benny Pedersen
        Message 3 of 9 , Feb 19, 2013
          richard lucassen wrote on 2013-02-19 12:34:

          > Any hint?

          google postfwd

          postfix can do it with classes, but it's more complicated than with
          postfwd
        • richard lucassen
          Message 4 of 9 , Feb 19, 2013
            On Tue, 19 Feb 2013 13:49:54 +0100
            Benny Pedersen <me@...> wrote:

            > > Any hint?
            >
            > google postfwd
            >
            > postfix can do it with classes, but it's more complicated than with
            > postfwd

            Ok, that seems to be very nice. AFAIUI it can be implemented on the
            backend server. I'd prefer not to touch the front-end servers.

            Thnx!

            R.

          • Benny Pedersen
            Message 5 of 9 , Feb 19, 2013
              richard lucassen wrote on 2013-02-19 13:58:

              > Ok, that seems to be very nice. AFAIUI it can be implemented on the
              > backend server. I'd prefer not to touch the front-end servers.

              then use the ha-proxy on front end, and postfwd on backend

              could you remove email addr in reply template ? (@ does not belong to
              body content)
            • Mikael Bak
              Message 6 of 9 , Feb 19, 2013
                On 02/19/2013 01:58 PM, richard lucassen wrote:
                > On Tue, 19 Feb 2013 13:49:54 +0100
                > Benny Pedersen <me@...> wrote:
                >
                >>> Any hint?
                >>
                >> google postfwd
                >>
                >> postfix can do it with classes, but it's more complicated than with
                >> postfwd
                >
                > Ok, that seems to be very nice. AFAIUI it can be implemented on the
                > backend server. I'd prefer not to touch the front-end servers.
                >

                That does NOT sound like a good idea.
                If you accept the message on the frontend and then reject it on the
                backend, then you will generate a bounce message back to the sender. If
                the sender's address is forged, then you will generate backscatter, and
                could end up on black lists.

                Reject on the frontend servers to avoid this.

                HTH,
                Mikael
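
The approach this thread converges on (a restriction class from the README linked in the first reply, applied on the front-end so the refusal is a 5xx during the SMTP session and no bounce is generated), as an added example that is not part of any poster's message. The file paths, the class name block_range_domain3 and the reject text are assumptions.

```conf
# --- /etc/postfix/main.cf on each front-end (paths and class name are assumptions) ---
# Declare a restriction class that only checks the connecting client's IP.
smtpd_restriction_classes = block_range_domain3
block_range_domain3 =
    check_client_access cidr:/etc/postfix/domain3_client_block.cidr

# Relay protection first, then select the class per recipient domain.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/recipient_classes

# --- /etc/postfix/recipient_classes (run "postmap" on it after editing) ---
# Only recipients in domain3.tld are evaluated against the class;
# domain1.tld, domain2.tld, ... never reach the client check.
domain3.tld     block_range_domain3

# --- /etc/postfix/domain3_client_block.cidr ---
# Write the network address: Postfix warns about and skips a cidr entry
# that has host bits set, such as 1.2.3.4/24.
1.2.3.0/24      554 5.7.1 Client address not accepted for this domain
```
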
              • richard lucassen
                Message 7 of 9 , Feb 19, 2013
                  On Tue, 19 Feb 2013 17:07:43 +0100
                  Mikael Bak <mbak@...> wrote:

                  > > Ok, that seems to be very nice. AFAIUI it can be implemented on the
                  > > backend server. I'd prefer not to touch the front-end servers.
                  >
                  > That does NOT sound like a good idea.
                  > If you accept the message on the frontend and then reject it on the
                  > backend, then you will generate a bounce message back to the sender.
                  > If the sender's address is forged, then you will generate
                  > backscatter, and could end up on black lists.
                  >
                  > Reject on the frontend servers to avoid this.

                  If the backend generates a 5xx, the frontend servers will also generate
                  a 5xx. At least, in case a user does not exist. Don't know if this
                  particular mechanism will work the same way. I will have to play with it
                  to find out. And I agree with you: no backscatter.

                  R.

                • richard lucassen
                  Message 8 of 9 , Feb 19, 2013
                    On Tue, 19 Feb 2013 14:40:58 +0100
                    Benny Pedersen <me@...> wrote:

                    > richard lucassen wrote on 2013-02-19 13:58:
                    >
                    > > Ok, that seems to be very nice. AFAIUI it can be implemented on the
                    > > backend server. I'd prefer not to touch the front-end servers.
                    >
                    > then use the ha-proxy on front end, and postfwd on backend
                    >
                    > could you remove email addr in reply template ? (@ does not belong to
                    > body content)

                    You mean the Reply-To?
