
Re: Block certain remote hosts on submission port

  • LuKreme
    Message 1 of 11 , Aug 24, 2013
      On 22 Aug 2013, at 21:28 , Stan Hoeppner <stan@...> wrote:

      > ~$ wget http://ipdeny.com/ipblocks/data/countries/us.zone
      > ~$ sed 's/$/ OK/g' us.zone > us.cidr
      > ~$ cp us.cidr /etc/postfix
      > ~$ postfix reload
      >
      > and you're off to the races.

      Interesting idea. I'm in much the same boat. Although I do have international users, they all use webmail to access mail, so I'm interested in trying this.

      A couple of questions:

      1) I wouldn't think that CIDR list changes very often, but how often should it be refreshed?

      2) If I did this I also would like to log these rejections to a separate file, possible?

      Under 2.10, would it make sense to put those restrictions in the smtpd_relay_restrictions if port 25 is open for connections?

      --
      "Rosa sat, so Martin could walk. Martin walked, so Obama could run.
      Obama ran, so our children can fly." (paraphrased from NPR)
    • Stan Hoeppner
      Message 2 of 11 , Aug 24, 2013
        On 8/24/2013 1:18 PM, LuKreme wrote:
        >
        > On 22 Aug 2013, at 21:28 , Stan Hoeppner <stan@...> wrote:
        >
        >> ~$ wget http://ipdeny.com/ipblocks/data/countries/us.zone
        >> ~$ sed 's/$/ OK/g' us.zone > us.cidr
        >> ~$ cp us.cidr /etc/postfix
        >> ~$ postfix reload
        >>
        >> and you're off to the races.
        >
        > Interesting idea. I'm in much the same boat. Although I do have international users, they all use webmail to access mail, so I'm interested in trying this.
        >
        > A couple of questions:
        >
        > 1) I wouldn't think that CIDR list changes very often, but how often should it be refreshed?

        How often does APNIC reassign, for example, a /22 from an entity in
        Vietnam to one in Japan, if ever? I don't have the answer to that. But
        this is the only type of situation that would prompt you to refresh, now
        that all IPv4 space has been allocated to the RIRs. We now know every
        IP by region, but what country it is assigned in may or may not change
        in future.

        And BTW, it's better to do this at the firewall if at all practical.

        > 2) If I did this I also would like to log these rejections to a separate file, possible?

        Not directly. You'd specify a custom reject code then parse your mail
        log for that, pipe to another file. If you do it at the firewall it
        would depend on the firewall's features.

        > Under 2.10, would it make sense to put those restrictions in the smtpd_relay_restrictions if port 25 is open for connections?

        In the other half of the instructions I gave, which you cut, I show that
        this needs to be done in master.cf. smtpd_foo_restrictions in main.cf
        are global. You want this restriction only on the submission port, not
        the public smtp port.

        --
        Stan
      • Noel Jones
        Message 3 of 11 , Aug 24, 2013
          On 8/24/2013 3:52 PM, Stan Hoeppner wrote:
          > On 8/24/2013 1:18 PM, LuKreme wrote:
          >>
          >> On 22 Aug 2013, at 21:28 , Stan Hoeppner <stan@...> wrote:
          >>
          >>> ~$ wget http://ipdeny.com/ipblocks/data/countries/us.zone
          >>> ~$ sed 's/$/ OK/g' us.zone > us.cidr
          >>> ~$ cp us.cidr /etc/postfix
          >>> ~$ postfix reload
          >>>
          >>> and you're off to the races.
          >>
          ...
          >
          > And BTW, it's better to do this at the firewall if at all practical.

          If you do the reject in postfix you'll be able to see the sender
          details, which may be valuable for seeing which accounts have been
          compromised and/or troubleshooting false positive reports.

          All the firewall can show is some IP was blocked.

          >
          >> 2) If I did this I also would like to log these rejections to a separate file, possible?
          >
          > Not directly. You'd specify a custom reject code then parse your mail
          > log for that, pipe to another file. If you do it at the firewall it
          > would depend on the firewall's features.

          You can append a wildcard reject AT THE END of the cidr file with a
          custom message. That message will be sent to the client and will be
          included in your log.

          # us cidr table
          ... everything else
          0.0.0.0/0 REJECT submission not allowed from your location geoip


          >
          >> Under 2.10, would it make sense to put those restrictions in the smtpd_relay_restrictions if port 25 is open for connections?
          >
          > In the other half of the instructions I gave, which you cut, I show that
          > this needs to be done in master.cf. smtpd_foo_restrictions in main.cf
          > are global. You want this restriction only on the submission port, not
          > the public smtp port.
          >


          Yes indeed.



          -- Noel Jones
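The procedure the thread arrives at (turn a zone file into a "<cidr> OK" table, append Noel's catch-all REJECT at the end, and grep the custom reject text out of the mail log into a separate file as Stan suggests), as an added shell example that is not part of the original posts. The zone file and log lines are constructed sample data; the output paths come from mktemp and the two helper function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the submission-port CIDR table
# and filters the resulting rejections out of a mail log.

# build_cidr_table ZONEFILE OUTFILE
# One "<cidr> OK" line per network in the zone file, then Noel's catch-all
# REJECT so that any client not listed is refused with a custom text that is
# sent to the client and written to the mail log. Comments and blank lines
# in the zone file are dropped so they cannot become malformed table entries.
build_cidr_table() {
    grep -E '^[0-9]+(\.[0-9]+){3}/[0-9]+$' "$1" | sed 's/$/ OK/' > "$2"
    # Caveat: 0.0.0.0/0 only matches IPv4 clients; an IPv6-enabled server
    # would need a matching "::/0 REJECT ..." line as well.
    printf '%s\n' '0.0.0.0/0 REJECT submission not allowed from your location geoip' >> "$2"
}

# extract_geoip_rejects MAILLOG OUTFILE
# Stan's approach to question 2: the custom reject text appears verbatim in
# the log, so grep it into a separate file. Exit 0 even when nothing matched.
extract_geoip_rejects() {
    grep -F 'submission not allowed from your location geoip' "$1" > "$2" || :
}

# --- constructed sample input (documentation ranges, made-up hostnames) ---
tmp=$(mktemp -d)
cat > "$tmp/us.zone" <<'EOF'
# constructed zone file
192.0.2.0/24

198.51.100.0/24
EOF
cat > "$tmp/mail.log" <<'EOF'
Aug 24 13:18:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <unknown[203.0.113.5]>: Client host rejected: submission not allowed from your location geoip; from=<user@example.com> to=<x@example.net> proto=ESMTP helo=<foo>
Aug 24 13:18:05 mx postfix/smtpd[1234]: 3ABCDEF: client=host.example.com[192.0.2.10], sasl_username=user@example.com
EOF

build_cidr_table "$tmp/us.zone" "$tmp/us.cidr"
extract_geoip_rejects "$tmp/mail.log" "$tmp/geoip-rejects.log"
echo "== $tmp/us.cidr =="; cat "$tmp/us.cidr"
echo "== rejects =="; cat "$tmp/geoip-rejects.log"
```

The generated table is what the thread's `cp us.cidr /etc/postfix` step would install; the sasl_username in the second log line is the kind of sender detail Noel points out a firewall block would never show you.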