Accept email only from specific IP address(es)?


Accept email only from specific IP address(es)?

Rick Duval
I hope I can explain this correctly...

I want to allow incoming SMTP email only from authorized users which I already have BUT I don't want the system to accept mail for local users UNLESS it comes from a specific IP address.

I have an outboard spam filter that all my domains' MX records point to. Problem is that many spammers ignore the MX record and try to send mail straight to the domain assuming that many will be correct. I want to stop that.

Any help would be appreciated...

Oh, BTW, I'm running postfix through virtualmin.

Thanks

Rick

Re: Accept email only from specific IP address(es)?

Noel Jones-2
Rick Duval wrote:

> I hope I can explain this correctly...
>
> I want to allow incoming SMTP email only from authorized users which I
> already have BUT I don't want the system to accept mail for local users
> UNLESS it comes from a specific IP address.
>
> I have an outboard spam filter that all my domains' MX records point to.
> Problem is that many spammers ignore the MX record and try to send mail
> straight to the domain assuming that many will be correct. I want to
> stop that.
>
> Any help would be appreciated...
>
> Oh, BTW, I'm running postfix through virtualmin.
>
> Thanks
>
> Rick

Here's one way...

# main.cf
smtpd_recipient_restrictions =
   permit_mynetworks
   permit_sasl_authenticated
   check_client_access cidr:/etc/postfix/auth_clients
   reject


# auth_clients
1.2.3.4  permit_auth_destination
2.3.4.5  permit_auth_destination
0.0.0.0/0  REJECT unauthorized client, please use our MX


--
Noel Jones

Re: Accept email only from specific IP address(es)?

Rick Duval
Noel: where exactly would I put the IP address to accept mail from?
Sorry, but I'm really new to postfix.

Rick

On Wed, Jul 30, 2008 at 10:45 AM, Noel Jones <[hidden email]> wrote:

>
> Rick Duval wrote:
>>
>> I hope I can explain this correctly...
>>
>> I want to allow incoming SMTP email only from authorized users which I already have BUT I don't want the system to accept mail for local users UNLESS it comes from a specific IP address.
>>
>> I have an outboard spam filter that all my domains' MX records point to. Problem is that many spammers ignore the MX record and try to send mail straight to the domain assuming that many will be correct. I want to stop that.
>>
>> Any help would be appreciated...
>>
>> Oh, BTW, I'm running postfix through virtualmin.
>>
>> Thanks
>>
>> Rick
>
> Here's one way...
>
> # main.cf
> smtpd_recipient_restrictions =
>  permit_mynetworks
>  permit_sasl_authenticated
>  check_client_access cidr:/etc/postfix/auth_clients
>  reject
>
>
> # auth_clients
> 1.2.3.4  permit_auth_destination
> 2.3.4.5  permit_auth_destination
> 0.0.0.0/0  REJECT unauthorized client, please use our MX
>
>
> --
> Noel Jones
>
> --
> This message has been scanned for
> viruses and dangerous content by Accurate Anti-Spam Technologies
> and is believed to be clean.
>

Re: Accept email only from specific IP address(es)?

Brian Evans - Postfix List
Rick Duval wrote:
> Noel: where exactly would I put the IP address to accept mail from?
> Sorry, but I'm really new to postfix.
>
> Rick
>  
[Please do not top post, reply to what you would like to comment on.]

Following Noel's example, you replace 1.2.3.4 in the new cidr map file
with an IP or network/subnet to allow.
This can be repeated for any networks or IPs you wish.

OK is not OK here as it will open relay, unless that is what you really
want *and* trust them explicitly with your reputation.

Brian

> On Wed, Jul 30, 2008 at 10:45 AM, Noel Jones <[hidden email]> wrote:
>  
>> Rick Duval wrote:
>>    
>>> I hope I can explain this correctly...
>>>
>>> I want to allow incoming SMTP email only from authorized users which I already have BUT I don't want the system to accept mail for local users UNLESS it comes from a specific IP address.
>>>
>>> I have an outboard spam filter that all my domains' MX records point to. Problem is that many spammers ignore the MX record and try to send mail straight to the domain assuming that many will be correct. I want to stop that.
>>>
>>> Any help would be appreciated...
>>>
>>> Oh, BTW, I'm running postfix through virtualmin.
>>>
>>> Thanks
>>>
>>> Rick
>>>      
>> Here's one way...
>>
>> # main.cf
>> smtpd_recipient_restrictions =
>>  permit_mynetworks
>>  permit_sasl_authenticated
>>  check_client_access cidr:/etc/postfix/auth_clients
>>  reject
>>
>>
>> # auth_clients
>> 1.2.3.4  permit_auth_destination
>> 2.3.4.5  permit_auth_destination
>> 0.0.0.0/0  REJECT unauthorized client, please use our MX
>>
>>
>> --
>> Noel Jones
>>


Re: Accept email only from specific IP address(es)?

Rick Duval
Maybe I'm confused or I haven't explained it correctly. I don't want
to relay mail through the server unless it's by auth session which is
already the case.

I DON'T want to ACCEPT mail for my local users UNLESS the connection
delivering it is a specific IP address.

Basically don't accept mail unless it's to a local known address (like
normal) AND it came from IP 1.2.3.4

Unless I'm mistaken the earlier code from Noel is about relaying mail
for outbound sending isn't it?

Rick

On Wed, Jul 30, 2008 at 2:36 PM, Brian Evans - Postfix List
<[hidden email]> wrote:

> Rick Duval wrote:
>>
>> Noel: where exactly would I put the IP address to accept mail from?
>> Sorry, but I'm really new to postfix.
>>
>> Rick
>>
>
> [Please do not top post, reply to what you would like to comment on.]
>
> Following Noel's example, you replace 1.2.3.4 in the new cidr map file with
> an IP or network/subnet to allow.
> This can be repeated for any networks or IPs you wish.
>
> OK is not OK here as it will open relay, unless that is what you really want
> *and* trust them explicitly with your reputation.
>
> Brian
>
>> On Wed, Jul 30, 2008 at 10:45 AM, Noel Jones <[hidden email]>
>> wrote:
>>
>>>
>>> Rick Duval wrote:
>>>
>>>>
>>>> I hope I can explain this correctly...
>>>>
>>>> I want to allow incoming SMTP email only from authorized users which I
>>>> already have BUT I don't want the system to accept mail for local users
>>>> UNLESS it comes from a specific IP address.
>>>>
>>>> I have an outboard spam filter that all my domains' MX records point to.
>>>> Problem is that many spammers ignore the MX record and try to send mail
>>>> straight to the domain assuming that many will be correct. I want to stop
>>>> that.
>>>>
>>>> Any help would be appreciated...
>>>>
>>>> Oh, BTW, I'm running postfix through virtualmin.
>>>>
>>>> Thanks
>>>>
>>>> Rick
>>>>
>>>
>>> Here's one way...
>>>
>>> # main.cf
>>> smtpd_recipient_restrictions =
>>>  permit_mynetworks
>>>  permit_sasl_authenticated
>>>  check_client_access cidr:/etc/postfix/auth_clients
>>>  reject
>>>
>>>
>>> # auth_clients
>>> 1.2.3.4  permit_auth_destination
>>> 2.3.4.5  permit_auth_destination
>>> 0.0.0.0/0  REJECT unauthorized client, please use our MX
>>>
>>>
>>> --
>>> Noel Jones
>>>
>
>

Re: Accept email only from specific IP address(es)?

Noel Jones-2
Rick Duval wrote:

> Maybe I'm confused or I haven't explained it correctly. I don't want
> to relay mail through the server unless it's by auth session which is
> already the case.
>
> I DON'T want to ACCEPT mail for my local users UNLESS the connection
> delivering it is a specific IP address.
>
> Basically don't accept mail unless it's to a local known address (like
> normal) AND it came from IP 1.2.3.4
>
> Unless I'm mistaken the earlier code from Noel is about relaying mail
> for outbound sending isn't it?
>
> Rick

I suppose you missed the part about "please don't top post".

Yes, the example I showed will accept mail addressed to local
users only if it arrives from a specific IP.  You list those
IPs in a separate file, "/etc/postfix/auth_clients" in the
example. (you can name the file whatever you want, but it must
match the name you specify in main.cf.)

The lookup result I suggested in the auth_clients file is
"permit_auth_destination" which means accept mail for local
users, but don't allow relay access.

Additionally, users who authenticate to your server via SMTP
AUTH are allowed to send mail to either local or off-site
recipients. That's what permit_sasl_authenticated does.

Please spend some time reading the docs.
Here's a good starting place:
http://www.postfix.org/BASIC_CONFIGURATION_README.html
then move on to:
http://www.postfix.org/documentation.html

--
Noel Jones
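
Added example, not part of the original thread and not Postfix code: a simplified Python model of how the restriction list and auth_clients table posted above are evaluated, showing why permit_auth_destination accepts mail for local recipients only while an OK result would also relay. MYNETWORKS, LOCAL_DOMAINS, OK_CLIENTS and the addresses example.com, elsewhere.test and 203.0.113.9 are constructed assumptions.

```python
import ipaddress

# Constructed stand-ins for $mynetworks and the domains this host delivers for.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]
LOCAL_DOMAINS = {"example.com"}

# auth_clients as posted in the thread; cidr tables return the first match.
AUTH_CLIENTS = [
    ("1.2.3.4", "permit_auth_destination"),
    ("2.3.4.5", "permit_auth_destination"),
    ("0.0.0.0/0", "REJECT unauthorized client, please use our MX"),
]
# Same table with OK as the result, the variant Brian warns against.
OK_CLIENTS = [("1.2.3.4", "OK"), AUTH_CLIENTS[-1]]


def cidr_lookup(table, client_ip):
    """Return the action of the first pattern containing client_ip, or None."""
    addr = ipaddress.ip_address(client_ip)
    for pattern, action in table:
        if addr in ipaddress.ip_network(pattern):
            return action
    return None


def decide(client_ip, rcpt, sasl_authenticated=False, table=AUTH_CLIENTS):
    """Walk the thread's smtpd_recipient_restrictions list in order."""
    addr = ipaddress.ip_address(client_ip)
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if any(addr in net for net in MYNETWORKS):         # permit_mynetworks
        return "permit"
    if sasl_authenticated:                             # permit_sasl_authenticated
        return "permit"
    action = cidr_lookup(table, client_ip) or "DUNNO"  # check_client_access
    verb = action.split()[0]
    if verb == "REJECT":
        return "reject"
    if verb == "OK":
        return "permit"
    if verb == "permit_auth_destination" and domain in LOCAL_DOMAINS:
        return "permit"
    return "reject"                                    # final "reject"


if __name__ == "__main__":
    for ip, rcpt in [("1.2.3.4", "user@example.com"),
                     ("1.2.3.4", "someone@elsewhere.test"),
                     ("203.0.113.9", "user@example.com")]:
        print(ip, rcpt, decide(ip, rcpt), decide(ip, rcpt, table=OK_CLIENTS))
```

On a live system the table itself can be checked with `postmap -q 1.2.3.4 cidr:/etc/postfix/auth_clients`, which prints the action the lookup returns.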

Re: Accept email only from specific IP address(es)?

Rick Duval
> I suppose you missed the part about "please don't top post".

Sorry but I'm using Gmail and it doesn't show me the earlier postings
in the reply unless I specifically open it and look for it.

Thanks for your other info and detailed explanations. I'll try it as
you suggested.

Thanks

Re: Accept email only from specific IP address(es)?

Ville Walveranta
I have a similar setup in the works (the external spam filtering
hasn't been engaged yet, so I haven't tested this).

I'm thinking smtpd_client_restrictions would do the job, like so (the
excerpts are from main.cf):

smtpd_client_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        check_client_access hash:$config_directory/tables/client_access_maps
        reject

I've set the other restrictions as follows (but limiting mail
reception only to a set of about five IPs is enforced by
smtpd_client_restrictions; the allowed IPs are defined in
client_access_maps table; local and SASL authenticated are allowed
also so that it's possible for the users of the system to send mail).

smtpd_helo_restrictions =
        reject_invalid_helo_hostname
        reject_non_fqdn_helo_hostname
        permit_mynetworks
        permit_sasl_authenticated
        reject_unknown_helo_hostname

smtpd_etrn_restrictions =
        permit_mynetworks
        reject

smtpd_recipient_restrictions =
        reject_non_fqdn_recipient
        reject_non_fqdn_sender
        reject_unknown_sender_domain
        reject_unknown_recipient_domain
        reject_unverified_recipient
        check_recipient_access pcre:$config_directory/tables/pcre_access_maps
        permit_mynetworks
        permit_sasl_authenticated
        reject_non_fqdn_hostname
        reject_invalid_hostname
        reject_unauth_destination

smtpd_data_restrictions =
        reject_multi_recipient_bounce
        reject_unauth_pipelining


---

Ville