GEO IP based restrictions?


GEO IP based restrictions?

@lbutlr
Has anyone implemented geo based restrictions for postfix login connections, or is this something that needs to be done in dovecot?

I was thinking someway to add most of Asia and Eastern Europe to postscreen checks would be useful?

--
"One of the great tragedies of life is the murder of a beautiful theory
by a gang of brutal facts." - Benjamin Franklin



Re: GEO IP based restrictions?

John Peach
On 5/14/19 1:41 PM, @lbutlr wrote:
> Has anyone implemented geo based restrictions for postfix login connections, or is this something that needs to be done in dovecot?
>
> I was thinking someway to add most of Asia and Eastern Europe to postscreen checks would be useful?
>

You can always use access_client and reject based on TLD. I ban most of
the new TLDs that are used for nothing but spam and Eastern Europe......

I use the geo-ip extension to iptables for restricting IMAP access.



--
John
PGP Public Key: 412934AC

Re: GEO IP based restrictions?

allenc
In reply to this post by @lbutlr

http://www.ipdeny.com publish IP address-lists sorted by country zones; a script
can quite easily derive a .cidr access-list (or perhaps a DNS zone file).

Alternatively, there is an RBL, zz.countries.nerd.dk, which will return a code
based on country of origin - or if you substitute a country code (eg
uk.countries.nerd.dk) it will return a yes/no response, to blacklist (or
whitelist) an individual country.  I don't know how robust these people are, but
they are certainly sufficient for a domestic server.

I have tried both methods to postscreen, with some success.

Hope this helps

Allen C


On 14/05/2019 18:41, @lbutlr wrote:
> Has anyone implemented geo based restrictions for postfix login connections, or is this something that needs to be done in dovecot?
>
> I was thinking someway to add most of Asia and Eastern Europe to postscreen checks would be useful?
>

Re: GEO IP based restrictions?

Wietse Venema
In reply to this post by @lbutlr
@lbutlr:
> Has anyone implemented geo based restrictions for postfix login
> connections, or is this something that needs to be done in dovecot?

According to a search engine, with search terms "postfix geoip", there
are many solutions. One uses postfwd with a geoip plugin to block
SASL login from too many different countries.

https://www.howtoforge.com/tutorial/blocking-of-international-spam-botnets-postfix-plugin/

No idea how well it works.

> I was thinking someway to add most of Asia and Eastern Europe to
> postscreen checks would be useful?

Postscreen does not implement SASL and that is a good idea.

        Wietse

Re: GEO IP based restrictions?

@lbutlr
In reply to this post by John Peach


> On 14 May 2019, at 11:48, John Peach <[hidden email]> wrote:
>
> On 5/14/19 1:41 PM, @lbutlr wrote:
>> Has anyone implemented geo based restrictions for postfix login connections, or is this something that needs to be done in dovecot?
>> I was thinking someway to add most of Asia and Eastern Europe to postscreen checks would be useful?
>
> You can always use access_client and reject based on TLD. I ban most of the new TLDs that are used for nothing but spam and Eastern Europe......

Urd, I already do that for incoming mail via helo restrictions, but I haven't figured out how to do that effectively for the port 993.

> I use the geo-ip extension to iptables for restricting IMAP access.

I'll look at that, thanks.

On 14 May 2019, at 12:33, Allen Coates <[hidden email]> wrote:
> Alternatively, there is an RBL, zz.countries.nerd.dk, which will return a code based on country of origin - or if you substitute a country code (eg uk.countries.nerd.dk) it will return a yes/no response, to blacklist (or whitelist) an individual country.  I don't know how robust these people are, but they are certainly sufficient for a domestic server.

That also sounds promising.

--
Vampires have risen from the dead, the grave and the crypt, but have
never managed it from the cat. --Witches Abroad



Re: GEO IP based restrictions?

@lbutlr
In reply to this post by @lbutlr
On 14 May 2019, at 11:41, @lbutlr <[hidden email]> wrote:
> Has anyone implemented geo based restrictions for postfix login connections, or is this something that needs to be done in dovecot?

This seemed to work pretty well

pfctl -t badguys -T add $(cat block.zone)

I can then flush and add when the CIDR file is updated.

block.zone is the combination of several countries from ipdeny.com and some other bad actors that have been problems in the past.

--
The whole thing that makes a mathematician's life worthwhile is
that he gets the grudging admiration of three or four colleagues
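
The two list-based approaches in this thread (a .cidr access list derived from country zone files, and a pf table loaded from block.zone), shown as one added example that is not code from any poster. The function names, the aa.zone/bb.zone sample files and the /8 minimum-prefix rule are assumptions of this example, and it uses `pfctl -T replace -f` in place of the flush-and-add step.

```shell
#!/bin/sh
# merge_zones FILE...: print the unique, well-formed IPv4 CIDRs found in FILEs.
# Comments, blanks and malformed lines are dropped, and so is any prefix
# shorter than /8 (this example's own policy) so that a damaged download
# containing e.g. 0.0.0.0/0 cannot block every client. IPv4 only.
merge_zones() {
    cat "$@" | sed -e 's/#.*//' -e 's/[[:space:]]//g' | awk -F'[./]' '
        NF == 5 {
            ok = ($5 ~ /^[0-9]+$/ && $5 >= 8 && $5 <= 32)
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) ok = 0
            if (ok) print
        }' | LC_ALL=C sort -u
}

# to_postscreen_cidr: CIDRs on stdin -> lines for a Postfix cidr: table
# referenced from postscreen_access_list ("reject" is a valid action there).
to_postscreen_cidr() {
    awk '{ print $0 "\treject" }'
}

# load_pf_table TABLE FILE: replace the pf table contents from FILE.
# pfctl reads the file itself, so a long list does not hit the shell's
# argument-length limit, and entries dropped from FILE leave the table
# without a flush-then-add gap. An empty FILE is refused.
load_pf_table() {
    [ -s "$2" ] || { echo "refusing to load empty list: $2" >&2; return 1; }
    pfctl -t "$1" -T replace -f "$2"
}

# Constructed sample zones (documentation ranges, not real country data).
demo_dir=$(mktemp -d)
printf '%s\n' '# zone aa' '192.0.2.0/24' '198.51.100.0/24' > "$demo_dir/aa.zone"
printf '%s\n' '198.51.100.0/24' '0.0.0.0/0' '203.0.113.0/33' '203.0.113.0/24' \
    > "$demo_dir/bb.zone"
merge_zones "$demo_dir/aa.zone" "$demo_dir/bb.zone" > "$demo_dir/block.zone"
to_postscreen_cidr < "$demo_dir/block.zone" > "$demo_dir/postscreen_access.cidr"
cat "$demo_dir/postscreen_access.cidr"
# On the pf host, as root: load_pf_table badguys "$demo_dir/block.zone"
```

The generated table would be referenced from main.cf as `postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr` (the path is illustrative). That covers SMTP connections handled by postscreen only; the pf table is what applies to other ports such as 993.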



Re: GEO IP based restrictions?

@lbutlr
On 14 May 2019, at 13:15, @lbutlr <[hidden email]> wrote:

> On 14 May 2019, at 11:41, @lbutlr <[hidden email]> wrote:
>> Has anyone implemented geo based restrictions for postfix login connections, or is this something that needs to be done in dovecot?
>
> This seemed to work pretty well
>
> pfctl -t badguys -T add $(cat block.zone)
>
> I can then flush and add when the CIDR file is updated.
>
> block.zone is the combination of several countries from ipdeny.com and some other bad actors that have been problems in the past.

(still looking for a way to block other IPs from just the specific services, but this list is, on reflection, small enough I can probably manage it manually in hosts.allow.)

--
The whole thing that makes a mathematician's life worthwhile is
that he gets the grudging admiration of three or four colleagues