Only allow incoming mails from specific IP-Range

spiekey
Hello List,

How can I only allow incoming mail from a specific IP-Range?

We have got an E-mail Proxy set up (something like Postini or
Messagelabs) and would like to only accept mails from this Proxy/Net.

Thanks,
Mario

Re: Only allow incoming mails from specific IP-Range

Noel Jones-2
[hidden email] wrote:
> Hello List,
>
> How can I only allow incoming mail from a specific IP-Range?
>
> We have got an E-mail Proxy set up (something like Postini or
> Messagelabs) and would like to only accept mails from this Proxy/Net.
>
> Thanks,
> Mario

This has been posted here before...

Something like:
# main.cf
mynetworks = 127.0.0.1
smtpd_recipient_restrictions =
   permit_mynetworks
   reject_unauth_destination
   ... other optional local UCE checks here ...
   check_client_access cidr:/etc/postfix/allowed_clients.cidr
   reject

# allowed_clients.cidr
ip.network.number.one/28  OK
ip.network.number.two/24  OK
ip.of.some.host/32  OK


--
Noel Jones

Re: Only allow incoming mails from specific IP-Range

Ralf Hildebrandt
In reply to this post by spiekey
* [hidden email] <[hidden email]>:
> Hello List,
>
> How can I only allow incoming mail from a specific IP-Range?

mynetworks = specific IP-Range

smtpd_recipient_restrictions =
   permit_mynetworks
   reject

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - setup, operation and maintenance       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
The government is CLEARLY an out of control robot that has decided the
greatest danger to America is Americans.

Re: Only allow incoming mails from specific IP-Range

Ralf Hildebrandt
In reply to this post by Noel Jones-2
* Noel Jones <[hidden email]>:

> mynetworks = 127.0.0.1
> smtpd_recipient_restrictions =
>   permit_mynetworks
>   reject_unauth_destination
>   ... other optional local UCE checks here ...
>   check_client_access cidr:/etc/postfix/allowed_clients.cidr
>   reject

That's wrong, since it will accept mail for domains listed in
mydestination, relay_domains, virtual_alias_domains, etc

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - setup, operation and maintenance       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
When people display the IT competence of a kilo of peat moss when it
comes to the logfile, it is apparently safe to assume that they are
simply not capable of falsifying the logfiles accordingly. With
Microsoft Exchange admins this is unfortunately quite often the case
regarding SMTP and the like. (Yes, there are many exceptions, but
anyone with competence in e-mail does not put Exchange directly on the
Internet.)

Re: Only allow incoming mails from specific IP-Range

mouss-2
Ralf Hildebrandt wrote:

> * Noel Jones <[hidden email]>:
>
>  
>> mynetworks = 127.0.0.1
>> smtpd_recipient_restrictions =
>>   permit_mynetworks
>>   reject_unauth_destination
>>   ... other optional local UCE checks here ...
>>   check_client_access cidr:/etc/postfix/allowed_clients.cidr
>>   reject
>>    
>
> That's wrong, since it will accept mail for domains listed in
> mydestination, relay_domains, virtual_alias_domains, etc
>
>  

no, it will not. not enough coffee?

This approach is better than putting the IPs in mynetworks, because
mynetworks may be used elsewhere (in rewrite for example).

Re: Only allow incoming mails from specific IP-Range

Ralf Hildebrandt
* mouss <[hidden email]>:

> Ralf Hildebrandt wrote:
>> * Noel Jones <[hidden email]>:
>>
>>  
>>> mynetworks = 127.0.0.1
>>> smtpd_recipient_restrictions =
>>>   permit_mynetworks
>>>   reject_unauth_destination
>>>   ... other optional local UCE checks here ...
>>>   check_client_access cidr:/etc/postfix/allowed_clients.cidr
>>>   reject
>>>    
>>
>> That's wrong, since it will accept mail for domains listed in
>> mydestination, relay_domains, virtual_alias_domains, etc
>>
>>  
>
> no, it will not. not enough coffee?

Ahhh shit, reject_unauth_destination will just REJECT relaying, but
let the rest slip through. After that
check_client_access cidr:/etc/postfix/allowed_clients.cidr
will take care of allowing...

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - setup, operation and maintenance       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
Postfix sucks, we all use it because we are masochists!

Re: Only allow incoming mails from specific IP-Range

spiekey
In reply to this post by Ralf Hildebrandt
Hello,

we are using some sort of E-Mail Proxy (something like Postini or Messagelabs) which we put in front of our real mailserver.
The proxy does some spam filtering and we also relay via this proxy (outgoing mails).
Now I was told to "change your firewall settings to block connections to port 25 which do not come from the proxy".
This is to avoid mails going to my e-mail server directly.

This can't be right! Can it? I would not be able to connect to my Mailserver with my e-mail clients anymore, would I?

This is why I at first thought of setting up postfix this way. Any comments on this?

Thanks,
Mario



How can this be right? Then my

Ralf Hildebrandt wrote:
> * [hidden email] [hidden email]:
>> Hello List,
>>
>> How can I only allow incoming mail from a specific IP-Range?
>
> mynetworks = specific IP-Range
>
> smtpd_recipient_restrictions =
>    permit_mynetworks
>    reject


Re: Only allow incoming mails from specific IP-Range

Noel Jones-2
In reply to this post by Ralf Hildebrandt
Ralf Hildebrandt wrote:

> * Noel Jones <[hidden email]>:
>
>> mynetworks = 127.0.0.1
>> smtpd_recipient_restrictions =
>>   permit_mynetworks
>>   reject_unauth_destination
>>   ... other optional local UCE checks here ...
>>   check_client_access cidr:/etc/postfix/allowed_clients.cidr
>>   reject
>
> That's wrong, since it will accept mail for domains listed in
> mydestination, relay_domains, virtual_alias_domains, etc
>

Look closer. It is correct, safe, and flexible.

> mynetworks = specific IP-Range
>
> smtpd_recipient_restrictions =
>    permit_mynetworks
>    reject

This grants relay rights to the third-party proxy service,
which may not be appropriate.

--
Noel Jones

Re: Only allow incoming mails from specific IP-Range

Jimbo-3
In reply to this post by spiekey
[hidden email] wrote:

> Hello,
>
> we are using some sort of E-Mail Proxy (something like Postini or
> Messagelabs) which we put in front of our real mailserver.
> The proxy does some spam filtering and we also relay via this proxy
> (outgoing mails).
> Now I was told to "change your firewall settings to block connections
> to port 25 which do not come from the proxy".
> This is to avoid mails going to my e-mail server directly.
>
> This can't be right! Can it? I would not be able to connect to my
> Mailserver with my e-mail clients anymore, would I?
>
> This is why I at first thought of setting up postfix this way. Any
> comments on this?
You could have Postfix listen on the submission port (587) with a
different set of restrictions and have your clients use it to relay
their mail.


Re: Only allow incoming mails from specific IP-Range

Jason Pruim
In reply to this post by spiekey
Hi Mario,

I have a somewhat similar setup for spam filtering... My spam filter accepts the connections on Port 25 and then forwards it to port 26 on my mailserver. I also turned on the alternate submission port (Port 587) in postfix to get around the stupid wifi hotspots and ISPs blocking port 25. The setup has been working great for me for about 6 months.

And chances are (unless your setup is a lot different than mine) your mail clients never connect to port 25 on your mail server; usually they'll do like 110 for POP3 or 148 (I think) for IMAP. But they don't actually use port 25... Only the other mail servers do.


On Jun 11, 2008, at 10:55 AM, [hidden email] wrote:

> Hello,
>
> we are using some sort of E-Mail Proxy (something like Postini or Messagelabs) which we put in front of our real mailserver.
> The proxy does some spam filtering and we also relay via this proxy (outgoing mails).
> Now I was told to "change your firewall settings to block connections to port 25 which do not come from the proxy".
> This is to avoid mails going to my e-mail server directly.
>
> This can't be right! Can it? I would not be able to connect to my Mailserver with my e-mail clients anymore, would I?
>
> This is why I at first thought of setting up postfix this way. Any comments on this?
>
> Thanks,
> Mario
>
> How can this be right? Then my
>
> Ralf Hildebrandt wrote:
>> * [hidden email] [hidden email]:
>>> Hello List,
>>>
>>> How can I only allow incoming mail from a specific IP-Range?
>>
>> mynetworks = specific IP-Range
>>
>> smtpd_recipient_restrictions =
>>    permit_mynetworks
>>    reject


--

Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424-9337




Re: Only allow incoming mails from specific IP-Range

spiekey
In reply to this post by Noel Jones-2
Hello Everyone,

thanks for your help and hints. I have the feeling I did not describe my
setup properly, so I will try again to be sure.

I have loads of E-Mail Clients using Outlook, Thunderbird, Webmail etc,
...all around the world. They collect the mail from the Mailserver
(IMAP+POP). They also send Mails via this Mailserver (using SMTP I guess).

Our E-Mailserver only sends and receives via this E-Mail Proxy (using
mynetworks and relay_host).

Since this E-Mail server is not physically located behind the proxy,
mails could get to the mailserver directly. This is what I want to avoid.


Why can't I simply use a setup like this?:

smtpd_recipient_restrictions=
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject


Thanks,
Mario



Noel Jones wrote:

> Ralf Hildebrandt wrote:
>> * Noel Jones <[hidden email]>:
>>
>>> mynetworks = 127.0.0.1
>>> smtpd_recipient_restrictions =
>>>   permit_mynetworks
>>>   reject_unauth_destination
>>>   ... other optional local UCE checks here ...
>>>   check_client_access cidr:/etc/postfix/allowed_clients.cidr
>>>   reject
>>
>> That's wrong, since it will accept mail for domains listed in
>> mydestination, relay_domains, virtual_alias_domains, etc
>>
>
> Look closer. It is correct, safe, and flexible.
>
>> mynetworks = specific IP-Range
>>
>> smtpd_recipient_restrictions =
>>    permit_mynetworks
>>    reject
>
> This grants relay rights to the third-party proxy service, which may
> not be appropriate.
>


Re: Only allow incoming mails from specific IP-Range

mouss-2
[hidden email] wrote:

> Hello Everyone,
>
> thanks for your help and hints. I have the feeling I did not describe
> my setup properly, so I will try again to be sure.
>
> I have loads of E-Mail Clients using Outlook, Thunderbird, Webmail
> etc, ...all around the world. They collect the mail from the
> Mailserver (IMAP+POP). They also send Mails via this Mailserver (using
> SMTP I guess).
>
> Our E-Mailserver only sends and receives via this E-Mail Proxy (using
> mynetworks and relay_host).
>
> Since this E-Mail server is not physically located behind the proxy,
> mails could get to the mailserver directly. This is what I want to avoid.
>
>
> Why can't I simply use a setup like this?:
>
> smtpd_recipient_restrictions=
>    permit_sasl_authenticated,
>    permit_mynetworks,
>    reject_unauth_destination,
>    reject_non_fqdn_sender,
>    reject_non_fqdn_recipient,
>    reject_unknown_sender_domain,
>    reject_unknown_recipient_domain,
>    reject


If you take the time to think about it from a logic viewpoint, you'll
easily see that

    reject_foo
    reject_bar
    reject_blah
    reject

is the same as
    reject

because there is nothing there to do anything but reject.

So the restrictions you suggest have the same effect as:

smtpd_recipient_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    reject




Note that you should not reject mail from your proxy service. Even
Postini will store and forward if the final server is down, in which
case rejection at the final server leads to backscatter.


Re: Only allow incoming mails from specific IP-Range

Noel Jones-2
In reply to this post by spiekey
[hidden email] wrote:

> Hello Everyone,
>
> thanks for your help and hints. I have the feeling I did not describe my
> setup properly, so I will try again to be sure.
>
> I have loads of E-Mail Clients using Outlook, Thunderbird, Webmail etc,
> ...all around the world. They collect the mail from the Mailserver
> (IMAP+POP). They also send Mails via this Mailserver (using SMTP I guess).
>
> Our E-Mailserver only sends and receives via this E-Mail Proxy (using
> mynetworks and relay_host).
>
> Since this E-Mail server is not physically located behind the proxy,
> mails could get to the mailserver directly. This is what I want to avoid.
>
>
> Why can't I simply use a setup like this?:
>
> smtpd_recipient_restrictions=
>    permit_sasl_authenticated,
>    permit_mynetworks,
>    reject_unauth_destination,
>    reject_non_fqdn_sender,
>    reject_non_fqdn_recipient,
>    reject_unknown_sender_domain,
>    reject_unknown_recipient_domain,
>    reject
>
>
> Thanks,
> Mario
>
>
>
> Noel Jones wrote:
>> Ralf Hildebrandt wrote:
>>> * Noel Jones <[hidden email]>:
>>>
>>>> mynetworks = 127.0.0.1
>>>> smtpd_recipient_restrictions =
>>>>   permit_mynetworks
>>>>   reject_unauth_destination
>>>>   ... other optional local UCE checks here ...
>>>>   check_client_access cidr:/etc/postfix/allowed_clients.cidr
>>>>   reject
>>>
>>> That's wrong, since it will accept mail for domains listed in
>>> mydestination, relay_domains, virtual_alias_domains, etc
>>>
>>
>> Look closer. It is correct, safe, and flexible.
>>
>>> mynetworks = specific IP-Range
>>>
>>> smtpd_recipient_restrictions =
>>>    permit_mynetworks
>>>    reject
>>
>> This grants relay rights to the third-party proxy service, which may
>> not be appropriate.
>>
>


Right.  The setup I described originally is exactly that, with
adding permit_sasl_authenticated and optional UCE controls.

I'm going to assume that your proxy service will reject (and
not bounce) mail if you reject it during a proxied
transaction.  You should verify that's the case as you don't
want them generating backscatter bounces on your behalf.

I would recommend NOT using reject_unknown_recipient_domain
because any unknown domains will be rejected already by
reject_unauth_destination.  So the only domain left to reject
is your own domain if your local DNS has a hiccup.

So your final setup will look like:

smtpd_recipient_restrictions =
   permit_sasl_authenticated
   permit_mynetworks
   reject_unauth_destination
   reject_non_fqdn_sender
   reject_non_fqdn_recipient
   reject_unknown_sender_domain
   check_client_access cidr:/etc/postfix/allowed_clients.cidr
   reject

with the proxy service's IPs listed in allowed_clients.cidr as
detailed earlier.

--
Noel Jones

Re: Only allow incoming mails from specific IP-Range

Charles Marcus
In reply to this post by Jason Pruim
On 6/11/2008, Jason Pruim ([hidden email]) wrote:
> I also turned on the alternate submission port (Port 587) in postfix
> to get around the stupid wifi hotspots and ISP's blocking port 25

Sorry, but wi-fi and ISPs that DON'T block 25 are what is stupid. Port
587 is what you are *supposed* to use.

The ISPs/wi-fi hotspots that DON'T block outbound port 25 are the reason
that the netbots even exist.

--

Best regards,

Charles

Re: Only allow incoming mails from specific IP-Range

spiekey
In reply to this post by mouss-2
Hi,

mouss wrote:
>
> Note that you should not reject mail from your proxy service.
This won't happen, since the IP range of the proxy service is listed in
mynetworks, right?!

> even postini will store and forward if the final server is down. in
> which case, rejection at the final server leads to backscatter.
>
>


Thanks,
Mario

Re: Only allow incoming mails from specific IP-Range

spiekey
In reply to this post by Noel Jones-2
Hello Noel,

Noel Jones wrote:
>
>
> Right.  The setup I described originally is exactly that, with adding
> permit_sasl_authenticated and optional UCE controls.
>
> I'm going to assume that your proxy service will reject (and not
> bounce) mail if you reject it during a proxied transaction.  
Why would my proxy service reject or bounce mails? I don't quite
understand what you mean here. The connection between my E-Mail server
and its proxy?
> You should verify that's the case as you don't want them generating
> backscatter bounces on your behalf.
>
> I would recommend NOT using reject_unknown_recipient_domain because
> any unknown domains will be rejected already by
> reject_unauth_destination.  So the only domain left to reject is your
> own domain if your local DNS has a hiccup.
Okay.

>
> So your final setup will look like:
>
> smtpd_recipient_restrictions =
>   permit_sasl_authenticated
>   permit_mynetworks
>   reject_unauth_destination
>   reject_non_fqdn_sender
>   reject_non_fqdn_recipient
>   reject_unknown_sender_domain
>   check_client_access cidr:/etc/postfix/allowed_clients.cidr
>   reject
>
> with the proxy service's IPs listed in allowed_clients.cidr as
> detailed earlier.
Since my proxy service is already listed in mynetworks, I guess I don't
need it in check_client_access cidr anymore?!

Thanks so much,
Mario


Re: Only allow incoming mails from specific IP-Range

mouss-2
In reply to this post by spiekey
[hidden email] wrote:
> Hi,
>
> mouss wrote:
>>
>> Note that you should not reject mail from your proxy service.
> This won't happen, since the IP range of the proxy service is listed in
> mynetworks, right?!

If you implement Noel's suggestion, do not put the proxy IP in mynetworks,
but in the allowed_clients.cidr map instead.


If you put the proxy IP in mynetworks, then you don't need more than
smtpd_recipient_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    reject

That said, this allows the proxy to use you as a relay. While you can
trust the proxy service to be protected against attacks, why run the
risk? So implement Noel's suggestion instead (proxy IP is not in mynetworks):

smtpd_recipient_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    reject_unauth_destination
    check_client_access cidr:/etc/postfix/allowed_clients.cidr
    reject

You don't need to add other UCE checks, except if the proxy service does
not already support them.
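
To make the difference between the two setups concrete, here is an added Python simulation (not from the thread and not Postfix code) of how a smtpd_recipient_restrictions list is walked, with constructed proxy ranges, destination domain and SMTP sessions; it contrasts Noel's cidr-map setup with the proxy-in-mynetworks setup and also checks mouss's point that reject_* entries followed by a bare reject decide nothing extra. The real check_client_access takes a map argument; the model hard-codes that map.

```python
import ipaddress

# Constructed sample data, not from the thread: the proxy service's outbound
# ranges (the allowed_clients.cidr map) and the domain this server accepts.
ALLOWED_CLIENTS = [("192.0.2.0/28", "OK"), ("198.51.100.0/24", "OK")]
MYDESTINATION = {"example.com"}
LOCAL_ONLY = ["127.0.0.0/8"]                               # proxy kept out of mynetworks
WITH_PROXY = LOCAL_ONLY + [c for c, _ in ALLOWED_CLIENTS]  # proxy put into mynetworks

def _in(ip, networks):
    return any(ip in ipaddress.ip_network(n) for n in networks)

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def evaluate(restrictions, mynetworks, client_ip, sender, recipient, sasl=False):
    """Walk an smtpd_recipient_restrictions list the way Postfix does: the first
    entry that yields PERMIT or REJECT decides, anything else falls through, and
    an exhausted list means permit.  Returns (decision, deciding entry)."""
    ip = ipaddress.ip_address(client_ip)
    for r in restrictions:
        if r == "permit_sasl_authenticated" and sasl:
            return "PERMIT", r
        if r == "permit_mynetworks" and _in(ip, mynetworks):
            return "PERMIT", r
        if r == "reject_unauth_destination" and _domain(recipient) not in MYDESTINATION:
            return "REJECT", r                             # "Relay access denied"
        if r == "reject_non_fqdn_sender" and "." not in _domain(sender):
            return "REJECT", r
        if r == "reject_non_fqdn_recipient" and "." not in _domain(recipient):
            return "REJECT", r
        if r == "check_client_access":                     # stands for the cidr: map lookup
            for cidr, action in ALLOWED_CLIENTS:           # first matching entry wins
                if ip in ipaddress.ip_network(cidr):
                    return ("PERMIT" if action == "OK" else "REJECT"), r
        if r == "reject":
            return "REJECT", r
    return "PERMIT", "end of list"

MYNETWORKS_STYLE = ["permit_sasl_authenticated", "permit_mynetworks", "reject"]
CIDR_STYLE = ["permit_sasl_authenticated", "permit_mynetworks",
              "reject_unauth_destination", "check_client_access", "reject"]

# Constructed sessions: (client IP, sender, recipient, SASL-authenticated?)
SESSIONS = {
    "proxy delivers inbound":  ("192.0.2.5",   "a@other.org",   "u@example.com", False),
    "proxy tries to relay":    ("192.0.2.5",   "a@other.org",   "v@third.net",   False),
    "stranger bypasses proxy": ("203.0.113.9", "a@other.org",   "u@example.com", False),
    "roaming user via SASL":   ("203.0.113.9", "u@example.com", "v@third.net",   True),
}

def compare():
    """(mynetworks-setup decision, cidr-setup decision) for every session."""
    return {name: (evaluate(MYNETWORKS_STYLE, WITH_PROXY, *s)[0],
                   evaluate(CIDR_STYLE, LOCAL_ONLY, *s)[0])
            for name, s in SESSIONS.items()}

def reject_chain_is_just_reject():
    """mouss's point: reject_* entries between the last permit and a bare reject
    cannot change any decision, so the padded list behaves like the short one."""
    padded = CIDR_STYLE[:-1] + ["reject_non_fqdn_sender", "reject_non_fqdn_recipient", "reject"]
    return all(evaluate(padded, LOCAL_ONLY, *s)[0] == evaluate(CIDR_STYLE, LOCAL_ONLY, *s)[0]
               for s in SESSIONS.values())
```

The only session where the two setups disagree is the proxy relaying to a foreign domain: the mynetworks setup permits it, the cidr setup stops at reject_unauth_destination.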

Re: Only allow incoming mails from specific IP-Range

Charles Marcus
In reply to this post by spiekey
On 6/12/2008, [hidden email] ([hidden email]) wrote:
>> I'm going to assume that your proxy service will reject (and not
>> bounce) mail if you reject it during a proxied transaction.

> Why would my proxy service reject or bounce mails? I dont quite
> understand what you mean here. The connection between my E-Mail
> server and its proxy?

If the service you are using doesn't query your server for valid
recipients in real time BEFORE accepting the message for delivery (this
is what is meant by PROXY), and you later reject the message for
invalid recipients, you are engaging in backscatter.

You MUST make sure your service does one of two things:

1. Proxies the valid recipient check to your server AND your server is
properly configured to REJECT messages to invalid recipients, OR

2. Provides a way for you to keep an up-to-date list of valid recipients
on THEIR system that they will use to reject messages to invalid recipients.

--

Best regards,

Charles

Re: Only allow incoming mails from specific IP-Range

Jason Pruim
In reply to this post by Charles Marcus

On Jun 11, 2008, at 4:38 PM, Charles Marcus wrote:

> On 6/11/2008, Jason Pruim ([hidden email]) wrote:
>> I also turned on the alternate submission port (Port 587) in postfix
>> to get around the stupid wifi hotspots and ISP's blocking port 25
>
> Sorry, but wi-fi and ISPs that DON'T block 25 are what is stupid.  
> Port 587 is what you are *supposed* to use.
>
> The ISPs/wi-f- hotspots that DON'T block outbound port 25 are the  
> reason that the netbots even exist.

Personally I blame the OS programmers more than the ISPs or the end
users... Unless the end user is one of the people that is creating and
selling the netbots :)


>
>
> --
>
> Best regards,
>
> Charles
>

--

Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424-9337
www.raoset.com
[hidden email]