Only allow mail from a single IP?


Only allow mail from a single IP?

Chris St Denis-4
I have postfix configured in master.cf to listen on 2 IPs.

One of them is for incoming mail from the outside world. I want to
restrict it to only the IP(s) of our Barracuda spam firewalls.
The other is for clients to send mail (authenticated with SASL or
trusted IPs)

I have used check_client_access to restrict the incoming IP to only a
single address, but it still seems to happily accept mail from my computer.


1.2.3.30:smtp      inet  n       -       n       -       -       smtpd
  -o check_client_access=hash:/usr/local/etc/postfix/barracuda_ips,reject

/usr/local/etc/postfix/barracuda_ips
1.2.3.103   OK



Is smtpd_recipient_restrictions being checked before
check_client_access? or am I doing something else wrong?

Re: Only allow mail from a single IP?

Patrick Ben Koetter
* Chris St Denis <[hidden email]>:

> I have postfix configured in master.cf to listen on 2 IPs.
>
> One of them is for incoming mail from the outside world. I want to  
> restrict it to only the IP(s) of our Barracuda spam firewalls.
> The other is for clients to send mail (authenticated with SASL or  
> trusted IPs)
>
> I have used check_client_access to restrict the incoming IP to only a  
> single address, but it still seems to happily accept mail from my
> computer.
>
>
> 1.2.3.30:smtp      inet  n       -       n       -       -       smtpd
>  -o check_client_access=hash:/usr/local/etc/postfix/barracuda_ips,reject


1.2.3.30:smtp      inet  n       -       n       -       -       smtpd
 -o mynetworks=ip.from.bar.cuda/32


Additionally: Use a firewall to permit connections to your incoming SMTP
interface only from ip.from.bar.cuda/32.

p@rick



>
> /usr/local/etc/postfix/barracuda_ips
> 1.2.3.103   OK
>
>
>
> Is smtpd_recipient_restrictions being checked before  
> check_client_access? or am I doing something else wrong?

--
The Book of Postfix
<http://www.postfix-book.com>
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>

Re: Only allow mail from a single IP?

Bug-6
In reply to this post by Chris St Denis-4


On Wed, Jun 25, 2008 at 5:25 PM, Chris St Denis <[hidden email]> wrote:
> I have postfix configured in master.cf to listen on 2 IPs.
>
> One of them is for incoming mail from the outside world. I want to restrict it to only the IP(s) of our Barracuda spam firewalls.
> The other is for clients to send mail (authenticated with SASL or trusted IPs)
>
> I have used check_client_access to restrict the incoming IP to only a single address, but it still seems to happily accept mail from my computer.
>
>
> 1.2.3.30:smtp      inet  n       -       n       -       -       smtpd
>  -o check_client_access=hash:/usr/local/etc/postfix/barracuda_ips,reject
>
> /usr/local/etc/postfix/barracuda_ips
> 1.2.3.103   OK
>
> Is smtpd_recipient_restrictions being checked before check_client_access? or am I doing something else wrong?

Check the documentation for smtpd_client_restrictions. 

If you need more flexibility than something like permit_mynetworks, I do it this way:

    http://thelowedown.wordpress.com/2008/02/24/postfix-restricting-smtpd-client-access-by-domain/

-r


Re: Only allow mail from a single IP?

mouss-2
In reply to this post by Chris St Denis-4
Chris St Denis wrote:

> I have postfix configured in master.cf to listen on 2 IPs.
>
> One of them is for incoming mail from the outside world. I want to
> restrict it to only the IP(s) of our Barracuda spam firewalls.
> The other is for clients to send mail (authenticated with SASL or
> trusted IPs)
>
> I have used check_client_access to restrict the incoming IP to only a
> single address, but it still seems to happily accept mail from my
> computer.
>
>
> 1.2.3.30:smtp      inet  n       -       n       -       -       smtpd
>  -o check_client_access=hash:/usr/local/etc/postfix/barracuda_ips,reject

where did you get this from? there is no check_client_access option.
>
> /usr/local/etc/postfix/barracuda_ips
> 1.2.3.103   OK
>
>
>
> Is smtpd_recipient_restrictions being checked before check_client_access?

there is no check_client_access option. check_client_access is a check
that is valid inside smtpd_*_restrictions. you want


    -o smtpd_client_restrictions=$only_barracuda

only_barracuda =
    check_client_access hash:/path/barracuda_ip
    reject

in your main.cf.

that said, a firewall rule is more effective...

> or am I doing something else wrong?
everybody is doing something _else_ wrong ;-p




Re: Only allow mail from a single IP?

Chris St Denis-4
mouss wrote:

> Chris St Denis wrote:
>> I have postfix configured in master.cf to listen on 2 IPs.
>>
>> One of them is for incoming mail from the outside world. I want to
>> restrict it to only the IP(s) of our Barracuda spam firewalls.
>> The other is for clients to send mail (authenticated with SASL or
>> trusted IPs)
>>
>> I have used check_client_access to restrict the incoming IP to only a
>> single address, but it still seems to happily accept mail from my
>> computer.
>>
>>
>> 1.2.3.30:smtp      inet  n       -       n       -       -       smtpd
>>  -o check_client_access=hash:/usr/local/etc/postfix/barracuda_ips,reject
>
> where did you get this from? there is no check_client_access option.
>>
>> /usr/local/etc/postfix/barracuda_ips
>> 1.2.3.103   OK
>>
>>
>>
>> Is smtpd_recipient_restrictions being checked before
>> check_client_access?
>
> there is no check_client_access option. check_client_access is a check
> that is valid inside smtpd_*_restrictions. you want
>
>
>    -o smtpd_client_restrictions=$only_barracuda
>
> only_barracuda =
>    check_client_access hash:/path/barracuda_ip
>    reject
>
> in your main.cf.
>
> that said, a firewall rule is more effective...
I knew it was probably something simple.

A few related questions.

1. Can I provide a custom message in the reject?

2. Can I use check_client_access with an IP directly specified instead
of using a hash file? I only expect to have a few IPs so don't really
want to bother with extra files. I looked at static maps, but they
appear to only allow one value, whereas access maps appear to require 2.

>
>> or am I doing something else wrong?
> everybody is doing something _else_ wrong ;-p
>
>
>


--
Chris St Denis
Programmer
SmarttNet (www.smartt.com)
Ph: 604-473-9700 Ext. 200
-------------------------------------------
"Smart Internet Solutions For Businesses"


Re: Only allow mail from a single IP?

Noel Jones-2
Chris St Denis wrote:
> A few related questions.
>
> 1. Can I provide a custom message in the reject?
>
> 2. can I use check_client_access with an IP directly specified instead
> of using a hash file? I only expect to have a few IPs so don't really
> want to bother with extra files. I looked at static maps, but they
> appear to only allow one value where as access maps appear to require 2.

You can use a cidr: type map and get both 1 and 2.
1 - Cidr maps are "plain text"; they don't need to be indexed with postmap before use.
2 - A "match all addresses" entry at the end of the file can provide a custom reject message.
http://www.postfix.org/cidr_table.5.html

# barracuda_ip cidr table
# note: order matters! first match wins
192.1.0.3/32  OK
0.0.0.0/0  REJECT improper direct access - use our MX instead
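To make the two fixes in this thread concrete (mouss's `check_client_access ..., reject` list in smtpd_client_restrictions, and Noel's cidr: table with a catch-all REJECT line), here is an added Python emulation of how smtpd walks a client restriction list. It is illustration written for this page, not Postfix source and not code from any poster. It assumes a cidr: table in the shape Noel posted but using the Barracuda address 1.2.3.103 from Chris's hash file, plus a constructed outside client 203.0.113.7; only the OK, PERMIT, REJECT and DUNNO results are modelled. The `$only_barracuda` indirection in mouss's post exists because master.cf `-o` values cannot contain unquoted whitespace, so the list has to live in main.cf.

```python
"""Emulate how smtpd evaluates a smtpd_client_restrictions list.
Added illustration for this thread; not Postfix source."""
import ipaddress

# Constructed cidr: table in the shape Noel posted, with the Barracuda
# address from Chris's hash file. Order matters: first match wins.
BARRACUDA_CIDR = """\
# barracuda_ip cidr table
1.2.3.103/32  OK
0.0.0.0/0     REJECT improper direct access - use our MX instead
"""

# Same two entries in the wrong order: the catch-all shadows the Barracuda line.
SHADOWED_CIDR = """\
0.0.0.0/0     REJECT improper direct access - use our MX instead
1.2.3.103/32  OK
"""

OUTSIDE_CLIENT = "203.0.113.7"  # constructed address for "my computer"


def parse_cidr_table(text):
    """Parse a cidr: table into an ordered list of (network, result)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pattern, result = line.split(None, 1)
        entries.append((ipaddress.ip_network(pattern, strict=False), result.strip()))
    return entries


def cidr_lookup(table, client_ip):
    """First matching network wins; None means the table has no entry.
    A 0.0.0.0/0 line only matches IPv4 clients, as in Postfix."""
    addr = ipaddress.ip_address(client_ip)
    for net, result in table:
        if addr.version == net.version and addr in net:
            return result
    return None


def check_client_access(table, client_ip):
    """Map an access-table result to a restriction outcome: ("permit", None),
    ("reject", text), or (None, None) when the client is unlisted or DUNNO,
    in which case smtpd moves on to the next restriction in the list."""
    result = cidr_lookup(table, client_ip)
    if result is None:
        return (None, None)
    action, _, text = result.partition(" ")
    action = action.upper()
    if action in ("OK", "PERMIT"):
        return ("permit", None)
    if action == "REJECT":
        return ("reject", text.strip() or "Access denied")
    if action == "DUNNO":
        return (None, None)
    raise ValueError("unsupported access result: " + result)


def evaluate_client_restrictions(restrictions, client_ip, mynetworks=()):
    """Walk the list as smtpd does: the first restriction with an opinion
    decides. Running off the end returns (None, None): this list does not
    reject, and the later smtpd_*_restrictions lists get their turn."""
    addr = ipaddress.ip_address(client_ip)
    for item in restrictions:
        if item == "permit_mynetworks":
            if any(addr in ipaddress.ip_network(n, strict=False) for n in mynetworks):
                return ("permit", None)
        elif item == "reject":
            return ("reject", "Access denied")
        elif isinstance(item, tuple) and item[0] == "check_client_access":
            outcome = check_client_access(item[1], client_ip)
            if outcome[0] is not None:
                return outcome
        else:
            raise ValueError("unsupported restriction: %r" % (item,))
    return (None, None)


def demo():
    """Outcomes for the configurations discussed in the thread (returned, not printed)."""
    barracuda = parse_cidr_table(BARRACUDA_CIDR)
    # mouss: smtpd_client_restrictions = check_client_access <table>, reject
    only_barracuda = [("check_client_access", barracuda), "reject"]
    # Chris's original table had only an OK line: no catch-all, and no trailing reject
    ok_only = [("check_client_access", parse_cidr_table("1.2.3.103/32 OK\n"))]
    # mynetworks alone: permit_mynetworks permits listed clients and says nothing about the rest
    mynet_only = ["permit_mynetworks"]
    shadowed = [("check_client_access", parse_cidr_table(SHADOWED_CIDR)), "reject"]
    return {
        "barracuda_via_cidr": evaluate_client_restrictions(only_barracuda, "1.2.3.103"),
        "stranger_via_cidr": evaluate_client_restrictions(only_barracuda, OUTSIDE_CLIENT),
        "stranger_ok_only": evaluate_client_restrictions(ok_only, OUTSIDE_CLIENT),
        "stranger_mynetworks": evaluate_client_restrictions(mynet_only, OUTSIDE_CLIENT, ["1.2.3.103/32"]),
        "barracuda_shadowed": evaluate_client_restrictions(shadowed, "1.2.3.103"),
    }
```

Two things the emulation makes visible: an OK-only table (Chris's original) and a bare `permit_mynetworks` both produce no decision for an unlisted client, so such a client is not refused by the client restriction list at all; only the trailing `reject` or the catch-all REJECT line turns "not listed" into a refusal. And because the catch-all matches only IPv4, a listener that also has an IPv6 address needs a `::/0 REJECT ...` line as well, or mouss's trailing `reject`, which covers any client the table does not list. On a real host the same table can be queried without restarting anything with `postmap -q 203.0.113.7 cidr:/usr/local/etc/postfix/barracuda_ips`.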