Restrict clients (IP address) to send outbound email

Burn Zero
Hi,

I need to restrict outbound email to the internet by client IP. i.e. if an IP is in a blocked list, it should only be allowed to be sent to local domains.  Is this possible? Please advise.

I read http://www.postfix.org/RESTRICTION_CLASS_README.html but it is only using the usernames and not the IP address.

Thank you.

Re: Restrict clients (IP address) to send outbound email

Ansgar Wiechers
On 2021-01-06 Burn Zero wrote:
> I need to restrict outbound email to the internet by client IP. i.e.
> if an IP is in a blocked list, it should only be allowed to be sent to
> local domains.  Is this possible? Please advise.
>
> I read http://www.postfix.org/RESTRICTION_CLASS_README.html but it is
> only using the usernames and not the IP address.

Using check_client_access instead of check_sender_access should do what
you want:

----8<----
# /etc/postfix/main.cf
...
smtpd_recipient_restrictions =
  permit_mynetworks
  permit_sasl_authenticated
  reject_unauth_destination
  ...
  check_client_access cidr:/etc/postfix/restricted_clients.cidr
  ...

smtpd_restriction_classes = local_only
local_only =
  check_recipient_access hash:/etc/postfix/local_domains
  reject
...
---->8----

----8<----
# /etc/postfix/restricted_clients.cidr
192.168.23.42   local_only
192.168.17.0/24 local_only
...
---->8----

----8<----
# /etc/postfix/local_domains
foo.example.org OK
bar.example.org OK
...
---->8----

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
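
Postfix evaluates a restriction list in order and stops at the first rule that returns a decisive result, so where check_client_access sits relative to permit_mynetworks decides whether a restricted client ever reaches local_only. The following is an added example, not part of the original post and not Postfix code: a simplified Python model of that evaluation using the tables above. The MYNETWORKS value, the sample addresses, and the assumption that Postfix's own destinations are exactly the two listed domains are constructed for illustration.

```python
# Simplified model of Postfix first-match restriction evaluation (not Postfix code).
import ipaddress

MYNETWORKS = ["127.0.0.0/8", "192.168.0.0/16"]      # assumed; not given in the thread
RESTRICTED = {"192.168.23.42/32": "local_only",     # restricted_clients.cidr
              "192.168.17.0/24": "local_only"}
LOCAL_DOMAINS = {"foo.example.org", "bar.example.org"}  # local_domains (all "OK")
CLASSES = {"local_only": ["check_recipient_access", "reject"]}


def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def is_local(rcpt):
    return rcpt.rsplit("@", 1)[1].lower() in LOCAL_DOMAINS


def check_client_access(ip, rcpt):
    for net, action in RESTRICTED.items():           # first matching CIDR line wins
        if in_net(ip, net):
            return evaluate(CLASSES[action], ip, rcpt)
    return "DUNNO"


RULES = {
    "permit_mynetworks":
        lambda ip, rcpt: "OK" if any(in_net(ip, n) for n in MYNETWORKS) else "DUNNO",
    # Assumption: Postfix's own destinations are exactly LOCAL_DOMAINS.
    "reject_unauth_destination":
        lambda ip, rcpt: "DUNNO" if is_local(rcpt) else "REJECT",
    "check_client_access": check_client_access,
    "check_recipient_access": lambda ip, rcpt: "OK" if is_local(rcpt) else "DUNNO",
    "reject": lambda ip, rcpt: "REJECT",
}


def evaluate(restrictions, ip, rcpt):
    """Return the first decisive result (OK or REJECT); DUNNO moves to the next rule."""
    for name in restrictions:
        result = RULES[name](ip, rcpt)
        if result != "DUNNO":
            return result
    return "DUNNO"


# Order as listed in the post (elided "..." entries and SASL omitted).
AS_LISTED = ["permit_mynetworks", "reject_unauth_destination", "check_client_access"]
# Variant with the client check evaluated before permit_mynetworks.
CLIENT_FIRST = ["check_client_access", "permit_mynetworks", "reject_unauth_destination"]
```

In this model a restricted client that also falls inside the assumed MYNETWORKS is accepted for a remote recipient under AS_LISTED and rejected under CLIENT_FIRST.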

Re: Restrict clients (IP address) to send outbound email

Burn Zero
Hi Ansgar,

Thank you. It worked like a charm.
