SMTP filter using geo-localization


Philippe - Forums
Hello,

I would like to filter SMTP access using geo-localization.

I have installed geoip-bin on my mailserver.

This tool works like nslookup with an IP (geoiplookup @IP) and gives
geographic information about this IP, especially the country (FR,
DE,...).

My purpose is to filter IPs out of my country to reject SMTP connection.


I must make a Linux script, in bash (/usr/bin/policyd-geoip).

But I don't know how the script can tell Postfix if the IP is OK or
KO.


For postfix configuration I think that I must do that:

* master.cf:

   policy-geoip unix - n n - 0 spawn

   user=nobody argv=/usr/bin/policyd-geoip

* main.cf:

check_policy_service unix:private/policy-geoip


If someone can help me for this "project".


--
##################

Philippe - Forums

Re: SMTP filter using geo-localization

Matt Anton
Hello,

A simpler solution would be to use a cidr access map, built from <http://ipdeny.com/ipblocks/data/countries/>, that matches the netblocks you allow, set in master.cf for the submission service (or smtps if using the legacy SMTPS service on port 465) with smtpd_client_restrictions, e.g.:


Long form for postfix >= 3.0 only:
-o { smtpd_client_restrictions = permit_mynetworks check_client_access cidr:$config_directory/submission_access.cidr permit_sasl_authenticated reject }


Short form for previous postfix < 3.0:
-o smtpd_client_restrictions=permit_mynetworks,check_client_access,cidr:$config_directory/submission_access.cidr,permit_sasl_authenticated,reject


submission_access.cidr map:

<netblocks_allowed> OK
0.0.0.0/0   REJECT Submission not allowed from your country.

Be sure to update submission_access.cidr with a daily cronjob to have up-to-date netblocks, then reload postfix to use the new cidr map right away.

On 5 Jan 2019, at 22:26, Philippe - Forums wrote:

> Hello,
>
> I would like to filter SMTP access using geo-localization.
>
> I have installed geoip-bin on my mailserver.
>
> This tool works like nslookup with an IP (geoiplookup @IP) and gives geographic information about this IP, especially the country (FR, DE,...).
>
> My purpose is to filter IPs out of my country to reject SMTP connection.
>
>
> I must make a Linux script, in bash (/usr/bin/policyd-geoip).
>
> But I don't know how the script can tell Postfix if the IP is OK or KO.
>
>
> For postfix configuration I think that I must do that:
>
> * master.cf:
>
>   policy-geoip unix - n n - 0 spawn
>
>   user=nobody argv=/usr/bin/policyd-geoip
>
> * main.cf:
>
> check_policy_service unix:private/policy-geoip
>
>
> If someone can help me for this "project".
>
>
> --
> ##################
>
> Philippe - Forums
--
matt [at] lv223.org
GPG key ID: 7D91A8CA
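
An added example, not part of the original message: one way the daily cron job could rebuild submission_access.cidr from a downloaded country zone file without ever installing a broken or empty map. The function names, the `.new` temporary suffix and the minimum-block threshold are assumptions made for this sketch.

```shell
#!/bin/bash
# Added example: turn a zone file (one IPv4 CIDR per line) into a cidr: map.
OCT='(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])'
CIDR_RE="($OCT\.){3}$OCT/(3[0-2]|[12]?[0-9])"

# Read zone data on stdin and print the map. Prints nothing and fails if the
# input is empty, has a malformed line, or has fewer than $1 netblocks.
build_map() {
    local min="${1:-1}" blocks n
    # Drop CRs, blank lines and comments; everything left must be a CIDR.
    blocks="$(tr -d '\r' | grep -v -e '^[[:space:]]*$' -e '^#')" || return 1
    if printf '%s\n' "$blocks" | grep -Evxq "$CIDR_RE"; then
        return 1                        # at least one malformed line
    fi
    n="$(printf '%s\n' "$blocks" | grep -c .)"
    [ "$n" -ge "$min" ] || return 1     # feed is suspiciously short
    printf '%s\n' "$blocks" | sed 's/$/ OK/'
    # Catch-all from the message above; it only matches IPv4 clients.
    printf '0.0.0.0/0 REJECT Submission not allowed from your country.\n'
}

# usage: update_map ZONE_FILE MAP_FILE [MIN_BLOCKS]
# Replaces the live map only when a complete new one was built.
update_map() {
    local tmp="$2.new"
    if build_map "${3:-1}" < "$1" > "$tmp"; then
        mv -f "$tmp" "$2"               # rename within the same directory
    else
        rm -f "$tmp"
        return 1                        # keep the previous map in place
    fi
}
```

Run `postfix reload` only after update_map succeeds; when it fails, the previous map stays in use, so a truncated download cannot lock every client out.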


Re: SMTP filter using geo-localization

John Fawcett
In reply to this post by Philippe - Forums
On 05/01/2019 22:26, Philippe - Forums wrote:
> Hello,
>
> I would like to filter SMTP access using geo-localization.
>
> I have installed geoip-bin on my mailserver.
>
> This tool works like nslookup with an IP (geoiplookup @IP) and gives geographic information about this IP, especially the country (FR, DE,...).
>
> My purpose is to filter IPs out of my country to reject SMTP connection.
>
>
> I must make a Linux script, in bash (/usr/bin/policyd-geoip).
>
> But I don't know how the script can tell Postfix if the IP is OK or KO.
>
>
> For postfix configuration I think that I must do that:
>
> * master.cf:
>
>   policy-geoip unix - n n - 0 spawn
>
>   user=nobody argv=/usr/bin/policyd-geoip
>
> * main.cf:
>
> check_policy_service unix:private/policy-geoip
>
>
> If someone can help me for this "project".


You can find the info and an example policy script here:

http://www.postfix.org/SMTPD_POLICY_README.html

As for return values, "The policy server replies with any action that is allowed in a Postfix SMTPD access(5) table." (http://www.postfix.org/access.5.html)

I think you will want to reply with "dunno" for acceptable IPs (so that the other checks following the check_policy_service restriction will then be done), and with something like "reject" followed by some message such as "ip not allowed" in the case where you want to reject the IP.

John
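
An added example, not part of the original reply: a sketch of the /usr/bin/policyd-geoip script that answers "dunno" or "reject" as described above. It assumes a single allowed country (FR), the "GeoIP Country Edition: CC, Name" output line of geoiplookup, and that an address the lookup cannot place gets "dunno"; the function names are made up for this sketch.

```shell
#!/bin/bash
# Added example (not from the thread): policy delegate for /usr/bin/policyd-geoip.
ALLOWED_CC="${ALLOWED_CC:-FR}"               # assumption: one accepted country
GEOIP_LOOKUP="${GEOIP_LOOKUP:-geoiplookup}"  # overridable so it can be stubbed

# Print the two-letter country code for an address, or nothing if unknown.
country_of() {
    # geoiplookup prints e.g. "GeoIP Country Edition: FR, France"
    "$GEOIP_LOOKUP" "$1" 2>/dev/null |
        sed -n 's/^GeoIP Country Edition: \([A-Z][A-Z]\),.*/\1/p' | head -n 1
}

# Map a client address to an access(5) action.
decide() {
    local ip="$1" cc
    # Never hand anything but address characters to the external tool.
    case "$ip" in
        ''|*[!0-9A-Fa-f.:]*) echo "dunno"; return ;;
    esac
    cc="$(country_of "$ip")"
    if [ -z "$cc" ] || [ "$cc" = "$ALLOWED_CC" ]; then
        echo "dunno"                       # let the following restrictions decide
    else
        echo "reject IP not allowed ($cc)"
    fi
}

# Postfix sends name=value lines; an empty line ends each request.
policy_loop() {
    local line ip=""
    while IFS= read -r line; do
        case "$line" in
            client_address=*) ip="${line#client_address=}" ;;
            '') printf 'action=%s\n\n' "$(decide "$ip")"; ip="" ;;
        esac
    done
}

# Serve only when installed under the name used in master.cf.
case "${0##*/}" in policyd-geoip) policy_loop ;; esac
```

Each reply is a single `action=` line followed by an empty line, and the loop keeps answering until Postfix closes the connection.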


Re: SMTP filter using geo-localization

Matthew McGehrin
In reply to this post by Matt Anton
Hello,

Another solution is to use reject_rbl_client. Dnsbl.bit.nl maintains a
RBL by country code that is updated weekly. GeoIP data is sometimes
unreliable and can become stale.

See also:

https://noc.bit.nl/dnsbl/ascc/

"This zone contains data regarding the ISO3166 countrycode and BGP
Autonomous System for any given IPv4 or IPv6 address. Every wednesday,
RIR allocation statistics are downloaded for the RIPE, ARIN, APNIC,
LACNIC and AFRINIC regions and this data is combined with a route-dump
of the default free zone, as seen from AS12859."

IE:

  reject_rbl_client cn.ascc.dnsbl.bit.nl

Jan  5 16:52:42 c3p0 postfix/smtpd[54656]: NOQUEUE: reject: RCPT from
unknown[223.72.236.134]: 554 5.7.1 Service unavailable; Client host
[223.72.236.134] blocked using cn.ascc.dnsbl.bit.nl; AS=56048 CC=CN
URL=http://noc.bit.nl/dnsbl/ / AS=9808 CC=CN
URL=http://noc.bit.nl/dnsbl/; from=<[hidden email]>
to=<[hidden email]> proto=ESMTP helo=<cmbc.com.cn>

Matthew

On 1/5/2019 4:15 PM, Matt Anton wrote:
> Hello,
>
> A simpler solution would be using a cidr access map from <http://ipdeny.com/ipblocks/data/countries/> that match netblocks you allow in master.cf for submission (or smtps if using the legacy SMTPS service on port 465) service with smtpd_client_restrictions, eg.:
>
>

Re: SMTP filter using geo-localization

Matus UHLAR - fantomas
In reply to this post by Philippe - Forums
On 05.01.19 22:26, Philippe - Forums wrote:
>I would like to filter SMTP access using geo-localization.

tried searching in your SW distribution?

% apt-cache search geoip postfix
mtpolicyd - modular policy daemon for postfix

https://www.mtpolicyd.org/

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
BSE = Mad Cow Disease ... BSA = Mad Software Producents Disease