how block specific ip address in Postfix


Poliman - Serwis
Hello. I saw in the logs that some non-existent mailbox from a client domain hosted on Google tries to send some mail to an existing mailbox in this same domain. The non-existent mailbox is used from IPs:
94.102.49.198
149.56.173.68
and both are blacklisted.
I need to block these IP addresses in Postfix and also I would like to add more blacklists to Postfix. I saw that Postfix uses zen.spamhaus.org:
reject_rbl_client zen.spamhaus.org

In the log it looks like this ([hidden email] doesn't exist at my client, who has mail service hosted on Google):
Nov 16 06:10:50 s1 amavis[29248]: (29248-11) Passed CLEAN {RelayedOutbound}, LOCAL [127.0.0.1] <[hidden email]> -> <[hidden email]>, Message-ID: <[hidden email]>, mail_id: 9IS02YCv7FyA, Hits: -1.901, size: 937, queued_as: 50F1513C675, 1045 ms

Nov 16 18:21:43 s1 dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<[hidden email]>, method=PLAIN, rip=94.102.49.198, lip=54.38.202.128, session=<rh2TZst6HE5eZjHG>

Today I deployed working SPF with hardfail, DKIM and DMARC for this domain. MX records point to Google.

--
Pozdrawiam / Best Regards
Piotr Bracha

Re: how block specific ip address in Postfix

Matus UHLAR - fantomas
On 19.11.18 11:24, Poliman - Serwis wrote:
>Hello. I saw in the logs that some non-existent mailbox from a client domain
>hosted on Google tries to send some mail to an existing mailbox in this same
>domain.

Set
smtpd_reject_unlisted_sender=yes

This will reject mail from senders in your local domains that do not exist.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #98652: Operation completed successfully.

Re: how block specific ip address in Postfix

Bill Cole-3
On 19 Nov 2018, at 5:24, Poliman - Serwis wrote:

> Hello. I saw in the logs that some non-existent mailbox from a client domain
> hosted on Google tries to send some mail to an existing mailbox in this same
> domain. The non-existent mailbox is used from IPs:
> 94.102.49.198
> 149.56.173.68
> and both are blacklisted.
> I need to block these IP addresses in Postfix and also I would like to
> add more blacklists to Postfix.

The most absolute and direct way to block specific IP addresses in
Postfix is (if you are using postscreen) via postscreen_access_list:

main.cf:
   postscreen_access_list = cidr:/etc/postfix/postscreen-access
   postscreen_blacklist_action = enforce


postscreen-access:
   94.102.49.198/32  REJECT
   149.56.173.68/32  REJECT

(Although I'd personally reject all of 94.102.48.0/20, as I've seen no
evidence of that network operator generating anything but malicious
traffic.)

If you're using an antique version of Postfix or don't have postscreen
enabled, you can instead do this:

main.cf:
   smtpd_client_restrictions = [...],
      check_client_access cidr:/etc/postfix/ip-access, [...]


/etc/postfix/ip-access:
   94.102.49.198/32  REJECT
   149.56.173.68/32  REJECT

Note that the "smtpd_client_restrictions" restriction list probably will
include other directives and that the order of directives in a
restriction list determines which ones actually act: a "PERMIT" or
"REJECT" from any directive causes Postfix to skip the rest of that list
and "REJECT" causes it to skip the logically subsequent restriction
lists.
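
Added example (not part of the original post): a small Python check that emulates the first-match lookup of a `pattern action` CIDR table like the ones above and applies it to the `rip=` addresses in Dovecot log lines, so a table can be sanity-checked before it is deployed. The parser is a simplified assumption (no `if`/`endif` blocks or negated patterns), the table and the second log line are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed table in the "pattern action" layout shown in the post.
ACCESS_TABLE = """\
# single hosts from the question, then the wider range suggested in the reply
94.102.49.198/32  REJECT
149.56.173.68/32  REJECT
94.102.48.0/20    REJECT
"""

# First line is the Dovecot entry quoted in the thread; the second is constructed.
LOG_LINES = [
    "Nov 16 18:21:43 s1 dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<[hidden email]>, method=PLAIN, rip=94.102.49.198, lip=54.38.202.128, session=<rh2TZst6HE5eZjHG>",
    "Nov 16 18:25:02 s1 dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<[hidden email]>, method=PLAIN, rip=192.0.2.10, lip=54.38.202.128, session=<constructed>",
]

RIP = re.compile(r"\brip=([0-9a-fA-F:.]+)")


def parse_table(text):
    """Return [(network, action), ...] in file order; skip blanks and comments."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 'pattern action'")
        # strict=True refuses patterns with host bits set, e.g. 94.102.49.198/20
        rules.append((ipaddress.ip_network(fields[0], strict=True), fields[1]))
    return rules


def lookup(rules, addr):
    """First matching pattern wins; None means the table has no opinion."""
    ip = ipaddress.ip_address(addr)
    for net, action in rules:
        if ip in net:
            return str(net), action
    return None


def audit(rules, lines):
    """Map each rip= address seen in the log lines to the table's verdict."""
    verdicts = {}
    for addr in (m.group(1) for line in lines for m in RIP.finditer(line)):
        hit = lookup(rules, addr)
        verdicts[addr] = hit[1] if hit else "no match"
    return verdicts
```

On a live system, `postmap -q 94.102.49.198 cidr:/etc/postfix/ip-access` performs the same lookup against the real table.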



Re: how block specific ip address in Postfix

Poliman - Serwis


2018-11-19 16:57 GMT+01:00 Bill Cole <[hidden email]>:
> On 19 Nov 2018, at 5:24, Poliman - Serwis wrote:
>
> > Hello. I saw in the logs that some non-existent mailbox from a client domain
> > hosted on Google tries to send some mail to an existing mailbox in this same
> > domain. The non-existent mailbox is used from IPs:
> > 94.102.49.198
> > 149.56.173.68
> > and both are blacklisted.
> > I need to block these IP addresses in Postfix and also I would like to add
> > more blacklists to Postfix.
>
> The most absolute and direct way to block specific IP addresses in Postfix is (if you are using postscreen) via postscreen_access_list:
>
> main.cf:
>   postscreen_access_list = cidr:/etc/postfix/postscreen-access
>   postscreen_blacklist_action = enforce
>
> postscreen-access:
>   94.102.49.198/32  REJECT
>   149.56.173.68/32  REJECT
>
> (Although I'd personally reject all of 94.102.48.0/20, as I've seen no evidence of that network operator generating anything but malicious traffic.)
>
> If you're using an antique version of Postfix or don't have postscreen enabled, you can instead do this:
>
> main.cf:
>   smtpd_client_restrictions = [...], check_client_access cidr:/etc/postfix/ip-access, [...]
>
> /etc/postfix/ip-access:
>   94.102.49.198/32  REJECT
>   149.56.173.68/32  REJECT
>
> Note that the "smtpd_client_restrictions" restriction list probably will include other directives and that the order of directives in a restriction list determines which ones actually act: a "PERMIT" or "REJECT" from any directive causes Postfix to skip the rest of that list and "REJECT" causes it to skip the logically subsequent restriction lists.



Thank you for the answers. I use Postfix -> mail_version = 3.1.0

--
Pozdrawiam / Best Regards
Piotr Bracha