From: vtzan on 11 Dec 2009 06:26

Hello all,

I need to reject SMTP connections from a certain IP inside my network (SPAMMER).
I have configured the following according to http://www.postfix.org/access.5.html and it doesn't work.
I just want to deny an IP address from sending mails to the outside world!

smtpd_client_restrictions = check_client_access hash:/etc/postfix/access, permit_mynetworks, permit_sasl_authenticated

access
===========
ipaddress REJECT

Thanks in advance
Bill

From: Stan Hoeppner on 11 Dec 2009 08:02

vtzan put forth on 12/11/2009 5:46 AM:
> thanks for your fast reply. But that was my PLAN B ;-)
> any idea for PLAN A?
>
> thanks a lot
> Bill

Hey Bill,

First off, please keep all replies on the postfix-users list. 2nd, send
your 'postconf -n' output and the relevant contents of
/etc/postfix/access. 3rd, it might be tricky doing what you are asking
because, if I understand you correctly, the IP you want to block with
smtpd is within mynetworks.

--
Stan

From: Noel Jones on 11 Dec 2009 11:00

On 12/11/2009 7:02 AM, Stan Hoeppner wrote:
> vtzan put forth on 12/11/2009 5:46 AM:
>
>> thanks for your fast reply. But that was my PLAN B ;-)
>> any idea for PLAN A?
>>
>> thanks a lot
>> Bill
>
> Hey Bill,
>
> First off, please keep all replies on the postfix-users list. 2nd, send
> your 'postconf -n' output and the relevant contents of
> /etc/postfix/access. 3rd, it might be tricky doing what you are asking
> because, if I understand you correctly, the IP you want to block with
> smtpd is within mynetworks.
>
> --
> Stan
>

http://www.postfix.org/postconf.5.html#mynetworks

It's easy enough to exclude the IP from mynetworks, just use something
like:

mynetworks =
  !192.168.1.not-this-host
  192.168.1.0/24

Although if there is a machine in mynetworks sending out spam (virus
zombie?) I think I would just firewall it until I could identify it
and either 2x4 the user or fix the PC (or maybe both if I'm in a mood).

-- Noel Jones

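Added example, not part of the original thread and not Postfix code: a small Python model of how a mynetworks list with a "!" exclusion is evaluated (left to right, first match wins, as postconf(5) documents), plus a check for exclusions placed too late to take effect. The address 192.168.1.66 and all function names are assumptions made for illustration; table lookups such as hash: files inside mynetworks are not modelled.

```python
import ipaddress

# Constructed sample values; 192.168.1.66 stands in for the host to exclude.
EXCLUDE_FIRST = "!192.168.1.66 192.168.1.0/24 127.0.0.0/8"
EXCLUDE_LATE = "192.168.1.0/24, !192.168.1.66, 127.0.0.0/8"

def parse_mynetworks(value):
    """Return ordered (negated, network) pairs from a mynetworks value."""
    entries = []
    for token in value.replace(",", " ").split():
        negated = token.startswith("!")
        # Host bits set in a CIDR pattern raise ValueError here.
        entries.append((negated, ipaddress.ip_network(token.lstrip("!"))))
    return entries

def is_trusted(client_ip, value):
    """Match left to right and stop at the first hit; '!' means excluded."""
    addr = ipaddress.ip_address(client_ip)
    for negated, net in parse_mynetworks(value):
        if addr.version == net.version and addr in net:
            return not negated
    return False  # no pattern matched

def shadowed_exclusions(value):
    """List '!' entries that can never match because a wider net precedes them."""
    wider, shadowed = [], []
    for negated, net in parse_mynetworks(value):
        if not negated:
            wider.append(net)
        elif any(net.version == w.version and net.subnet_of(w) for w in wider):
            shadowed.append(str(net))
    return shadowed

if __name__ == "__main__":
    for label, value in (("exclude first", EXCLUDE_FIRST), ("exclude late", EXCLUDE_LATE)):
        print(label, is_trusted("192.168.1.66", value), shadowed_exclusions(value))
```

A host excluded this way is no longer accepted by permit_mynetworks and is then judged by whatever restrictions follow it in the list.
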
From: vtzan on 14 Dec 2009 02:08

Stan Hoeppner wrote:
> vtzan put forth on 12/11/2009 5:46 AM:
>
>
>> thanks for your fast reply. But that was my PLAN B ;-)
>> any idea for PLAN A?
>>
>> thanks a lot
>> Bill
>>
>
> Hey Bill,
>
> First off, please keep all replies on the postfix-users list. 2nd, send
> your 'postconf -n' output and the relevant contents of
> /etc/postfix/access. 3rd, it might be tricky doing what you are asking
> because, if I understand you correctly, the IP you want to block with
> smtpd is within mynetworks.
>
> --
> Stan
>
>
>

Hello Stan,

1. Sorry, forgot to "reply-all".
Yes, that is true, the IP I want to block is within $mynetworks. ;-)

Here is the postconf -n (XXXX was replaced for obvious reasons.)

alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
default_destination_concurrency_limit = 50
default_process_limit = 200
disable_vrfy_command = no
html_directory = /usr/share/doc/postfix-2.5.4-documentation/html
inet_interfaces = all
local_destination_concurrency_limit = 50
local_recipient_maps = $alias_maps unix:passwd.byname $virtual_mailbox_maps
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, $transport_maps
mydomain = XXXX.gr
myhostname = mail.XXXX.gr
mynetworks = 1X0.1X0.0.0/16, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.4-documentation/readme
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
recipient_delimiter = +
relayhost = [XXXX.XXXX.gr]
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname mail.XXXX.gr
smtpd_client_connection_count_limit = 50
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_delay_reject = yes
smtpd_hard_error_limit = ${stress?1}${stress:20}
smtpd_helo_required = no
smtpd_helo_restrictions = warn_if_reject, reject_invalid_helo_hostname, warn_if_reject, reject_non_fqdn_helo_hostname, warn_if_reject, reject_unknown_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_relay_domains
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = cyrus
smtpd_sender_login_maps = $virtual_alias_maps
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain, warn_if_reject, reject_sender_login_mismatch, warn_if_reject, reject_unauthenticated_sender_login_mismatch
smtpd_timeout = ${stress?10}${stress:300}
smtpd_tls_CAfile = /etc/postfix/certs/ipsCA.pem
smtpd_tls_cert_file = /etc/postfix/certs/mail.pem
smtpd_tls_key_file = /etc/postfix/certs/mail.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = hash:/etc/postfix/virtual, proxy:ldap:/etc/postfix/ldap/ldapmailfwonly.cf, proxy:ldap:/etc/postfix/ldap/ldapalias.cf
virtual_gid_maps = static:102
virtual_mailbox_base = /
virtual_mailbox_limit = 0
virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap/ldapaccounts.cf
virtual_minimum_uid = 100
virtual_uid_maps = static:103

Thanks in advance for your help.
Bill

From: vtzan on 14 Dec 2009 02:17

Hello Noel,

thanks for your response but it didn't work!

thanks
Bill

Noel Jones wrote:
> On 12/11/2009 7:02 AM, Stan Hoeppner wrote:
>> vtzan put forth on 12/11/2009 5:46 AM:
>>
>>> thanks for your fast reply. But that was my PLAN B ;-)
>>> any idea for PLAN A?
>>>
>>> thanks a lot
>>> Bill
>>
>> Hey Bill,
>>
>> First off, please keep all replies on the postfix-users list. 2nd, send
>> your 'postconf -n' output and the relevant contents of
>> /etc/postfix/access. 3rd, it might be tricky doing what you are asking
>> because, if I understand you correctly, the IP you want to block with
>> smtpd is within mynetworks.
>>
>> --
>> Stan
>>
>
> http://www.postfix.org/postconf.5.html#mynetworks
> It's easy enough to exclude the IP from mynetworks, just use something
> like:
> mynetworks =
>   !192.168.1.not-this-host
>   192.168.1.0/24
>
> Although if there is a machine in mynetworks sending out spam (virus
> zombie?) I think I would just firewall it until I could identify it
> and either 2x4 the user or fix the PC (or maybe both if I'm in a mood).
>
> -- Noel Jones
>