How do I block certain senders in Postfix?
Further to my post a few weeks or so ago, how do I block emails from being accepted by postfix. The emails in particular are from one of 2 different IP addresses. I suppose I could block only those 2, or perhaps the entire range if need be. I read a bit on this in the docs, but am unsure if I should make a "hash" for it, or use canonical, and if so, how. I do have a hash for check_recipient_access which is working great. But I don't know how to block a particular IP address for a sender. I'm running Suse 10.0, mostly standard postfix. Many thanks for any pointers. Jim Flanagan
Jim Flanagan wrote:
> Further to my post a few weeks or so ago, how do I block emails from being accepted by postfix. The emails in particular are from one of 2 different IP addresses. I suppose I could block only those 2, or perhaps the entire range if need be.
> I read a bit on this in the docs, but am unsure if I should make a "hash" for it, or use canonical, and if so, how.

It doesn't really matter what type of lookup table you are using as long as your version of postfix knows how to handle the type. "postconf -m" shows all supported lookup table types.

> I do have a hash for check_recipient_access which is working great. But I don't know how to block a particular IP address for a sender.

Careful, "sender" in Postfix terms is the sender address in the smtp envelope in the MAIL FROM command. If you want to check the hostname or ip address of the sending server, use check_client_access.

> I'm running Suse 10.0, mostly standard postfix. Many thanks for any pointers.

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_client_access hash:/etc/postfix/client_blacklist

/etc/postfix/client_blacklist:
1.2.3.4    554 rejected host due to amount of spam!

This example does not work if the sending client is in $mynetworks.

Execute "postmap hash:/etc/postfix/client_blacklist" each time you edit the source file /etc/postfix/client_blacklist. Execute "postfix reload" each time you edit main.cf or master.cf.

Sandy
--
List replies only please!
Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
Thanks Sandy,

I'll try this and report back. Many thanks for the good advice.

Jim Flanagan
I don't know if it is proper to start a new thread on this, or follow up on this old one, so I'll try the follow up first.

I did as you indicated above, and that seems to be working fine. Would it also be correct to reject a block of IP numbers in the format of 1.2.3.4-5.6.7.8? Is this correct?

Many thanks again,
Jim F
Jim Flanagan wrote:
> I did as you indicated above, and that seems to be working fine. Would it also be correct to reject a block of IP numbers in the format of 1.2.3.4-5.6.7.8? Is this correct?

No, you can't do that in Postfix. Postfix can handle ip address ranges only in certain ways.

hash:         Hash tables can only match the whole string
regexp/pcre:  Lots of ways to match string parts, but not ip specific
cidr:         Match against address classes in cidr notation

So either use a pcre map like:

/1\.2\.3/    554 blacklisted ip range

or use a cidr map like:

1.2.3.0/24    554 blacklisted ip range

With a cidr map you need to describe the address ranges in cidr notation; if necessary, break down the desired ip range into several cidr notations.

Sandy
Thanks Sandy,

Will read up on IP nomenclature and proceed with this. Many thanks for the great help.

Jim F
Jim Flanagan wrote:
>> So either use a pcre map like:
>> /1\.2\.3/    554 blacklisted ip range

Little correction here:

/^1\.2\.3/    554 blacklisted ip range

Otherwise you might also catch any address ending in xxx.1.2.3 with that expression.

>> or use a cidr map like:
>> 1.2.3.0/24    554 blacklisted ip range
>>
>> With a cidr map you need to describe the address ranges in cidr notation; if necessary, break down the desired ip range into several cidr notations.
>>
>> Sandy

> Thanks Sandy,
>
> Will read up on IP nomenclature and proceed with this. Many thanks for the great help.

For this case the cidr notation is the most appropriate.

Sandy
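An added example, not part of the original thread: breaking a start-end address range into the CIDR entries a Postfix cidr table needs, and checking which addresses the two pcre patterns from the thread would also reject outside 1.2.3.0/24. The function names and the sample client addresses are constructed for illustration.

```python
import ipaddress
import re

def range_to_cidr_map(first, last, action="554 blacklisted ip range"):
    """Return cidr-table lines covering exactly first..last (inclusive)."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo.version != hi.version or lo > hi:
        raise ValueError("need an ordered range within one address family")
    return [f"{net}\t{action}"
            for net in ipaddress.summarize_address_range(lo, hi)]

def cidr_lookup(lines, client_ip):
    """First matching entry wins, as in a cidr table; None means no match."""
    addr = ipaddress.ip_address(client_ip)
    for line in lines:
        net, _, action = line.partition("\t")
        if addr in ipaddress.ip_network(net):
            return action
    return None

def regex_overmatches(pattern, intended_net, clients):
    """Clients a pcre/regexp pattern would hit although outside intended_net."""
    net, rx = ipaddress.ip_network(intended_net), re.compile(pattern)
    return [ip for ip in clients
            if rx.search(ip) and ipaddress.ip_address(ip) not in net]

# Constructed sample client addresses (not from any real log).
SAMPLE_CLIENTS = ["1.2.3.4", "1.2.30.7", "11.2.3.4", "10.1.2.3", "1.2.4.1"]

if __name__ == "__main__":
    # An unaligned range needs several CIDR entries.
    print("\n".join(range_to_cidr_map("1.2.3.4", "1.2.3.20")))
    # Unanchored, anchored, and anchored-with-trailing-dot patterns.
    for pat in (r"1\.2\.3", r"^1\.2\.3", r"^1\.2\.3\."):
        print(pat, "->", regex_overmatches(pat, "1.2.3.0/24", SAMPLE_CLIENTS))
```

A cidr table is a plain text file referenced with the cidr: prefix instead of hash:, so it needs no postmap run; "postfix reload" still applies after editing it.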