On 2011-11-02 11:43 AM, Keith Steensma <ke...@airways-consulting.com> wrote:
It's been a long time since I have participated in this list (goes to
show how good Postfix is when it can run for years with so few
problems). Our company has decided to start using an outside SPAM
filtering service. Overall, this is doing a very good job. But we are
getting SPAM directly into our system and I need to block all outside
SMTP connections except the connections from a group of 8 IP addresses.

CIDR notation: 199.89.0.0/21
Netmask notation: 199.89.0.0 with a netmask of 255.255.248.0
Address range: 199.89.0.0 through 199.89.7.255

I tried (from "Getting selective with SMTP access restriction lists" web
page)

smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
mynetworks = 127.0.0.0/8, 192.168.1.0/24, 199.89.0.0/21

But that only solved half the problem. Mail is still getting in from
other IPs (like from 203.200.235.214 by 125.160.50.143).

Can anyone offer a suggestion how to fix this problem the right way?

We use webroot for anti-spam filtering...

Do it with check_client_access restriction like so:

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_client_access cidr:/etc/postfix/maps/cidr/allowed_clients.cidr,
etc...

where allowed_clients.cidr contains something like:

# allow webmail/localhost
#
127.0.0.1         permit
192.168.1.4       permit
192.168.1.250     permit
#
# allowed IP blocks, with subsequent checks
#
# to disallow subsequent checks, use permit_auth_destination instead of
# dunno
#
# webroot netblocks
208.87.136.0/23   dunno
203.100.58.0/24   dunno
194.116.198.0/23  dunno
#
# reject all clients not matching anything above, and be damn sure
# to comment out the last reject under recipient_restrictions
#
0.0.0.0/0         reject unauthorized client, please use our MX

That last line is what blocks all other connections from unapproved hosts.

I also duplicate this on our firewall, just for an added layer of protection.

--

Best regards,

Charles
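To see why Keith's original list let the spam through while the cidr map above stops it, here is an added simulation (not from either poster, not Postfix code) of how smtpd_recipient_restrictions is walked: the first restriction that answers permit or reject decides, dunno falls through, and an exhausted list permits. The map entries, mynetworks values and the local domain example.com are constructed for the example.

```python
import ipaddress

# Constructed cidr map in the shape of allowed_clients.cidr; first match wins,
# as with a Postfix cidr: table.
CIDR_MAP = [
    ("127.0.0.1/32", "permit"),
    ("192.168.1.4/32", "permit"),
    ("208.87.136.0/23", "dunno"),   # filtering-service netblock: keep checking
    ("0.0.0.0/0", "reject"),        # everybody else is turned away
]
MYNETWORKS = ["127.0.0.0/8", "192.168.1.0/24", "199.89.0.0/21"]
LOCAL_DOMAINS = {"example.com"}      # domains this server accepts mail for

KEITH = ["permit_mynetworks", "reject_unauth_destination"]
CHARLES = ["permit_mynetworks", "permit_sasl_authenticated",
           "reject_unauth_destination", "check_client_access"]


def check_client_access(client_ip):
    """Look the client up in CIDR_MAP; no match behaves like dunno."""
    ip = ipaddress.ip_address(client_ip)
    for net, action in CIDR_MAP:
        if ip in ipaddress.ip_network(net):
            return action
    return "dunno"


def evaluate(restrictions, client_ip, recipient, sasl_authenticated=False):
    """Return the verdict Postfix would reach for one RCPT TO."""
    ip = ipaddress.ip_address(client_ip)
    for r in restrictions:
        if r == "permit_mynetworks":
            if any(ip in ipaddress.ip_network(n) for n in MYNETWORKS):
                return "permit"
        elif r == "permit_sasl_authenticated":
            if sasl_authenticated:
                return "permit"
        elif r == "reject_unauth_destination":
            # Only relaying to non-local domains is refused here; mail for our
            # own domains is an authorized destination, so spam sails past it.
            if recipient.rsplit("@", 1)[-1] not in LOCAL_DOMAINS:
                return "reject"
        elif r == "check_client_access":
            verdict = check_client_access(client_ip)
            if verdict != "dunno":
                return verdict
    return "permit"  # implicit permit at the end of the list


if __name__ == "__main__":
    for lst, name in ((KEITH, "keith"), (CHARLES, "charles")):
        print(name, evaluate(lst, "203.200.235.214", "user@example.com"))
```

Running it shows the spam source getting "permit" under the first list and "reject" under the second, while a client inside the filtering service's netblock still passes.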
