On 12/17/2011 2:32 PM, Ansgar Wiechers wrote:
> On 2011-12-17 Tolga wrote:
>> I've been getting a lot of Chinese spam. I've googled and come across
>> a guide that advises to use a cidr file and tell postfix to use it. I
>> got the file, edited it, and told postfix to use it. However, it
>> doesn't seem to be working (I tested it by putting in my own IP
>> address). How can I fix it? Below is my postconf -n:
>>
>> [root@bilgisayarciniz ~]# postconf -n
> [...]
>> smtpd_client_restrictions = check_client_access
>> cidr:/etc/postfix/sinokorea.cidr
> 
> Move the check_client_access restriction to $smtpd_recipient_restrictions.

This alone won't help.  The OP said he tested by plugging his own IP
address into the CIDR table.  If he inserts this restriction after
permit_mynetworks his test still won't work.  This is not a valid way to
test a CIDR table BTW.

Tolga, first, are you certain this "Chinese spam" is coming from Chinese
IP addresses?  Check your mail log for connections from one of these
addresses and confirm the IP is assigned to a Chinese entity, using the
whois command.  Then plug that IP address into postmap and post the
output of that command here.  For example, I block all Chinese IP space
using ipdeny.com lists in a CIDR table.  A sample test of my CIDR table:

/etc/postfix/cidr_files$ postmap -q 58.99.128.128 cidr:countries
REJECT  Mail not accepted from China

If you confirmed the IP is Chinese, and you have that Chinese network in
your CIDR table, and the postmap test is successful, you know the table
is working.  If you get an error, post the error here.  If the postmap
test is successful and you still aren't rejecting connections from
Chinese IP addresses then something else is wrong.  One possible cause
is a NAT router that rewrites the source address of the TCP packet.
Your mail logs will tell you instantly if that is the case as all
connections will be from the same IP address on the private side of the
router.  In that case a CIDR table is useless until you get a new router
that does NAT correctly.

Last, it would be helpful if you post a link to your CIDR table, or at
least show 50 lines or so of its contents, so we can make sure you've
created it correctly.  It should look something like this:

58.14.0.0/15  REJECT  Mail not accepted from China
58.16.0.0/13  REJECT  Mail not accepted from China
58.24.0.0/15  REJECT  Mail not accepted from China
58.30.0.0/15  REJECT  Mail not accepted from China
58.32.0.0/11  REJECT  Mail not accepted from China
58.66.0.0/15  REJECT  Mail not accepted from China
58.68.128.0/17  REJECT  Mail not accepted from China
58.82.0.0/15  REJECT  Mail not accepted from China
58.87.64.0/18  REJECT  Mail not accepted from China
58.99.128.0/17  REJECT  Mail not accepted from China
58.100.0.0/15  REJECT  Mail not accepted from China
58.116.0.0/14  REJECT  Mail not accepted from China
58.128.0.0/13  REJECT  Mail not accepted from China
58.144.0.0/16  REJECT  Mail not accepted from China
58.154.0.0/15  REJECT  Mail not accepted from China
58.192.0.0/11  REJECT  Mail not accepted from China
58.240.0.0/12  REJECT  Mail not accepted from China

-- 
Stan
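
Added example (not part of Stan's message and not Postfix code): a small Python checker that lints a CIDR table in the "pattern result" form shown above and then answers a lookup the way the postmap -q test does, with the first matching pattern winning. The names load_cidr_table, lookup and SAMPLE_TABLE are made up for this illustration, the sample table is constructed, and only plain one-line rules are handled (no continuation lines or other table syntax).

```python
import ipaddress

# Constructed sample table, not taken from anyone's real files.
# The last two rules are deliberately malformed to show the lint output.
SAMPLE_TABLE = """\
# constructed sample
58.14.0.0/15  REJECT  Mail not accepted from China
58.99.128.0/17  REJECT  Mail not accepted from China
58.99.128.128/17  REJECT  host bits set in the pattern
58.100.0.0/15
"""

def load_cidr_table(text):
    """Return (rules, problems); rules is an ordered list of (network, result)."""
    rules, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        parts = line.split(None, 1)
        if len(parts) < 2:
            problems.append((lineno, "pattern has no result such as REJECT"))
            continue
        pattern, result = parts[0], parts[1].strip()
        try:
            # strict=True rejects patterns whose host bits are not zero
            net = ipaddress.ip_network(pattern, strict=True)
        except ValueError as exc:
            problems.append((lineno, f"bad pattern {pattern!r}: {exc}"))
            continue
        rules.append((net, result))
    return rules, problems

def lookup(rules, client_ip):
    """Return the result of the first rule containing client_ip, else None."""
    addr = ipaddress.ip_address(client_ip)
    for net, result in rules:
        if addr.version == net.version and addr in net:
            return result
    return None

if __name__ == "__main__":
    rules, problems = load_cidr_table(SAMPLE_TABLE)
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
    print(lookup(rules, "58.99.128.128"))
```

A None result here corresponds to postmap -q printing nothing, meaning no pattern in the table covers that address.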
