On 8/22/2013 6:51 AM, Charles Marcus wrote:
> The simple fact is, we do not have any users based *anywhere* but the
> US, so, what is the simplest way to block any/all non-US based client
> connections on my submission port?

Use the us.zone ipdeny file to build a CIDR table to accept any US client IPs and reject everything else.

http://ipdeny.com/ipblocks/data/countries/us.zone

But not now as it's currently broken. Already notified the OPs. Not sure how this happened. This is a big deal as automated systems rely on this data. I'd think it'll be fixed today, within hours.

Anyway, your solution should be as simple as something like this:

# master.cf: an -o value here cannot contain whitespace, so commas separate
# the restriction, its cidr: lookup table and the final reject
submission inet n - - - - smtpd
  ...
  -o smtpd_client_restrictions=check_client_access,cidr:/etc/postfix/us.cidr,reject

You could do the reverse and reject the rest of the world with your table, however building and maintaining that CIDR file is a massive PITA.

If you have personnel traveling in other countries they use a VPN client to get into your network. That's what roaming VPN clients are for. You can set up a FLOSS VPN server for no cost but your labor/learning curve. Or simply enable/configure it on your edge router if it has VPN capability.

--
Stan
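
Added example, not part of the original message: one way to turn a downloaded zone file into the us.cidr table referenced above, refusing to produce a table when the download is broken or empty, since an empty table followed by "reject" would lock every client out of the submission port. It assumes the zone file holds one IPv4 CIDR block per line; the function name, the min_entries threshold and the sample ranges are constructed for illustration.

```python
import ipaddress

# Constructed sample in the one-CIDR-per-line layout assumed for a country
# zone file; these are documentation ranges, not real US allocations.
SAMPLE_ZONE = """\
192.0.2.0/25
192.0.2.128/25
198.51.100.0/24
203.0.113.0/24
"""


def build_cidr_table(zone_text, action="OK", min_entries=3):
    """Return Postfix cidr table text ("network/prefix action" per line).

    Raises ValueError instead of returning a partial table, so a broken
    download never replaces a working us.cidr.
    """
    networks = []
    for lineno, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # strict=True rejects entries with host bits set, e.g. 10.0.0.1/8
            networks.append(ipaddress.IPv4Network(line, strict=True))
        except ValueError as exc:
            raise ValueError(
                f"line {lineno}: not an IPv4 CIDR block: {line!r}") from exc
    if len(networks) < min_entries:
        raise ValueError(
            f"only {len(networks)} networks, expected >= {min_entries}")
    # Merge adjacent and overlapping blocks so the table stays short.
    merged = ipaddress.collapse_addresses(networks)
    return "".join(f"{net}\t{action}\n" for net in merged)


if __name__ == "__main__":
    print(build_cidr_table(SAMPLE_ZONE), end="")
```

Write the result to a temporary file and rename it over /etc/postfix/us.cidr only when no exception was raised, with min_entries set to a realistic floor for the real file.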