On 8/24/2013 1:18 PM, LuKreme wrote:
> 
> On 22 Aug 2013, at 21:28 , Stan Hoeppner <s...@hardwarefreak.com> wrote:
> 
>> ~$ wget http://ipdeny.com/ipblocks/data/countries/us.zone
>> ~$ sed 's/$/   OK/g' us.zone > us.cidr
>> ~$ cp us.cidr /etc/postfix
>> ~$ postfix reload
>>
>> and you're off to the races.
> 
> Interesting idea. I'm in much the same boat. Although I do have international 
> users, they all use webmail to access mail, so I'm interested in trying this.
>
> A couple of questions:
> 
> 1) I wouldn't think that CIDR list changes very often, but how often should 
> it be refreshed?

How often does APNIC reassign, for example, a /22 from an entity in
Vietnam to one in Japan, if ever?  I don't have the answer to that.  But
this is the only type of situation that would prompt you to refresh, now
that all IPv4 space has been allocated to the RIRs.  We now know every
IP by region, but what country it is assigned in may or may not change
in future.

And BTW, it's better to do this at the firewall if at all practical.

> 2) If I did this I also would like to log these rejections to a separate 
> file, possible?

Not directly.  You'd specify a custom reject code then parse your mail
log for that, pipe to another file.  If you do it at the firewall it
would depend on the firewall's features.

> Under 2.10, would it make sense to put those restrictions in the 
> smtpd_relay_restrictions if port 25 is open for connections?

In the other half of the instructions I gave, which you cut, I show that
this needs to be done in master.cf.  smtpd_foo_restrictions in main.cf
are global.  You want this restriction only on the submission port, not
the public smtp port.

-- 
Stan
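The recipe quoted above and the two answers (a reject you can find in the log, and a restriction that applies only to the submission service) fit together in one script. The following is an added example, not code from the thread or from the Postfix project: it turns an ipdeny-style zone file into a cidr: table with a trailing catch-all reject carrying a fixed text, then pulls the lines carrying that text out of a mail log into a separate file. The zone entries, the reject text, the log lines and the master.cf override in the comment are constructed for the example; the first-match rule of Postfix cidr tables and the "Client host rejected:" log wording are standard Postfix behaviour.

```shell
#!/bin/sh
# Added example: build a Postfix cidr: access table from a country zone file
# and extract the resulting rejections from the mail log.  Zone entries and
# log lines are constructed samples, not real data.
set -eu

WORK="${TMPDIR:-/tmp}/country-cidr.$$"
mkdir -p "$WORK"

# Constructed stand-in for us.zone (the real file comes from
# http://ipdeny.com/ipblocks/data/countries/us.zone).
cat > "$WORK/us.zone" <<'EOF'
3.0.0.0/8
8.8.8.0/24

# a comment line, to show it is filtered out
198.51.100.0/24
EOF

# The reply code and text used by the catch-all rule.  The text is what you
# later grep for, so keep it unique and stable (both values are assumptions).
REJECT_CODE="550 5.7.1"
REJECT_TEXT="Submission not permitted from this country"

# build_cidr_table ZONEFILE OUTFILE
# Every IPv4 network in ZONEFILE becomes "<cidr>   OK"; a final 0.0.0.0/0
# entry rejects everything else.  cidr: tables are first-match, so the
# catch-all must be the last line.
build_cidr_table() {
    zone="$1"; out="$2"
    {
        printf '# generated from %s on %s\n' "$zone" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/[0-9]+$' "$zone" | sed 's/$/   OK/'
        printf '0.0.0.0/0   %s %s\n' "$REJECT_CODE" "$REJECT_TEXT"
    } > "$out"
}

# count_ok_entries TABLE -> number of OK lines; a sanity check before
# "cp us.cidr /etc/postfix && postfix reload" (a truncated download would
# otherwise lock out most of your own users).
count_ok_entries() {
    grep -c '   OK$' "$1"
}

# Constructed sample of what Postfix logs for the catch-all rule on the
# submission service (smtpd_delay_reject=yes, so the reject shows at RCPT).
cat > "$WORK/mail.log" <<'EOF'
Aug 24 13:18:01 mx postfix/submission/smtpd[2231]: connect from unknown[203.0.113.7]
Aug 24 13:18:02 mx postfix/submission/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.7.1 <unknown[203.0.113.7]>: Client host rejected: Submission not permitted from this country; from=<a@example.org> to=<b@example.net> proto=ESMTP helo=<x>
Aug 24 13:18:03 mx postfix/submission/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <b@example.net>: Relay access denied; from=<a@example.org> to=<b@example.net> proto=ESMTP helo=<x>
Aug 24 13:19:00 mx postfix/submission/smtpd[2240]: NOQUEUE: reject: RCPT from host.example.com[192.0.2.9]: 550 5.7.1 <host.example.com[192.0.2.9]>: Client host rejected: Submission not permitted from this country; from=<c@example.org> to=<d@example.net> proto=ESMTP helo=<y>
EOF

# country_rejects LOGFILE OUTFILE
# Copies only the lines carrying the custom reject text to OUTFILE; other
# rejects (relay access denied, etc.) are left alone.
country_rejects() {
    grep -F "$REJECT_TEXT" "$1" > "$2" || true
}

# rejected_clients LOGFILE -> unique client IPs hit by the country rule
rejected_clients() {
    grep -F "$REJECT_TEXT" "$1" \
        | sed -n 's/.* from [^[]*\[\([0-9.]*\)\].*/\1/p' \
        | sort -u
}

# Assumed master.cf shape for restricting only the submission service
# (commas stand in for whitespace inside -o values):
#   submission inet n - n - - smtpd
#     -o smtpd_client_restrictions=check_client_access,cidr:/etc/postfix/us.cidr

build_cidr_table "$WORK/us.zone" "$WORK/us.cidr"
echo "OK entries in table: $(count_ok_entries "$WORK/us.cidr")"
country_rejects "$WORK/mail.log" "$WORK/country-rejects.log"
echo "clients rejected by country rule:"
rejected_clients "$WORK/mail.log"
```

Run it once by hand to see the generated table and the two matching log lines; on a live system replace the constructed zone file with the downloaded one and point `country_rejects` at the real mail log. The count check is worth keeping in any refresh cron job, since a zero-entry table plus the catch-all rejects everyone.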
