Hello,

What about using iptables or other firewall rules to rule out SMTP connections from those CIDR ranges?
Best regards,
---
Fernando Maciel Souto Maior
Projetos e Soluções de Tecnologia
(31) 9226-9440 TIM

On Tue, Sep 2, 2014 at 8:45 AM, Noel Jones <njo...@megan.vbhcs.org> wrote:
> On 9/2/2014 5:39 AM, Lubomir Majersky wrote:
> > Hi,
> >
> > sorry for my English. I would like to allow access for clients
> > who are already authenticated (SMTP AUTH SASL), but from specified
> > IP address ranges only.
> >
> > On the Internet I found various posts. I found something that
> > interested me:
> > http://serverfault.com/questions/476451/postfix-allow-smtp-auth-only-from-specified-ip-address-ranges
> >
> > The scenario is the same as in the URL above: a Postfix mail server that
> > receives mail from all over the Internet. But the server doesn't
> > only receive mail, it also allows its authenticated users to send
> > mail to internal users or to external ones...
> >
> > Facts:
> > - I cannot disable port 25
> > - Fail2ban cannot be applied, use a different type of firewall
> >
> > This is not about me blocking 'LOGIN authentication failed',
> > but I want to block subnets from Asia and so on. Sometimes it
> > happens that a legitimate user of mine has an infected computer and
> > the credentials leak, for example to Asia, and then the attacker from
> > Asia sends e-mails through my server, because he is successfully
> > authenticated.
> >
> > I used the parameter:
> >
> > smtpd_sasl_exceptions_networks = !195.98.0.0/19, !212.26.160.0/19,
> > !...., 0.0.0.0/0
> >
> > It works as I imagine, but I need to allow about 1000 subnets in
> > CIDR format, and I'm not sure of the correct entry. Based on the
> > documentation:
> >
> > http://www.postfix.org/SASL_README.html
> >
> > If I'm not mistaken, the parameter
> > 'smtpd_sasl_exceptions_networks' does not allow lookup tables. Is it possible to
> > enroll 1,000 subnets, for example:
> >
> > smtpd_sasl_exceptions_networks = !1.1.1.0/8, !2.2.1.0/8,
> > !3.1.0.0/16, !55.62.0.0/16, \
> > !78.41.168.0/21, !..., !..., !..., !..., !94.136.128.0/19, !...,
> > !..., \
> > !..., !..., !..., \
> > !..., !..., !..., \
> > !..., !..., !..., \
> > 0.0.0.0/0
> >
> > Thank you very much
>
> To answer your question above about 1000 entries in the main.cf
> parameter, that sounds like a bad idea. It probably wouldn't give
> an error, but would likely make smtpd slow to start, maybe
> significantly so. I doubt it's ever been tested with that many entries.
>
>
> The SASL_README is an overview. The complete docs for that
> parameter can be found in
> http://www.postfix.org/postconf.5.html#smtpd_sasl_exceptions_networks
> which does indeed list type:table as valid.
>
> A cidr: table with 1000 entries should work as expected, with
> acceptable performance.
>
>
> --
> Noel Jones
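Since Noel's answer points at a cidr: table for the ~1000 networks, the script below is an added example (not code from this thread or from Postfix) that models the cidr_table(5) lookup rule, first matching line wins, and renders a clean table from a list of CIDR strings. The networks and the result labels `allowed`/`other` are constructed values; the labels are bookkeeping only, because a match-list parameter such as smtpd_sasl_exceptions_networks treats any lookup result as a match, so the thing worth checking before deployment is which line a given client address hits. The parser also rejects patterns with non-zero host bits, such as `1.1.1.0/8` from the question, which Postfix rejects too; the builder zeroes them and collapses overlapping networks.

```python
"""Added example (not from the thread): model a Postfix cidr: table
(cidr_table(5) format, first match wins) to sanity-check a large table
of client networks before main.cf references it."""
import ipaddress

# Constructed sample table: "network/prefix result" per line, "#" comments.
SAMPLE_TABLE = """\
# allowed client networks (constructed values)
195.98.0.0/19     allowed
212.26.160.0/19   allowed
78.41.168.0/21    allowed
94.136.128.0/19   allowed
2001:db8::/32     allowed
# everything else
0.0.0.0/0         other
::/0              other
"""


def parse_cidr_table(text):
    """Return [(ip_network, result)] in file order.

    Like Postfix, reject a pattern whose host bits are not all zero
    (e.g. 1.1.1.0/8); such a line would make postmap/smtpd complain.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'network/prefix result': {raw!r}")
        pattern, result = parts
        try:
            network = ipaddress.ip_network(pattern, strict=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        rules.append((network, result.strip()))
    return rules


def lookup(rules, client_ip):
    """First-match lookup; None when no line matches (no table result)."""
    addr = ipaddress.ip_address(client_ip)
    for network, result in rules:
        if addr.version == network.version and addr in network:
            return result
    return None


def build_table(networks, result="allowed", catch_all=None):
    """Render a cidr: table from CIDR strings: host bits zeroed, duplicates
    and overlaps collapsed per address family, optional catch-all appended."""
    parsed = [ipaddress.ip_network(n, strict=False) for n in networks]
    lines = []
    for version in (4, 6):
        family = [n for n in parsed if n.version == version]
        for net in ipaddress.collapse_addresses(family):
            lines.append(f"{net.with_prefixlen:<40} {result}")
    if catch_all is not None:
        lines.append(f"{'0.0.0.0/0':<40} {catch_all}")
        lines.append(f"{'::/0':<40} {catch_all}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rules = parse_cidr_table(SAMPLE_TABLE)
    for ip in ("195.98.5.1", "195.98.32.1", "2001:db8::1"):
        print(ip, "->", lookup(rules, ip))
    # Host bits in "1.1.1.0/8" are zeroed and the overlapping /16 is folded in.
    print(build_table(["1.1.1.0/8", "1.2.0.0/16", "55.62.0.0/16"], catch_all="other"))
```

Running `parse_cidr_table` over the real file before pointing main.cf at it reports malformed lines with their line number, and because `build_table` collapses overlapping networks, the order of the remaining lines no longer affects the first-match result.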