CT put forth on 4/15/2010 4:43 PM:
> I have several boxes that "check" my relay every 40 seconds to
> check that the server is up.
>
> After multiple attempts to get the number of checks reduced I would
> like to know the preferred way to block specific IP addresses in Postfix.
>
> I have no issue with checks.. but every 40 seconds is ridiculous.

To accomplish the task in Postfix, blocking only SMTP connections from those
IP addresses:

edit: /etc/postfix/main.cf

    smtpd_[client/recipient]_restrictions =
        ...
        check_client_access hash:/etc/postfix/blacklist
        ...

    # [client/recipient] selection depends on whether you use the "everything
    # under smtpd_recipient_restrictions" style main.cf layout.

create: /etc/postfix/blacklist

    ...
    1.2.3.4 REJECT
    4.3.2.1 REJECT
    3.2.1.4 REJECT
    ...

    /$ postmap /etc/postfix/blacklist
    /$ postfix reload

Simple, eh?

Or to deny all port access from those IPs, if using Linux, use Netfilter:

    /$ iptables -I INPUT -s 1.2.3.4 -j DROP
    /$ iptables -I INPUT -s 4.3.2.1 -j DROP
    /$ iptables -I INPUT -s 3.2.1.4 -j DROP

iptables inputs are non-persistent across reboots. Without knowing what
OS/distro you're using, I'll give generic instructions on running this at
system startup instead of rc.* instructions.

As root, create something like /usr/bin/load_iptables.sh and make sure the
execute bit is set.

    #! /bin/sh
    iptables -I INPUT -s 1.2.3.4 -j DROP
    iptables -I INPUT -s 4.3.2.1 -j DROP
    iptables -I INPUT -s 3.2.1.4 -j DROP

As root, create this crontab entry, usually with "crontab -e":

    @reboot /usr/bin/load_iptables.sh

Now all packets from those IPs will be dropped. Hope this helps.

--
Stan
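
Added example (not part of Stan's message): a POSIX sh helper that keeps one validated list of addresses and derives from it both the access map lines and iptables commands that can be re-run without stacking duplicate DROP rules. The script name blocklist.sh, the input file ips.txt and the function names are assumptions made for this example.

```sh
#!/bin/sh
# Added example; blocklist.sh, ips.txt and all function names are hypothetical.

# Succeed only for a dotted-quad IPv4 address whose octets are all 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots into $1..$n
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Read one address per line on stdin ('#' comments and blank lines allowed);
# print the valid ones once each, report anything else on stderr.
valid_ips() {
    while read -r ip rest || [ -n "$ip" ]; do
        case "$ip" in ''|'#'*) continue ;; esac
        if is_ipv4 "$ip"; then
            printf '%s\n' "$ip"
        else
            printf 'skipping invalid entry: %s\n' "$ip" >&2
        fi
    done | LC_ALL=C sort -u
}

# Lines for /etc/postfix/blacklist, the check_client_access map above.
access_map() { valid_ips | sed 's/$/ REJECT/'; }

# iptables commands that are safe to run repeatedly: -C tests whether the rule
# is already present, so -I only adds it when it is missing.
iptables_cmds() {
    valid_ips | while read -r ip; do
        printf 'iptables -C INPUT -s %s -j DROP 2>/dev/null || ' "$ip"
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# Usage: sh blocklist.sh access < ips.txt    (or: iptables)
case "${1:-}" in
    access)   access_map ;;
    iptables) iptables_cmds ;;
esac
```

Both modes only print to stdout, so the result can be reviewed before it is written to /etc/postfix/blacklist (followed by postmap and postfix reload) or run as root.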