Hello Brian,
On 23.07.2010 16:49, Brian Evans - Postfix List wrote:
Yesterday I succeeded in blocking some IPs (or more exactly allowing
only some) from connecting to one of my servers and sending email via SMTP.
Now for another server, I need something a little more complicated and
I would be happy if someone could direct me to the right method.
I would like to activate this functionality ONLY for some domains:
* Some (recipient) domains should accept emails from any IP
* Some other (recipient) domains should accept emails only from IPs in
the list
This is my working config to allow emails only from some IPs, for all
domains:
> 1. Added this in main.cf :
> smtpd_client_restrictions = check_client_access cidr:/etc/postfix/access
>
> 2. Added this to /etc/postfix/access :
> 216.82.240.0/20 OK
> 213.213.213.213 REJECT
>
> 3. Command line :
> postmap access
> /etc/init.d/postfix reload
How can I therefore decide for which domains this config is active and
for which domains all incoming IPs are accepted?
Easy example, more can be found at
http://www.postfix.org/RESTRICTION_CLASS_README.html
(Note, you may wish to make the cidr access table name something more
informative to you. Postfix does not require it to be called access).
denybyip = check_client_access cidr:/etc/postfix/access
smtpd_restriction_classes = denybyip
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    ....
    check_recipient_access hash:/etc/postfix/domainipcheck

/etc/postfix/domainipcheck:
example.com denybyip
example.net denybyip

Thank you very much! I tried your suggestion, with a small change,
"smtpd_client_restrictions" instead of smtpd_recipient_restrictions, and
it seems to be working very well.
But now I have another problem with that config: it's not possible to
send emails anymore, because something is missing: we
should allow any authenticated user to send emails? Something like
permit_auth_users?
Should I simply add "permit_sasl_authenticated, permit_mynetworks,"
BEFORE check_recipient_access hash:/etc/postfix/domainipcheck?
(I think it is correct because I tried and it seems to work, but I
prefer to have your confirmation)
Thanks a lot!
Denis
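
The ordering question in this thread, as an added example that is not part of the original messages and is not Postfix code: a simplified Python model of first-match-wins restriction evaluation, showing where the permit_* entries must sit relative to check_recipient_access. The networks, client addresses and the catch-all `0.0.0.0/0 REJECT` line are constructed assumptions; the class name and the two restricted domains are the ones quoted above.

```python
import ipaddress

# Constructed sample tables (assumptions, documentation address ranges).
MYNETWORKS = ["127.0.0.0/8"]
CLIENT_CIDR = [("192.0.2.0/24", "OK"), ("0.0.0.0/0", "REJECT")]  # first match wins
DOMAIN_CLASS = {"example.com": "denybyip", "example.net": "denybyip"}


def in_nets(ip, nets):
    """True if the client address falls inside any of the given networks."""
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)


def check_client_access(ip, table):
    """cidr table lookup: the first matching pattern decides, no match is 'no opinion'."""
    for net, action in table:
        if in_nets(ip, [net]):
            return action
    return None


def evaluate(restrictions, ip, sasl_auth, rcpt_domain, cidr=CLIENT_CIDR):
    """Walk the list in order; the first OK or REJECT ends evaluation."""
    for r in restrictions:
        verdict = None
        if r == "permit_mynetworks" and in_nets(ip, MYNETWORKS):
            verdict = "OK"
        elif r == "permit_sasl_authenticated" and sasl_auth:
            verdict = "OK"
        elif r == "check_recipient_access" and DOMAIN_CLASS.get(rcpt_domain) == "denybyip":
            verdict = check_client_access(ip, cidr)  # expand the restriction class
        if verdict:
            return verdict
    return "OK"  # nothing objected: the list ends without a rejection


# Class lookup before the permits: an authenticated user is judged by IP first.
CLASS_FIRST = ["check_recipient_access", "permit_sasl_authenticated", "permit_mynetworks"]
# Permits before the class lookup: the ordering proposed in the message above.
PERMITS_FIRST = ["permit_sasl_authenticated", "permit_mynetworks", "check_recipient_access"]

if __name__ == "__main__":
    for name, order in (("class first", CLASS_FIRST), ("permits first", PERMITS_FIRST)):
        print(name, evaluate(order, "198.51.100.7", True, "example.com"))
```

In this model a cidr table without a final catch-all REJECT line lets unlisted clients fall through to the end of the list, so they are accepted for the restricted domains as well.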