On 7/23/2010 4:11 PM, Denis BUCHER wrote:
Hello Brian,

On 23.07.2010 16:49, Brian Evans - Postfix List wrote:
Yesterday I succeeded in blocking some IPs (or more exactly allowing only some) to connect to one of my servers and send email via SMTP.

Now for another server, I need something a little more complicated and I would be happy if someone could direct me to the right method.

I would like to activate this functionality ONLY for some domains:
* Some (recipient) domains should accept emails from any IP
* Some other (recipient) domains should accept emails only from IPs in the list

This is my working config to allow emails only from some IPs, for all domains:

> 1. Added this in main.cf :
> smtpd_client_restrictions = check_client_access cidr:/etc/postfix/access
>
> 2. Added this to /etc/postfix/access :
> 216.82.240.0/20 OK
> 213.213.213.213 REJECT
>
> 3. Command line :
> postmap access
> /etc/init.d/postfix reload

How can I therefore decide for which domains this config is active and for which domains all incoming IPs are accepted?

Easy example, more can be found at http://www.postfix.org/RESTRICTION_CLASS_README.html
(Note, you may wish to make the cidr access table name something more informative to you. Postfix does not require it to be called access).

denybyip = check_client_access cidr:/etc/postfix/access
smtpd_restriction_classes = denybyip
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    ....
    check_recipient_access hash:/etc/postfix/domainipcheck


/etc/postfix/domainipcheck:

example.com denybyip
example.net denybyip

Thank you very much! I tried your suggestion, with a small change, "smtpd_client_restrictions" instead of smtpd_recipient_restrictions and it seems to be working very well.

But now I have another problem: with that config, it's not possible to send emails anymore, because something is missing: we should allow any authenticated user to send emails? Something like permit_auth_users?

Should I simply add "permit_sasl_authenticated, permit_mynetworks," BEFORE check_recipient_access hash:/etc/postfix/domainipcheck?

(I think it is correct because I tried and it seems to work, but I prefer to have your confirmation)


Yes, that's the correct solution, but it must be in smtpd_recipient_restrictions. Make sure you leave smtpd_delay_reject at the default "yes" value for this to work correctly.

  -- Noel Jones
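
A simplified Python model of the evaluation order this thread arrives at (permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, then check_recipient_access handing listed domains to the denybyip class). It is an added example, not Postfix code and not from any poster. The hosted-domain set, the mynetworks value, the sample client addresses and the catch-all `0.0.0.0/0 REJECT` line are assumptions.

```python
import ipaddress

# Constructed tables modelled on the thread's files (sample values).
CIDR_ACCESS = [                       # /etc/postfix/access: first match wins
    ("216.82.240.0/20", "OK"),
    ("213.213.213.213/32", "REJECT"),
    ("0.0.0.0/0", "REJECT"),          # assumed catch-all, not shown in the thread
]
DOMAIN_IP_CHECK = {"example.com": "denybyip", "example.net": "denybyip"}
MYNETWORKS = ["127.0.0.0/8"]                                    # assumption
HOSTED_DOMAINS = {"example.com", "example.net", "example.org"}  # assumption


def ip_in(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def check_client_access(ip, table):
    """cidr table lookup: first matching pattern decides; no match is DUNNO."""
    for net, action in table:
        if ip_in(ip, net):
            return action
    return "DUNNO"


def recipient_restrictions(ip, rcpt, sasl_auth=False, cidr=CIDR_ACCESS):
    """Walk the restriction list in order; the first non-DUNNO result is final."""
    domain = rcpt.rsplit("@", 1)[1].lower()
    steps = [
        # permit_sasl_authenticated
        lambda: "OK" if sasl_auth else "DUNNO",
        # permit_mynetworks
        lambda: "OK" if any(ip_in(ip, n) for n in MYNETWORKS) else "DUNNO",
        # reject_unauth_destination
        lambda: "DUNNO" if domain in HOSTED_DOMAINS else "REJECT",
        # check_recipient_access -> restriction class denybyip
        lambda: check_client_access(ip, cidr)
        if DOMAIN_IP_CHECK.get(domain) == "denybyip" else "DUNNO",
    ]
    for step in steps:
        result = step()
        if result != "DUNNO":
            return result
    return "OK"  # end of list reached: the recipient is accepted


if __name__ == "__main__":
    for args in [("216.82.240.5", "u@example.com"), ("198.51.100.7", "u@example.com"),
                 ("198.51.100.7", "u@example.org")]:
        print(args, recipient_restrictions(*args))
```

Passing `cidr=CIDR_ACCESS[:2]` drops the assumed catch-all: an unlisted client then gets DUNNO from the class and its mail for example.com is accepted.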
