Re: deflecting attacks

2009-08-22 Thread Luigi Rosa

Roderick A. Anderson said the following on 23/08/2009 1.04:


I use fail2ban with ipf on Solaris 10. When a host produces too many 5xx
errors or sends too much spam it is banned in the firewall.

failregex = reject: RCPT from (.*)\[<HOST>\]: 5\d\d
ban time 1h

failregex = Passed SPAM, \[<HOST>\]
ban time 10m


While fail2ban is an excellent tool (as is the recent module in
iptables), don't go overboard. For example, keep in mind that SMTP is a
very different animal than SSH or HTTP when determining sane amounts of
time to block a host. It's relatively safe to block repeat offenders
from SSH/HTTP because they usually represent connections from individual
clients (although you might catch a proxy or network behind a NAT). But
legitimate SMTP connections tend to come from a shared resource, such as
an MTA representing thousands of clients. Don't set yourself up for a
DoS by allowing someone to easily block Gmail, AOL, etc. at your site
simply by sending a few spam messages.


Good point.  I didn't think of it in this context.


In my personal experience it is not like that. DoS and spam floods never come from 
gmail, AOL, Yahoo! and sites like that.


The point is to write a good filter, not to filter connections.

I recently have been under SPAM and SMTP DoS attack on one of my servers. 
Fail2Ban and some Postfix settings were successful in deflecting such attacks.


Here are the rules I implemented to block attacks and spammers:

failregex = reject: RCPT from (.*)\[<HOST>\]: 450

This rule (checked for 10 or more occurrences) blocks programs hammering a 
server that has greylisting protection (policyd in my case).



failregex = NOQUEUE: reject: RCPT from (.*)\[<HOST>\]: 5\d\d

This rule (checked for 3 occurrences) blocks IPs rejected by RBL lookups that 
keep connecting even if they receive a "permanent failure" kind of error.




In my (quite long) experience, there is no silver bullet, nor a rule that can be 
applied to every SMTP server. I have customers that exchange legitimate mails 
with Russia and other spam-intensive areas, in that case I have to relax rules 
on their server.



My two cents.



Ciao,
luigi

--
/
+--[Luigi Rosa]--
\

Interface: The opposite of 'Get out of my face.'


Re: rbl checks, best place + ipv6?

2009-08-22 Thread Dave Täht
mouss  writes:

> Dave a écrit :
>> Hello,
>>  I'm running postfix, amavisd-new and spamassassin. Currently in my
>> postfix smtpd_recipient_restrictions right at the end last thing i have some
>> rbl checks. I'm wondering if that's the best place for them or should i
>> disable that and activate them in spamassassin? Suggestions welcome.
>> Thanks.
>> Dave.
>> 
>
> think defense in depth. at each onion layer, get rid of part of the
> unwanted traffic.
>
> - at the firewall level, get rid of those "hopeless networks".
>
> - at postfix level, reject transactions that should not "occur"
> (independently of content)
>
> - at SA, tag mail based on its content.
>
>
> at postfix level, use zen.spamhaus.org. it is safe and effective. you
> can also use spamcop and korea.services.net but these won't catch a lot
> of junk. other lists are better used in SA.

Thank you, I just added that to my rbl list and watched my spam drop
dramatically. (I was using an old rbl list, I'm surprised it was working
at all) 

I have been doing weird stuff with ipv6, as well as certs. I am curious if
there is a list of mail servers out there running various common smtp
servers (postfix, sendmail, exim, exchange, etc) that I could ping via
email and have them, according to their rules, filters, etc, send a
reply (either back or to an address I'd define)

I am painfully aware I don't have reverse DNS working on my ipv6 clients
(yet), for example, and also am concerned that TLS negotiation may not
work correctly for some ipv4 hosts, and have an on-going concern that
any future changes I make to my mail configuration be easily testable.

What I found after fighting with an exchange server that what seems to
work best is assigning my first mx host to be ipv6 only, and my fallback
to be a mx ipv6 and ipv4 host. 

>

-- 
Dave Taht
http://the-edge.blogspot.com


Re: Building milter in PHP

2009-08-22 Thread rank1seeker
- Original Message -
From: wie...@porcupine.org (Wietse Venema)
To: Postfix users 
Date: Sat, 22 Aug 2009 19:18:19 -0400 (EDT)
Subject: Re: Building milter in PHP

> none none:
> > I've set up postfix for before queue
> > I have not chosen to install milter but to create my own.
> > 
> > I did that in PHP.
> > 
> > Now, I am at a part, where my PHP milter has to communicate with postfix.
> > 
> > Aim is to get string from postfix, evaluate it and send it back to postfix.
> > So I started to read as a first action.
> > 
> > Errors I received were:
> > "can't read SMFIC_OPTNEG reply packet header: Operation timed out"
> 
> The Sendmail MILTER protocol is completely different from SMTP.  
> 
> PHP already comes with a SAPI (server API) that supports this protocol,
> and you should probably build your application that way.
> 
> See, for example: http://www.google.com/search?q=php+milter
> 
>   Wietse
>

It did, but not anymore.
It is now deprecated (php-milter).

I use PHP 5.3 and already have working filter.

To finalise it, I just need a list and description of milter commands.
Those milter commands work for any type of coding language.

Up to now I've found out these, but without explanation or examples:
  connect
  helo
  envfrom
  envrcpt
  header
  eoh
  body
  eom
  abort
  close


Re: Building milter in PHP

2009-08-22 Thread Wietse Venema
none none:
> I've set up postfix for before queue
> I have not chosen to install milter but to create my own.
> 
> I did that in PHP.
> 
> Now, I am at a part, where my PHP milter has to communicate with postfix.
> 
> Aim is to get string from postfix, evaluate it and send it back to postfix.
> So I started to read as a first action.
> 
> Errors I received were:
> "can't read SMFIC_OPTNEG reply packet header: Operation timed out"

The Sendmail MILTER protocol is completely different from SMTP.  

PHP already comes with a SAPI (server API) that supports this protocol,
and you should probably build your application that way.

See, for example: http://www.google.com/search?q=php+milter

Wietse


Re: Any C api to access Postfix programmatically?

2009-08-22 Thread Wietse Venema
Δημήτριος Καραπιπέρης:
> Hi !
> 
> Is there any Programming Interface (api), so that a Postfix instance
> could be accessed programmatically, say, a C program?

Currently,  all the SUPPORTED interfaces require that non-Postfix
code communicates with Postfix via some protocol:  examples are
the SMTP protocol, the pipe-to-command protocol, the SMTPD policy
protocol, the Milter protocol, and a simple TCP-based lookup table.

> for example, connect to a Postfix instance and validate if an e-mail
> address is a valid recipient  for the specific instance...

You can already do this with the existing SMTP interface.

Wietse


Re: deflecting attacks

2009-08-22 Thread Roderick A. Anderson

Jorey Bump wrote:

Martijn de Munnik wrote, at 08/22/2009 02:06 PM:


I use fail2ban with ipf on Solaris 10. When a host produces to many 5xx
errors or sends to much spam it is banned in the firewall.

failregex = reject: RCPT from (.*)\[\]: 5\d\d
ban time 1h

failregex = Passed SPAM, \[\]
ban time 10m

When a host is banned multiple short times it gets banned for 1 day. It
should be easy to get this working with iptables.


While fail2ban is an excellent tool (as is the recent module in
iptables), don't go overboard. For example, keep in mind that SMTP is a
very different animal than SSH or HTTP when determining sane amounts of
time to block a host. It's relatively safe to block repeat offenders
from SSH/HTTP because they usually represent connections from individual
clients (although you might catch a proxy or network behind a NAT). But
legitimate SMTP connections tend to come from a shared resource, such as
an MTA representing thousands of clients. Don't set yourself up for a
DoS by allowing someone to easily block Gmail, AOL, etc. at your site
simply by sending a few spam messages.


Good point.  I didn't think of it in this context.


Rod
--






Re: rbl checks, best place

2009-08-22 Thread /dev/rob0
On Friday 21 August 2009 00:23:07 Olivier Nicole wrote:
> > > This is a difficult question.
> >
> > I disagree.
>
> Just that because you disagree makes the question not simple :)

Perhaps you didn't understand. I tried to explain why the choice of
pre-DATA reject_rbl_client lookups should be preferred to doing them
through content filters. Yes, I made the exception of untrustworthy
lists. If you look back, you'll possibly see that I was proposing
responsible, informed use of DNSBLs.

The rest of this mail consisted of straw man arguments, not worthy of
reply. None of the arguments put forth suggested how DNSBL use in
content filters might be superior to pre-DATA reject_rbl_client.

I think blind reliance on content filtering is ill-advised, based on
poor logic and lack of understanding of the nature of spam. SA and
other content filters will be checking the same DNSBL as I am, with
addition of some that I'd consider less trustworthy. Furthermore, by
virtue of having accepted the DATA, a MTA assumes responsibility for
these few messages amidst all the spam garbage.

I'm not opposed to content filtering; on the contrary, I know it's
an important third or fourth line of defense for many sites. Those
sites which are using it as the first line get what they deserve.
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header


Building milter in PHP

2009-08-22 Thread none none
I've set up postfix for before queue
I have not chosen to install milter but to create my own.

I did that in PHP.

Now, I am at a part, where my PHP milter has to communicate with postfix.

Aim is to get string from postfix, evaluate it and send it back to postfix.
So I started to read as a first action.

Errors I received were:
"can't read SMFIC_OPTNEG reply packet header: Operation timed out"

At that point I've figured out that PHP milter has to say something to postfix
So I've sent string "Hello! Killer here, send me a victim!"


"unreasonable packet length: 1265200236 > 1073741823"
At that point I've figured out that PHP milter is sending too long a
"welcome" message.

Then I've sent just a dot "."


EOF while reading command code: Operation timed out
A-ha!
So here is a catch! COMMAND!

postfix and each milter have some string commands they use to communicate.

So please can anyone give me a link to those commands (something to do with DEV)
;)

So I could finish my PHP milter(DA KILLA!)


Re: Any C api to access Postfix programmatically?

2009-08-22 Thread /dev/rob0
On Saturday 22 August 2009 15:12:45 Δημήτριος Καραπιπέρης wrote:
> Is there any Programming Interface (api), so that a Postfix
> instance could be accessed programmatically, say, a C program?

Maybe just speak SMTP to it? I'm sure there are SMTP libraries
already written and available.

> for example, connect to a Postfix instance and validate if an
> e-mail address is a valid recipient  for the specific instance...

I think for this, you would do better to simply consult whatever
backend the Postfix instance is using for recipient validation.
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header


Re: deflecting attacks

2009-08-22 Thread Terry Carmen

> AMP Admin wrote:
>> Does anyone use iptables or something to defend against attacks?  Like
>> if x amount of requests per x amount of time send away.  If so I would
>> love some examples.  Thanks!
>
> Probably based on Glenn English's work (in another email) I found this
> during a brute force search with Google.  It blocks the ssh
> script-kiddies really well.
>
> You may be able to modify for your purposes.
>
> I have used denyhosts and fail2ban but found this did the most good with
> the least effort.  I'm thinking of modifying it to use TARPIT instead of
> DROP to make the script-kiddies pay more for even trying.
>

I've had excellent results with fail2ban, although I only use it for clearly
unwanted actions like relay attempts, extended dictionary attacks, or
bounce-back spam attempts.

OTOH, I'd never use it for generally "spammy" looking mail, since some
legitimate emails get huge spam scores until the system "learns" them.

Terry




Re: deflecting attacks

2009-08-22 Thread Jorey Bump
Martijn de Munnik wrote, at 08/22/2009 02:06 PM:

> I use fail2ban with ipf on Solaris 10. When a host produces too many 5xx
> errors or sends too much spam it is banned in the firewall.
> 
> failregex = reject: RCPT from (.*)\[<HOST>\]: 5\d\d
> ban time 1h
> 
> failregex = Passed SPAM, \[<HOST>\]
> ban time 10m
> 
> When a host is banned multiple short times it gets banned for 1 day. It
> should be easy to get this working with iptables.

While fail2ban is an excellent tool (as is the recent module in
iptables), don't go overboard. For example, keep in mind that SMTP is a
very different animal than SSH or HTTP when determining sane amounts of
time to block a host. It's relatively safe to block repeat offenders
from SSH/HTTP because they usually represent connections from individual
clients (although you might catch a proxy or network behind a NAT). But
legitimate SMTP connections tend to come from a shared resource, such as
an MTA representing thousands of clients. Don't set yourself up for a
DoS by allowing someone to easily block Gmail, AOL, etc. at your site
simply by sending a few spam messages.



Re: deflecting attacks

2009-08-22 Thread Roderick A. Anderson

AMP Admin wrote:
Does anyone use iptables or something to defend against attacks?  Like 
if x amount of requests per x amount of time send away.  If so I would 
love some examples.  Thanks!


Probably based on Glenn English's work (in another email) I found this 
during a brute force search with Google.  It blocks the ssh 
script-kiddies really well.


You may be able to modify for your purposes.

I have used denyhosts and fail2ban but found this did the most good with 
the least effort.  I'm thinking of modifying it to use TARPIT instead of 
DROP to make the script-kiddies pay more for even trying.



-N SSH_WHITELIST

# Pretend this is my workstation's IP.  You can add similar lines for
# more IPs
-A SSH_WHITELIST -s 10.10.3.21 -m recent --remove --name SSH -j ACCEPT

-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH

-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST

-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP




Any C api to access Postfix programmatically?

2009-08-22 Thread Δημήτριος Καραπιπέρης
Hi !

Is there any Programming Interface (api), so that a Postfix instance
could be accessed programmatically, say, a C program?

for example, connect to a Postfix instance and validate if an e-mail
address is a valid recipient  for the specific instance...

thanks
Dimitrios Karapiperis



Re: deflecting attacks

2009-08-22 Thread Martijn de Munnik


On Aug 22, 2009, at 8:16 PM, AMP Admin wrote:

> Does anyone use iptables or something to defend against attacks?
> Like if x amount of requests per x amount of time send away.  If so
> I would love some examples.  Thanks!
>
> Thanks for the tips guys.  How does that do with search engine
> bots?  It doesn't block them, right?


Not sure what you mean? I only block port 25 (smtp).



Re: Country IP block list

2009-08-22 Thread Mikael Bak
Security Admin (NetSec) wrote:
> Could someone provide links to sites where IP addresses are grouped by
> country?  ASNs would work too but would prefer IP lists that I could put
> in a file that my postfix mail gateway could read.  Obvious countries
> like China and Brazil I would like to block wholesale.  Thanks in advance!
> 

I know it's OT, because it doesn't involve postfix, but I use the
RelayCountry plugin in SA to score some countries higher.

I find this a safer solution than cutting off some countries entirely.

Mikael



Re: deflecting attacks

2009-08-22 Thread ghe


On Aug 22, 2009, at 11:53 AM, AMP Admin wrote:

Does anyone use iptables or something to defend against attacks?   
Like if x amount of requests per x amount of time send away.  If so  
I would love some examples.  Thanks!



There's also a cool feature in iptables called "recent". It allows you  
to specify the number of hits on a rule, in a specified length of  
time, from a single IP. If that's exceeded, it drops everything from  
that IP until they stop.


http://www.snowman.net/projects/ipt_recent/

--
Glenn English
g...@slsware.com
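An added simulation (not code from Glenn's or Rod's posts) of the `recent` match behaviour Glenn describes, run with the exact parameters of the rules Rod posted: `--set` on every new port-22 connection, `--remove` plus ACCEPT for the whitelisted workstation, and `--update --seconds 60 --hitcount 4` to DROP. The 203.0.113.5 scanner address and the timeline are constructed, the kernel module is not involved, `--rttl` is not modelled, and a connection that matches none of the three rules is assumed to hit a normal port-22 ACCEPT rule further down the chain.

```python
from collections import defaultdict, deque

SECONDS, HITCOUNT = 60, 4        # --seconds 60 --hitcount 4 from the posted DROP rule
SSH_WHITELIST = {"10.10.3.21"}   # the workstation address in the posted SSH_WHITELIST chain
IP_PKT_LIST_TOT = 20             # kernel default: timestamps remembered per address


class RecentList:
    """The per-address timestamp list that `-m recent --name SSH` maintains."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=IP_PKT_LIST_TOT))

    def set(self, ip, now):
        """--set: add the address if missing and record this packet's time."""
        self.stamps[ip].append(now)

    def remove(self, ip):
        """--remove: forget the address entirely."""
        self.stamps.pop(ip, None)

    def update(self, ip, now):
        """--update --seconds SECONDS --hitcount HITCOUNT: match when the address is
        listed with at least HITCOUNT stamps no older than SECONDS; a match records
        another stamp, which is why a client that keeps retrying stays blocked."""
        if ip not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[ip] if now - t <= SECONDS)
        if hits >= HITCOUNT:
            self.stamps[ip].append(now)
            return True
        return False


def simulate(events):
    """Feed new port-22 connections (time, client) through the three posted rules
    in order and return {client: [verdict, ...]} in time order."""
    recent, verdicts = RecentList(), defaultdict(list)
    for now, ip in sorted(events):
        recent.set(ip, now)                 # -m recent --set --name SSH
        if ip in SSH_WHITELIST:             # -j SSH_WHITELIST: --remove ... -j ACCEPT
            recent.remove(ip)
            verdicts[ip].append("ACCEPT")
        elif recent.update(ip, now):        # --update --seconds 60 --hitcount 4 -j DROP
            verdicts[ip].append("DROP")
        else:                               # assumed: a later rule accepts port 22
            verdicts[ip].append("ACCEPT")
    return dict(verdicts)


# Constructed timeline (seconds from start): a scanner retrying every 15 s, then
# pausing for more than a minute, plus the whitelisted workstation reconnecting.
SAMPLE_EVENTS = [(t, "203.0.113.5") for t in (0, 15, 30, 45, 60, 75, 140)] \
    + [(t, "10.10.3.21") for t in (1, 2, 3, 4, 5)]

if __name__ == "__main__":
    for ip, verdicts in simulate(SAMPLE_EVENTS).items():
        print(ip, " ".join(verdicts))
```

The fourth attempt inside the minute is the first one dropped, every further attempt extends the block, and the client only gets through again once it has been quiet for the full window.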





RE: deflecting attacks

2009-08-22 Thread AMP Admin
> Does anyone use iptables or something to defend against attacks?  Like if
> x amount of requests per x amount of time send away.  If so I would love
> some examples.  Thanks!


Thanks for the tips guys.  How does that do with search engine bots?  It
doesn’t block them, right?



Re: deflecting attacks

2009-08-22 Thread Martijn de Munnik


On Aug 22, 2009, at 7:53 PM, AMP Admin wrote:

Does anyone use iptables or something to defend against attacks?   
Like if x amount of requests per x amount of time send away.  If so  
I would love some examples.  Thanks!


Hi,

I use fail2ban with ipf on Solaris 10. When a host produces too many  
5xx errors or sends too much spam it is banned in the firewall.


failregex = reject: RCPT from (.*)\[<HOST>\]: 5\d\d
ban time 1h

failregex = Passed SPAM, \[<HOST>\]
ban time 10m

When a host is banned multiple short times it gets banned for 1 day.  
It should be easy to get this working with iptables.


--
Martijn
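The fail2ban jails quoted in this thread (Martijn's 5xx and amavis "Passed SPAM" regexes, Luigi's 450 greylisting rule with its 10-hit threshold against 3 hits for RBL rejects) and Jorey's warning about banning a shared MTA, worked through as an added example that is not code from any of the posters: the `<HOST>` tag is expanded into a capture group, each jail counts matches per client inside a findtime window, and an `ignoreip` set keeps a large MTA out of the ban list. The log lines, the RFC 5737 addresses, the 198.51.100.25 "shared MTA" and the 10-minute findtime are all constructed or assumed; the thread gives none of them.

```python
import re
from collections import defaultdict
from datetime import datetime

# fail2ban substitutes <HOST> with a group that captures the client address (IPv4 only here).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# jail name -> (failregex as quoted in the thread with <HOST> expanded, maxretry, bantime seconds)
JAILS = {
    "postfix-greylist": (re.compile(r"reject: RCPT from (.*)\[" + HOST + r"\]: 450"), 10, 3600),
    "postfix-rbl": (re.compile(r"NOQUEUE: reject: RCPT from (.*)\[" + HOST + r"\]: 5\d\d"), 3, 3600),
    "amavis-spam": (re.compile(r"Passed SPAM, \[" + HOST + r"\]"), 3, 600),
}
FINDTIME = 600  # assumed: the maxretry hits must fall inside this many seconds

# Assumed address of a large shared MTA that must never be banned (fail2ban's ignoreip).
IGNOREIP = {"198.51.100.25"}

SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) ")


def parse_ts(line, year=2009):
    """Syslog timestamps carry no year; the constructed log is dated 2009."""
    m = SYSLOG_TS.match(line)
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S") if m else None


def scan(lines):
    """Return {jail: {host: [timestamps]}} for every failregex match, skipping ignoreip."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        ts = parse_ts(line)
        for name, (rx, _, _) in JAILS.items():
            m = rx.search(line)
            if m and m.group("host") not in IGNOREIP:
                hits[name][m.group("host")].append(ts)
    return hits


def bans(lines):
    """Return {(jail, host): bantime} for hosts with maxretry hits inside FINDTIME."""
    result, hits = {}, scan(lines)
    for name, (_, maxretry, bantime) in JAILS.items():
        for host, times in hits[name].items():
            times.sort()
            # sliding window: any maxretry consecutive hits within FINDTIME trigger a ban
            for i in range(len(times) - maxretry + 1):
                if (times[i + maxretry - 1] - times[i]).total_seconds() <= FINDTIME:
                    result[(name, host)] = bantime
                    break
    return result


def _smtpd(hms, client, reply):
    return f"Aug 22 {hms} mx postfix/smtpd[2201]: NOQUEUE: reject: RCPT from {client}: {reply}"


# Constructed log: an RBL-listed bot, a shared MTA bouncing off unknown users, a greylisted
# sender retrying every 5 s, a spam source seen by amavis, and a host with only two strikes.
SAMPLE_LINES = (
    [_smtpd(f"20:06:0{s}", "unknown[192.0.2.10]", "554 5.7.1 Service unavailable; "
            "Client host [192.0.2.10] blocked using zen.spamhaus.org") for s in (1, 3, 5)]
    + [_smtpd(f"20:07:1{s}", "mail.example.com[198.51.100.25]",
              "550 5.1.1 <nobody@example.org>: User unknown") for s in (0, 2, 4)]
    + [_smtpd(f"20:08:{s:02d}", "unknown[203.0.113.7]",
              "450 4.7.1 <c@example.org>: Recipient address rejected: Greylisted")
       for s in range(0, 55, 5)]
    + [f"Aug 22 20:09:0{s} mx amavis[3100]: (03100-0{s}) Passed SPAM, [192.0.2.77] "
       f"[192.0.2.77] <s@example.net> -> <b@example.org>" for s in (1, 2, 3)]
    + [_smtpd(f"20:09:3{s}", "unknown[192.0.2.99]", "554 5.7.1 Service unavailable")
       for s in (0, 5)]
)

if __name__ == "__main__":
    for (jail, host), bantime in sorted(bans(SAMPLE_LINES).items()):
        print(f"{jail:17} ban {host} for {bantime} s")
```

The shared MTA's three 550 rejects would trip the RBL jail exactly as Jorey warns; only the ignoreip entry keeps it off the ban list.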







RE: deflecting attacks

2009-08-22 Thread Dudi Goldenberg

> Does anyone use iptables or something to defend against attacks?  Like if x 
> amount of requests per x amount of time send away.  If so I would love some 
> examples.  Thanks!

Have a look at fail2ban, http://www.fail2ban.org/wiki/index.php/Main_Page

Regards,

D.



deflecting attacks

2009-08-22 Thread AMP Admin
Does anyone use iptables or something to defend against attacks?  Like if x
amount of requests per x amount of time send away.  If so I would love some
examples.  Thanks!




Re: Country IP block list

2009-08-22 Thread ghe


On Aug 22, 2009, at 10:31 AM, Roderick A. Anderson wrote:


Thanks.  I would (coming in late to this thread) be interested.



GOTO http://www.slsware.com/asia-blk.html

And thanks for 'encouraging' me to tidy things up a bit :-)

--
Glenn English
g...@slsware.com





Re: Country IP block list

2009-08-22 Thread Roderick A. Anderson

ghe wrote:


On Aug 22, 2009, at 9:56 AM, Security Admin (NetSec) wrote:

Could someone provide links to sites where IP addresses are grouped by 
country?  ASNs would work too but would prefer IP lists that I could 
put in a file that my postfix mail gateway could read.  Obvious 
countries like China and Brazil I would like to block wholesale.  
Thanks in advance!


I haven't done anything but Asia yet, and I've implemented that with a 
perl / shell script that downloads the assignments from Apnic, filters 
on country code, and builds a shell script to block the nets in a Linux 
packet filter chain. It never gets to Postfix.


If you're interested in that approach, I'd be happy to share the code...


Thanks.  I would (coming in late to this thread) be interested.


\\||/
Rod
--



Re: Country IP block list

2009-08-22 Thread Daniel V. Reinhardt

From: Security Admin (NetSec) 
To: "postfix-users@postfix.org" 
Sent: Saturday, August 22, 2009 3:56:28 PM
Subject: Country IP block list

 
Could someone provide links to sites where IP addresses are
grouped by country?  ASNs would work too but would prefer IP lists that I
could put in a file that my postfix mail gateway could read.  Obvious
countries like China and Brazil I would like to block wholesale.  Thanks
in advance!


http://www.blockacountry.com/ it puts the IP/Subnets in a .htaccess file you 
can save and copy content out of.

Daniel Reinhardt
Website: www.cryptodan.com
Email: crypto...@yahoo.com
Junior Network Security Engineer



Re: Country IP block list

2009-08-22 Thread ghe


On Aug 22, 2009, at 9:56 AM, Security Admin (NetSec) wrote:

Could someone provide links to sites where IP addresses are grouped  
by country?  ASNs would work too but would prefer IP lists that I  
could put in a file that my postfix mail gateway could read.   
Obvious countries like China and Brazil I would like to block  
wholesale.  Thanks in advance!


I haven't done anything but Asia yet, and I've implemented that with a  
perl / shell script that downloads the assignments from Apnic, filters  
on country code, and builds a shell script to block the nets in a  
Linux packet filter chain. It never gets to Postfix.


If you're interested in that approach, I'd be happy to share the code...

--
Glenn English
g...@slsware.com





Re: Country IP block list

2009-08-22 Thread J.D. Bronson


How about this site for a start:

http://www.okean.com/antispam/sinokorea.html


--
J.D. Bronson


Re: Country IP block list

2009-08-22 Thread Bill Landry
Security Admin (NetSec) wrote:
> Could someone provide links to sites where IP addresses are grouped by
> country?  ASNs would work too but would prefer IP lists that I could put
> in a file that my postfix mail gateway could read.  Obvious countries
> like China and Brazil I would like to block wholesale.  Thanks in advance!

Take a look at http://countries.nerd.dk/

Bill


RE: MS-Exchange fails when receiving postfix has smtpd_enforce_tls=true

2009-08-22 Thread Security Admin (NetSec)
I have been using Exchange 2007 with postfix mail gateway for almost 3 years 
now; both outbound and inbound are encrypted and have had minimal issues (due 
to my own stupidity) with communications.  I posted a few years ago when I was 
running Exchange 2003 which did not do encryption properly and you had to make 
mods to postfix to make it work right.  The following works for me (note I use 
same root CA for both postfix and Exchange 2007):

smtpd_use_tls = yes
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_auth_only = no
smtp_tls_security_level = may
smtpd_tls_key_file = /etc/postfix/ssl/server.key
smtpd_tls_cert_file = /etc/postfix/ssl/server_selfsign.crt
smtpd_tls_CAfile = /etc/postfix/ssl/server_selfsign.crt
smtp_tls_CAfile = /etc/postfix/exchange.pem
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtpd_tls_mandatory_ciphers = high
smtpd_tls_loglevel = 14
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Victor Duchovni
Sent: Friday, August 21, 2009 2:28 PM
To: postfix-users@postfix.org
Subject: Re: MS-Exchange fails when receiving postfix has smtpd_enforce_tls=true

On Fri, Aug 21, 2009 at 10:54:49PM +0200, gmx wrote:

> Hi Victor,
> 
> In http://marc.info/?l=postfix-users&m=116171112425304&w=2 you described
> problems with ciphers when connecting from MS-Exchange to postfix. Has there
> been any improvement in the last almost-3 years?

AFAIK, the problem is resolved in Vista at the latest SP levels.  XP,
and perhaps Server 2003 are AFAIK still broken for ciphers other than RC4.

> In a similar vein, we are having problems to mandatorily send TLS encrypted
> mails from an MS-Exchange to a postfix.
> 
> We always get a 
> 
> <<530 5.0.0 Permanent message delivery failure - 530 5.7.0 Must issue a
> STARTTLS command first (in reply to end of DATA command))>>

This is logged by the Postfix SMTP client, when sending mail out, not
the SMTP server. Perhaps you are inadvertently enforcing TLS post
content filter, ...

> Postfix 2.4.6 settings are
> smtpd_tls_cipherlist = MEDIUM:HIGH:!MD5:!aNULL

This parameter is not used in 2.3 or later, and this setting is not wise
in any case.

> smtpd_tls_mandatory_ciphers=medium
> smtpd_tls_exclude_ciphers=aNULL

This is fine.

> smtpd_enforce_tls = yes

Ignored.

> smtpd_tls_security_level=encrypt

This makes the former unnecessary.

> When we turn off the last 2, it all works fine, and the received header
> still claims that the message had 
> 
> >  (using TLSv1 with cipher RC4-MD5 (128/128 bits))
> >  (No client certificate requested)
> >  (Authenticated sender: umbricht...@sig.privasphere.com)
> 
> but AFAIK without the last 2, we cannot prevent sending-side omissions of
> TLS from the receiving side and we would really like to ensure that as
> receivers.

Sure looks like you are having trouble forwarding mail received from
Exchange, not receiving from Exchange.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.




Re: openldap-2.3.39 crash

2009-08-22 Thread Stefan Förster
Hello 承磊,

* 承磊  wrote:
> I have been using postfix since a few weeks. The setup is currently: Redhat
> As4.4 (Linux 2.6.9-42 SMP), Postfix 2.3.39, openldap-2.3.39, BerkeleyDB 4.5.
> 20 , courier-authlib-0.56.
> Now, the ldap service crashes frequently once the ldap connection raises
> about 300(the database engine is bdb).

you can try whether using the proxymap(8) service to access your LDAP lookup
tables (with an appropriate process limit defined in master.cf) solves
your problem:

http://www.postfix.org/proxymap.8.html


Cheers
Stefan


Country IP block list

2009-08-22 Thread Security Admin (NetSec)
Could someone provide links to sites where IP addresses are grouped by country? 
 ASNs would work too but would prefer IP lists that I could put in a file that 
my postfix mail gateway could read.  Obvious countries like China and Brazil I 
would like to block wholesale.  Thanks in advance!


Re: postfix listen on a particular IP

2009-08-22 Thread Noel Jones

On 8/22/2009 10:34 AM, K bharathan wrote:

i've got a host with 2 network interfaces with two IPs (192.168.2.100
and 192.168.2.101)
want postfix to listen only to 192.168.2.101 (mail.example.com)
can i put in main.cf
inet_interfaces = IP or mail.example.com

help appreciated



http://www.postfix.org/postconf.5.html#inet_interfaces

  -- Noel Jones


postfix listen on a particular IP

2009-08-22 Thread K bharathan
i've got a host with 2 network interfaces with two IPs (192.168.2.100 and
192.168.2.101)
want postfix to listen only to 192.168.2.101 (mail.example.com)
can i put in main.cf
inet_interfaces = IP or mail.example.com

help appreciated