Block ip ranges in postfix

Postby manu67a » Tue Jul 14, 2015 9:36 am

Hello,

Based on the following information in the wiki regarding New Features in ZCS_8.5, and especially the section about the ability to blacklist specific IP addresses, I would like to do this, but based on IP ranges in CIDR format.

I read that, for instance, this works in Postfix using the following:

smtpd_client_restrictions =
    check_client_access cidr:/etc/postfix/cidr_client_access

and having in the file the following format:

192.168.1.0/24 REJECT

Is this supported in Zimbra 8.5 or 8.6?

Thanks in advance.



Postby Fabio S. Schmidt » Tue Jul 14, 2015 10:51 am

Hi,

I think that CIDR is supported, since it has been included in Postfix since version 2.1. To confirm, run 'postconf -m'; cidr should be in the results.

Source: http://www.postfix.org/cidr_table.5.html

Postby manu67a » Fri Jul 17, 2015 7:49 am

Hi Fabio,

Thanks, this is indeed available, so I used CIDR for my list of IP ranges to reject.

Kind regards,

Manuel

Postby Fabio S. Schmidt » Fri Jul 17, 2015 8:17 am

Hi Manuel,


I'm glad that it helped you.


Postby manu67a » Mon Jul 20, 2015 4:05 am

Hi,

So, just for the record, to document what I did:

Creation of the CIDR file to reject IP ranges:

nano /opt/zimbra/conf/postfix_blacklist_cidr

The content is formatted the following way:

A.B.C.D/xx REJECT

Postmap the file:

postmap /opt/zimbra/conf/postfix_blacklist_cidr

Edit the smtpd_recipient_restrictions.cf file:

nano /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf

Add the following on the second line:

%%contains VAR:zimbraMtaRestriction check_client_access cidr:/opt/zimbra/conf/postfix_blacklist_cidr%%

Add the following to the configuration:

zmprov mcf +zimbraMtaRestriction 'check_client_access cidr:/opt/zimbra/conf/postfix_blacklist_cidr'

Restart your server:

zmcontrol restart

You should now be able to see rejected IPs like:



NOQUEUE: reject: RCPT from xxxxxx[A:B:C:D]: 554 5.7.1 <xxxxxxxxx[A:B:C:D]>: Client host rejected: Access denied; from=<sender@domain.com> to=<recepient@domain.com> proto=ESMTP helo=<sender_hostname>



Enjoy
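
As an added example (not part of the thread, and not Zimbra or Postfix code), here is a small Python check that can be run over a file like postfix_blacklist_cidr before restarting. It flags patterns with host bits set and rules that can never match because an earlier, wider rule already covers them, and it emulates first-match lookup. It handles only the plain "pattern result" lines used above; the sample table and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample table (documentation ranges, not taken from the thread).
SAMPLE_TABLE = """\
# blacklist for check_client_access
192.0.2.0/24      REJECT
198.51.100.7      OK
198.51.100.0/24   REJECT
203.0.113.10/24   REJECT
192.0.2.128/25    OK
2001:db8::/32     REJECT
"""

def parse_table(text):
    """Return (rules, problems); rules is a list of (lineno, network, action)."""
    rules, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            problems.append((lineno, "missing result after pattern"))
            continue
        try:
            net = ipaddress.ip_network(fields[0], strict=True)  # refuses host bits
        except ValueError as exc:
            problems.append((lineno, str(exc)))
            continue
        # A narrower rule placed after a wider one can never be reached.
        for prev_line, prev_net, _ in rules:
            if prev_net.version == net.version and net.subnet_of(prev_net):
                problems.append((lineno, f"shadowed by line {prev_line}"))
                break
        rules.append((lineno, net, fields[1].strip()))
    return rules, problems

def lookup(rules, client_ip):
    """First matching rule wins; returns None when no rule matches."""
    addr = ipaddress.ip_address(client_ip)
    for _, net, action in rules:
        if addr.version == net.version and addr in net:
            return action
    return None

if __name__ == "__main__":
    rules, problems = parse_table(SAMPLE_TABLE)
    print(problems)
    print({ip: lookup(rules, ip) for ip in ("192.0.2.200", "198.51.100.8", "10.0.0.1")})
```

On the sample table this reports line 5 (host bits set) and line 6 (an OK entry that is never reached because line 2 already rejects the whole /24).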
