From: Denis BUCHER on
Dear all,

After hours of reading websites and this mailing list, and after many
unsuccessful tries, I would be happy if someone could help me.

I want to allow some incoming networks to be allowed to connect to our
servers and all the rest to be blocked.

This is the solution that I ended with (but it doesn't work) :

1. I added this in main.cf :
smtpd_client_restrictions = check_client_access cidr:/etc/postfix/access

2. I added this to /etc/postfix/access :
216.82.240.0/20 OK
213.213.213.213 REJECT

3. I did :
postmap access
/etc/init.d/postfix reload

4. But now when I try a "telnet (this machine) 25" from 213.213.213.213
I get "Welcome" and I am not rejected ?

Could someone tell me what I did wrong ?

Thanks a lot in advance for any help

Denis

From: Mark Goodge on
On 22/07/2010 11:54, Denis BUCHER wrote:
> Dear all,
>
> After hours of reading websites and this mailing list, and after many
> unsuccessful tries, I would be happy if someone could help me.
>
> I want to allow some incoming networks to be allowed to connect to our
> servers and all the rest to be blocked.
>
> This is the solution that I ended with (but it doesn't work) :
>
> 1. I added this in main.cf :
> smtpd_client_restrictions = check_client_access cidr:/etc/postfix/access
>
> 2. I added this to /etc/postfix/access :
> 216.82.240.0/20 OK
> 213.213.213.213 REJECT
>
> 3. I did :
> postmap access
> /etc/init.d/postfix reload
>
> 4. But now when I try a "telnet (this machine) 25" from 213.213.213.213
> I get "Welcome" and I am not rejected ?
>
> Could someone tell me what I did wrong ?

It will be rejected if you attempt to send a mail. For example:

telnet my.server 25
Trying my.server...
Connected to my.server.
Escape character is '^]'.
220 my.server ESMTP Postfix <- you're expecting it to reject here
HELO other.server
250 my.server
MAIL FROM: <me@example.com>
250 Ok
RCPT TO: <me@my.server>
554 <[213.213.213.213]>: Client host rejected: Access denied

If you don't want the server to even respond on port 25 for those
addresses, then you need to block it further upstream.

Mark
--
http://mark.goodge.co.uk
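
An added example, not part of either message: a simplified Python model of first-match lookup in a `cidr:` access table, run over the table posted in the thread and over a constructed variant that ends with a catch-all rule. It handles only plain `pattern action` lines; the function names, the catch-all table and the sample client addresses are assumptions of this example.

```python
import ipaddress

# Table exactly as posted in step 2 of the question.
POSTED_TABLE = """\
216.82.240.0/20 OK
213.213.213.213 REJECT
"""

# Constructed variant: same allow rule, then a catch-all for every other
# client, matching the stated goal "all the rest to be blocked".
ALLOWLIST_TABLE = """\
# permitted network
216.82.240.0/20 OK
0.0.0.0/0       REJECT
::/0            REJECT
"""

def parse_table(text):
    """Return [(network, action)] in file order, skipping blanks and comments."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'pattern action'")
        # This sketch refuses patterns with host bits set (e.g. 10.1.2.3/8).
        net = ipaddress.ip_network(parts[0], strict=True)
        rules.append((net, parts[1].strip()))
    return rules

def lookup(rules, client_ip):
    """First matching rule wins. None means no rule matched, in which case
    Postfix moves on to the next restriction instead of rejecting."""
    addr = ipaddress.ip_address(client_ip)
    for net, action in rules:
        if addr.version == net.version and addr in net:
            return action
    return None

if __name__ == "__main__":
    # Sample client addresses are constructed for illustration.
    for name, table in (("posted", POSTED_TABLE), ("allowlist", ALLOWLIST_TABLE)):
        rules = parse_table(table)
        for ip in ("216.82.241.5", "213.213.213.213", "198.51.100.7"):
            print(f"{name:9} {ip:16} -> {lookup(rules, ip)}")
```

On a live system, `postmap -q 213.213.213.213 cidr:/etc/postfix/access` runs the same lookup against the real table.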