
How to block postfix connection to a specific ip address

There are a handful of sites that continuously send SPAM to my server and seem to avoid getting listed on the blacklist servers. I'm trying to set up POSTFIX to refuse connections from these servers' IP addresses. Here is how I set up smtpd_client_restrictions in main.cf:


smtpd_client_restrictions =
    check_client_access hash:/Library/Server/Mail/Config/postfix/client_checks
    permit_mynetworks
    permit_sasl_authenticated
    reject_rbl_client bl.spamcop.net
    reject_rbl_client zen.spamhaus.org
    permit


The content of /Library/Server/Mail/Config/postfix/client_checks:


94.242.161.0/24 REJECT Your IP range is spammer
141.255.161.0/24 REJECT Your IP range is spammer
192.95.54.0/24 REJECT Your IP range is spammer
198.50.229.0/24 REJECT Your IP range is spammer
198.50.171.0/24 REJECT Your IP range is spammer


For some reason POSTFIX isn't blocking SMTP connections from these IP addresses.


Is there some other command that I need to specify for smtpd_client_restrictions to get processed?


Is the syntax of my client check incorrect?

Mac mini, OS X Server, 10.8.4 Mountain Lion Server

Posted on Sep 30, 2013 9:34 AM

Question marked as Best reply

Posted on Oct 1, 2013 11:31 PM

You should be seeing the answer as to why in your logs. What have you seen in mail.log?


You'll need to issue


sudo postmap /Library/Server/Mail/Config/postfix/client_checks


each & any time you edit that file.

5 replies

Oct 2, 2013 11:45 AM in response to Paul Derby

If you are running the adaptive firewall (it's not enabled by default), then you can simply issue:


sudo afctl -a 94.242.161.0/24

and the IP/subnet will be blocked by the firewall. Postfix never answers.


No reloading of postfix.


The adaptive firewall has many other benefits, including automatic blacklisting of IPs that try to brute force a service. It's very effective.

Oct 2, 2013 12:04 PM in response to Paul Derby

Thanks davidh, I've been watching the logs and am not able to see why the restriction isn't enforced. I may have to change the logging detail to a higher level so that Postfix will report each step of the SMTP connection.


UptimeJeff.... great idea. That seems even better than messing with Postfix for these problematic sites.


I'll read up on the adaptive firewall and set it going... thanks so much.

Oct 2, 2013 4:25 PM in response to Paul Derby

I've been using fail2ban with 10.6.8 server, and my initial tests with 10.8 showed that it should work.



http://thefragens.com/2009/09/fail2ban-on-leopard-server/

It might be nice to have it tie into pf & pfctl (maybe with a dedicated table) but the (existing) Mac OS X-specific adaptions leverage ipfw and that's still present and supported in 10.8. Shouldn't be difficult, looks like the primary modification(s) would need to be a minor adjustment to Andy Fragen's action.d/ipfw.conf file.

Oct 4, 2013 7:36 PM in response to Paul Derby

Figured out what the problem was in getting Postfix to use the check_client_access file for SMTP connections to reject. Seems that Postfix doesn't understand CIDR notation in the file, so these entries are just ignored and no entry is made in the SMTP log, which makes it even harder to figure out what is going on. Changing the contents of the file from:


94.242.161.0/24 REJECT Your IP range is spammer
141.255.161.0/24 REJECT Your IP range is spammer
192.95.54.0/24 REJECT Your IP range is spammer
198.50.229.0/24 REJECT Your IP range is spammer
198.50.171.0/24 REJECT Your IP range is spammer


to only listing the leading octets of the IP address works. Now the REJECT message appears in the SMTP log, connections from these IP address ranges are dropped on connection, and the irritating spam that is missed by the blacklist servers is gone. Nice!!!


# Restricts which clients this system accepts SMTP connections from.

94.242 REJECT Your IP range is spammer
141.255 REJECT Your IP range is spammer
192.95.54 REJECT Your IP range is spammer
198.50.229 REJECT Your IP range is spammer
23.89.158 REJECT Your IP range is spammer
216.55.165 REJECT Your IP range is spammer
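Added example, not part of the original thread: a small Python model of how a hash: access table is queried for an IPv4 client (per access(5), the full address and then its parent networks with trailing octets stripped), run against the original client_checks content. The helper names and the two client addresses are constructed for illustration; hostname lookups and continuation lines are not modelled.

```python
import ipaddress

# The original map from the thread (CIDR keys in a hash: table).
ORIGINAL_MAP = """\
94.242.161.0/24 REJECT Your IP range is spammer
141.255.161.0/24 REJECT Your IP range is spammer
192.95.54.0/24 REJECT Your IP range is spammer
198.50.229.0/24 REJECT Your IP range is spammer
198.50.171.0/24 REJECT Your IP range is spammer
"""

def parse_access_map(text):
    """Read 'key action' lines into a dict (simplified: no continuation lines)."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, action = line.split(None, 1)
            table[key] = action.strip()
    return table

def lookup_keys(client_ip):
    """Keys tried for an IPv4 client: the address, then its parent networks."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return [".".join(octets[:n]) for n in range(4, 0, -1)]

def check_client(table, client_ip):
    """Return (matching key, action) for the first key found, else None."""
    for key in lookup_keys(client_ip):
        if key in table:
            return key, table[key]
    return None

def cidr_to_hash_key(cidr):
    """Rewrite an octet-aligned CIDR block as the equivalent hash: key."""
    net = ipaddress.IPv4Network(cidr)  # raises ValueError if host bits are set
    if net.prefixlen % 8 or net.prefixlen == 0:
        raise ValueError(f"{cidr}: not octet-aligned, needs a cidr: table")
    return ".".join(str(net.network_address).split(".")[: net.prefixlen // 8])

def convert_map(table):
    """Translate every CIDR key; non-CIDR keys pass through unchanged."""
    return {cidr_to_hash_key(k) if "/" in k else k: v for k, v in table.items()}

if __name__ == "__main__":
    original = parse_access_map(ORIGINAL_MAP)
    fixed = convert_map(original)
    for ip in ("94.242.161.57", "94.242.160.9"):  # constructed client addresses
        print(ip, lookup_keys(ip), check_client(original, ip), check_client(fixed, ip))
```

A key such as 94.242 matches every address under 94.242.x.x, which is wider than a /24, so the octet count decides how much is blocked. Postfix's cidr: table type reads network/mask patterns directly from the text file (check_client_access cidr:/path/to/file) and needs no postmap run.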
