Postfix: Allow SMTP AUTH only from specified IP address ranges


Solution 1

How about putting your SMTP AUTH on another port like 587, and using iptables to restrict access to that port? 587 isn't a hidden port; it's an RFC-defined mail submission port. Mail to you arrives on 25, mail through you needs to go over 587.

https://www.rfc-editor.org/rfc/rfc6409

Solution 2

You want to use a negated form of smtpd_sasl_exceptions_networks.

smtpd_sasl_exceptions_networks = !134.500.0.0/16 !134.700.42.0/24 !134.800.133.7

You might also be interested in smtpd_client_connection_rate_limit.

Solution 3

Pretty old question, but if you, like me, come here from Google: this can be done via the smtpd_discard_ehlo_keyword_address_maps feature.

You just add the parameter

smtpd_discard_ehlo_keyword_address_maps = cidr:/etc/postfix/discard_ehlo_keyword

to your Postfix main.cf config (usually located at /etc/postfix/main.cf), where /etc/postfix/discard_ehlo_keyword is the path to a Postfix lookup table.

Next, let's create the file, e.g. via sudo nano /etc/postfix/discard_ehlo_keyword, and put this content in it:

# these are the trusted IP ranges you want to offer AUTH to:
134.500.0.0/16      silent-discard
134.700.42.0/24     silent-discard
# and this is the rest of the world, which you don't want to offer AUTH to:
0.0.0.0/0           silent-discard, auth
::/0                silent-discard, auth

After saving, run sudo postmap /etc/postfix/discard_ehlo_keyword to generate the Postfix lookup table (you should do this after every edit of /etc/postfix/discard_ehlo_keyword).

And don't forget to restart Postfix!
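As an added example (not part of the answer above), here is a small Python model of the cidr: lookup Postfix performs against that table, so the rules can be checked before they go live: the first matching line wins, and silent-discard only suppresses logging rather than removing a keyword. The question's ranges are deliberately malformed, so RFC 5737 / RFC 3849 documentation ranges stand in for the trusted networks; parse_cidr_table, discarded_keywords, auth_advertised and check_order are names chosen here, not Postfix APIs.

```python
import ipaddress

# Constructed table in the shape of /etc/postfix/discard_ehlo_keyword from the answer.
# The question's ranges are deliberately malformed, so RFC 5737 / RFC 3849
# documentation ranges stand in for the trusted networks here.
DISCARD_TABLE = """
# trusted ranges: only the silent-discard pseudo keyword, so AUTH stays advertised
192.0.2.0/24        silent-discard
198.51.100.0/24     silent-discard
203.0.113.7         silent-discard
# everyone else: drop AUTH from the EHLO reply, without logging each hit
0.0.0.0/0           silent-discard, auth
::/0                silent-discard, auth
"""


def parse_cidr_table(text):
    """Return [(network, keywords)] in file order; blank and '#' lines are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, result = line.split(None, 1)
        net = ipaddress.ip_network(pattern, strict=False)  # bare host -> /32 or /128
        keywords = [k.lower() for k in result.replace(",", " ").split()]
        rows.append((net, keywords))
    return rows


def discarded_keywords(rows, client_ip):
    """cidr: lookup as Postfix does it: first matching line wins, no match -> nothing."""
    ip = ipaddress.ip_address(client_ip)
    for net, keywords in rows:
        if ip.version == net.version and ip in net:
            # silent-discard is a logging flag, not an EHLO keyword to remove
            return [k for k in keywords if k != "silent-discard"]
    return []


def auth_advertised(rows, client_ip):
    return "auth" not in discarded_keywords(rows, client_ip)


def check_order(rows):
    """List entries that can never match because a broader line precedes them."""
    return [str(net) for i, (net, _) in enumerate(rows)
            if any(net.version == e.version and net.subnet_of(e) for e, _ in rows[:i])]


ROWS = parse_cidr_table(DISCARD_TABLE)
# Same lines with the catch-alls moved first: the trusted entries become unreachable.
MISORDERED = ROWS[3:] + ROWS[:3]
```

Postfix reads cidr: tables as plain text, and `postmap -q 203.0.113.8 cidr:/etc/postfix/discard_ehlo_keyword` queries the real file the same way this model does.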

Author: MrSnrub

Updated on September 18, 2022

Comments

  • MrSnrub, almost 2 years

    Can one implement an IP-address-based restriction for SMTP AUTH in Postfix?

    Scenario: I'm running a Postfix mail server that receives mails from all over the Internet. But the server doesn't only receive mails, it also allows its authenticated users to send mails to internal users or to external ones. So far no problem.

    Unfortunately, I'm always getting a little scared when reading the log files. There are thousands of unsuccessful, illegal login attempts every day from IP addresses from all over the world.

    But actually the legitimate sender hosts only come from a handful of known IP address ranges. So I know only someone from (for example)

    • 134.500.0.0/16
    • 134.700.42.0/24
    • 134.800.133.7

    might even be a legitimate sender at all. (I know that the IP addresses given in the example above are malformed. I just didn't want to reveal the real ones.)

    So if the sender comes from a different IP range, he's for sure not one of my users and therefore not allowed to relay anything.

    I don't want someone from outside of these subnets to be able to relay even if he figures out a valid username/password combination for SMTP AUTH. If he's from a non-whitelisted IP address range, he mustn't send. Under no circumstances. So permit_sasl_authenticated alone is not enough. As long as someone from "certain" countries (I don't want to name them explicitly...) is able to log in with stolen/brute-forced/spied-on credentials, it's not secure enough. :-) (Think of social engineering, trojan keyloggers that steal account data, lightheaded users with easy-to-guess passwords, etc.)

    => So is it possible to implement an IP address restriction for SMTP AUTH login attempts? (The receiving of incoming mails must not be affected by this. For that I have policyd-weight etc. Here it's only about outgoing / to-be-relayed mails.)

    Solutions that won't work:

    • iptables firewall restriction. As I want to be able to receive mails from all over the Internet on port 25, I cannot implement restrictions at the transport layer level. - Moreover, I want the legitimate users to be able to connect on port 25 to admit new outgoing mails into the server. So allowing mail sending only via a subnet-restricted mystery TCP port, e.g. 24343, is no solution either.
    • permit_mynetworks: Not everybody from the known IP ranges is a legitimate user. So I can't allow everybody from there to send. SMTP AUTH login is necessary to determine whether someone is an authorized user.
  • Michael Hampton, over 11 years
    Hopefully he has already set this up.
  • serge, about 8 years
    I know I'm a bit late, but how do I move SMTP AUTH to another port and disable SMTP AUTH on 25?