Postfix: Allow SMTP AUTH only from specified IP address ranges
Solution 1
How about putting your SMTP AUTH on another port like 587, and using iptables to restrict access to that port? 587 isn't a hidden port, it's an RFC defined mail submission port. Mail to you arrives on 25, mail through you needs to go over 587.
https://www.rfc-editor.org/rfc/rfc6409
Solution 2
You want to use a negated form of smtpd_sasl_exceptions_networks
.
smtpd_sasl_exceptions_networks = !134.500.0.0/16 !134.700.42.0/24 !134.800.133.7
You might also be interested in smtpd_client_connection_rate_limit
.
Solution 3
Pretty old question, but if you like me come here from Google - this can be done via smtpd_discard_ehlo_keyword_address_maps feature.
You just add parameter
smtpd_discard_ehlo_keyword_address_maps = cidr:/etc/postfix/discard_ehlo_keyword
to your Postfix main.cf
config (usually located at /etc/postfix/main.cf
) where /etc/postfix/discard_ehlo_keyword
is a path to Postfix lookup table.
Next let's create a file via e.g. sudo nano /etc/postfix/discard_ehlo_keyword
and put content inside it:
# this is your trusted ip ranges you want to send AUTH:
134.500.0.0/16 silent-discard
134.700.42.0/24 silent-discard
# and this is another world you don't want to send AUTH to:
0.0.0.0/0 silent-discard, auth
::/0 silent-discard, auth
After save run sudo postmap /etc/postfix/discard_ehlo_keyword
to generate Postfix lookup table (you should do this after every edit of /etc/postfix/discard_ehlo_keyword
).
And don't forget to restart Postfix!
Related videos on Youtube
MrSnrub
Hello, my name is Mr. Snrub. And I come from, uh... someplace far away. (Yes, that'll do.) Anyway, I... I say we invest that money back in the nuclear plant!
Updated on September 18, 2022Comments
-
MrSnrub almost 2 years
can one implement an IP address based restriction for SMTP AUTH in Postfix?
Scenario: I'm running a Postfix mail server that receives mails from all over the Internet. But the server doesn't only receive mails, it also allows its authenticated users to send mails to internal users or to external ones. So far no problem.
Unfortunately, I'm always getting a little scared when reading the log files. There are thousands of unsuccessful, illegal login attempts every day from IP addresses from all over the world.
But actually the legitimate sender hosts only come from a handful of known ip address ranges. So I know only someone from (for example)
- 134.500.0.0/16
- 134.700.42.0/24
- 134.800.133.7
might even be a legitimate sender at all. (I know that the IP address given in the example above are malformed. I just don't wanted to unveil the real ones.)
So if the sender comes from a different ip range, he's for sure none of my users and therfore not allowed to relay anything.
I don't want someone from outside of these subnets to be able to relay even if he figures out a valid username/password combination for SMTP AUTH. If he's from a non-white-listed ip address range, he mustn't send. Under no circumstances. So
permit_sasl_authenticated
alone is not enough. As long as someone from "certain" countries (I don't want to name them explicitly...) is able to login with stolen/brute-forced/spyed credentials, it's not secure enough. :-) (Think of social engineering, trojan keyloggers that steal account data, lightheaded users with easy-to-guess passwords, etc.)=> So is it possible to implement an ip address restriction for SMTP AUTH login attempts? (The receiving of incoming mails must not be affected by this. For that I have
policyd-weight
etc. Here it's only about outgoing / to be relayed mails.)Solutions that won't work:
iptables
firewall restriction. As I want to be able to receive mails from all over the Internet on port 25, I cannot implement restrictions on transport layer level. - Moreover, I want the legitimate users to be able to connect on port 25 to admit new outgoing mails into the server. So allowing mail sending only via a subnet restricted-mystery tcp port, e.g. 24343, is no solution, too.permit_mynetworks
: Not everybody from the known ip ranges is a legitimate user. So I can't allow everybody from there to send. SMTP AUTH login is necessary to determine whether someone is an authorized user.
-
Michael Hampton over 11 yearsHopefully he has already set this up.
-
serge about 8 yearsI'm know I'm a bit late, but how do I move smtp auth to another port and disable smtp auth on 25?