Block ip ranges in postfix

manu67a
Posts: 6
Joined: Tue Jul 14, 2015 9:27 am

Post by manu67a »

Hello,

Based on the following information in the wiki regarding New Features in ZCS_8.5, and especially the section about the ability to blacklist specific IP addresses, I would like to do this, but based on IP ranges in CIDR format.

I read that, for instance, this works in Postfix using the following:
smtpd_client_restrictions =
    check_client_access cidr:/etc/postfix/cidr_client_access

and having in the file the following format:

192.168.1.0/24 REJECT

Is this supported in Zimbra 8.5 or 8.6?

Thanks in advance.
Fabio S. Schmidt
Advanced member
Posts: 183
Joined: Fri Apr 25, 2014 12:42 pm

Post by Fabio S. Schmidt »

Hi,

I think that CIDR is supported, since it has been included in Postfix since version 2.1. To confirm, run 'postconf -m'; cidr should be in the results.

Source: http://www.postfix.org/cidr_table.5.html
manu67a
Posts: 6
Joined: Tue Jul 14, 2015 9:27 am

Post by manu67a »

Hi Fabio,

Thanks, this is indeed available, so I used CIDR for my list of IP ranges to reject.

Kind regards,

Manuel
Fabio S. Schmidt
Advanced member
Posts: 183
Joined: Fri Apr 25, 2014 12:42 pm

Post by Fabio S. Schmidt »

Hi Manuel,
I'm glad that it helped you.
manu67a
Posts: 6
Joined: Tue Jul 14, 2015 9:27 am

Post by manu67a »

Hi,

So, just for the record, to document what I did:

Creation of the CIDR file to reject IP ranges:

nano /opt/zimbra/conf/postfix_blacklist_cidr

The content is formatted the following way:

A.B.C.D/xx REJECT

Postmap the file:

postmap /opt/zimbra/conf/postfix_blacklist_cidr

Edit the smtpd_recipient_restrictions.cf file:

nano /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf

Add the following on the second line:

%%contains VAR:zimbraMtaRestriction check_client_access cidr:/opt/zimbra/conf/postfix_blacklist_cidr%%

Add the following to the configuration:

zmprov mcf +zimbraMtaRestriction 'check_client_access cidr:/opt/zimbra/conf/postfix_blacklist_cidr'

Restart your server:

zmcontrol restart

You should now be able to see rejected IPs like:

NOQUEUE: reject: RCPT from xxxxxx[A:B:C:D]: 554 5.7.1 <xxxxxxxxx[A:B:C:D]>: Client host rejected: Access denied; from=<sender@domain.com> to=<recepient@domain.com> proto=ESMTP helo=<sender_hostname>

Enjoy
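
Added example (not part of the thread and not Zimbra or Postfix code): a small Python pre-flight check for a blacklist file in the `network/prefix ACTION` format described above, which flags malformed lines and simulates the first-match lookup order of a cidr table. The sample table uses constructed documentation addresses, the function names are hypothetical, and it assumes one plain rule per line (no `!` negation, `if`/`endif` or continuation lines).

```python
import ipaddress

# Constructed sample table (documentation ranges, not taken from the thread).
SAMPLE_TABLE = """\
# exempt one host, then block its whole range
192.0.2.10        DUNNO
192.0.2.0/24      REJECT
198.51.100.7      REJECT
203.0.113.5/24    REJECT
2001:db8::/32     REJECT
10.0.0.0/8
"""

def parse_cidr_table(text):
    """Return (rules, errors); rules keep file order as (network, action)."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            errors.append((lineno, "missing action"))
            continue
        pattern, action = parts
        try:
            # strict=True refuses host bits set in the pattern, e.g. 203.0.113.5/24
            net = ipaddress.ip_network(pattern, strict=True)
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            continue
        rules.append((net, action.strip()))
    return rules, errors

def lookup(rules, client_ip):
    """Action of the first rule that contains client_ip, or None if none does."""
    addr = ipaddress.ip_address(client_ip)
    for net, action in rules:
        # Order matters: the DUNNO line above shadows the later /24 REJECT.
        if addr.version == net.version and addr in net:
            return action
    return None

if __name__ == "__main__":
    rules, errors = parse_cidr_table(SAMPLE_TABLE)
    for lineno, msg in errors:
        print(f"line {lineno}: {msg}")
    for ip in ("192.0.2.10", "192.0.2.44", "198.51.100.8", "2001:db8::1"):
        print(ip, "->", lookup(rules, ip))
```

On the server itself, `postmap -q <address> cidr:/opt/zimbra/conf/postfix_blacklist_cidr` asks Postfix how it would match a given client address against the deployed file.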
onrblt
Posts: 3
Joined: Sun May 10, 2020 7:32 pm

Post by onrblt »

Works. Thx.