DevHeads.net

check IP before permit_sasl_authenticated

I'd like to block certain IPs from attempting to authenticate on my submission port.

This is what I have now:

#master.cf
#port 587
submission inet n - n - - smtpd
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    -o smtpd_sasl_auth_enable=yes

Is it possible to configure to use an access list before the permit_sasl_authenticated?

Where the access file contains:
#
Somedomain.com 550 reject
45.227.253.216 550 reject

Is this right? Want to be sure I'm configuring it correctly and not opening some hole:

#master.cf
#port 587
submission inet n - n - - smtpd
    -o smtpd_recipient_restrictions= check_client_access hash:/etc/postfix/access, permit_sasl_authenticated,reject
    -o smtpd_sasl_auth_enable=yes

Comments

Re: check IP before permit_sasl_authenticated

By LuKreme at 08/14/2019 - 07:29

On 13 Aug 19, at 09:19 , Scott Techlist < ... at msws dot org> wrote:
You cannot prevent them from attempting to authenticate, at least not via postfix. You would need to firewall them or do something in hosts.allow for that.

You can prevent them from logging in successfully, regardless of credentials, but you can't keep them from connecting and trying to login.

Re: check IP before permit_sasl_authenticated

By Wietse Venema at 08/13/2019 - 10:57

Scott Techlist:
Your -o name=value contains spaces, therefore use {} like this:

submission inet n - n - - smtpd
    -o { smtpd_recipient_restrictions =
        check_client_access hash:/etc/postfix/access,
        permit_sasl_authenticated, reject }

(this requires Postfix version 3.0 or later).

You are right to place check_client_access before permit_sasl_authenticated.

Wietse
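To make the ordering point concrete, here is an added example (not from the thread and not Postfix's own code) that models how smtpd walks a restriction list at RCPT TO time and how check_client_access looks up a client against the access table. The access table, the client addresses and hostnames are constructed for the demonstration.

```python
# Added example (not from the thread, not Postfix code): a toy model of how
# smtpd walks a restriction list, where the first non-DUNNO result wins.
# Lookup keys follow access(5): full IP, then shorter dotted prefixes; full
# client hostname, then its parent domains. Everything else is simplified.

# Constructed access table, mirroring the /etc/postfix/access in the thread.
# A leading 5xx code means "reject with this text"; OK/PERMIT would permit.
ACCESS = {
    "somedomain.com": "550 reject",
    "45.227.253.216": "550 reject",
}

def access_keys(client_ip, client_name):
    """Keys to try, in the order Postfix tries them, for one client."""
    keys = []
    if client_name and client_name != "unknown":  # "unknown" = no reverse DNS
        labels = client_name.lower().split(".")
        keys += [".".join(labels[i:]) for i in range(len(labels))]
    octets = client_ip.split(".")
    keys += [".".join(octets[:n]) for n in range(len(octets), 0, -1)]
    return keys

def check_client_access(table, client_ip, client_name):
    """Return 'PERMIT', 'REJECT <text>' or None (DUNNO: keep going)."""
    for key in access_keys(client_ip, client_name):
        action = table.get(key)
        if action is None:
            continue
        if action.upper().startswith(("OK", "PERMIT")):
            return "PERMIT"
        return "REJECT " + action
    return None

def evaluate(restrictions, table, client_ip, client_name, sasl_ok):
    """Walk the restriction list; the first PERMIT/REJECT decides."""
    for r in restrictions:
        if r == "check_client_access":
            result = check_client_access(table, client_ip, client_name)
            if result is not None:
                return result
        elif r == "permit_sasl_authenticated":
            if sasl_ok:
                return "PERMIT"
        elif r == "reject":
            return "REJECT 554"
    return "DUNNO"

SAFE = ["check_client_access", "permit_sasl_authenticated", "reject"]
WRONG = ["permit_sasl_authenticated", "check_client_access", "reject"]
```

With SAFE, a listed client that somehow authenticates is still rejected at RCPT TO; with WRONG, permit_sasl_authenticated matches first and the access table is never consulted for that client.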

RE: check IP before permit_sasl_authenticated

By techlist06 at 08/13/2019 - 12:03

Thanks Wietse.

Is there a workaround for the space in v2.2 (old server, working on migrating)?

submission inet n - n - - smtpd
    -o smtpd_recipient_restrictions=check_client_access hash:/etc/postfix/access,permit_sasl_authenticated,reject

RE: check IP before permit_sasl_authenticated

By techlist06 at 08/13/2019 - 12:15

I found a post where someone said this was valid workaround in master.cf, replacing the single space with a comma:
-o smtpd_recipient_restrictions=check_client_access,hash:/etc/postfix/send_access,permit_sasl_authenticated, reject

Hopefully that is correct.

Re: check IP before permit_sasl_authenticated

By Noel Jones at 08/13/2019 - 12:19

On 8/13/2019 12:15 PM, Scott Techlist wrote:

Yes, that's correct, use a comma instead of space. Note in the
above example you still have a space in ", reject"

Also note this won't prevent intruders from attempting to AUTH, but
it will prevent them from abusing your server if they are successful.

-- Noel Jones