check IP before permit_sasl_authenticated

I'd like to block certain IP's from attempting to authenticate on my submission port.

This is what I have now:
#port 587
submission inet n - n - - smtpd
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o smtpd_sasl_auth_enable=yes

Is it possible to configure to use an access list before the permit_sasl_authenticated?

Where the access file contains:
# 550 reject 550 reject

Is this right? Want to be sure I'm configuring it correctly and not opening some hole:
#port 587
submission inet n - n - - smtpd
-o smtpd_recipient_restrictions= check_client_access hash:/etc/postfix/access, permit_sasl_authenticated,reject
-o smtpd_sasl_auth_enable=yes


Re: check IP before permit_sasl_authenticated

By Wietse Venema at 08/13/2019 - 11:57

Scott Techlist:
Your -o name=value contains spaces, therefore use {} like this:

submission inet n - n - - smtpd
-o { smtpd_recipient_restrictions =
check_client_access hash:/etc/postfix/access,
permit_sasl_authenticated, reject }

(this requires Postfix version 3.0 or later).

You are right to place check_client_access before permit_sasl_authenticated.


RE: check IP before permit_sasl_authenticated

By techlist06 at 08/13/2019 - 13:03

Thanks Wietse.

Is there a workaround for the space in v2.2 (old server, working on migrating)?

submission inet n - n - - smtpd
-o smtpd_recipient_restrictions=check_client_access hash:/etc/postfix/access,permit_sasl_authenticated,reject