GEO IP based restrictions?

Has anyone implemented geo based restrictions for postfix login connections, or is this something that needs to be done in dovecot?

I was thinking someway to add most of Asia and Eastern Europe to postscreen checks would be useful?


Re: GEO IP based restrictions?

By Wietse Venema at 05/14/2019 - 14:36

Accodring to a search engine, with seach terms "postfix geoip", there
are many solutions. One uses postfwd with a geoip plugin to block
SASL login from too many different countries.

<a href="" title=""></a>

No idea how well it works.

Postscreen does not implement SASL and that is a good idea.


Re: GEO IP based restrictions?

By allenc at 05/14/2019 - 14:33

<a href="" title=""></a> publish IP address-lists sorted by country zones; a script
can quite easily derive a .cidr access-list (or perhaps a DNS zone file).

Alternatively, there is an RBL,, which will return a code
based on country of origin - or if you substitute a country code (eg it will return a yes/no response, to blacklist (or
whitelist) an individual country. I don't know how robust these people are, but
they are certainly sufficient for a domestic server.

I have tried both methods to postscreen, with some success.

Hope this helps

Allen C

On 14/05/2019 18:41, @lbutlr wrote:

Re: GEO IP based restrictions?

By John Peach at 05/14/2019 - 13:48

On 5/14/19 1:41 PM, @lbutlr wrote:
You can always use access_client and reject based on TLD. I ban most of
the new TLDs that are used for nothing but spam and Eastern Europe......

I use the geo-ip extension to iptables for restricting IMAP access.

Re: GEO IP based restrictions?

By LuKreme at 05/14/2019 - 14:38

Urd, I already do that for incoming mail via helo restrictions, but I haven't figured out how to do that effectively for the port 993.

I'll look at that, thanks.

On 14 May 2019, at 12:33, Allen Coates < ... at cidercounty dot> wrote:
that also sounds promising.