DevHeads.net

GEO IP based restrictions?

Has anyone implemented geo based restrictions for postfix login connections, or is this something that needs to be done in dovecot?

I was thinking some way to add most of Asia and Eastern Europe to postscreen checks would be useful?

Comments

Re: GEO IP based restrictions?

By Wietse Venema at 05/14/2019 - 14:36

According to a search engine, with search terms "postfix geoip", there
are many solutions. One uses postfwd with a geoip plugin to block
SASL login from too many different countries.

https://www.howtoforge.com/tutorial/blocking-of-international-spam-botnets-postfix-plugin/

No idea how well it works.

Postscreen does not implement SASL and that is a good idea.

Wietse

Re: GEO IP based restrictions?

By allenc at 05/14/2019 - 14:33

http://www.ipdeny.com publish IP address-lists sorted by country zones; a script
can quite easily derive a .cidr access-list (or perhaps a DNS zone file).

Alternatively, there is an RBL, zz.countries.nerd.dk, which will return a code
based on country of origin - or if you substitute a country code (eg
uk.countries.nerd.dk) it will return a yes/no response, to blacklist (or
whitelist) an individual country. I don't know how robust these people are, but
they are certainly sufficient for a domestic server.

I have tried both methods to postscreen, with some success.

Hope this helps

Allen C
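
An added example, not part of the post above or of any project named in this thread: one way a script could turn a per-country address list into a Postfix cidr: table of the kind usable with postscreen_access_list. The one-CIDR-per-line input layout, the sample addresses (documentation ranges) and the function names are assumptions.

```python
import ipaddress

# Constructed sample in the one-CIDR-per-line layout assumed for a country
# zone file; the addresses are documentation ranges, not real country data.
SAMPLE_ZONE = """\
# constructed sample zone
198.51.100.0/25
198.51.100.128/25
203.0.113.0/24
203.0.113.64/26
192.0.2.7/24
not-a-network
2001:db8::/33
2001:db8:8000::/33
"""

def parse_zone(text):
    """Return (networks, rejected_lines) parsed from zone-file text."""
    nets, bad = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        try:
            # strict=True refuses entries with host bits set (192.0.2.7/24),
            # so a corrupted download cannot silently widen or shift a block.
            nets.append(ipaddress.ip_network(line, strict=True))
        except ValueError:
            bad.append(line)
    return nets, bad

def to_cidr_table(nets, action="reject"):
    """Merge adjacent/overlapping networks and render cidr: table lines."""
    if action not in ("permit", "reject", "dunno"):  # postscreen access results
        raise ValueError("unsupported action: " + action)
    lines = []
    for version in (4, 6):  # collapse_addresses cannot mix IPv4 and IPv6
        same = [n for n in nets if n.version == version]
        for net in ipaddress.collapse_addresses(same):
            lines.append(f"{net.with_prefixlen}\t{action}")
    return lines

if __name__ == "__main__":
    networks, rejected = parse_zone(SAMPLE_ZONE)
    print("\n".join(to_cidr_table(networks)))
    for entry in rejected:
        print(f"# skipped malformed entry: {entry}")
```

Collapsing before writing keeps the table short, which matters because cidr: tables are searched in order; the skipped entries are worth logging so a truncated or tampered list is noticed before it replaces the live table.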


Re: GEO IP based restrictions?

By John Peach at 05/14/2019 - 13:48

On 5/14/19 1:41 PM, @lbutlr wrote:
You can always use access_client and reject based on TLD. I ban most of
the new TLDs that are used for nothing but spam and Eastern Europe......

I use the geo-ip extension to iptables for restricting IMAP access.

Re: GEO IP based restrictions?

By LuKreme at 05/14/2019 - 14:38

Urd, I already do that for incoming mail via helo restrictions, but I haven't figured out how to do that effectively for the port 993.

I'll look at that, thanks.

On 14 May 2019, at 12:33, Allen Coates < ... at cidercounty dot org.uk> wrote:
that also sounds promising.