GEO IP based restrictions?

Has anyone implemented geo based restrictions for postfix login connections, or is this something that needs to be done in dovecot?

I was thinking someway to add most of Asia and Eastern Europe to postscreen checks would be useful?


Re: GEO IP based restrictions?

By LuKreme at 05/14/2019 - 15:15

On 14 May 2019, at 11:41, @lbutlr < ... at kreme dot com> wrote:
This seemed to work pretty well

pfctl -t badguys -T add $(cat

I can then flush and add when the CIDR file is updated. is the combination of several countries from and some other bad actors that have been problems in the past.

Re: GEO IP based restrictions?

By LuKreme at 05/14/2019 - 15:18

On 14 May 2019, at 13:15, @lbutlr < ... at kreme dot com> wrote:
(still looking for a way to block other IPs from just the specific services, but this list is, on reflection, small enough I can probably manage it manually in hosts.allow.)

Re: GEO IP based restrictions?

By Wietse Venema at 05/14/2019 - 14:36

Accodring to a search engine, with seach terms "postfix geoip", there
are many solutions. One uses postfwd with a geoip plugin to block
SASL login from too many different countries.

<a href="" title=""></a>

No idea how well it works.

Postscreen does not implement SASL and that is a good idea.


Re: GEO IP based restrictions?

By allenc at 05/14/2019 - 14:33

<a href="" title=""></a> publish IP address-lists sorted by country zones; a script
can quite easily derive a .cidr access-list (or perhaps a DNS zone file).

Alternatively, there is an RBL,, which will return a code
based on country of origin - or if you substitute a country code (eg it will return a yes/no response, to blacklist (or
whitelist) an individual country. I don't know how robust these people are, but
they are certainly sufficient for a domestic server.

I have tried both methods to postscreen, with some success.

Hope this helps

Allen C

On 14/05/2019 18:41, @lbutlr wrote:

Re: GEO IP based restrictions?

By John Peach at 05/14/2019 - 13:48

On 5/14/19 1:41 PM, @lbutlr wrote:
You can always use access_client and reject based on TLD. I ban most of
the new TLDs that are used for nothing but spam and Eastern Europe......

I use the geo-ip extension to iptables for restricting IMAP access.

Re: GEO IP based restrictions?

By LuKreme at 05/14/2019 - 14:38

Urd, I already do that for incoming mail via helo restrictions, but I haven't figured out how to do that effectively for the port 993.

I'll look at that, thanks.

On 14 May 2019, at 12:33, Allen Coates < ... at cidercounty dot> wrote:
that also sounds promising.