{"id":668,"date":"2017-01-23T09:27:33","date_gmt":"2017-01-23T07:27:33","guid":{"rendered":"http:\/\/helia.ee\/koolitus\/?page_id=668"},"modified":"2017-01-23T09:27:33","modified_gmt":"2017-01-23T07:27:33","slug":"debian-8-postfix-blocking-sender-ips-in-postfix","status":"publish","type":"page","link":"https:\/\/helia.ee\/koolitus\/?page_id=668","title":{"rendered":"Debian 8 – Postfix – Blocking sender IPs in Postfix"},"content":{"rendered":"
\n

Blocking sender IPs in Postfix<\/h1>\n<\/header>\n
\n

Despite all I\u2019ve done to filter junk mail, I recently noticed one consistent spammer who was bypassing all of my safeguards. Notably, this source has a host who\u2019s tolerant enough that the spammer\u00a0went so far as to set SPF headers, to give their messages some \u201ccredibility.\u201d<\/p>\n

<\/span>The sender\u2019s IPs were, fortunately, confined to a single \/24<\/code>.\u00a0Thanks to hosting my own email<\/a>, I\u2019m able to block their entire range until spam filters catch up.<\/p>\n

It\u2019s important to note that I confirmed, using IP lookup\u00a0services from the appropriate regional IP registries<\/a>, that the IPs and ranges I blocked were specific enough to not reject\u00a0otherwise-innocuous messages. One could easily ban\u00a0too-broad a subnet and lose\u00a0many legitimate emails.<\/p>\n

IP Blacklist<\/h2>\n

First, create a client_checks<\/code> file in \/etc\/postfix<\/code>. To it, add one or more of the following\u00a0(depending on your needs)\u00a0replacing the IPs or ranges with what you\u2019ve observed in your logs, email headers, etc.:<\/p>\n

\n
\n\n\n\n
\n
1<\/div>\n
2<\/div>\n<\/td>\n
\n
\n
123.456.789.123\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 REJECT Your IP is spam<\/code><\/div>\n
123.456.789.0\/24\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 REJECT Your IP range is spam<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Domains and subdomains could also be specified, as noted in the first tutorial linked in the\u00a0References<\/em><\/a>, but for my purposes, domains are rarely consistent enough to bother filtering that way.<\/p>\n

Hash the blacklist<\/h2>\n

Next, the client_checks<\/code> file must be converted to a database that Postfix can read. This must be done every time<\/em> client_checks<\/code> is updated1<\/a><\/sup>.<\/p>\n

\n
\n\n\n\n
\n
1<\/div>\n<\/td>\n
\n
\n
postmap \/etc\/postfix\/client_checks<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

smtpd_recipient_restrictions<\/code><\/h2>\n

After that, update smtpd_recipient_restrictions<\/code> in \/etc\/postfix\/main.cf<\/code>so that Postfix is aware of\u00a0the block list.<\/p>\n

\n
\n\n\n\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n<\/td>\n
\n
\n
smtpd_recipient_restrictions =<\/code><\/div>\n
\u00a0\u00a0\u00a0<\/code>check_client_access hash:\/etc\/postfix\/client_checks,<\/code><\/div>\n
\u00a0\u00a0\u00a0<\/code>...<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Placing the block list at the beginning\u00a0of the smtpd_recipient_restrictions<\/code> parameter ensures that the IP blocks are obeyed above all other processing,\u00a0but just as\u00a0importantly, prevents\u00a0more-expensive operations,\u00a0such as virus scanning and spam\u00a0scoring, from running when the outcome is predetermined.<\/p>\n

Wrapping up<\/h2>\n

Lastly, restart Postfix and check mail.log<\/code> to confirm that there weren\u2019t any errors reading the new configuration. Regardless of if spam volume subsides,\u00a0revisit the log to confirm that the changes had the intended effect and aren\u2019t blocking legitimate messages.<\/p>\n

References:<\/strong><\/p>\n