How to restrict which IP addresses can use the Postfix SMTP relay

In this tutorial we will cover the following questions:

  • How can I restrict my Postfix relay server so that only certain IP addresses can use it?
  • How do I restrict relaying in Postfix to a certain IP network?
  • How can I allow only certain network addresses to send mail through the Postfix relay?
  • How can I blacklist a certain network from accessing the Postfix relay server?


Lab Environment

I have set up my intranet Postfix relay server using named chroot DNS on CentOS 8 Linux. Below are the node details for the server and clients:

  • Postfix relay server: 192.168.43.154 (mail.example.com)
  • Postfix Client-1: 192.168.43.48 (client-1.example.com)
  • Postfix Client-2: 192.168.43.148 (client-2.example.com)

nslookup output for my relay server:

# nslookup mail.example.com
Server:         192.168.43.154
Address:        192.168.43.154#53

mail.example.com        canonical name = server.example.com.
Name:   server.example.com
Address: 192.168.43.154


Define subnets allowed to use the SMTP relay server

In Postfix, two parameters control which clients are permitted to relay:

  • mynetworks_style
  • mynetworks


mynetworks_style

The method to generate the default value for the mynetworks parameter. This is the list of trusted networks for relay access control etc.

  • Specify "mynetworks_style = host" when Postfix should "trust" only the local machine.
  • Specify "mynetworks_style = subnet" when Postfix should "trust" remote SMTP clients in the same IP subnetworks as the local machine.
  • Specify "mynetworks_style = class" when Postfix should "trust" remote SMTP clients in the same IP class A/B/C networks as the local machine.


mynetworks

  • The list of "trusted" remote SMTP clients that have more privileges than "strangers"
  • In particular, "trusted" SMTP clients are allowed to relay mail through Postfix
  • You can specify the list of "trusted" network addresses by hand or you can let Postfix do it for you (which is the default)
  • If you specify the mynetworks list by hand, Postfix ignores the mynetworks_style setting.
  • Specify a list of network addresses or network/netmask patterns, separated by commas and/or whitespace. Continue long lines by starting the next line with whitespace.
  • The list is matched left to right, and the search stops on the first match.
  • Specify "!pattern" to exclude an address or network block from the list.

For example:

mynetworks = 127.0.0.0/8 168.100.189.0/28
mynetworks = !192.168.0.1, 192.168.0.0/28


Existing behaviour before implementing restriction

Currently, the relay server in my environment is configured to allow the following subnets:

mynetworks = 192.168.43.0/24, 127.0.0.0/8

Let us send a mail from client-1.example.com to client-2.example.com through our relay server mail.example.com:

# mail root@client-2.example.com
Subject: Test message
Hello
.
EOT

Logs on client-1.example.com

Aug 02 00:33:09 client-1.example.com postfix/smtp[926]: 2C14D5FDFA: to=<root@client-2.example.com>, relay=mail.example.com[192.168.43.154]:25, delay=0.51, delays=0.12/0.12/0.21/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as A3EAD5FB32)

Logs on mail.example.com

Aug 02 11:10:56 mail.example.com postfix/smtp[21464]: A3EAD5FB32: to=<root@client-2.example.com>, relay=client-2.example.com[192.168.43.148]:25, delay=0.21, delays=0.03/0.04/0.1/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 85A1C5FBDC)

Logs on client-2.example.com

Aug 02 00:33:09 client-2.example.com postfix/local[21349]: 85A1C5FBDC: to=<root@client-2.example.com>, relay=local, delay=0.08, delays=0.04/0/0/0.04, dsn=2.0.0, status=sent (delivered to maildir)

So the mail was successfully sent through the Postfix relay server, mail.example.com.


Restrict Postfix SMTP Relay (smtpd_relay_restrictions)

  • Access restrictions for mail relay control that the Postfix SMTP server applies in the context of the RCPT TO command, before smtpd_recipient_restrictions
  • With Postfix versions before 2.10, the rules for relay permission and spam blocking were combined under smtpd_recipient_restrictions, resulting in error-prone configuration
  • As of Postfix 2.10, relay permission rules are preferably implemented with smtpd_relay_restrictions, so that a permissive spam blocking policy under smtpd_recipient_restrictions will no longer result in a permissive mail relay policy.

By default, the Postfix SMTP server accepts:

  • Mail from clients whose IP address matches $mynetworks, or:
  • Mail to remote destinations that match $relay_domains, except for addresses that contain sender-specified routing (user@elsewhere@domain), or:
  • Mail to local destinations that match $inet_interfaces or $proxy_interfaces, $mydestination, $virtual_alias_domains, or $virtual_mailbox_domains.


Blacklist a single IP address from using the relay server

We will use smtpd_relay_restrictions together with mynetworks to stop client-1.example.com from using this relay server.

Make the following changes on the relay server in /etc/postfix/main.cf

mynetworks = !192.168.43.48, 192.168.43.0/24, 127.0.0.0/8

Add the following (or modify the existing value if it is already defined in main.cf):

smtpd_relay_restrictions = permit_mynetworks, reject

Here we reject requests from any client that is not listed in mynetworks, and within mynetworks the client's own address is excluded with the "!pattern" syntax. Because the list is matched left to right and stops on the first match, the exclusion !192.168.43.48 must appear before the 192.168.43.0/24 entry that would otherwise match it; placed after the subnet it would never be reached.
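The matching rules above (left to right, first match wins, "!pattern" excludes) decide whether the exclusion in this main.cf actually takes effect. The following is an added Python example, not code from the tutorial or from Postfix itself: it models permit_mynetworks over a literal mynetworks value and flags exclusions that an earlier entry shadows. The function names are my own, and type:table lookups are assumed absent.

```python
import ipaddress

def parse_mynetworks(value):
    """Split a Postfix mynetworks value into (excluded, network) pairs.

    Entries are separated by commas and/or whitespace; a leading '!'
    excludes the block; a bare address is a single-host network.
    Assumption: only literal addresses and network/netmask patterns
    are present (no type:table lookups).
    """
    entries = []
    for token in value.replace(",", " ").split():
        excluded = token.startswith("!")
        network = ipaddress.ip_network(token.lstrip("!"), strict=False)
        entries.append((excluded, network))
    return entries

def mynetworks_permits(value, client_ip):
    """True if permit_mynetworks would accept client_ip.

    The list is matched left to right and the search stops on the first
    entry containing the address; a '!pattern' match means not trusted.
    """
    address = ipaddress.ip_address(client_ip)
    for excluded, network in parse_mynetworks(value):
        if address.version == network.version and address in network:
            return not excluded
    return False

def shadowed_exclusions(value):
    """'!' entries that can never take effect because an earlier positive
    entry already contains them (first match wins)."""
    shadowed, positives = [], []
    for excluded, network in parse_mynetworks(value):
        if not excluded:
            positives.append(network)
        elif any(network.version == p.version and network.subnet_of(p)
                 for p in positives):
            shadowed.append(str(network))
    return shadowed

if __name__ == "__main__":
    # Value from the tutorial: client-1 is excluded before its /24.
    good = "!192.168.43.48, 192.168.43.0/24, 127.0.0.0/8"
    # Same entries, wrong order: the /24 matches first, so the '!' is dead.
    bad = "192.168.43.0/24, !192.168.43.48, 127.0.0.0/8"
    for conf in (good, bad):
        print(conf, "-> permits 192.168.43.48:",
              mynetworks_permits(conf, "192.168.43.48"),
              "shadowed:", shadowed_exclusions(conf))
```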

Reload the postfix service

# systemctl reload postfix

Now we try to send mail from our client-1.example.com

# mail root@client-2.example.com
Subject: Test message
Check bounce
.
EOT

Logs on client-1.example.com

Aug 02 00:35:35 client-1.example.com postfix/smtp[926]: 970F25FDF4: to=<root@client-2.example.com>, relay=mail.example.com[192.168.43.154]:25, delay=0.44, delays=0.08/0/0.25/0.11, dsn=5.7.1, status=bounced (host mail.example.com[192.168.43.154] said: 554 5.7.1 <root@client-2.example.com>: Recipient address rejected: Access denied (in reply to RCPT TO command))

Logs on client-2.example.com

No logs on client-2.example.com, as the mail never reached it.

Logs on mail.example.com

Aug 02 11:13:10 mail.example.com postfix/smtpd[21642]: NOQUEUE: reject: RCPT from client-1[192.168.43.48]: 554 5.7.1 <root@client-2.example.com>: Recipient address rejected: Access denied; from=<root@client-1.example.com> to=<root@client-2.example.com> proto=ESMTP helo=<client-1.example.com>

So our configuration to blacklist single IP Address from using SMTP relay server is working as expected.
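To turn the reject line above into something a defender can act on, here is an added Python example (not part of the tutorial) that parses Postfix smtpd relay rejections from the maillog and counts them per client IP. The log lines are constructed to match the tutorial's format, and the function names and the threshold are my own choices.

```python
import re
from collections import Counter

# Postfix smtpd log line for a rejected RCPT TO, in the form shown above.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<host>\S+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) "
    r"<(?P<rcpt>[^>]*)>: (?P<reason>[^;]*); from=<(?P<sender>[^>]*)>"
)

# Constructed sample log lines modelled on the tutorial's maillog output.
SAMPLE_LOG = """\
Aug 02 11:13:10 mail.example.com postfix/smtpd[21642]: NOQUEUE: reject: RCPT from client-1[192.168.43.48]: 554 5.7.1 <root@client-2.example.com>: Recipient address rejected: Access denied; from=<root@client-1.example.com> to=<root@client-2.example.com> proto=ESMTP helo=<client-1.example.com>
Aug 02 11:13:12 mail.example.com postfix/smtpd[21642]: NOQUEUE: reject: RCPT from client-1[192.168.43.48]: 554 5.7.1 <user@example.net>: Recipient address rejected: Access denied; from=<root@client-1.example.com> to=<user@example.net> proto=ESMTP helo=<client-1.example.com>
Aug 02 11:14:01 mail.example.com postfix/smtpd[21650]: NOQUEUE: reject: RCPT from unknown[10.0.0.7]: 554 5.7.1 <root@client-2.example.com>: Recipient address rejected: Access denied; from=<nobody@example.org> to=<root@client-2.example.com> proto=ESMTP helo=<laptop>
Aug 02 11:10:56 mail.example.com postfix/smtp[21464]: A3EAD5FB32: to=<root@client-2.example.com>, relay=client-2.example.com[192.168.43.148]:25, delay=0.21, delays=0.03/0.04/0.1/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 85A1C5FBDC)
"""

def relay_rejects(log_text):
    """Yield one dict per relay rejection (DSN 5.7.1, as in the tutorial)."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m and m.group("dsn") == "5.7.1":
            yield m.groupdict()

def rejects_by_client(log_text):
    """Count relay rejections per client IP address."""
    return Counter(r["ip"] for r in relay_rejects(log_text))

def noisy_clients(log_text, threshold=2):
    """Client IPs rejected at least `threshold` times (threshold is my choice)."""
    counts = rejects_by_client(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for ip, n in rejects_by_client(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} rejected RCPT TO")
    print("clients over threshold:", noisy_clients(SAMPLE_LOG))
```

On a live server, feed it the output of `journalctl -u postfix --no-pager` or the contents of /var/log/maillog instead of SAMPLE_LOG.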


Allow a specific network to use the relay server

Similarly, we can modify the mynetworks value to allow a whole subnet to use our relay server for sending mail.

mynetworks = 192.168.43.0/24, 127.0.0.0/8

Now all IP addresses in the 192.168.43.0/24 subnet are allowed to use our relay server for sending mail.

Reload the Postfix service to activate the change:

# systemctl reload postfix

Now let's verify this configuration by sending mail from client-1.example.com:

Aug 01 13:14:21 client-1.example.com sendmail[10202]: 0717iL9A010202: to=root@mail.example.com, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30231, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (Ok: queued as 1E91F5FDDE)
Aug 01 13:14:21 client-1.example.com postfix/smtpd[10203]: disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Aug 01 13:14:21 client-1.example.com postfix/smtp[10207]: 1E91F5FDDE: to=<root@mail.example.com>, relay=mail.example.com[192.168.43.154]:25, delay=0.21, delays=0.06/0.04/0.08/0.03, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4B8745FCE3)

So this time the relay server allowed us to send mail from a client in the 192.168.43.0/24 subnet.


Conclusion

In this tutorial we learned how to allow or blacklist specific IP addresses or network ranges from using our Postfix relay server. You can modify the mynetworks value or use mynetworks_style to define your trusted networks. We may also choose to defer mails instead of rejecting them, so that the mail goes to the queue and is sent later.

Lastly, I hope the steps from this article to restrict access to the Postfix SMTP relay server for certain IP addresses or networks on Linux were helpful. Let me know your suggestions and feedback using the comment section.
