In this tutorial we will cover the following questions:
- How can I restrict my Postfix relay server so that only certain IP addresses can use it?
- How can I restrict relaying with Postfix to a certain IP network?
- How can I allow only certain network addresses to send mails through the Postfix relay?
- How can I blacklist a certain network from accessing the Postfix relay server?
Lab Environment
I have set up my intranet Postfix relay server using named chroot DNS on CentOS 8 Linux. Below are the node details for the server and the clients:
- Postfix relay server: 192.168.43.154 (mail.example.com)
- Postfix Client-1: 192.168.43.48 (client-1.example.com)
- Postfix Client-2: 192.168.43.148 (client-2.example.com)
nslookup output for my relay server
# nslookup mail.example.com
Server: 192.168.43.154
Address: 192.168.43.154#53
mail.example.com canonical name = server.example.com.
Name: server.example.com
Address: 192.168.43.154
Define subnets allowed to use smtp relay server
In Postfix, two parameters control which clients are permitted to relay:
- mynetworks_style
- mynetworks
mynetworks_style
The method to generate the default value for the mynetworks parameter. This is the list of trusted networks for relay access control etc.
- Specify "mynetworks_style = host" when Postfix should "trust" only the local machine.
- Specify "mynetworks_style = subnet" when Postfix should "trust" remote SMTP clients in the same IP subnetworks as the local machine.
- Specify "mynetworks_style = class" when Postfix should "trust" remote SMTP clients in the same IP class A/B/C networks as the local machine.
mynetworks
- The list of "trusted" remote SMTP clients that have more privileges than "strangers".
- In particular, "trusted" SMTP clients are allowed to relay mail through Postfix.
- You can specify the list of "trusted" network addresses by hand or you can let Postfix do it for you (which is the default).
- If you specify the mynetworks list by hand, Postfix ignores the mynetworks_style setting.
- Specify a list of network addresses or network/netmask patterns, separated by commas and/or whitespace. Continue long lines by starting the next line with whitespace.
- The list is matched left to right, and the search stops on the first match.
- Specify "!pattern" to exclude an address or network block from the list.
For example:
mynetworks = 127.0.0.0/8 168.100.189.0/28
mynetworks = !192.168.0.1, 192.168.0.0/28
Existing behaviour before implementing restriction
In my environment the relay server is currently configured to allow the following subnets:
mynetworks = 192.168.43.0/24, 127.0.0.0/8
Let us send a mail from client-1.example.com to client-2.example.com using our relay server mail.example.com
# mail root@client-2.example.com
Subject: Test message
Hello
.
EOT
Logs on client-1.example.com
Aug 02 00:33:09 client-1.example.com postfix/smtp[926]: 2C14D5FDFA: to=<root@client-2.example.com>, relay=mail.example.com[192.168.43.154]:25, delay=0.51, delays=0.12/0.12/0.21/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as A3EAD5FB32)
Logs on mail.example.com
Aug 02 11:10:56 mail.example.com postfix/smtp[21464]: A3EAD5FB32: to=<root@client-2.example.com>, relay=client-2.example.com[192.168.43.148]:25, delay=0.21, delays=0.03/0.04/0.1/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 85A1C5FBDC)
Logs on client-2.example.com
Aug 02 00:33:09 client-2.example.com postfix/local[21349]: 85A1C5FBDC: to=<root@client-2.example.com>, relay=local, delay=0.08, delays=0.04/0/0/0.04, dsn=2.0.0, status=sent (delivered to maildir)
So our mail was successfully sent through our Postfix relay server, mail.example.com.
Restrict Postfix SMTP Relay (smtpd_relay_restrictions)
- Access restrictions for mail relay control that the Postfix SMTP server applies in the context of the RCPT TO command, before smtpd_recipient_restrictions.
- With Postfix versions before 2.10, the rules for relay permission and spam blocking were combined under smtpd_recipient_restrictions, resulting in error-prone configuration.
- As of Postfix 2.10, relay permission rules are preferably implemented with smtpd_relay_restrictions, so that a permissive spam blocking policy under smtpd_recipient_restrictions will no longer result in a permissive mail relay policy.
By default, the Postfix SMTP server accepts:
- Mail from clients whose IP address matches $mynetworks, or:
- Mail to remote destinations that match $relay_domains, except for addresses that contain sender-specified routing (user@elsewhere@domain), or:
- Mail to local destinations that match $inet_interfaces or $proxy_interfaces, $mydestination, $virtual_alias_domains, or $virtual_mailbox_domains.
Blacklist single IP Address to access relay server
We will use smtpd_relay_restrictions to restrict client-1.example.com from using this relay server.
Make the following changes on the relay server in /etc/postfix/main.cf
mynetworks = !192.168.43.48, 192.168.43.0/24, 127.0.0.0/8
The blacklisted IP address must be placed before 192.168.43.0/24, because Postfix performs the lookup left to right: if 192.168.43.0/24 were placed before the blacklisted IP, the client's IP would match the 192.168.43.0/24 subnet first and relaying would be allowed, so our setting would not work.
Add the following (or modify the existing value if already defined in main.cf):
smtpd_relay_restrictions = permit_mynetworks, reject
So here we are rejecting requests from any network other than what is defined in mynetworks, and additionally in mynetworks I have blacklisted my client's IP address.
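To see why the order of the mynetworks patterns matters (the "!pattern" exclusion rule described above and the blacklist entry just configured), here is an added Python example that is not from the tutorial or from Postfix itself: it emulates the left-to-right, first-match evaluation of permit_mynetworks for plain IP addresses and CIDR blocks (hostnames, table lookups and other Postfix pattern forms are deliberately not handled) and compares the working order against the shadowed one.

```python
import ipaddress

def parse_mynetworks(value):
    """Split a Postfix mynetworks value (commas and/or whitespace) into
    (negated, network) pairs, preserving the left-to-right order."""
    patterns = []
    for token in value.replace(",", " ").split():
        negated = token.startswith("!")
        if negated:
            token = token[1:]
        # A bare address such as 192.168.43.48 is treated as a single host (/32).
        patterns.append((negated, ipaddress.ip_network(token, strict=False)))
    return patterns

def mynetworks_permits(value, client_ip):
    """Emulate permit_mynetworks: the first matching pattern wins, a '!'
    match excludes the client, and no match at all means 'not trusted'."""
    ip = ipaddress.ip_address(client_ip)
    for negated, net in parse_mynetworks(value):
        if ip in net:
            return not negated
    return False

# Constructed demo values using the tutorial's lab network
GOOD = "!192.168.43.48, 192.168.43.0/24, 127.0.0.0/8"    # exclusion listed first
WRONG = "192.168.43.0/24, !192.168.43.48, 127.0.0.0/8"   # exclusion shadowed by the /24

if __name__ == "__main__":
    for label, value in (("good", GOOD), ("wrong", WRONG)):
        for ip in ("192.168.43.48", "192.168.43.148", "127.0.0.1", "10.0.0.5"):
            verdict = "permit" if mynetworks_permits(value, ip) else "reject"
            print(f"{label:5} {ip:15} -> {verdict}")
```

With the GOOD order client-1 is rejected and client-2 is still permitted; with the WRONG order client-1 slips through because the /24 matches first.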
Reload the postfix service
# systemctl reload postfix
Now we try to send mail from our client-1.example.com
# mail root@client-2.example.com
Subject: Test message
Check bounce
.
EOT
Logs on client-1.example.com
Aug 02 00:35:35 client-1.example.com postfix/smtp[926]: 970F25FDF4: to=<root@client-2.example.com>, relay=mail.example.com[192.168.43.154]:25, delay=0.44, delays=0.08/0/0.25/0.11, dsn=5.7.1, status=bounced (host mail.example.com[192.168.43.154] said: 554 5.7.1 <root@client-2.example.com>: Recipient address rejected: Access denied (in reply to RCPT TO command))
Logs on client-2.example.com
No logs on client-2.example.com, as the mail didn't reach it.
Logs on mail.example.com
Aug 02 11:13:10 mail.example.com postfix/smtpd[21642]: NOQUEUE: reject: RCPT from client-1[192.168.43.48]: 554 5.7.1 <root@client-2.example.com>: Recipient address rejected: Access denied; from=<root@client-1.example.com> to=<root@client-2.example.com> proto=ESMTP helo=<client-1.example.com>
So our configuration to blacklist single IP Address from using SMTP relay server is working as expected.
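The NOQUEUE reject line on mail.example.com is the record a defender should watch to confirm the restriction is biting and to spot unexpected hosts hitting the relay. As an added example (not part of the tutorial), the Python snippet below pulls the denied clients out of such log lines; the first sample line is the reject shown above, the second is the earlier successful relay (which must be ignored), and the third is a constructed reject from an outside address.

```python
import re
from collections import defaultdict

# Matches the smtpd line Postfix writes when smtpd_relay_restrictions denies a RCPT TO
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) (?P<dsn>\S+) "
    r"<(?P<rcpt>[^>]*)>: (?P<reason>[^;]+);"
)

# Sample log lines: line 1 is from the tutorial, lines 2 and 3 are constructed for this example
SAMPLE_LOG = """\
Aug 02 11:13:10 mail.example.com postfix/smtpd[21642]: NOQUEUE: reject: RCPT from client-1[192.168.43.48]: 554 5.7.1 <root@client-2.example.com>: Recipient address rejected: Access denied; from=<root@client-1.example.com> to=<root@client-2.example.com> proto=ESMTP helo=<client-1.example.com>
Aug 02 11:10:56 mail.example.com postfix/smtp[21464]: A3EAD5FB32: to=<root@client-2.example.com>, relay=client-2.example.com[192.168.43.148]:25, delay=0.21, delays=0.03/0.04/0.1/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 85A1C5FBDC)
Aug 02 11:15:02 mail.example.com postfix/smtpd[21650]: NOQUEUE: reject: RCPT from unknown[10.0.0.5]: 554 5.7.1 <bob@example.org>: Recipient address rejected: Access denied; from=<someone@example.test> to=<bob@example.org> proto=ESMTP helo=<unknown>
"""

def relay_rejections(log_text):
    """Group relay denials by client IP: the client name Postfix logged, how many
    RCPT TO commands were refused, and which recipients were attempted."""
    denied = defaultdict(lambda: {"host": None, "count": 0, "recipients": []})
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m or not m.group("reason").startswith("Recipient address rejected"):
            continue  # not a relay denial (successful deliveries, other rejects)
        entry = denied[m.group("ip")]
        entry["host"] = m.group("host")
        entry["count"] += 1
        entry["recipients"].append(m.group("rcpt"))
    return dict(denied)

if __name__ == "__main__":
    for ip, info in relay_rejections(SAMPLE_LOG).items():
        print(f"{ip} ({info['host']}): {info['count']} denied -> {', '.join(info['recipients'])}")
```

Feeding /var/log/maillog through the same function on the relay server lists every client the restriction turned away, so a blacklisted host that still appears, or an address outside 192.168.43.0/24 that appears repeatedly, stands out immediately.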
Allow specific network address to use relay server
Similarly we can modify the mynetworks value to allow whole network subnets to use our relay server for sending mails.
mynetworks = 192.168.43.0/24, 127.0.0.0/8
Now we allow all the IP addresses in the 192.168.43.0/24 subnet to use our relay server for sending mails.
Reload the postfix service to activate our changes
# systemctl reload postfix
Now let's verify this configuration by sending mail from our client-1.example.com
Aug 01 13:14:21 client-1.example.com sendmail[10202]: 0717iL9A010202: to=root@mail.example.com, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30231, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (Ok: queued as 1E91F5FDDE)
Aug 01 13:14:21 client-1.example.com postfix/smtpd[10203]: disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Aug 01 13:14:21 client-1.example.com postfix/smtp[10207]: 1E91F5FDDE: to=<root@mail.example.com>, relay=mail.example.com[192.168.43.154]:25, delay=0.21, delays=0.06/0.04/0.08/0.03, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4B8745FCE3)
So this time the relay server allowed us to send mail from the client in the 192.168.43.0/24 subnet.
Conclusion
In this tutorial we learned to allow or blacklist a specified range of IP addresses or networks from using our Postfix relay server. You can modify the mynetworks value or use mynetworks_style to define your network. We may also choose to defer the mails instead of rejecting them, so that the mail goes to the queue and will be sent later.
Lastly, I hope the steps from this article to restrict access to a Postfix SMTP relay server for certain IP addresses or networks on Linux were helpful. So, let me know your suggestions and feedback using the comment section.