How to restrict IP Address to use postfix smtp relay

This tutorial covers the following questions:

  • How can I restrict my Postfix relay server so that it can be used only by certain IP addresses?
  • How can I restrict relay with Postfix to a certain IP network?
  • How can I allow only certain network addresses to send mail through the relay in Postfix?
  • How can I blacklist a certain network from accessing the Postfix relay server?


Lab Environment

I have set up my intranet Postfix relay server using named chroot DNS on CentOS 8 Linux. Below are the node details for the server and clients:

  • Postfix relay server: (
  • Postfix Client-1: (
  • Postfix Client-2: (

nslookup output for my relay server

# nslookup
Address:        canonical name =


Define subnets allowed to use smtp relay server

Postfix has two parameters that control which clients are permitted to relay:

  • mynetworks_style
  • mynetworks



mynetworks_style selects the method used to generate the default value for the mynetworks parameter, which is the list of trusted networks for relay access control etc.

  • Specify "mynetworks_style = host" when Postfix should "trust" only the local machine.
  • Specify "mynetworks_style = subnet" when Postfix should "trust" remote SMTP clients in the same IP subnetworks as the local machine.
  • Specify "mynetworks_style = class" when Postfix should "trust" remote SMTP clients in the same IP class A/B/C networks as the local machine.



  • mynetworks is the list of "trusted" remote SMTP clients that have more privileges than "strangers".
  • In particular, "trusted" SMTP clients are allowed to relay mail through Postfix.
  • You can specify the list of "trusted" network addresses by hand or you can let Postfix do it for you (which is the default).
  • If you specify the mynetworks list by hand, Postfix ignores the mynetworks_style setting.
  • Specify a list of network addresses or network/netmask patterns, separated by commas and/or whitespace. Continue long lines by starting the next line with whitespace.
  • The list is matched left to right, and the search stops on the first match.
  • Specify "!pattern" to exclude an address or network block from the list.

For example:

mynetworks =
mynetworks = !,
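
The matching rules listed above (left to right, first match wins, "!pattern" excludes) make the position of an exclusion significant. The following is an added example, not part of the original tutorial and not Postfix code: a simplified Python model of those rules that covers only literal address and network/netmask patterns (no file or table lookups) and uses constructed RFC 5737 documentation addresses.

```python
import ipaddress
import re

def parse_mynetworks(value):
    """Split on commas and/or whitespace; return (negated, network) pairs."""
    entries = []
    for token in re.split(r"[,\s]+", value.strip()):
        if not token:
            continue
        negated = token.startswith("!")
        # Postfix writes IPv6 patterns as [addr]/len; drop the brackets.
        pattern = token.lstrip("!").replace("[", "").replace("]", "")
        entries.append((negated, ipaddress.ip_network(pattern, strict=False)))
    return entries

def is_trusted(client_ip, value):
    """Left to right, first match wins; a '!pattern' match means not trusted."""
    addr = ipaddress.ip_address(client_ip)
    for negated, net in parse_mynetworks(value):
        if addr.version == net.version and addr in net:
            return not negated
    return False  # no entry matched: the client is a "stranger"

def shadowed_exclusions(value):
    """'!pattern' entries that can never match because an earlier
    positive entry already covers the same addresses."""
    allowed, dead = [], []
    for negated, net in parse_mynetworks(value):
        if not negated:
            allowed.append(net)
        elif any(a.version == net.version and net.subnet_of(a) for a in allowed):
            dead.append("!" + str(net))
    return dead

# Constructed sample values (RFC 5737 documentation addresses).
EXCLUDE_FIRST = "!192.0.2.25, 192.0.2.0/24, 127.0.0.0/8"
EXCLUDE_LATE = "192.0.2.0/24, !192.0.2.25, 127.0.0.0/8"

if __name__ == "__main__":
    for name, value in (("exclude first", EXCLUDE_FIRST), ("exclude late", EXCLUDE_LATE)):
        print(name, "->", is_trusted("192.0.2.25", value), shadowed_exclusions(value))
```

With the exclusion listed after the subnet that contains it, the excluded client is still trusted, so a review of mynetworks should check that every "!" entry precedes the network it carves out.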


Existing behaviour before implementing restriction

In my environment, the relay server is currently configured to allow the following subnets:

mynetworks =,

Let us send a mail from to using our relay server

# mail
Subject: Test message

Logs on

Aug 02 00:33:09 postfix/smtp[926]: 2C14D5FDFA: to=<>,[]:25, delay=0.51, delays=0.12/0.12/0.21/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as A3EAD5FB32)

Logs on

Aug 02 11:10:56 postfix/smtp[21464]: A3EAD5FB32: to=<>,[]:25, delay=0.21, delays=0.03/0.04/0.1/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 85A1C5FBDC)

Logs on

Aug 02 00:33:09 postfix/local[21349]: 85A1C5FBDC: to=<>, relay=local, delay=0.08, delays=0.04/0/0/0.04, dsn=2.0.0, status=sent (delivered to maildir)

So our mail was successfully sent using my postfix relay server i.e.


Restrict Postfix SMTP Relay (smtpd_relay_restrictions)

  • Access restrictions for mail relay control that the Postfix SMTP server applies in the context of the RCPT TO command, before smtpd_recipient_restrictions
  • With Postfix versions before 2.10, the rules for relay permission and spam blocking were combined under smtpd_recipient_restrictions, resulting in error-prone configuration
  • As of Postfix 2.10, relay permission rules are preferably implemented with smtpd_relay_restrictions, so that a permissive spam blocking policy under smtpd_recipient_restrictions will no longer result in a permissive mail relay policy.

By default, the Postfix SMTP server accepts:

  • Mail from clients whose IP address matches $mynetworks, or:
  • Mail to remote destinations that match $relay_domains, except for addresses that contain sender-specified routing (user@elsewhere@domain), or:
  • Mail to local destinations that match $inet_interfaces or $proxy_interfaces, $mydestination, $virtual_alias_domains, or $virtual_mailbox_domains.


Blacklist single IP Address to access relay server

We will use smtpd_relay_restrictions to restrict from using this relay server

Make the following changes on the relay server in /etc/postfix/

mynetworks = !,,

Add the following (Or modify the existing value if already defined in

smtpd_relay_restrictions = permit_mynetworks, reject

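Here smtpd_relay_restrictions rejects relay requests from any client that is not matched by mynetworks. In mynetworks I have additionally blacklisted my client's IP address with a "!" entry, which is placed first because the list is matched left to right and the search stops on the first match.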

Reload the postfix service

# systemctl reload postfix

Now we try to send mail from our

# mail
Subject: Test message
Check bounce

Logs on

Aug 02 00:35:35 postfix/smtp[926]: 970F25FDF4: to=<>,[]:25, delay=0.44, delays=0.08/0/0.25/0.11, dsn=5.7.1, status=bounced (host[] said: 554 5.7.1 <>: Recipient address rejected: Access denied (in reply to RCPT TO command))

Logs on

No logs on as the mail did not reach here

Logs on

Aug 02 11:13:10 postfix/smtpd[21642]: NOQUEUE: reject: RCPT from client-1[]: 554 5.7.1 <>: Recipient address rejected: Access denied; from=<> to=<> proto=ESMTP helo=<>

So our configuration to blacklist single IP Address from using SMTP relay server is working as expected.
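
The NOQUEUE reject line shown above is what to watch for when monitoring denied relay attempts. The following is an added example, not part of the original tutorial: a Python sketch that tallies "Access denied" rejections per client IP. The log lines, hostnames and addresses in it are constructed, and the threshold is an assumption.

```python
import re
from collections import Counter

# Matches the smtpd reject format shown in the relay server log above.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) "
    r"(?P<dsn>\d\.\d+\.\d+) <(?P<rcpt>[^>]*)>: (?P<reason>[^;]+);"
)

# Constructed sample log (not taken from the tutorial's servers).
SAMPLE_LOG = """\
Aug 02 11:13:10 relay postfix/smtpd[21642]: NOQUEUE: reject: RCPT from client-1[192.0.2.25]: 554 5.7.1 <user@example.com>: Recipient address rejected: Access denied; from=<root@client-1.example.com> to=<user@example.com> proto=ESMTP helo=<client-1.example.com>
Aug 02 11:13:42 relay postfix/smtpd[21642]: NOQUEUE: reject: RCPT from client-1[192.0.2.25]: 554 5.7.1 <admin@example.com>: Recipient address rejected: Access denied; from=<root@client-1.example.com> to=<admin@example.com> proto=ESMTP helo=<client-1.example.com>
Aug 02 11:14:05 relay postfix/smtpd[21650]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <user@example.com>: Recipient address rejected: Access denied; from=<x@example.net> to=<user@example.com> proto=ESMTP helo=<mail.example.net>
Aug 02 11:15:00 relay postfix/smtp[21464]: A3EAD5FB32: to=<user@example.com>, relay=mx.example.com[203.0.113.10]:25, delay=0.21, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 85A1C5FBDC)
"""

def relay_denials(log_text):
    """Count 'Access denied' (DSN 5.7.1) RCPT rejections per client IP."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m and m.group("dsn") == "5.7.1" and "Access denied" in m.group("reason"):
            hits[m.group("ip")] += 1
    return hits

def noisy_clients(hits, threshold=2):
    """Client IPs with at least `threshold` denials (threshold is an assumption)."""
    return sorted(ip for ip, count in hits.items() if count >= threshold)

if __name__ == "__main__":
    counts = relay_denials(SAMPLE_LOG)
    for ip, count in counts.most_common():
        print(ip, count)
    print("repeat offenders:", noisy_clients(counts))
```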


Allow specific network address to use relay server

Similarly, we can modify the mynetworks value to allow entire network subnets to use our relay server for sending mail.

mynetworks =,

Now we allow all the IP addresses in subnet to use our relay server for sending mail.

Reload the postfix service to activate our changes

# systemctl reload postfix

Now let's verify this configuration by sending mail from our

Aug 01 13:14:21 sendmail[10202]: 0717iL9A010202:, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30231, relay=[] [], dsn=2.0.0, stat=Sent (Ok: queued as 1E91F5FDDE)
Aug 01 13:14:21 postfix/smtpd[10203]: disconnect from localhost[] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Aug 01 13:14:21 postfix/smtp[10207]: 1E91F5FDDE: to=<>,[]:25, delay=0.21, delays=0.06/0.04/0.08/0.03, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4B8745FCE3)

So this time the relay server allowed us to send mail from the client in subnet



In this tutorial we learned how to allow or blacklist specific IP addresses or networks from using our Postfix relay server. You can modify the mynetworks value or use mynetworks_style to define your trusted networks. We may also choose to defer the mail instead of rejecting it, so that the mail goes to the queue and will be sent later.

Lastly, I hope the steps in this article to restrict access to a Postfix SMTP relay server for certain IP addresses or networks on Linux were helpful. Let me know your suggestions and feedback using the comment section.


