[Postfix] Allows to filter connection to smtp based on client IP.

2020-05-17 13:28:32 +02:00 · 2020-05-17 13:28:32 +02:00 · bb9ce4fb57
parent 9f15e2115c
commit bb9ce4fb57
6 changed files with 24 additions and 3 deletions
--- a/roles/postfix/handlers/main.yml
+++ b/roles/postfix/handlers/main.yml
@ -6,3 +6,4 @@
    - /etc/postfix/recipient_access
    - /etc/postfix/sender_login_maps
    - /etc/postfix/transport
+    - /etc/postfix/client_checks
--- a/roles/postfix/tasks/main.yml
+++ b/roles/postfix/tasks/main.yml
@ -24,5 +24,6 @@
    - sender_login_maps
    - postscreen_access.cidr
    - sasl/smtpd.conf
+    - client_checks
  notify:
    - generate postmaps
--- a/roles/postfix/templates/postfix/client_checks.j2
+++ b/roles/postfix/templates/postfix/client_checks.j2
@ -0,0 +1,3 @@
+{{ ansible_header | comment }}
+
+185.50.149.0/24 REJECT Spammers are not welcome here!
--- a/roles/postfix/templates/postfix/main.cf.j2
+++ b/roles/postfix/templates/postfix/main.cf.j2
@ -117,6 +117,16 @@ smtpd_helo_required = yes
 smtpd_helo_restrictions = permit_mynetworks
                          reject_invalid_helo_hostname
                          reject_non_fqdn_helo_hostname
+# Vérifie que le client n'est pas dans un / d'ips blacklistées
+                          check_client_access cidr:/etc/postfix/client_checks
+{% endif %}
+{% if postfix.primary %}
+submission_client_restrictions =
+			  check_client_access cidr:/etc/postfix/client_checks
+submission_relay_restrictions =
+			  permit_sasl_authenticated
+			  reject
+
 {% endif %}
 ## Limitation des messages envoyés par minute
 # On n'ignore que les messages venant d'adresses "protégées"
--- a/roles/postfix/templates/postfix/master.cf.j2
+++ b/roles/postfix/templates/postfix/master.cf.j2
@ -87,14 +87,17 @@ dnsblog   unix  -       -       -       -       0       dnsblog
 submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
-  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+  -o smtpd_delay_reject=no
+  -o smtpd_client_restrictions=$submission_client_restrictions
+  -o smtpd_relay_restrictions=$submission_relay_restrictions
  -o milter_macro_daemon_name=ORIGINATING
 smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
-  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+  -o smtpd_delay_reject=no
+  -o smtpd_client_restrictions=$submission_client_restrictions
+  -o smtpd_relay_restrictions=$submission_relay_restrictions
 {% endif %}
-#628      inet  n       -       -       -       -       qmqpd
 pickup    fifo  n       -       -       60      1       pickup
 cleanup   unix  n       -       -       -       0       cleanup
 qmgr      fifo  n       -       -       300     1       qmgr
--- a/roles/postfix/templates/postfix/postscreen_access.cidr.j2
+++ b/roles/postfix/templates/postfix/postscreen_access.cidr.j2
@ -59,3 +59,6 @@
 # Non, nous ne voulons pas traiter l'alcoolisme à l'insu du patient.
 94.242.206.15                             reject
 91.188.222.33                             reject
+
+# Et les russes ils dégagent aussi
+185.50.149.0/24                           reject