From bb9ce4fb57afbc595eb2576f589c1b8ea0d070f7 Mon Sep 17 00:00:00 2001
From: Bombar Maxime
Date: Sun, 17 May 2020 13:28:32 +0200
Subject: [PATCH] [Postfix] Allows to filter connection to smtp based on client IP.
---
 roles/postfix/handlers/main.yml | 1 +
 roles/postfix/tasks/main.yml | 1 +
 roles/postfix/templates/postfix/client_checks.j2 | 3 +++
 roles/postfix/templates/postfix/main.cf.j2 | 10 ++++++++++
 roles/postfix/templates/postfix/master.cf.j2 | 9 ++++++---
 .../templates/postfix/postscreen_access.cidr.j2 | 3 +++
 6 files changed, 24 insertions(+), 3 deletions(-)
 create mode 100644 roles/postfix/templates/postfix/client_checks.j2
diff --git a/roles/postfix/handlers/main.yml b/roles/postfix/handlers/main.yml
index c3ed56a0..e705858e 100644
--- a/roles/postfix/handlers/main.yml
+++ b/roles/postfix/handlers/main.yml
@@ -6,3 +6,4 @@
 - /etc/postfix/recipient_access
 - /etc/postfix/sender_login_maps
 - /etc/postfix/transport
+ - /etc/postfix/client_checks
diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml
index 2320a253..1144cecb 100644
--- a/roles/postfix/tasks/main.yml
+++ b/roles/postfix/tasks/main.yml
@@ -24,5 +24,6 @@
 - sender_login_maps
 - postscreen_access.cidr
 - sasl/smtpd.conf
+ - client_checks
 notify:
 - generate postmaps
diff --git a/roles/postfix/templates/postfix/client_checks.j2 b/roles/postfix/templates/postfix/client_checks.j2
new file mode 100644
index 00000000..7b4fced4
--- /dev/null
+++ b/roles/postfix/templates/postfix/client_checks.j2
@@ -0,0 +1,3 @@
+{{ ansible_header | comment }}
+
+185.50.149.0/24 REJECT Spammers are not welcome here!
diff --git a/roles/postfix/templates/postfix/main.cf.j2 b/roles/postfix/templates/postfix/main.cf.j2
index 98dede97..bcc1d5bb 100644
--- a/roles/postfix/templates/postfix/main.cf.j2
+++ b/roles/postfix/templates/postfix/main.cf.j2
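Review bot: `/etc/postfix/client_checks` is consumed by Postfix as a `cidr:` table (main.cf references it as `cidr:/etc/postfix/client_checks`), and cidr tables are read straight from the text file when an smtpd process starts, so listing it here is unnecessary if this handler list drives `postmap`, as the `notify: - generate postmaps` in the tasks hunk suggests; the same applies to the `client_checks` entry added in tasks/main.yml. The existing `postscreen_access.cidr` template is listed in tasks but absent from the visible handler list, which is the consistent treatment for a cidr table. Running `postmap` on the file is harmless but leaves a stray `.db` next to the table that later readers may mistake for the active copy; a one-line comment in the handler such as `# cidr: tables (postscreen_access.cidr, client_checks) need no postmap` would record the distinction.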
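Review bot: The blocked network `185.50.149.0/24` is hard-coded in this new template and repeated verbatim in postscreen_access.cidr.j2 (last hunk of the patch), so the two lists will drift the first time one of them is edited. Rendering both files from a single role variable holding a list of network/action pairs (name to be chosen) with a Jinja `for` loop would keep them in step, and the variable's documentation can carry the reason each network is listed. A comment line in this file stating that it is consulted via `check_client_access cidr:` both from `smtpd_helo_restrictions` in main.cf and from `submission_client_restrictions` would also tell the next maintainer which listeners an entry affects.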
@@ -117,6 +117,16 @@ smtpd_helo_required = yes
 smtpd_helo_restrictions = permit_mynetworks
 reject_invalid_helo_hostname
 reject_non_fqdn_helo_hostname
+# Vérifie que le client n'est pas dans un / d'ips blacklistées
+ check_client_access cidr:/etc/postfix/client_checks
+{% endif %}
+{% if postfix.primary %}
+submission_client_restrictions =
+ check_client_access cidr:/etc/postfix/client_checks
+submission_relay_restrictions =
+ permit_sasl_authenticated
+ reject
+
 {% endif %}
 ## Limitation des messages envoyés par minute
 # On n'ignore que les messages venant d'adresses "protégées"
diff --git a/roles/postfix/templates/postfix/master.cf.j2 b/roles/postfix/templates/postfix/master.cf.j2
index 791ca805..a2792718 100644
--- a/roles/postfix/templates/postfix/master.cf.j2
+++ b/roles/postfix/templates/postfix/master.cf.j2
@@ -87,14 +87,17 @@ dnsblog unix - - - - 0 dnsblog
 submission inet n - - - - smtpd
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
- -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+ -o smtpd_delay_reject=no
+ -o smtpd_client_restrictions=$submission_client_restrictions
+ -o smtpd_relay_restrictions=$submission_relay_restrictions
 -o milter_macro_daemon_name=ORIGINATING
 smtps inet n - - - - smtpd
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
- -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+ -o smtpd_delay_reject=no
+ -o smtpd_client_restrictions=$submission_client_restrictions
+ -o smtpd_relay_restrictions=$submission_relay_restrictions
 {% endif %}
-#628 inet n - - - - qmqpd
 pickup fifo n - - 60 1 pickup
 cleanup unix n - - - 0 cleanup
 qmgr fifo n - - 300 1 qmgr
diff --git a/roles/postfix/templates/postfix/postscreen_access.cidr.j2 b/roles/postfix/templates/postfix/postscreen_access.cidr.j2
index fb8869f5..14dde5ec 100644
--- a/roles/postfix/templates/postfix/postscreen_access.cidr.j2
+++ b/roles/postfix/templates/postfix/postscreen_access.cidr.j2
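Review bot: `submission_client_restrictions` and `submission_relay_restrictions` are defined only inside `{% if postfix.primary %}`, while the master.cf lines `-o smtpd_relay_restrictions=$submission_relay_restrictions` reference them from whatever Jinja block encloses the submission/smtps services there, which is not visible in this patch. If the two conditions ever differ, Postfix (as far as I recall) expands an undefined `$name` to an empty value with only a logged warning, and an empty `smtpd_relay_restrictions` on submission would remove the `permit_sasl_authenticated, reject` guard that the replaced `smtpd_client_restrictions` line used to enforce. Defining both parameters unconditionally, with a `reject`-only value for non-primary hosts, or adding a comment such as `# referenced by -o in master.cf (submission/smtps); must exist whenever those services do` closes or at least documents that gap. The `+{% endif %}` after the first `check_client_access` line closes an `{% if %}` that starts outside the hunk, so the port-25 HELO-stage check is itself conditional on something not shown here.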
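Review bot: `-o smtpd_delay_reject=no` on submission and smtps is what forced the SASL permit out of `smtpd_client_restrictions` and into `smtpd_relay_restrictions`: with delay_reject off the client list is evaluated at CONNECT, before any AUTH, so `permit_sasl_authenticated` there could never match and the old one-liner would have rejected everyone. That coupling is not obvious from the three `-o` lines and deserves a comment on each service, e.g. `# delay_reject=no: client restrictions run at CONNECT (before AUTH); the SASL permit lives in $submission_relay_restrictions`. The same blocking of listed networks would also work under the default delay setting, since `check_client_access` fires at RCPT TO as well; the choice made here trades an earlier 554 greeting against the reject-at-RCPT behaviour clients expect, and that trade-off is worth stating in the commit or the comment. The removal of the commented-out `#628 ... qmqpd` line is unrelated to the subject and would be clearer as its own commit.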
@@ -59,3 +59,6 @@
 # Non, nous ne voulons pas traiter l'alcoolisme à l'insu du patient.
 94.242.206.15 reject
 91.188.222.33 reject
+
+# Et les russes ils dégagent aussi
+185.50.149.0/24 reject
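Review bot: Since postscreen only fronts the port-25 smtp listener, this entry rejects the network at connect for inbound mail, while the identical entry in the new client_checks table is what covers submission and smtps; neither file says so, and the duplication will look accidental to the next reader. A comment on the new entry, e.g. `# Same range is listed in client_checks (submission/smtps): keep both in sync`, would explain it, and generating both files from one role variable would remove the need to remember it at all.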