# [solved] postfix / restrict incoming mailserver connection

## Teardrop

I have looked around the forum for a few hours but haven't found the right answer to my problem.

What I want to do:

Restrict my postfix server from accepting mail only from a certain IP range of mail servers (anti-spam solution) but still accepting authenticated connections from clients outside my network.

At the moment I restricted the SMTP connections on my firewall to the certain IP range but that rejects the authenticated clients too...

Thanks for your help in pointing me in the right direction.

best regards,

teardrop

Last edited by Teardrop on Mon Jun 02, 2008 8:48 pm; edited 1 time in total

----------

## vad3r

Your answer may be "smtpd_recipient_restrictions". Check official documentation or "man 5 postconf" for more details.

----------

## Teardrop

Hello

Thank you for your answer. I checked the specific document but I am not sure if that is really what I want. Because atm I have the following restrictions applied:

```
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
```

But still every email server can send me emails directly. Now I just want that one mail server (let's say it's antispam.server.com) can send or relay all its emails (because it collects all of them) to my server. Atm I block everything else on my firewall but that is no permanent solution because the permit_sasl_authenticated is blocked in this case too. Perhaps the solution is there but I didn't find it. Any more help would be appreciated.

Thank you very much.

Best regards,

Teardrop

----------

## jmbsvicetto

Hi.

From your description, you might want to change the MX record for your domain to point to your "antispam.server.com" server. You seem to want to block connections to your SMTP port - which is expected for a mail server.

----------

## Teardrop

Hi jmbsvicetto

It already is pointing to that server (or better range of servers) and those servers are delivering it to my server. Now I want that my server only accepts connections to the SMTP port from those servers (to receive mail) AND successfully authenticated users so that they can send their email over my server. The first alone would be easy to accomplish with an iptables rule for port 25 but it blocks the authenticated user, which isn't really what I want.

best regards,

Teardrop

----------

## jmbsvicetto

If I'm understanding you correctly, you can't do that.

In order to be able to authenticate users, you first need to allow them to connect. Thus, you can't prevent people from connecting to the SMTP port. If you really don't want outside connections unless from certain users, the only choice I see is for you to have a VPN server that allows those users to connect locally to the server.

----------

## Teardrop

Strange, so I can restrict who can send (relay) email over my server but I can't restrict from whom I want to receive email? Perfect would be something similar to $my_networks where I can just put in the servers I want to receive emails from and the rest would be declined. But if you say so, in that case it isn't possible, so I have to think of another solution. It must be possible somehow.

Thank you very much anyway for your insight.

Best regards,

Teardrop

----------

## Mr.C.

You can use your firewall access rules to allow only certain IPs to access your mail server.

You can use check_client_access to whitelist certain IPs and reject all others:

```
man 5 postconf | less +/check_client_access
```

----------

## Teardrop

Thanks for that tip. Firewall is a no-go (I have it like this atm) because I still want the authenticated users to be able to send email from their laptops wherever they are (changing IP) but I will look into the check_client_access. That sounds promising with something like "permit_authenticated permit_mynetworks check_client_access reject_rest". Will post my result.

Best regards.

Teardrop

----------

## Mr.C.

Set up the submission port (587) for your authenticating users.

Make sure not to create an open relay inadvertently when you set up your client_checks. See:

http://www.postfix.org/SMTPD_ACCESS_README.html#danger

MrC

----------

## Teardrop

Perfect idea. Did it. Is working perfect now. Thx a lot.

best regards,

Teardrop

----------
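The setup the thread converges on, written out as an added example that is not taken from any poster's configuration: port 25 accepts only the filtering relays via check_client_access, and roaming users authenticate on the submission port. The file path mx_clients.cidr and the 192.0.2.0/24 range are placeholders, and it assumes SASL and a TLS certificate are already configured.

```conf
# --- /etc/postfix/mx_clients.cidr (constructed example) ---
# 192.0.2.0/24 is a placeholder for the antispam.server.com relay range.
192.0.2.0/24    OK

# --- /etc/postfix/main.cf: port 25 takes mail only from the filter ---
smtpd_client_restrictions =
    permit_mynetworks,
    check_client_access cidr:/etc/postfix/mx_clients.cidr,
    reject

# The OK above only passes the client list; relay control stays here.
# Keep the whitelist out of this list: an OK placed in front of
# reject_unauth_destination would let those hosts skip the relay check.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# --- /etc/postfix/master.cf: port 587 for roaming users ---
# These -o overrides replace the main.cf lists for this service only,
# so authenticated clients are accepted from any IP, and only over TLS.
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

Run `postfix check` and then `postfix reload` after editing; a cidr: table is read directly and needs no postmap step.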

