1 (edited by rombosgt 2020-04-27 15:17:50)

Topic: How to prohibit connections from IP address?

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.9
- Deployed with iRedMail Easy or the downloadable installer? Downloadable installer
- Linux/BSD distribution name and version: Debian 9.8.0
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MariaDB
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi, in /var/log/mail.log I see attempts from the IPs 37.49.230.118 and 37.49.230.131 to connect to our server:

postfix/submission/smtpd[23641]: connect from unknown [37.49.230.118]
postfix/submission/smtpd[23641]: disconnect from unknown[37.49.230.118] ehlo=1 auth=0/1 rset=0/1 quit=1 command=2/4
postfix/submission/smtpd[23641]: connect from unknown [37.49.230.131]
postfix/submission/smtpd[23641]: disconnect from unknown[37.49.230.131] ehlo=1 auth=0/1 rset=0/1 quit=1 command=2/4
postfix/submission/smtpd[23731]: connect from unknown [37.49.230.118]
postfix/submission/smtpd[23731]: disconnect from unknown[37.49.230.118] ehlo=1 auth=0/1 rset=0/1 quit=1 command=2/4
postfix/submission/smtpd[23731]: connect from unknown [37.49.230.131]
postfix/submission/smtpd[23731]: disconnect from unknown[37.49.230.131] ehlo=1 auth=0/1 rset=0/1 quit=1 command=2/4
postfix/submission/smtpd[23803]: connect from unknown [37.49.230.131]
postfix/submission/smtpd[23803]: disconnect from unknown[37.49.230.131] ehlo=1 auth=0/1 rset=0/1 quit=1 command=2/4
postfix/submission/smtpd[23803]: connect from unknown [37.49.230.118]
postfix/submission/smtpd[23803]: disconnect from unknown[37.49.230.118] ehlo=1 auth=0/1 rset=0/1 quit=1 command=2/4
postfix/submission/smtpd[23803]: connect from unknown [37.49.230.131]
postfix/submission/smtpd[23803]: disconnect from unknown[37.49.230.131] ehlo=1 auth=0/1 rset=0/1 quit=1 command=2/4

I added 37.49.230.118 and 37.49.230.131 to the blacklist:

python wblist_admin.py --add --blacklist 37.49.230.118
python wblist_admin.py --add --blacklist 37.49.230.131

Restart iRedAPD:

service iredapd restart

But I still see them trying to connect. Is there any way to prohibit connections from these IPs?


2

Re: How to prohibit connections from IP address?

Block them with iptables firewall.

3 (edited by rombosgt 2020-04-28 03:33:35)

Re: How to prohibit connections from IP address?

ZhangHuangbin wrote:

Block them with iptables firewall.

I used these commands. Right?

iptables -I INPUT -s 37.49.230.118 -j DROP
iptables -I INPUT -s 37.49.230.131 -j DROP

Sorry, I'm not very good at it. Do I need to enter any other commands to apply these rules? I ask because the command /sbin/iptables-save doesn't work for me.

4

Re: How to prohibit connections from IP address?

Yes, these 2 iptables commands should work for you.
You can save them in /etc/default/iptables (note: rules in this file don't need the "iptables " command prefix), then restart the iptables service.
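An added example, not from the thread: a small POSIX shell script that picks out, from Postfix mail.log lines like the ones posted above, the submission clients that disconnected without a single successful AUTH, and prints drop rules in the prefix-less form the reply above describes for /etc/default/iptables. The sample log lines (including the 192.0.2.10 client that did authenticate) are constructed, and the function names are my own choice.

```shell
#!/bin/sh
# Added example: find submission-port clients whose every AUTH failed
# and emit iptables rules for them. Sample log lines are constructed.

LOG_SAMPLE='postfix/submission/smtpd[23641]: disconnect from unknown[37.49.230.118] ehlo=1 auth=0/1 rset=0/1 quit=1 command=2/4
postfix/submission/smtpd[23641]: disconnect from unknown[37.49.230.131] ehlo=1 auth=0/1 rset=0/1 quit=1 command=2/4
postfix/submission/smtpd[23731]: disconnect from unknown[37.49.230.118] ehlo=1 auth=0/1 rset=0/1 quit=1 command=2/4
postfix/submission/smtpd[23801]: disconnect from mail.example.net[192.0.2.10] ehlo=1 auth=1/1 mail=1 rcpt=1 data=1 quit=1 commands=6'

# failed_auth_ips THRESHOLD  (reads log lines on stdin)
# Prints "count ip" for every client with at least THRESHOLD submission
# disconnects logged as auth=0/N, i.e. N AUTH attempts and none succeeded.
failed_auth_ips() {
    threshold="$1"
    awk -v th="$threshold" '
        /submission\/smtpd\[[0-9]+\]: disconnect from / {
            # client address is the bracketed token right after "from <host>"
            if (match($0, /from [^ ]*\[[0-9A-Fa-f.:]+\]/)) {
                s = substr($0, RSTART, RLENGTH)
                sub(/.*\[/, "", s); sub(/\]$/, "", s)
                # auth=0/N: all AUTH commands in the session failed
                if (match($0, /auth=0\/[0-9]+/)) count[s]++
            }
        }
        END { for (ip in count) if (count[ip] >= th) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# rules_for_ips (reads "count ip" lines on stdin)
# Emits one rule per IP in the form /etc/default/iptables expects (no
# leading "iptables " word). Place them before any ACCEPT rule for port 587.
rules_for_ips() {
    awk '{ print "-A INPUT -s " $2 " -j DROP" }'
}

main() {
    # threshold 2: an IP must fail in at least two sessions to be listed
    printf '%s\n' "$LOG_SAMPLE" | failed_auth_ips 2 | rules_for_ips
}

main "$@"
```

Run it against the real log with `failed_auth_ips 5 < /var/log/mail.log | rules_for_ips` and review the output before appending anything to the firewall file.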

5 (edited by rombosgt 2020-04-29 00:43:37)

Re: How to prohibit connections from IP address?

ZhangHuangbin wrote:

Yes, these 2 iptables commands should work for you.
You can save them in /etc/default/iptables (note: rules in this file don't need the "iptables " command prefix), then restart the iptables service.

Something doesn't work out for me because the command "service iptables" does not exist and I have not worked with iptables before.

So I installed UFW (Uncomplicated Firewall); it had not been installed before. I allowed all incoming and outgoing traffic (because we already have a pfSense firewall in our company) and blocked the connections with these commands:

ufw deny from 37.49.230.118
ufw deny from 37.49.230.131

Seems like it really blocks connections from these IPs. I will see what happens next. Thanks for the help.