1

Topic: Restrict incoming to specific IP's

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.8
- Deployed with iRedMail Easy or the downloadable installer? Download
- Linux/BSD distribution name and version: CentOS 7.6.1810
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): PGSQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? NO
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hello,
We have employed a cloud-based email gateway to our server. I am trying to get our iRedMail server to only accept incoming email from the gateway IP addresses. I've modified the postfix main.cf file, in /etc/postfix, with these 2 lines:

mynetworks = 127.0.0.1 [::1] 1x.x2z.34.abc 99.abc.mn.yz
smtp_client_restrictions = permit_mynetworks, reject

Restarted postfix but still seeing connections from other IP's. Is there another location in iRedMail to add the restriction, or have I just done this wrong?

Thanks much!


2

Re: Restrict incoming to specific IP's

tplancon wrote:

but still seeing connections from other IP's.

What are the original Postfix log lines?

3

Re: Restrict incoming to specific IP's

These are some lines from maillog showing IP's outside of mynetworks:

Jun 29 15:41:00 puffin postfix/smtpd[16153]: connect from dcrmfdpe29.verizon.com[140.108.1.69]
Jun 29 15:41:00 puffin postfix/smtpd[16153]: Anonymous TLS connection established from dcrmfdpe29.verizon.com[140.108.1.69]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Jun 29 15:42:43 puffin postfix/postscreen[16513]: CONNECT from [208.75.123.228]:4033 to [10.10.10.248]:25
Jun 29 15:42:43 puffin postfix/postscreen[16513]: PASS OLD [208.75.123.228]:4033
Jun 29 15:42:43 puffin postfix/smtpd[16153]: connect from ccm32.constantcontact.com[208.75.123.228]
Jun 29 15:42:43 puffin postfix/smtpd[16153]: Anonymous TLS connection established from ccm32.constantcontact.com[208.75.123.228]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Jun 29 15:44:27 puffin postfix/submission/smtpd[16829]: connect from c-98-229-213-23.hsd1.ma.comcast.net[98.229.213.23]
Jun 29 15:44:27 puffin postfix/submission/smtpd[16829]: Anonymous TLS connection established from c-98-229-213-23.hsd1.ma.comcast.net[98.229.213.23]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jun 29 15:44:27 puffin postfix/submission/smtpd[16829]: D67D5CBCC6: client=c-98-229-213-23.hsd1.ma.comcast.net[98.229.213.23], sasl_method=PLAIN, sasl_username=username@bxxxxxhs.com

4

Re: Restrict incoming to specific IP's

tplancon wrote:

mynetworks = 127.0.0.1 [::1] 1x.x2z.34.abc 99.abc.mn.yz

Did you try with IP addresses instead of hostnames?

tplancon wrote:

smtp_client_restrictions = permit_mynetworks, reject

In /etc/postfix/master.cf, the submission service has its own "smtp_client_restrictions" setting; it will be used instead of the one defined in /etc/postfix/main.cf.
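
A check for the situation in this thread, as an added example that is not part of the original posts or of iRedMail: it scans maillog lines in the format posted above and lists clients outside an allowlist, grouped by Postfix service so that port-25 connections can be told apart from submission connections. The allowlist addresses, host names and sample log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed allowlist (documentation ranges) standing in for the gateway IPs.
ALLOWED = [ipaddress.ip_network(n) for n in
           ("127.0.0.1/32", "::1/128", "192.0.2.10/32", "198.51.100.0/28")]

# Constructed sample lines in the same format as the maillog excerpt in the thread.
SAMPLE_LOG = """\
Jun 29 15:41:00 mx postfix/smtpd[16153]: connect from gw1.example.net[192.0.2.10]
Jun 29 15:42:43 mx postfix/postscreen[16513]: CONNECT from [203.0.113.7]:4033 to [10.10.10.248]:25
Jun 29 15:42:43 mx postfix/smtpd[16153]: connect from bulk.example.org[203.0.113.7]
Jun 29 15:44:27 mx postfix/submission/smtpd[16829]: connect from home.example.com[203.0.113.99]
Jun 29 15:45:02 mx postfix/smtpd[16153]: connect from unknown[2001:db8::25]
Jun 29 15:45:10 mx postfix/smtpd[16153]: disconnect from gw1.example.net[192.0.2.10]
"""

# Matches "postfix/<service>[pid]: connect from host[ip]" (smtpd) and
# "postfix/postscreen[pid]: CONNECT from [ip]:port"; "disconnect" lines do not match.
LINE_RE = re.compile(
    r"postfix/(?P<svc>[\w/-]+)\[\d+\]: "
    r"(?:connect from \S*?\[(?P<ip1>[0-9A-Fa-f.:]+)\]$"
    r"|CONNECT from \[(?P<ip2>[0-9A-Fa-f.:]+)\]:\d+)"
)

def outside_allowlist(log_text, allowed=ALLOWED):
    """Return (service, ip) pairs for connections from clients not in the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line.strip())
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip1") or m.group("ip2"))
        except ValueError:
            continue  # malformed address in the log line, skip it
        # Compare only against networks of the same IP version.
        if not any(ip.version == net.version and ip in net for net in allowed):
            hits.append((m.group("svc"), str(ip)))
    return hits

def by_service(hits):
    """Group offending IPs by Postfix service name (smtpd, postscreen, submission/smtpd)."""
    grouped = defaultdict(set)
    for svc, ip in hits:
        grouped[svc].add(ip)
    return {svc: sorted(ips) for svc, ips in grouped.items()}

if __name__ == "__main__":
    for svc, ips in by_service(outside_allowlist(SAMPLE_LOG)).items():
        print(f"{svc}: {', '.join(ips)}")
```
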