postfix and CIDR blocklisting


I have discovered the joy of Postfix CIDR block lists.  If you run Postfix, and want to block all mail from China and Korea, here's what you need to do (as root):

  1. Download the Okean CIDR list for China, Korea, or both.  I used the list with both.
  2. Substitute the word "REJECT" for "China" and "Korea" in the list. You can add a message to each line to make it clear what's happening; this appears in mail logs and in the rejection messages. My config file lines look like this:

       REJECT Source IP blocked China
       58.29.0.0/16 REJECT Source IP blocked Korea

  3. Copy the file to /etc/postfix/sinokorea.cidr.
  4. Add the following line to /etc/postfix/ (or modify the existing line to include):

       smtpd_client_restrictions = check_client_access cidr:/etc/postfix/sinokorea.cidr

  5. Run "postfix reload".

That's it.  If you want to update the list of IP addresses, just repeat steps 1-3.  For testing purposes you can insert "warn_if_reject" before "check_client_access".  This will allow the mail to be delivered, but write a reject_warning message to /var/log/maillog.

(You should probably run "postconf -m" and verify that "cidr" is in the list of supported table types.)
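
Step 2 can be scripted so that repeating steps 1-3 on every update is less error-prone. The following is an added example, not part of the original post: it assumes each downloaded line has the form "network/prefix Country" (inferred from the sample line in step 2), and the function names, file names and sample data are constructed for illustration.

```python
import ipaddress
import sys

# Constructed sample; assumed download layout is "<network>/<prefix> <Country>".
SAMPLE = """\
# constructed sample
58.29.0.0/16 Korea
203.0.113.0/24 China
198.51.100.7/24 China
not-a-network Korea
"""

def to_postfix_cidr(text, message="Source IP blocked"):
    """Step 2: rewrite 'network Country' as 'network REJECT message Country'.
    Returns (table_lines, skipped); skipped holds (line_no, raw, reason)."""
    table, skipped = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        try:
            # strict=True refuses host bits set (198.51.100.7/24); Postfix
            # warns about such a rule and skips it, so catch it here instead.
            net = ipaddress.ip_network(fields[0], strict=True)
        except ValueError as exc:
            skipped.append((line_no, raw, str(exc)))
            continue
        country = fields[1] if len(fields) > 1 else ""
        table.append(f"{net} REJECT {message} {country}".rstrip())
    return table, skipped

def lookup(table, ip):
    """Return the action of the first matching rule, as a cidr table does."""
    addr = ipaddress.ip_address(ip)
    for entry in table:
        net, action = entry.split(None, 1)
        if addr in ipaddress.ip_network(net):
            return action
    return None

if __name__ == "__main__":
    # Usage (hypothetical file names): python3 okean2cidr.py < list.txt > sinokorea.cidr
    lines, bad = to_postfix_cidr(sys.stdin.read())
    print("\n".join(lines))
    for line_no, raw, reason in bad:
        print(f"skipped line {line_no}: {raw!r} ({reason})", file=sys.stderr)
```

Once the output is installed as /etc/postfix/sinokorea.cidr, "postmap -q 58.29.1.1 cidr:/etc/postfix/sinokorea.cidr" should print the REJECT action for that address.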

