Postfix: Allow SMTP AUTH only from specified IP address ranges

Tags: authentication, ip address, postfix, smtp, smtp-auth

Can one implement an IP address based restriction for SMTP AUTH in Postfix?

Scenario:
I'm running a Postfix mail server that receives mails from all over the Internet. But the server doesn't only receive mails, it also allows its authenticated users to send mails to internal users or to external ones. So far no problem.

Unfortunately, I'm always getting a little scared when reading the log files. There are thousands of unsuccessful, illegal login attempts every day from IP addresses from all over the world.

But actually the legitimate sender hosts only come from a handful of known IP address ranges. So I know only someone from (for example)

  • 134.500.0.0/16
  • 134.700.42.0/24
  • 134.800.133.7

might even be a legitimate sender at all. (I know that the IP addresses given in the example above are malformed. I just didn't want to unveil the real ones.)

So if the sender comes from a different IP range, he's for sure none of my users and therefore not allowed to relay anything.

I don't want someone from outside of these subnets to be able to relay even if he figures out a valid username/password combination for SMTP AUTH. If he's from a non-white-listed IP address range, he mustn't send. Under no circumstances. So permit_sasl_authenticated alone is not enough. As long as someone from "certain" countries (I don't want to name them explicitly…) is able to log in with stolen/brute-forced/spied credentials, it's not secure enough. 🙂 (Think of social engineering, trojan keyloggers that steal account data, lightheaded users with easy-to-guess passwords, etc.)

=> So is it possible to implement an IP address restriction for SMTP AUTH login attempts?
(The receiving of incoming mails must not be affected by this. For that I have policyd-weight etc. Here it's only about outgoing / to be relayed mails.)

Solutions that won't work:

  • iptables firewall restriction. As I want to be able to receive mails from all over the Internet on port 25, I cannot implement restrictions on transport layer level. – Moreover, I want the legitimate users to be able to connect on port 25 to admit new outgoing mails into the server. So allowing mail sending only via a subnet-restricted mystery TCP port, e.g. 24343, is no solution either.
  • permit_mynetworks: Not everybody from the known IP ranges is a legitimate user. So I can't allow everybody from there to send. SMTP AUTH login is necessary to determine whether someone is an authorized user.

Best Answer

How about putting your SMTP AUTH on another port like 587, and using iptables to restrict access to that port? 587 isn't a hidden port, it's an RFC-defined mail submission port. Mail to you arrives on 25, mail through you needs to go over 587.

https://www.rfc-editor.org/rfc/rfc6409
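
One way to turn the answer's suggestion into firewall rules, as an added example that is not part of the original answer: the script prints (it does not apply) iptables rules that admit port 587 only from an allowlist, and refuses malformed entries such as the question's placeholder ranges. The allowlist is made of constructed documentation addresses, the function names are hypothetical, and the Postfix settings in the header comment are an assumed layout.

```bash
#!/usr/bin/env bash
# Added example, not from the original answer. It prints the iptables commands
# for the firewall half of the answer; nothing is applied to the system.
#
# Postfix half (assumed layout, adjust to your install):
#   main.cf    smtpd_sasl_auth_enable = no      # port 25 offers no AUTH
#   master.cf  submission inet n - n - - smtpd
#                -o smtpd_sasl_auth_enable=yes
#                -o smtpd_tls_security_level=encrypt
#                -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

# Constructed sample allowlist (RFC 5737 documentation ranges).
ALLOWED_SOURCES="192.0.2.0/24 198.51.100.0/24 203.0.113.7"

# Succeeds only for a well-formed IPv4 address or CIDR (octets 0-255, prefix 0-32).
valid_ipv4_source() {
    local addr="${1%/*}" prefix=32 octet
    case "$1" in */*) prefix="${1#*/}" ;; esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in *.|.*|*..*) return 1 ;; esac
    local IFS=.
    set -- $addr                     # split the address into octets on "."
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in *[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Print ACCEPT rules for each allowed source, then a DROP for everyone else.
# Only the given port is filtered, so port 25 stays open for inbound mail.
submission_rules() {
    local port="$1" src
    shift
    for src in "$@"; do              # validate everything before emitting anything
        if ! valid_ipv4_source "$src"; then
            echo "refusing malformed source: $src" >&2
            return 1
        fi
    done
    for src in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -s $src -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

submission_rules 587 $ALLOWED_SOURCES
```

Because the rules are appended with `-A`, an earlier rule in the INPUT chain that already accepts port 587 would still match first, so check the existing chain before applying the printed commands.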