May 292011
If you intend to be able to reject connections from remote IP addresses if they’re from certain countries. This is how you do it. This method will reject ip address that has been mapped in GeoIP at smtp conversation stage. However, This tutorial has never been tested. nothing more than a prototype that i created in leisure time.
Software required:
- postfix (tcp_table)
- Perl
- Perl Geo::IP module
main.cf:
127.0.0.1:2528_time_limit = 3600s smtpd_client_restrictions = check_client_access tcp:[127.0.0.1]:2528
master.cf
127.0.0.1:2528 inet n n n - 0 spawn user=nobody argv=/etc/postfix/geo-reject.pl
geo-reject.pl
#!/usr/bin/perl
use strict;
use warnings;
use Sys::Syslog qw(:DEFAULT setlogsock);
use Geo::IP;
my $gi = Geo::IP->new(GEOIP_STANDARD);
# maps country code to reject (this is just example)
# add more country code you would like to reject
my @geo_map = (
'JP' ,
'US' ,
'CN' ,
'HK'
);
#
# Initalize and open syslog.
#
openlog('postfix/geoIP-reject','pid','mail');
#
# Autoflush standard output.
#
select STDOUT; $|++;
while (<>) {
chomp;
if (/^get\s(.+)$/i) {
my $client_ip = $1;
my $country_code = $gi->country_code_by_name($client_ip);
if (defined $country_code)
{
if ( grep /$country_code/, @geo_map )
{
print "200 REJECT you're from $country_code\n";
syslog("info","Rejecting: %s", $country_code);
} else {
print "200 DUNNO\n";
}
} else {
print "200 DUNNO\n";
}
next;
}
print "200 DUNNO\n";
}
Test from command line
# telnet xxx.xxx.xxx.xxx 25 Trying xxx.xxx.xxx.xxx... Connected to mx.example.com (xxx.xxx.xxx.xxx). Escape character is '^]'. 220-mx.example.com ESMTP Postfix ehlo dude 554 5.7.1 <remote.example.com[xxx.xxx.xxx.xxx>: Client host rejected: you're from ID 503 5.7.0 Error: access denied for remote.example.com[xxx.xxx.xxx.xxx]
Logs
May 30 12:20:33 fire postfix/smtpd[7493]: NOQUEUE: reject: CONNECT from remote.example.com[xxx.xxx.xxx.xxx] 554 5.7.1 remote.example.com[xxx.xxx.xxx.xxx] Client host rejected: you're from ID; proto=SMTP
enjoy 
You may also want to read these posts:
- Postfix Bind Sender Outgoing IP, Based On GeoIP Location
- Geo Location DNSBL Using Perl, Memcached And GeoIP
- postfix, integrating memcache as a lookup table using tcp_table
- Postfix, Rate Limiting Inbound Emails Using SenderScore And Memcache
- Postfix Changing Outgoing IP By Time Interval Using TCP_TABLE And Perl
- Postfix Checking Maildir Disk Usage / Quota On The Fly
- Postfix, Dynamic OverQuota User Map Script Using Bash And Inotifywait
- Postfix Randomizing Outgoing IP Using TCP_TABLE And Perl
- Check Disk Quota Usage By Parsing Maildirsize
- Postfix, Omar Kilani’s Memcache Patch Try-Out
One Response to “Postfix GeoIP Based Rejections”
Comments (1)
Tested in production, works very well.
It’s useful especially if you know, that you will never get e-mails sent from given countries. In my case I’m 100% sure that my company has no customers in China, India, Brasil or Russia so it’s good deal since 50% of spam is sent from that countries
Thanks for this post!