May 292011

If you intend to be able to reject connections from remote IP addresses if they’re from certain countries. This is how you do it. This method will reject ip address that has been mapped in GeoIP at smtp conversation stage. However, This tutorial has never been tested. nothing more than a prototype that i created in leisure time.

Software required:

  • postfix (tcp_table)
  • Perl
  • Perl Geo::IP module = 3600s
smtpd_client_restrictions =
	check_client_access tcp:[]:2528 inet  n       n       n       -       0      spawn
	user=nobody argv=/etc/postfix/

use strict;
use warnings;
use Sys::Syslog qw(:DEFAULT setlogsock);
use Geo::IP;

my $gi = Geo::IP->new(GEOIP_STANDARD);

# maps country code to reject (this is just example)
# add more country code you would like to reject
my @geo_map = (
	'JP' ,
	'US' ,
	'CN' ,

# Initalize and open syslog.

# Autoflush standard output.
select STDOUT; $|++;

while (<>) {
	if (/^get\s(.+)$/i) {
		my $client_ip = $1;
		my $country_code = $gi->country_code_by_name($client_ip);

		if (defined $country_code)
			if ( grep /$country_code/, @geo_map )
				print "200 REJECT you're from $country_code\n";
				syslog("info","Rejecting: %s", $country_code);
			} else {
				print "200 DUNNO\n";
		} else {
			print "200 DUNNO\n";
	print "200 DUNNO\n";

Test from command line

# telnet 25
Connected to (
Escape character is '^]'. ESMTP Postfix
ehlo dude
554 5.7.1 <[>: Client host rejected: you're from ID
503 5.7.0 Error: access denied for[]


May 30 12:20:33 fire postfix/smtpd[7493]: NOQUEUE: reject: CONNECT from[] 554 5.7.1[] Client host rejected: you're from ID; proto=SMTP

enjoy 🙂

  7 Responses to “Postfix GeoIP Based Rejections”

Comments (7)
  1. Tested in production, works very well.

    It’s useful especially if you know, that you will never get e-mails sent from given countries. In my case I’m 100% sure that my company has no customers in China, India, Brasil or Russia so it’s good deal since 50% of spam is sent from that countries

    Thanks for this post!

  2. Thank you for the awesome filter.

    If you have a country blocked, say Germany (DE), is there a way to exclude a specific range from that country from being blocked?

  3. sure, add exclusion in perl script.

  4. Hello.. I’m having some trouble with this. The script appears to be working fine (connecting with telnet and passing IP and I can get a 200 DUNNO or REJECT) but after trying to connect it to postfix, it appears to not be seeing anything passed to it.

    By adding some debug syslog handling, it appears the tcp_table is sending a blank or null value so country and ip are Unknown. I do have tcp_tables support in postfix, so I’m pretty stuck at this point.


  5. try debug the script as follow

    get ip_which_related_to_countrycode_you_want_to_block

    you shou have a result like this:

    # perl   
    200 REJECT you're from ID

    or you get a result “DUNNO” if ip address isn’t in country code lists.

    next step debug by telneting to port 2528

    #telnet 2528
    Connected to
    Escape character is '^]'.
    200 REJECT you're from ID
  6. Hi, this plugin, works with a relay from exim to postfix?

  7. postfix should be in front.

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>