IP Network Blacklists

CaseyJones62

Jun 14, 2020
Hi,

I've just installed Proxmox Mail Gateway and have a simple noob question.
I get a lot of access attempts from Bangalore addresses which I'd like to filter. Hmail used to do a good job blocking IPs automatically.

I've set up a Who object network blacklist for the ranges to block.

My question is when these addresses attempt connection they still seem to get the 'EHLO User' prompt.

Is this the correct behaviour as I was hoping that they would get an immediate disconnection or no response and then drop - although would be nice to hold it for 10 seconds then drop :)
 
Blocking in the rulesystem (by creating a rule with a WHO-Object like you did) happens after the SMTP-dialogue.

Currently there is no way to blacklist IPs during SMTP-dialogue from the GUI - you can however adapt your postfix configuration by adding another entry to the smtpd_sender_restrictions: check http://www.postfix.org/SMTPD_ACCESS_README.html for the postfix configuration and https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine for how to integrate it into PMG.

I hope this helps!
 
Well I think I have done everything right.

I copied and then edited the main.cf.in template by adding the following line (after the other smtpd_client_* lines)

smtpd_client_restrictions =
    check_client_access cidr:/etc/postfix/client_checks

Created the /etc/postfix/client_checks file with the following line and then ran postmap client_checks

46.38.145.0/24 REJECT

Finally ran command

pmgconfig sync --restart 1 (my new lines are now in /etc/postfix/main.cf)

Still not blocking? even after a reboot. System still responds with EHLO to the IPs.

Probable chair/keyboard interface problem but I can't spot it.
 
Still not blocking? even after a reboot. System still responds with EHLO to the IPs.
The reject should come after the RCPT TO.
Do mails get accepted? If so, please post the anonymized logs.
 
Thanks for the response. It seems I had the wrong understanding of how much of the communication needs to be completed before the connection is rejected. It appears each connection will initiate an smtp process in order to be rejected.

After investigation it seems adding fail2ban to the config gives me what I require, if I enable rejection for 'PREGREET' and 'disconnect from unknown'
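
An added example, not part of the thread and not Proxmox or Postfix code: a Python check that loads a CIDR access table like client_checks and reads smtpd log lines to show which listed clients were rejected at RCPT TO and which disconnected before the restriction was evaluated. It assumes Postfix's default smtpd_delay_reject = yes; the table, log lines and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample table and log lines (not taken from the thread's server).
CLIENT_CHECKS = "# blocked ranges\n46.38.145.0/24 REJECT\n"
LOG = """\
Jun 15 10:00:01 pmg postfix/smtpd[2101]: connect from unknown[46.38.145.10]
Jun 15 10:00:02 pmg postfix/smtpd[2101]: disconnect from unknown[46.38.145.10] ehlo=1 auth=0/1 quit=1 commands=2/3
Jun 15 10:05:01 pmg postfix/smtpd[2107]: connect from unknown[46.38.145.77]
Jun 15 10:05:03 pmg postfix/smtpd[2107]: NOQUEUE: reject: RCPT from unknown[46.38.145.77]: 554 5.7.1 <unknown[46.38.145.77]>: Client host rejected: Access denied; from=<a@example.com> to=<b@example.org> proto=ESMTP helo=<User>
Jun 15 10:09:00 pmg postfix/smtpd[2110]: connect from mail.example.net[203.0.113.5]
"""
CONNECT = re.compile(r"smtpd\[\d+\]: connect from \S*\[([0-9a-fA-F.:]+)\]")
REJECT = re.compile(r"reject: RCPT from \S*\[([0-9a-fA-F.:]+)\]: .*Client host rejected")

def load_cidr_table(text):
    """Parse 'network action' lines, keeping order: the first match wins."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            net, action = line.split(None, 1)
            rules.append((ipaddress.ip_network(net), action))
    return rules

def lookup(rules, ip):
    """Return the action of the first network containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    return next((action for net, action in rules if addr in net), None)

def classify(rules, log):
    """Map each client the table would REJECT to what the log shows for it."""
    status = {}
    for line in log.splitlines():
        m = CONNECT.search(line)
        if m and (lookup(rules, m.group(1)) or "").upper().startswith("REJECT"):
            status.setdefault(m.group(1), "connected, no reject logged")
        m = REJECT.search(line)
        if m:
            status[m.group(1)] = "rejected at RCPT TO"
    return status

if __name__ == "__main__":
    for ip, state in classify(load_cidr_table(CLIENT_CHECKS), LOG).items():
        print(ip, "->", state)
```

Clients left in the "connected, no reject logged" state never sent RCPT TO, so the access table alone does not stop them; those are the sessions a log-driven ban such as fail2ban covers.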
 
