Wednesday, March 4, 2015

How to deny Postfix SMTP authentication from non-US clients

As the war on spam continues, one of my clients wanted to provide SMTP AUTH only to IP addresses in the United States, since their employees are all located there anyway.

Postfix has a facility for this, called smtpd_sasl_exceptions_networks. It tells the Postfix SMTP server not to offer AUTH to clients connecting from the specified ranges. Disregarding IPv6 for now, here's a list of IP ranges from IANA that are non-US (ARIN) allocations:

smtpd_sasl_exceptions_networks = 0.0.0.0/7
  2.0.0.0/8
  5.0.0.0/8
  10.0.0.0/8
  14.0.0.0/8
  25.0.0.0/8
  27.0.0.0/8
  31.0.0.0/8
  36.0.0.0/8
  37.0.0.0/8
  39.0.0.0/8
  41.0.0.0/8
  42.0.0.0/7
  46.0.0.0/8
  49.0.0.0/8
  51.0.0.0/8
  53.0.0.0/8
  57.0.0.0/8
  58.0.0.0/7
  60.0.0.0/7
  62.0.0.0/8
  77.0.0.0/8
  78.0.0.0/7
  80.0.0.0/4
  101.0.0.0/8
  102.0.0.0/7
  105.0.0.0/8
  106.0.0.0/8
  109.0.0.0/8
  110.0.0.0/7
  112.0.0.0/4
  133.0.0.0/8
  141.0.0.0/8
  145.0.0.0/8
  150.0.0.0/7
  153.0.0.0/8
  154.0.0.0/8
  163.0.0.0/8
  171.0.0.0/8
  175.0.0.0/8
  176.0.0.0/4
  193.0.0.0/8
  194.0.0.0/7
  196.0.0.0/7
  200.0.0.0/6
  210.0.0.0/7
  212.0.0.0/7
  217.0.0.0/8
  218.0.0.0/7
  220.0.0.0/6