Ah, then it's a somewhat worse problem. Are all your customers from a specific country? Then you can add a GeoIP block to your firewall so that customers can only send email from their own country.
Otherwise, my suggestion is that you open up a web interface (I guess you already have one where your customers can manage their accounts). There you provide a function where the customer can specify up to X IP ranges that are allowed to authenticate at the SMTP level on their account. Those ranges must be no broader than a /8 (that is, a prefix length of at least 8), to prevent customers from specifying 0.0.0.0/0 and allowing the whole world. You can probably use a policy server or some maps to ensure that certain accounts can only authenticate from specific IP ranges, so that each customer has their own authorization list. Note that your web interface can also be hacked, so ensure it's protected with a captcha, and either lock accounts down to the customer’s billing country or employ 2FA.
From: Christos Chatzaras Sent: Sunday, May 24, 2015 1:01 PM To: Sebastian Nielsen Cc: postfix-users@postfix.org Subject: Re: problem with spam I do shared hosting, so users should be able to use any ISP to connect. postconf -Mf : smtp inet n - n - - smtpd submission inet n - n - - smtpd -o smtpd_tls_security_level=may -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING pickup fifo n - n 60 1 pickup cleanup unix n - n - 0 cleanup qmgr fifo n - n 300 1 qmgr tlsmgr unix - - n 1000? 1 tlsmgr rewrite unix - - n - - trivial-rewrite bounce unix - - n - 0 bounce defer unix - - n - 0 bounce trace unix - - n - 0 bounce verify unix - - n - 1 verify flush unix n - n 1000? 
0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap smtp unix - - n - - smtp relay unix - - n - - smtp -o smtp_fallback_relay= showq unix n - n - - showq error unix - - n - - error retry unix - - n - - error discard unix - - n - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - n - - lmtp anvil unix - - n - 1 anvil scache unix - - n - 1 scache postconf -nf: authorized_submit_users = root, creta body_checks = regexp:/usr/local/etc/postfix/body_checks command_directory = /usr/local/sbin config_directory = /usr/local/etc/postfix daemon_directory = /usr/local/libexec/postfix data_directory = /var/db/postfix debug_peer_level = 2 debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5 default_destination_concurrency_limit = 2 default_destination_rate_delay = 1s default_extra_recipient_limit = 10 header_checks = regexp:/usr/local/etc/postfix/header_checks html_directory = /usr/local/share/doc/postfix inet_protocols = ipv4 mail_owner = postfix mailq_path = /usr/local/bin/mailq manpage_directory = /usr/local/man message_size_limit = 25600000 myhostname = server8.cretaforce.gr mynetworks_style = host newaliases_path = /usr/local/bin/newaliases queue_directory = /var/spool/postfix readme_directory = /usr/local/share/doc/postfix sample_directory = /usr/local/etc/postfix sender_dependent_relayhost_maps = hash:/usr/local/etc/postfix/sender_transport sendmail_path = /usr/local/sbin/sendmail setgid_group = maildrop smtp_bind_address = 178.63.64.86 smtp_destination_concurrency_limit = 2 smtp_destination_rate_delay = 1s smtp_extra_recipient_limit = 10 smtp_tls_CAfile = /etc/ssl/certs/cacert.crt smtp_tls_cert_file = /etc/ssl/certs/server8.pem smtp_tls_key_file = /etc/ssl/private/server8.pem smtp_tls_security_level = may smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache smtpd_banner = $myhostname smtpd_delay_reject = yes 
smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_hostname, reject_invalid_hostname, permit smtpd_recipient_restrictions = check_sender_access hash:/usr/local/etc/postfix/sender_access, check_recipient_access hash:/usr/local/etc/postfix/recipient_access, permit_sasl_authenticated, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, reject_unauth_pipelining, reject_invalid_hostname, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org, permit smtpd_relay_restrictions = permit_sasl_authenticated, defer_unauth_destination smtpd_sasl_auth_enable = yes smtpd_sasl_authenticated_header = yes smtpd_sasl_local_domain = $myhostname smtpd_sasl_path = /var/run/dovecot/auth-client smtpd_sasl_type = dovecot smtpd_sender_restrictions = reject_unlisted_sender, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, permit smtpd_tls_CAfile = /etc/ssl/certs/cacert.crt smtpd_tls_ask_ccert = yes smtpd_tls_cert_file = /etc/ssl/certs/server8.pem smtpd_tls_key_file = /etc/ssl/private/server8.pem smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_security_level = may smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache tls_random_source = dev:/dev/urandom transport_maps = hash:/usr/local/etc/postfix/recipient_transport unknown_local_recipient_reject_code = 550 virtual_alias_maps = hash:/usr/local/etc/postfix/virtual virtual_gid_maps = hash:/usr/local/etc/postfix/virtual_uids virtual_mailbox_base = /home/mail virtual_mailbox_domains = hash:/usr/local/etc/postfix/domains virtual_mailbox_limit = 1000000000 virtual_mailbox_limit_inbox = no virtual_mailbox_limit_maps = hash:/usr/local/etc/postfix/vquota virtual_mailbox_limit_override = yes virtual_mailbox_maps = hash:/usr/local/etc/postfix/vmailbox virtual_maildir_extended = yes virtual_minimum_uid = 100 
virtual_overquota_bounce = yes virtual_uid_maps = hash:/usr/local/etc/postfix/virtual_uids