Hello,

A simpler solution would be to use a cidr access map built from <http://ipdeny.com/ipblocks/data/countries/> that matches the netblocks you allow, in master.cf for the submission (or smtps, if using the legacy SMTPS service on port 465) service with smtpd_client_restrictions, e.g.:

Long form for postfix >= 3.0 only:

    -o { smtpd_client_restrictions = permit_mynetworks check_client_access cidr:$config_directory/submission_access.cidr permit_sasl_authenticated reject }

Short form for previous postfix < 3.0:

    -o smtpd_client_restrictions=permit_mynetworks,check_client_access,cidr:$config_directory/submission_access.cidr,permit_sasl_authenticated,reject

submission_access.cidr map:

    <netblocks_allowed> OK
    0.0.0.0/0 REJECT Submission not allowed from your country.

Be sure to update submission_access.cidr with a daily cronjob to have up-to-date netblocks, then reload postfix to use the new cidr map right away.

On 5 Jan 2019, at 22:26, Philippe - Forums wrote:

> Hello,
>
> I would like to filter SMTP access using geo-localization.
>
> I have installed geoip-bin on my mailserver.
>
> This tool works like nslookup with an IP (geoiplookup @IP) and gives
> geographic information about this IP and especially the country (FR, DE,...).
>
> My purpose is to filter IPs out of my country to reject SMTP connection.
>
>
> I must make a linux script, in bash (/usr/bin/policyd-geoip).
>
> But I don't know how the script can tell postfix if the IP is OK or KO.
>
>
> For postfix configuration I think that I must do that:
>
> * master.cf:
>
> policy-geoip unix - n n - 0 spawn
>   user=nobody argv=/usr/bin/policyd-geoip
>
> * main.cf:
>
> check_policy_service unix:private/policy-geoip
>
>
> If someone can help me with this "project".
>
>
> --
> ##################
>
> Philippe - Forums

--
matt [at] lv223.org
GPG key ID: 7D91A8CA
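
The daily map refresh described in the reply above, as an added example that is not part of the original message: a shell function that turns an already downloaded country zone file into submission_access.cidr and refuses to replace the live map when the download is empty or malformed. The function names, the file paths and the zone file layout (one IPv4 netblock per line) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original message). Function names and paths are
# assumptions; the zone file is assumed to hold one IPv4 netblock per line.

REJECT_LINE='0.0.0.0/0 REJECT Submission not allowed from your country.'

# build_cidr_map ZONEFILE OUTFILE
# Writes "<netblock> OK" per valid line, then the catch-all REJECT line.
# On an empty or malformed zone file it returns non-zero and leaves OUTFILE
# untouched, so a failed download cannot replace a working map.
build_cidr_map() {
    zone=$1; out=$2
    [ -r "$zone" ] || { echo "cannot read $zone" >&2; return 1; }
    tmp=$(mktemp "${out}.XXXXXX") || return 1   # same directory: mv is atomic
    if awk '
        { sub(/\r$/, "") }                      # tolerate CRLF downloads
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            ok = ($0 ~ "^[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+/[0-9]+$")
            if (ok) {
                split($0, p, "[./]")
                for (i = 1; i <= 4; i++) if (p[i] + 0 > 255) ok = 0
                # /0 would whitelist every address, so it is refused too
                if (p[5] + 0 < 1 || p[5] + 0 > 32) ok = 0
            }
            if (!ok) { bad = 1; exit }
            print $0, "OK"; n++
        }
        END { if (bad || n == 0) exit 1 }
    ' "$zone" > "$tmp"
    then
        printf '%s\n' "$REJECT_LINE" >> "$tmp"
        chmod 644 "$tmp" && mv "$tmp" "$out"
    else
        rm -f "$tmp"
        echo "refusing to install map built from $zone" >&2
        return 1
    fi
}

# refresh ZONEFILE MAPFILE: for the daily cron job; reloads only on success.
refresh() {
    build_cidr_map "$1" "$2" && postfix reload
}
```

Without the validation step, an HTML error page or an empty response saved as the zone file would leave only the catch-all REJECT in effect for every remote client outside mynetworks.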