Installation:
The starting point for this script was from here:
http://web.archive.org/web/20151128083440/https://www.kutukupret.com/2011/05/29/postfix-geoip-based-rejections/
You need:
- Linux machine with-
- Perl
- Perl Geo::IP module
- and of course "Postfix" (MTA)
-
You will need to add the script above somewhere on your system.
/etc/postfix/scripts/postfix-geoip.pl
would probably be a good place. It doesn't really matter where it is placed, though. Keep in mind the permissions & owner will need to be correct no matter where you put it.Once placed, make sure it's owned by root and can be run by the "nobody" user. (It should be owned by root to avoid postfix warnings):
sudo chown root: /etc/postfix/scripts /etc/postfix/scripts/postfix-geoip.pl sudo chmod 755 /etc/postfix/scripts/postfix-geoip.pl
-
Once the script is owned correctly and executable on the Postfix system, you will need to edit the Postfix configuration.
Edit
sudo nano /etc/postfix/main.cf
and findsmtpd_client_restrictions =
and add a 'check_client_access' directive under it (just make sure it has a comma on end and is above the final 'permit') Leave any other directives you may see (the dots '...') in place.:smtpd_client_restrictions = ... check_client_access tcp:[127.0.0.1]:2528, ... permit
Example:
NOTE: It may be a better idea to place this under
smtpd_helo_restrictions
since this is the very first check. If it's a bad IP, it should go no further. Less system resources would be used to check and 'block' a connected IP under HELO hypothetically. I usedsmtpd_client_restrictions
for my own reasons. Either area should work. I haven't tested it under helo restrictions, though. -
Next, edit the
/etc/postfix/master.cf
file and put this bit at the very bottom of this file:127.0.0.1:2528 inet n n n - 0 spawn user=nobody argv=/etc/postfix/scripts/postfix-geoip.pl
-
Next install GeoIP system wide. Debian/Ubuntu
apt
example:sudo apt update -y && sudo apt install libgeo-ip-perl
OR: If using cpan to install the module:
sudo cpan install Geo::IP
Configuration is complete. Restart Postfix:
sudo systemctl restart postfix
Test / check mail.log / etc.
Can you run it on the cli? Does the geo-ip file run manually?