<html><head></head><body><div class="yahoo-style-wrap" style="font-family:courier new, courier, monaco, monospace, sans-serif;font-size:13px;">
<div dir="ltr" data-setdir="false">Look up "geofence" and see if you can get any good results for what you're trying to achieve.</div>
<div dir="ltr" data-setdir="false"><br></div>
<div dir="ltr" data-setdir="false">I am doing things at two different levels: the firewall, and the MTA (postfix).</div>
<div dir="ltr" data-setdir="false"><br></div>
<div dir="ltr" data-setdir="false">1/ At the firewall level</div>
<div dir="ltr" data-setdir="false"><br></div>
<div dir="ltr" data-setdir="false">With shorewall, it's as simple as giving the country codes (US, CN, FR, CA...) you want to let in or block.</div>
<div dir="ltr" data-setdir="false"><br></div>
<div dir="ltr" data-setdir="false">My firewall's policy is to deny all access from outside except for what I explicitly authorize in the rules.</div>
<div dir="ltr" data-setdir="false"><br></div>
<div dir="ltr" data-setdir="false">Policy file looks like this:</div>
<div dir="ltr" data-setdir="false"><br></div>
<div dir="ltr" data-setdir="false">$FW net ACCEPT<br>net $FW DROP INFO</div>
<div dir="ltr" data-setdir="false"><br></div>
<div dir="ltr" data-setdir="false">Which reads: from firewall to internet, accept all. From internet to firewall, drop and log.</div>
<div dir="ltr" data-setdir="false"><br></div>
<div dir="ltr" data-setdir="false">Now I can put the exceptions in the rules file:</div>
<div dir="ltr" data-setdir="false"><br></div>
<div dir="ltr" data-setdir="false">#ACTION SOURCE DEST PROTO DEST PORTS<br>?SECTION NEW<br>ACCEPT net:192.168.0.0/16 $FW all<br>ACCEPT net:172.16.0.0/12 $FW all<br>ACCEPT net:10.10.10.0/24 $FW all<br>ACCEPT net:^[DZ,US,TN] $FW all<br>ACCEPT net $FW tcp $sshport,25,80,443</div>
<div dir="ltr" data-setdir="false"><br></div>
<div dir="ltr" data-setdir="false">Which reads: lines 1-3 create an exception for incoming connections from the LAN; line 4 creates an exception for the countries DZ, US and TN; the last line is an exception for SMTP, HTTP and HTTPS.</div>
<div dir="ltr" data-setdir="false"><br></div>
<div dir="ltr" data-setdir="false">For this geofence to work you need:</div>
<div dir="ltr" data-setdir="false">1- a specific kernel module that allows iptables to use geoip for its filtering capabilities</div>
<div dir="ltr" data-setdir="false">2- to download the database of IPs (a provided tool does that for you, but it might not work)</div>
<div dir="ltr" data-setdir="false"><br></div>
<div dir="ltr" data-setdir="false">The detailed procedure is explained on this page from my personal wiki: <a href="https://ychaouche.informatick.net/shorewallcountrybasedacls" rel="nofollow" target="_blank">https://ychaouche.informatick.net/shorewallcountrybasedacls</a></div>
<div dir="ltr" data-setdir="false"><br></div>
<div dir="ltr" data-setdir="false">2/ At the postfix level</div>
<div dir="ltr" data-setdir="false"><br></div>
<div dir="ltr" data-setdir="false">I have a specific map to reject senders, which contains qq.com and another domain:</div>
<div dir="ltr" data-setdir="false"><br></div>
<div dir="ltr" data-setdir="false">root@messagerie[10.10.10.19] ~ # cat /etc/postfix/maps/reject_senders<br>qq.com REJECT<br>uscourtsgov.com REJECT<br>root@messagerie[10.10.10.19] ~ #</div>
<div dir="ltr" data-setdir="false"><br></div>
<div dir="ltr" data-setdir="false">This map file is given to the smtpd_sender_restrictions configuration option, with check_sender_access as the configured restriction, like so:</div>
<div dir="ltr" data-setdir="false"><br></div>
<div dir="ltr" data-setdir="false">root@messagerie[10.10.10.19] ~ # grep /etc/postfix/maps/reject_senders /etc/postfix/main.cf<br>smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/maps/reject_senders<br>root@messagerie[10.10.10.19] ~ #</div>
<div dir="ltr" data-setdir="false"><br></div>
<div dir="ltr" data-setdir="false">Yasine.</div>
</div></body></html>
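An added example, not code from the message above or from Shorewall: a small Python evaluator for the policy and rules file shown in the message, with a constructed IP-to-country table standing in for the xt_geoip database and an assumed value for $sshport, so you can check which source addresses reach which ports on the firewall.

```python
import ipaddress

# Constructed stand-in for the xt_geoip database (network -> ISO country code).
GEOIP_DB = {
    "203.0.113.0/24": "DZ",
    "198.51.100.0/24": "US",
    "192.0.2.0/24": "CN",
}
SSHPORT = 2222  # assumed value of the $sshport variable in the rules file
POLICY_NET_TO_FW = "DROP"  # policy file: net -> $FW is DROP unless a rule matches

# Rules file from the message as (ACTION, SOURCE, PROTO, DEST PORTS); None = any port.
RULES = [
    ("ACCEPT", "net:192.168.0.0/16", "all", None),
    ("ACCEPT", "net:172.16.0.0/12", "all", None),
    ("ACCEPT", "net:10.10.10.0/24", "all", None),
    ("ACCEPT", "net:^[DZ,US,TN]", "all", None),
    ("ACCEPT", "net", "tcp", {SSHPORT, 25, 80, 443}),
]

def country_of(ip):
    """Country code for ip, or None when the database has no entry for it."""
    addr = ipaddress.ip_address(ip)
    for net, code in GEOIP_DB.items():
        if addr in ipaddress.ip_network(net):
            return code
    return None

def source_matches(spec, ip):
    """SOURCE column: 'net' (whole zone), 'net:CIDR', or 'net:^[CC,CC]' (geoip)."""
    if spec == "net":
        return True
    qualifier = spec.partition(":")[2]
    if qualifier.startswith("^[") and qualifier.endswith("]"):
        return country_of(ip) in qualifier[2:-1].split(",")
    return ipaddress.ip_address(ip) in ipaddress.ip_network(qualifier)

def verdict(ip, proto, port):
    """First matching rule wins; with no match the zone policy (DROP) applies."""
    for action, src, rproto, ports in RULES:
        if (source_matches(src, ip) and rproto in ("all", proto)
                and (ports is None or port in ports)):
            return action
    return POLICY_NET_TO_FW

def exposure(ip, ports=(SSHPORT, 25, 80, 443, 9000)):
    """Map each probed TCP port to its verdict for a given source address."""
    return {port: verdict(ip, "tcp", port) for port in ports}
```

Probing an address outside the listed countries makes the reach of the last rule visible: the SSH port, SMTP, HTTP and HTTPS are accepted from any country, and the country list only gates the remaining ports.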