Filtering by country

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Filtering by country

Anvar Kuchkartaev
Is it possible to filter out logins by country (I would like to limit dovecot instance users to log in only from specific countries)?‎‎

Anvar Kuchkartaev 
[hidden email] 
Reply | Threaded
Open this post in threaded view
|

Re: Filtering by country

lists
For a global filter, that is filter all accounts, I use the data provided by ip2location. I put the CIDRs for all the countries where I don't plan on sending or retrieving mail in the ipfw firewall. Block all mail ports other than 25.

Noye by not blocking 25, you can still receive email independent of the countries you blocked. You just can send or retrieve via pop/images.

This assumes an email server using 587.

I have an extensive list of IP space consisting of hosts, VPN, and VPS that I also keep away from the server excluding 25. Basically you can block IP space that you don't expect to use. Since my server is just for me, I can get very aggressive in blocking.



  Original Message  
From: [hidden email]
Sent: October 15, 2017 6:43 PM
To: [hidden email]
Subject: Filtering by country

Is it possible to filter out logins by country (I would like to limit dovecot instance users to log in only from specific countries)?‎‎

Anvar Kuchkartaev 
[hidden email] 
Reply | Threaded
Open this post in threaded view
|

Re: Filtering by country

Aki Tuomi-2
Another good alternative is to use auth_policy_server along with Weakforced (https://github.com/PowerDNS/weakforced) to do this filtering. It has GeoIP support, and since dovecot does auth policy lookup before and after user authentication, you can set some cos attribute in the user's account and pass that on to weakforced so it knows to refuse the login if it comes from unexpected country.

Aki

> On October 16, 2017 at 5:21 AM Gary <[hidden email]> wrote:
>
>
> For a global filter, that is filter all accounts, I use the data provided by ip2location. I put the CIDRs for all the countries where I don't plan on sending or retrieving mail in the ipfw firewall. Block all mail ports other than 25.
>
> Noye by not blocking 25, you can still receive email independent of the countries you blocked. You just can send or retrieve via pop/images.
>
> This assumes an email server using 587.
>
> I have an extensive list of IP space consisting of hosts, VPN, and VPS that I also keep away from the server excluding 25. Basically you can block IP space that you don't expect to use. Since my server is just for me, I can get very aggressive in blocking.
>
>
>
>   Original Message  
> From: [hidden email]
> Sent: October 15, 2017 6:43 PM
> To: [hidden email]
> Subject: Filtering by country
>
> Is it possible to filter out logins by country (I would like to limit dovecot instance users to log in only from specific countries)?‎‎
>
> Anvar Kuchkartaev 
> [hidden email]