How do I lock down my Postfix server to only accept deliveries from SpamHero IPs?

These instructions have only been lightly tested but should give a good overview of how to configure your Postfix server to only allow deliveries from SpamHero IP addresses. These instructions should work for Postfix v2.2 and newer.

SpamHero settings

Before getting started, confirm that your domain is configured to use the SpamHero static delivery IPs.

  1. From within the SpamHero control panel go to Settings > Delivery Mail host or use this shortcut: https://www.spamhero.com/cp/settings/mail-host
  2. On the Delivery mail host page, switch your Mail host configuration to Mail host will only accept email from specific IPs or on a specific port. Doing so will ensure that we always use the same IPs to deliver your mail. You can also find the most current list of IP addresses here.

Postfix settings

Always make a backup copy of your Postfix configs before making any changes:

    sudo tar -czvf /etc/postfix-beforeSpamHeroUpdate.tar.gz /etc/postfix

If something goes wrong and you need to revert all changes, use this line (tar stores the files as etc/postfix/..., so extract relative to /):

    sudo tar -xzvf /etc/postfix-beforeSpamHeroUpdate.tar.gz -C /

  1. Open the Postfix configuration file, usually located at /etc/postfix/main.cf, in a text editor with administrative privileges.
  2. Add or modify the following settings:

    If any of these settings already exist, do not replace them. Instead, add the associated values to the end of the same line (without introducing any duplicate values). For example, if your config already has smtpd_recipient_restrictions, copy the values from the settings below to the end of the existing config line and then remove any repeated values so that reject remains at the end of the line.

    # Only accept deliveries to local users from these IP addresses.
    # The table holds CIDR ranges, so it must be read as a cidr: table
    # (a hash: table only matches exact keys, never a range such as /27).
    smtpd_recipient_restrictions = permit_mynetworks, check_client_access cidr:/etc/postfix/client_ip, reject
    
    # Only allow relaying from trusted IP addresses
    smtpd_relay_restrictions = permit_mynetworks, reject
    
    # Specify the allowed IP addresses and ranges for deliveries to local users
    smtpd_client_restrictions = check_client_access cidr:/etc/postfix/client_ip
    
    # Only allow the XFORWARD command from the allowed IP addresses and ranges
    smtpd_authorized_xforward_hosts = cidr:/etc/postfix/client_ip

  3. Save and close the main.cf file.
  4. Create or modify the file /etc/postfix/client_ip with the following IP ranges (add your own authorized IP addresses to this list as well):

    108.60.195.192/27   OK
    108.166.161.224/27  OK
    208.53.48.0/24      OK
    209.41.68.0/24      OK
    209.105.224.160/27  OK
    216.172.106.0/26    OK
    

    As of February 24, 2023, this includes IP addresses that have yet to be officially published in the SpamHero control panel (but should be soon).

  5. Save and close the client_ip file.
  6. Use the postmap command to create a hashed database file for the client_ip file:

    sudo postmap /etc/postfix/client_ip
  7. Reload the Postfix configuration by running:

    sudo postfix reload

With these settings, Postfix should only accept deliveries to local users from SpamHero IP addresses and ranges, and it will reject any delivery attempts from other IP addresses.
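Before reloading, it helps to check that the client_ip table parses cleanly and that addresses just inside and just outside a range get the result you expect. The following is an added example, not SpamHero's or Postfix's own code: the function names `parse_cidr_table` and `lookup` are hypothetical, the test addresses are constructed, and it covers only the plain "network action" lines used in step 4 with first-match-wins evaluation.

```python
import ipaddress

# The table from step 4 of this page, embedded so the check runs offline.
CLIENT_IP_TABLE = """\
108.60.195.192/27   OK
108.166.161.224/27  OK
208.53.48.0/24      OK
209.41.68.0/24      OK
209.105.224.160/27  OK
216.172.106.0/26    OK
"""

def parse_cidr_table(text):
    """Return ([(network, action)], [error strings]) for a cidr-style table."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            errors.append(f"line {lineno}: missing action")
            continue
        try:
            # strict=True flags host bits set beyond the mask (e.g. 10.0.0.5/24)
            net = ipaddress.ip_network(parts[0], strict=True)
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            continue
        rules.append((net, parts[1].strip()))
    return rules, errors

def lookup(rules, client_ip):
    """First matching rule wins; None means no match, so the final 'reject' applies."""
    addr = ipaddress.ip_address(client_ip)
    for net, action in rules:
        if addr.version == net.version and addr in net:
            return action
    return None

if __name__ == "__main__":
    rules, errors = parse_cidr_table(CLIENT_IP_TABLE)
    for err in errors:
        print("ERROR", err)
    # Constructed samples: first and last address of a /27, one past it, and an outsider.
    for ip in ("108.60.195.192", "108.60.195.223", "108.60.195.224", "203.0.113.10"):
        print(ip, "->", lookup(rules, ip) or "no match (rejected)")
```

To check your live file instead, read /etc/postfix/client_ip and pass its contents to `parse_cidr_table`, then add your own authorized addresses to the sample list.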


Last updated May 27, 2023