Firewall
The Firewall section manages IP-based access rules for the SMTP service. These rules operate at the network level (nftables) and take effect before Postfix.
Rule Types
| Type | Description |
|---|---|
| Allow | Explicitly allow an IP/CIDR (highest priority) |
| Block | Permanently block an IP/CIDR (SMTP connection immediately dropped) |
| Rate Limit | Limit connection rate for an IP/CIDR |
Creating Rules
Click + Add Rule to open the form:
| Field | Description |
|---|---|
| IP / CIDR | Single IP (1.2.3.4) or CIDR block (1.2.3.0/24) |
| Action | allow, block, or rate-limit |
| Port | SMTP port (25 or 587 or both) |
| Comment | Optional description (e.g. Spammer IP from abuse report) |
Behaviour
- Rules take effect immediately (no restart required)
- In a cluster, firewall rules are replicated to all nodes
- With block: connection is immediately dropped, no SMTP banner
- With allow: IP is exempt from Postscreen and rate limiting
Recommendations
- Add all known spam sources (abuse reports, own experience) here
- Add internal networks with allow so they are never blocked
- Use very broad CIDR blocks (/8, /16) only after careful review
Don't block your own IP
Before adding a block, verify that your own management IP or network is not affected. Accidentally blocking your own IP locks you out of the management interface.
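
The review steps recommended above (check for overlap with your own networks, and treat /8 or /16 blocks with care) can be run before a rule is entered in the form. The following Python sketch is an added example and not part of the product; the function name `review_rule`, the `PROTECTED` list and its addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample values: replace with your own management IP and internal networks.
PROTECTED = ["192.0.2.10/32", "10.0.0.0/8"]
ACTIONS = {"allow", "block", "rate-limit"}   # actions listed in the rule form
PORTS = {25, 587}                            # ports listed in the rule form
BROAD_V4_PREFIX = 16                         # the page names /8 and /16 as very broad


def review_rule(target, action, ports, protected=PROTECTED):
    """Return findings for a proposed rule; an empty list means no objection."""
    findings = []
    if action not in ACTIONS:
        findings.append(f"unknown action: {action!r}")
    if not ports or set(ports) - PORTS:
        findings.append(f"ports must be 25, 587 or both, got {sorted(ports)}")
    try:
        # strict=True rejects host bits under the mask, e.g. 1.2.3.4/24
        net = ipaddress.ip_network(target, strict=True)
    except ValueError as exc:
        findings.append(f"invalid IP/CIDR: {exc}")
        return findings
    # Only IPv4 is checked for breadth; the page gives no IPv6 threshold.
    if net.version == 4 and net.prefixlen <= BROAD_V4_PREFIX:
        findings.append(f"{net} is a very broad block, review before adding")
    if action != "allow":
        for entry in protected:
            own = ipaddress.ip_network(entry, strict=False)
            # overlaps() is only meaningful within one address family
            if own.version == net.version and own.overlaps(net):
                findings.append(f"{action} on {net} would hit protected range {own}")
    return findings


if __name__ == "__main__":
    for rule in [("203.0.113.7", "block", [25]),
                 ("192.0.2.0/24", "block", [25, 587]),
                 ("0.0.0.0/0", "rate-limit", [25])]:
        print(rule, "->", review_rule(*rule) or "ok")
```

An empty result means the rule touches none of the protected ranges and is not unusually broad; any finding should be resolved before the rule is saved, since rules take effect immediately.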