Networking HowTos

Limit Postfix to listen on specific IP addresses

February 14, 2012 Linux

On a default install, Postfix listens on all interfaces/IP addresses on your machine. Sometimes this is not what you want. For example, the computer may be connected directly to the internet on one network interface and to a LAN on another, and you may want the SMTP server to be used only for internal mail, with no access from the internet. You can do this by specifying only the internal address (as well as localhost) for Postfix to listen on.
The example below limits SMTP access to localhost only, so no other computers on the network can access it.
This is configured in the main.cf configuration file. Open it in your editor of choice.

$ sudo nano /etc/postfix/main.cf

Find the following configuration option in the file:

inet_interfaces = all

Either comment this line out and duplicate it underneath, or simply modify the line. I chose to comment out and duplicate the line in case I needed to change it back.
Replace the ‘all’ text with a list of the IP addresses, separated by commas, that you want Postfix to listen on.

#inet_interfaces = all
inet_interfaces = 127.0.0.1

Save the file, and exit the editor.
Restart Postfix to activate these changes.

$ sudo /etc/init.d/postfix restart

You can now run the ‘netstat -an’ command and see that Postfix is only listening on port 25 on the specific IP addresses you configured, instead of 0.0.0.0.
The netstat output for my example would look something like this:

$ netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN

More information on the inet_interfaces syntax is available here:
http://www.postfix.org/postconf.5.html#inet_interfaces
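
The netstat check described above can be scripted so that it fails whenever port 25 is bound to a wildcard or to an address outside an allow-list. This is an added example, not part of the original article; the function names smtp_listen_addrs and check_smtp_binding and the sample netstat lines are constructed for illustration, and Linux-style ‘netstat -an’ output is assumed.

```shell
#!/bin/sh
# Added example: audit port-25 listeners in `netstat -an` output (Linux format).

# Constructed sample: the restricted configuration from this page.
SAMPLE_RESTRICTED='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Constructed sample: inet_interfaces = all (IPv4 and IPv6 wildcard listeners).
SAMPLE_DEFAULT='tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp6       0      0 :::25                   :::*                    LISTEN
tcp        0      0 192.0.2.10:25           198.51.100.7:41234      ESTABLISHED'

# Print the local address (port stripped) of each TCP LISTEN socket on port 25.
smtp_listen_addrs() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
        n = match($4, /:[0-9]+$/)          # last ":" separates host and port
        if (n && substr($4, n + 1) == "25") print substr($4, 1, n - 1)
    }' | sort -u
}

# Usage: netstat -an | check_smtp_binding ALLOWED_ADDR...
# Returns 0 only if every port-25 listener is in the allow-list.
# Wildcard binds (0.0.0.0, ::) always fail: they accept mail on every interface.
check_smtp_binding() {
    rc=0
    for host in $(smtp_listen_addrs); do
        ok=0
        for allowed in "$@"; do
            if [ "$host" = "$allowed" ]; then ok=1; fi
        done
        case "$host" in 0.0.0.0|::) ok=0 ;; esac
        if [ "$ok" -eq 1 ]; then
            echo "OK   listener on $host"
        else
            echo "FAIL listener on $host"; rc=1
        fi
    done
    return "$rc"
}

# Demo on the constructed samples; on a live host pipe in `netstat -an` instead.
printf '%s\n' "$SAMPLE_RESTRICTED" | check_smtp_binding 127.0.0.1
printf '%s\n' "$SAMPLE_DEFAULT" | check_smtp_binding 127.0.0.1 || echo "default config rejected"
```

The check passes when nothing is listening on port 25 at all, so pair it with a separate test that Postfix is running if you use it in monitoring.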


  • Mark October 4, 2012 at 3:21 am

    Excellent – worked with an old release of Postfix on Solaris 9 (no IPTables to block port 25). How old? Don’t know, but the startup script doesn’t even have the restart option.