GFI Software

Welcome to the GFI Software community forum! For support please open a ticket from https://support.gfi.com.

How do I import a boatload of IP addresses for blacklisting? [message #145326] Sat, 23 March 2019 01:05
SenseiNYC
Messages: 3
Registered: March 2019
I have over 1,000 IPv4 blocks that I want to block. Various blocks from all over the world. About 16,000 IPv4 blocks in total. I really do not want to add each one manually, and honestly it would be ridiculous to have to do so. I see there is no way to import a list of IPv4 blocks such as:

42.2.0.0/8
153.21.0.0/16

Again, we are talking a few THOUSAND IPv4 blocks. I tried browsing around the Kerio installation folder to hopefully find the file in which the blacklist configuration is located, no such luck.

Helpful suggestions welcomed. Thanks.
Re: How do I import a boatload of IP addresses for blacklisting? [message #145338 is a reply to message #145326] Mon, 25 March 2019 09:58
freakinvibe
Messages: 597
Registered: April 2004
I don't think you can do that easily in Kerio Connect (the mail server). To block such a huge amount of IP subnets, you should use your firewall.

Dexion Services AG - IT Support Services in Basel, Switzerland
https://dexionag.ch
Re: How do I import a boatload of IP addresses for blacklisting? [message #145341 is a reply to message #145338] Mon, 25 March 2019 13:17
SenseiNYC
Messages: 3
Registered: March 2019
I am currently using my firewall to do the task but that is not the point. I am asking about doing it in Kerio and alleviating the stress from the firewall. The firewall can only REJECT; I want all IP blocks in the list to be marked/tagged, not blocked. This is why I need it on Kerio, not the firewall.
Re: How do I import a boatload of IP addresses for blacklisting? [message #145344 is a reply to message #145341] Mon, 25 March 2019 17:31
Maerad
Messages: 275
Registered: August 2013
SenseiNYC wrote on Mon, 25 March 2019 13:17
I am currently using my firewall to do the task but that is not the point. I am asking about doing it in Kerio and alleviating the stress from the firewall. The firewall can only REJECT; I want all IP blocks in the list to be marked/tagged, not blocked. This is why I need it on Kerio, not the firewall.
With all due respect, the mailserver will be more under fire with something like this than your firewall. And if the firewall has a problem with rejecting 42.2.0.0/8, 153.21.0.0/16 in terms of performance, you should really get a new one. Hell, even a Raspi with pfsense would idle with a simple task like that.

If you REALLY want to do this with Kerio, you add a new group under "IP Address groups" and below the new group you can add IP address ranges like 42.2.0.1-42.2.255.254 for 42.2.0.0/8 or as mask with network 42.2.0.0 with Netmask 255.0.0.0 (that's /8).

In the tab Spamfilter you select under Blacklist "Use IP Address Group" and select the new group you have added. That way you can add multiple IP ranges to one group to be blocked.

But like I said - this is something that should be done in the firewall and NOT in the mailserver. I mean, it should be possible to add a filter in the firewall logs to see those address ranges being rejected, or?

EDIT:
Damn, I just discovered you wanna add 4k of subnets like that, misread that. Dude. Honestly. No. Just No. What are those subnets? From a spamlist? Use Kerio's Spamfilter with Spamcop etc. If it's geoIP blocking - do that in the firewall and use it with automatic updates.

Kerio will do a Spamlookup EVERY TIME there is a mail transferred! And it needs to look up a fucking huge IP address file for that. THAT will be funny. Even more so, if the process is locked to one core/thread. This HAS to be done on firewall level! Get PFSense as firewall, add suricata for additional protection and pfBlockerNG for GeoIP and whatever blocking. Really.

Another solution would be a spamfilter proxy set before Kerio Connect. Those are made to handle something like you want and add additional headers to mails to let Kerio do an additional rule. I believe Kerio can also do it, but the performance impact would be really bad. I know what you're trying to do, but as long as Kerio has no option like that, it's also not tailored for it. Like geoIP blocking/spam tag increase if it's .ru .ga or whatever.

If you really wanna try it, open the mailserver.cfg and add those with the lines under

<list name="IpAccessList">
<listitem>
<variable name="Name">Local clients</variable>

... and so on. Add the groups like I said and do a copy/paste to create the additional lines with Excel or whatever you can use for that task. But this WILL blow up your mailserver.cfg and most likely kick the server in the nuts. It's simply not made for this kind of work. You can block some specific addresses, but I'm sure they never made it for like 200 million IP addresses. That's also why there is no import feature.

[Updated on: Mon, 25 March 2019 17:55]
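
An added example, not part of any post above and not Kerio code: before entering blocks into an IP address group, a list can be validated, collapsed, and converted into the two entry forms mentioned in the thread (network plus netmask, or an address range). The sample list is constructed around the two blocks quoted in the thread; the script does not write mailserver.cfg, because the thread shows only the first lines of that file's format.

```python
import ipaddress

# Constructed sample input: the two blocks quoted in the thread plus
# constructed entries showing overlap, adjacency, a comment and a bad line.
SAMPLE = """\
# constructed sample blocklist
42.2.0.0/8
153.21.0.0/16
153.21.4.0/24
198.51.100.0/25
198.51.100.128/25
not-an-ip
"""

def parse_blocks(text):
    """Return (networks, rejected_lines). Host bits are masked off, so
    '42.2.0.0/8' is read as 42.0.0.0/8 instead of raising ValueError."""
    nets, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        try:
            nets.append(ipaddress.IPv4Network(line, strict=False))
        except ValueError:
            rejected.append((lineno, raw))    # keep for manual review
    return nets, rejected

def to_group_rows(nets):
    """Collapse overlapping/adjacent blocks, then return one row per block
    as network + netmask and as a first-last range covering the whole block."""
    rows = []
    for net in ipaddress.collapse_addresses(nets):
        rows.append({
            "cidr": str(net),
            "network": str(net.network_address),
            "netmask": str(net.netmask),
            "range": f"{net.network_address}-{net.broadcast_address}",
        })
    return rows

if __name__ == "__main__":
    nets, rejected = parse_blocks(SAMPLE)
    for row in to_group_rows(nets):
        print(row["network"], row["netmask"], row["range"], sep="\t")
    for lineno, raw in rejected:
        print(f"skipped line {lineno}: {raw!r}")
```

Collapsing first matters for the list sizes discussed here: contained and adjacent blocks merge, so the number of entries the mail server or firewall has to evaluate drops before anything is imported.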

Re: How do I import a boatload of IP addresses for blacklisting? [message #145597 is a reply to message #145344] Fri, 19 April 2019 19:40
SenseiNYC
Messages: 3
Registered: March 2019
We are using a Netgate XG7100-1U (pfSense) currently with pfBlocker and still some things do slip through the cracks. We wish to load a few hundred to a few thousand blocks so your suggestion won't work. The customer is a small private hospital and there are only specific places that email should be coming in from. This is why we wish to block out as much trash as possible.
Re: How do I import a boatload of IP addresses for blacklisting? [message #145651 is a reply to message #145597] Sat, 27 April 2019 00:41
bigmountain
Messages: 65
Registered: April 2006

If it is only a few places Mail would be coming from, could you do the opposite and block all IPs over the mail ports and only open those ports up for those that need it? I don't know how realistic that is or if you really mean just a few places.

Preferred Kerio Partner and Cloud Solutions Provider - Offering both shared and dedicated Kerio Connect hosting solutions.
Visit us at http://bigmountainmail.com
Re: How do I import a boatload of IP addresses for blacklisting? [message #145682 is a reply to message #145651] Tue, 30 April 2019 17:34
Maerad
Messages: 275
Registered: August 2013
If there are only a few places that are allowed for mail, why don't you use whitelisting instead of blacklisting? Could that reduce the numbers?
If you already use PFSense, this would be easy to accomplish, by setting filtering rules etc. on specific ports. AFAIK you can even import them.