This is probably something you can more easily control by using a reverse proxy like Traefik, or placing both systems within a VPN (perhaps Tailscale?).

Postfix

For Postfix, you'll need to edit the /etc/postfix/master.cf config for the submission (port 587) and submissions (port 465) entries.

Restricting client by IP

There should be a line like -o smtpd_client_restrictions, you'll need to modify it to instead look like this:

-o { smtpd_client_restrictions=check_client_access cidr:{{172.16.42.10 OK}},reject }

• The { } wrapping around most of the line there permits spaces, which AFAIK is required for check_client_access to provide the CIDR table.
• Any other client IP would not have provided OK, so the next rule is to reject.

For reference, these are what DMS has configured by default:

# 25:
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
# 587 / 465:
smtpd_client_restrictions = permit_sasl_authenticated, reject

Restrict by IP but also continue to require authentication

This below variation appears to work without needing check_client_access, although the space between the IP and action is still required (preventing using this via postconf -P in user-patches.sh, which means it will be inconvenient to modify master.cf):

-o { smtpd_client_restrictions=cidr:{{!172.16.42.10 REJECT}},permit_sasl_authenticated,reject }

The rule was changed with a ! in front of the IP along with the action, which allows us to additionally add the additional check that you've provided correct credentials to submit mail for DMS to send.

Compatibility with postconf -P / postfix-master.cf via separate CIDR file

To workaround the space issue, you can move the CIDR table to a separate file, then use our support for Postfix overrides with postfix-master.cf:

submission/inet/smtpd_client_restrictions=cidr:/etc/postfix/trusted_clients,permit_sasl_authenticated,reject
submissions/inet/smtpd_client_restrictions=cidr:/etc/postfix/trusted_clients,permit_sasl_authenticated,reject

/etc/postfix/trusted_clients (replace with your trusted IP):

!172.16.42.10 REJECT

Compatibility with postfix-main.cf for CIDR table via custom parameter

With v14 of DMS, a bug will be fixed which instead would allow you to also use postfix-main.cf with a custom parameter instead of a separate CIDR map file like /etc/postfix/trusted_clients:

postfix-main.cf:

dms_trusted_clients= cidr:{{!172.16.42.10 REJECT}}, permit_sasl_authenticated, reject

postfix-master.cf:

submission/inet/smtpd_client_restrictions=$dms_trusted_clients
submissions/inet/smtpd_client_restrictions=$dms_trusted_clients

Elsewhere

You'll also want similar config for Dovecot, and if you need to login for anything else like supervisord/rspamd web UI.

If you instead restrict access to those ports via reverse proxy instead, that'd simplify configuration for you. For example with Traefik 3.0:

services:
  dms:
    labels:
      - traefik.tcp.middlewares.trusted_clients.ipallowlist.sourcerange=172.16.42.10
      # Then for each router (authenticated ports 587/465/143/993/etc), add a label to use the middleware:
      - traefik.tcp.routers.smtp-submissions.middlewares=trusted_clients

NOTE: Traefik 2.x calls the same middleware ipwhitelist.

If you already have a reverse proxy in your setup, do note that if the original client IP is not preserved (eg via PROXY protocol), then you could not apply the Postfix advice securely, as you'd always have the reverse proxy as the client IP. Similarly if you have any other hops between the client, ensure the client IP is properly preserved 👍

If all the above is too much, just use a strong password and you should be ok 👍 Fail2Ban can be enabled to block anyone else attempting to login repeatedly failing auth.