
Re: permit_sasl_authenticated ONLY from one interface

  • Simone Felici
    Message 1 of 11 , Nov 30, 2008
      Simone Felici wrote:
      > Hi to all!
      >
      > I've tested successfully a simple smtp server with SMTP authenticated.
      > Now I would like to do the following:
      >
      > My server has two interfaces with IP1 and IP2.
      > I would like to setup postfix to permit AUTH-SMTP only for sessions
      > incoming on IP1 and normal SMTP sessions on IP2.
      > I've only found how to apply restrictions on sender (ip/domain) but have
      > no idea how to manage different policies depending
      > on which smtp-IP the client is using.
      >
      > Can someone help me a little or post me a really simple example?
      >
      > Thanks
      >
      > Simon
      >
      >


      Thanks everyone: Wietse and postfix@... for answers.
      I'll take a look and test the "submission" service. :)

      Simon
    • Simone Felici
      Message 2 of 11 , Dec 1, 2008
        mouss wrote:
        > Simone Felici wrote:
        >> Why? Uhm, dunno...
        >> It seems certain mailclients have Authenticated smtp enabled as default
        >> and if the client finds the smtp server supports it, then it tries to send
        >> in auth. This returns an error, due to inappropriate settings of the client.
        >
        > if you know their IPs, you can use smtpd_discard_ehlo_keyword_address_maps
        >


        Mouss,
        this could be a solution... but haven't found any example or documentation to try it.
        Could you point me at any example?

        The initial problem was:
        I've an SMTP server for customers, with standard smtp open only from a range of IPs.
        Could I provide normal smtp service for customers of a range of known IP (like now) and open my server to all the world
        for smtp service but ONLY if authenticated smtp is used?

        Is the MUA with an IP of my customers?
        YES: It can send without any authentication.
        NO: It can send ONLY if a user/pass is provided.

        Simon







        --
        Simone Felici E-Mail: s.felici@...
        Divisione Tecnica Tel: 0461 030 111
        Alpikom S.p.A. Fax: 0461 030 112
        v.Fersina, 23 - 38100 Trento URL: http://www.alpikom.it
      • mouss
        Message 3 of 11 , Dec 1, 2008
          Simone Felici wrote:
          > mouss wrote:
          >> Simone Felici wrote:
          >>> Why? Uhm, dunno...
          >>> It seems certain mailclients have Authenticated smtp enabled as default
          >>> and if the client finds the smtp server supports it, then it tries to send
          >>> in auth. This returns an error, due to inappropriate settings of the client.
          >>
          >> if you know their IPs, you can use
          >> smtpd_discard_ehlo_keyword_address_maps
          >>
          >
          >
          > Mouss,
          > this could be a solution... but haven't found any example or documentation
          > to try it.
          > Could you point me at any example?

          make sure to read:

          http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps



          smtpd_discard_ehlo_keyword_address_maps = hash:/etc/postfix/discard_ehlo

          == discard_ehlo
          10.1.2.3 starttls, auth, silent-discard

          (silent-discard prevents postfix from logging this "keyword discard"
          action).


          >
          > The initial problem was:
          > I've an SMTP server for customers, with standard smtp open only from a
          > range of IPs.
          > Could I provide normal smtp service for customers of a range of known IP
          > (like now) and open my server to all the world for smtp service but ONLY
          > if authenticated smtp is used?
          >
          > Is the MUA with an IP of my customers?
          > YES: It can send without any authentication.
          > NO: It can send ONLY if a user/pass is provided.
          >
        • Noel Jones
          Message 4 of 11 , Dec 1, 2008
            mouss wrote:
            > Simone Felici wrote:
            >> mouss wrote:
            >>> Simone Felici wrote:
            >>>> Why? Uhm, dunno...
            >>>> It seems certain mailclients have Authenticated smtp enabled as default
            >>>> and if the client finds the smtp server supports it, then it tries to send
            >>>> in auth. This returns an error, due to inappropriate settings of the client.
            >>> if you know their IPs, you can use
            >>> smtpd_discard_ehlo_keyword_address_maps
            >>>
            >>
            >> Mouss,
            >> this could be a solution... but haven't found any example or documentation
            >> to try it.
            >> Could you point me at any example?
            >
            > make sure to read:
            >
            > http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps
            >
            >
            >
            > smtpd_discard_ehlo_keyword_address_maps = hash:/etc/postfix/discard_ehlo
            >
            > == discard_ehlo
            > 10.1.2.3 starttls, auth, silent-discard
            >
            > (silent-discard prevents postfix from logging this "keyword discard"
            > action).
            >
            >


            (discarding starttls may be too much, but OP can decide for
            himself)


            I think this is even easier:
            http://www.postfix.org/postconf.5.html#smtpd_sasl_exceptions_networks

            The simplest form of this is:
            # main.cf
            smtpd_sasl_exceptions_networks = $mynetworks


            >> The initial problem was:
            >> I've an SMTP server for customers, with standard smtp open only from a
            >> range of IPs.
            >> Could I provide normal smtp service for customers of a range of known IP
            >> (like now) and open my server to all the world for smtp service but ONLY
            >> if authenticated smtp is used?
            >>
            >> Is the MUA with an IP of my customers?
            >> YES: It can send without any authentication.
            >> NO: It can send ONLY if a user/pass is provided.
            >>
            >

            The behavior you describe is the standard settings:

            smtpd_recipient_restrictions =
                permit_mynetworks
                permit_sasl_authenticated
                reject_unauth_destination
                ... other restrictions ...

            You only need to make special arrangements such as mouss and I
            describe when you don't want to ever offer AUTH to local
            clients. Offering AUTH to everyone does not present a problem
            to the vast majority of clients.

            --
            Noel Jones
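
The per-interface split from the original question, combined with the relay policy Noel Jones describes above, as an added example that is not part of the thread: two `smtpd` listeners in `master.cf`, one per address, each overriding the relevant `main.cf` settings. The addresses 192.0.2.10 and 192.0.2.20 are placeholders for IP1 and IP2; the block assumes the SASL backend is already working in `main.cf`, and `smtpd_tls_auth_only` assumes TLS is already configured there.

```conf
# /etc/postfix/master.cf (added example, not from the thread)
# 192.0.2.10 and 192.0.2.20 are placeholder addresses standing in for IP1 and IP2.
# These two entries replace the stock "smtp inet ... smtpd" line, which would
# otherwise bind every address in inet_interfaces and collide with them.
#
# service         type  private unpriv  chroot  wakeup  maxproc command + args

# IP1: AUTH is advertised. Relaying requires a successful SASL login;
# unauthenticated clients can still deliver to domains this server hosts.
# smtpd_tls_auth_only keeps credentials off cleartext sessions (assumption:
# TLS certificates are already set up in main.cf).
192.0.2.10:smtp   inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination

# IP2: plain SMTP. AUTH is never advertised here, so clients that try AUTH
# whenever it is offered are not affected. Relaying only from $mynetworks.
192.0.2.20:smtp   inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=no
  -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
```

After a restart, an EHLO against each address should list AUTH only on 192.0.2.10, and there only once STARTTLS has been negotiated.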
          • mouss
            Message 5 of 11 , Dec 1, 2008
              Noel Jones wrote:
              > mouss wrote:
              >> Simone Felici wrote:
              >>> mouss wrote:
              >>>> Simone Felici wrote:
              >>>>> Why? Uhm, dunno...
              >>>>> It seems certain mailclients have Authenticated smtp enabled as default
              >>>>> and if the client finds the smtp server supports it, then it tries to
              >>>>> send
              >>>>> in auth. This returns an error, due to inappropriate settings of the
              >>>>> client.
              >>>> if you know their IPs, you can use
              >>>> smtpd_discard_ehlo_keyword_address_maps
              >>>>
              >>>
              >>> Mouss,
              >>> this could be a solution... but haven't found any example or documentation
              >>> to try it.
              >>> Could you point me at any example?
              >>
              >> make sure to read:
              >>
              >> http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps
              >>
              >>
              >>
              >>
              >> smtpd_discard_ehlo_keyword_address_maps = hash:/etc/postfix/discard_ehlo
              >>
              >> == discard_ehlo
              >> 10.1.2.3 starttls, auth, silent-discard
              >>
              >> (silent-discard prevents postfix from logging this "keyword discard"
              >> action).
              >>
              >>
              >
              >
              > (discarding starttls may be too much, but OP can decide for himself)
              >

              yes. I only cited it to show that multiple keywords can be discarded.

              >
              > I think this is even easier:
              > http://www.postfix.org/postconf.5.html#smtpd_sasl_exceptions_networks
              >
              > The simplest form of this is:
              > # main.cf
              > smtpd_sasl_exceptions_networks = $mynetworks
              >
              >
              >>> The initial problem was:
              >>> I've an SMTP server for customers, with standard smtp open only from a
              >>> range of IPs.
              >>> Could I provide normal smtp service for customers of a range of known IP
              >>> (like now) and open my server to all the world for smtp service but ONLY
              >>> if authenticated smtp is used?
              >>>
              >>> Is the MUA with an IP of my customers?
              >>> YES: It can send without any authentication.
              >>> NO: It can send ONLY if a user/pass is provided.
              >>>
              >>
              >
              > The behavior you describe is the standard settings:
              >
              > smtpd_recipient_restrictions =
              >     permit_mynetworks
              >     permit_sasl_authenticated
              >     reject_unauth_destination
              >     ... other restrictions ...
              >
              > You only need to make special arrangements such as mouss and I describe
              > when you don't want to ever offer AUTH to local clients. Offering AUTH
              > to everyone does not present a problem to the vast majority of clients.
              >

              It's unclear whether he actually found misbehaving MUAs or if he is just
              fearing the unknown ;-p
            • Simone Felici
              Message 6 of 11 , Dec 1, 2008
                Noel Jones wrote:
                > mouss wrote:

                >>> Mouss,
                >>> this could be a solution... but haven't found any example or documentation
                >>> to try it.
                >>> Could you point me at any example?
                >>
                >> make sure to read:
                >>
                >> http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps
                >>
                >>
                >>
                >>
                >> smtpd_discard_ehlo_keyword_address_maps = hash:/etc/postfix/discard_ehlo
                >>
                >> == discard_ehlo
                >> 10.1.2.3 starttls, auth, silent-discard
                >>
                >> (silent-discard prevents postfix from logging this "keyword discard"
                >> action).
                >>
                >>

                Both are good solutions, I'll try these!

                Thanks a lot!!!

                Simon