Re: permit_sasl_authenticated ONLY from one interface

  • mouss
    Message 1 of 11 , Dec 1, 2008
      Simone Felici wrote:
      > mouss wrote:
      >> Simone Felici wrote:
      >>> Why? Uhm, dunno...
      >>> It seems certain mail clients have Authenticated smtp enabled as default
      >>> and if the client finds the smtp server supports it, then it tries to send
      >>> in auth. This returns an error, due to inappropriate settings of the client.
      >>
      >> if you know their IPs, you can use
      >> smtpd_discard_ehlo_keyword_address_maps
      >>
      >
      >
      > Mouss,
      > this could be a solution... but haven't found any example or documentation
      > to try it.
      > Could you point me at any example?

      make sure to read:

      http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps



      smtpd_discard_ehlo_keyword_address_maps =
          hash:/etc/postfix/discard_ehlo

      == discard_ehlo
      10.1.2.3 starttls, auth, silent-discard

      (silent-discard prevents postfix from logging this "keyword discard"
      action).


      >
      > The initial problem was:
      > I've an SMTP server for customers, with standard smtp open only from a
      > range of IPs.
      > Could I provide normal smtp service for customers of a range of known IP
      > (like now) and open my server to all the world for smtp service but ONLY
      > if authenticated smtp is used?
      >
      > Is the MUA with an IP of my customers?
      > YES: It can send without any authentication.
      > NO: It can send ONLY if a user/pass is provided.
      >
    • Noel Jones
      Message 2 of 11 , Dec 1, 2008
        mouss wrote:
        > Simone Felici wrote:
        >> mouss wrote:
        >>> Simone Felici wrote:
        >>>> Why? Uhm, dunno...
        >>>> It seems certain mail clients have Authenticated smtp enabled as default
        >>>> and if the client finds the smtp server supports it, then it tries to send
        >>>> in auth. This returns an error, due to inappropriate settings of the client.
        >>> if you know their IPs, you can use
        >>> smtpd_discard_ehlo_keyword_address_maps
        >>>
        >>
        >> Mouss,
        >> this could be a solution... but haven't found any example or documentation
        >> to try it.
        >> Could you point me at any example?
        >
        > make sure to read:
        >
        > http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps
        >
        >
        >
        > smtpd_discard_ehlo_keyword_address_maps =
        >     hash:/etc/postfix/discard_ehlo
        >
        > == discard_ehlo
        > 10.1.2.3 starttls, auth, silent-discard
        >
        > (silent-discard prevents postfix from logging this "keyword discard"
        > action).
        >
        >


        (discarding starttls may be too much, but OP can decide for
        himself)


        I think this is even easier:
        http://www.postfix.org/postconf.5.html#smtpd_sasl_exceptions_networks

        The simplest form of this is:
        # main.cf
        smtpd_sasl_exceptions_networks = $mynetworks


        >> The initial problem was:
        >> I've an SMTP server for customers, with standard smtp open only from a
        >> range of IPs.
        >> Could I provide normal smtp service for customers of a range of known IP
        >> (like now) and open my server to all the world for smtp service but ONLY
        >> if authenticated smtp is used?
        >>
        >> Is the MUA with an IP of my customers?
        >> YES: It can send without any authentication.
        >> NO: It can send ONLY if a user/pass is provided.
        >>
        >

        The behavior you describe is the standard settings:

        smtpd_recipient_restrictions =
            permit_mynetworks
            permit_sasl_authenticated
            reject_unauth_destination
            ... other restrictions ...

        You only need to make special arrangements such as mouss and I
        describe when you don't want to ever offer AUTH to local
        clients. Offering AUTH to everyone does not present a problem
        to the vast majority of clients.

        --
        Noel Jones
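
Added example, not part of Noel Jones's message and not Postfix code: a simplified Python model of the restriction list above combined with `smtpd_sasl_exceptions_networks = $mynetworks`, showing which clients are offered AUTH and who may relay. The networks, domain names and function names are constructed assumptions; the model covers only the three restrictions listed and assumes a client that is not offered AUTH does not authenticate.

```python
"""Simplified model of the access policy discussed in this thread.
Added illustration only; this is not Postfix code."""
from ipaddress import ip_address, ip_network

# Constructed sample values (assumptions, not taken from the thread).
MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("10.1.2.0/24")]
SASL_EXCEPTIONS = MYNETWORKS         # smtpd_sasl_exceptions_networks = $mynetworks
LOCAL_DOMAINS = {"example.com"}      # domains this server accepts mail for


def in_networks(client_ip, networks):
    addr = ip_address(client_ip)
    return any(addr in net for net in networks)


def ehlo_offers_auth(client_ip):
    """AUTH is not announced to clients in the exception networks."""
    return not in_networks(client_ip, SASL_EXCEPTIONS)


def recipient_decision(client_ip, authenticated, rcpt_domain):
    """First matching restriction wins, in the order listed in main.cf."""
    # Assumption of this model: a client never offered AUTH does not authenticate.
    authenticated = authenticated and ehlo_offers_auth(client_ip)
    if in_networks(client_ip, MYNETWORKS):        # permit_mynetworks
        return "permit (permit_mynetworks)"
    if authenticated:                             # permit_sasl_authenticated
        return "permit (permit_sasl_authenticated)"
    if rcpt_domain.lower() not in LOCAL_DOMAINS:  # reject_unauth_destination
        return "reject (reject_unauth_destination)"
    return "permit (no restriction rejected)"     # other restrictions omitted


def decision_table():
    cases = [
        ("10.1.2.3", False, "elsewhere.example"),     # customer IP, no AUTH
        ("203.0.113.9", True, "elsewhere.example"),   # outside, authenticated
        ("203.0.113.9", False, "elsewhere.example"),  # outside, no AUTH: relay denied
        ("203.0.113.9", False, "example.com"),        # outside, inbound mail
    ]
    return [(ip, ehlo_offers_auth(ip), recipient_decision(ip, auth, dom))
            for ip, auth, dom in cases]


if __name__ == "__main__":
    for row in decision_table():
        print(*row, sep="\t")
```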
      • mouss
        Message 3 of 11 , Dec 1, 2008
          Noel Jones wrote:
          > mouss wrote:
          >> Simone Felici wrote:
          >>> mouss wrote:
          >>>> Simone Felici wrote:
          >>>>> Why? Uhm, dunno...
          >>>>> It seems certain mail clients have Authenticated smtp enabled as default
          >>>>> and if the client finds the smtp server supports it, then it tries to
          >>>>> send
          >>>>> in auth. This returns an error, due to inappropriate settings of the
          >>>>> client.
          >>>> if you know their IPs, you can use
          >>>> smtpd_discard_ehlo_keyword_address_maps
          >>>>
          >>>
          >>> Mouss,
          >>> this could be a solution... but haven't found any example or documentation
          >>> to try it.
          >>> Could you point me at any example?
          >>
          >> make sure to read:
          >>
          >> http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps
          >>
          >>
          >>
          >>
          >> smtpd_discard_ehlo_keyword_address_maps =
          >>     hash:/etc/postfix/discard_ehlo
          >>
          >> == discard_ehlo
          >> 10.1.2.3 starttls, auth, silent-discard
          >>
          >> (silent-discard prevents postfix from logging this "keyword discard"
          >> action).
          >>
          >>
          >
          >
          > (discarding starttls may be too much, but OP can decide for himself)
          >

          yes. I only cited it to show that multiple keywords can be discarded.

          >
          > I think this is even easier:
          > http://www.postfix.org/postconf.5.html#smtpd_sasl_exceptions_networks
          >
          > The simplest form of this is:
          > # main.cf
          > smtpd_sasl_exceptions_networks = $mynetworks
          >
          >
          >>> The initial problem was:
          >>> I've an SMTP server for customers, with standard smtp open only from a
          >>> range of IPs.
          >>> Could I provide normal smtp service for customers of a range of known IP
          >>> (like now) and open my server to all the world for smtp service but ONLY
          >>> if authenticated smtp is used?
          >>>
          >>> Is the MUA with an IP of my customers?
          >>> YES: It can send without any authentication.
          >>> NO: It can send ONLY if a user/pass is provided.
          >>>
          >>
          >
          > The behavior you describe is the standard settings:
          >
          > smtpd_recipient_restrictions =
          >     permit_mynetworks
          >     permit_sasl_authenticated
          >     reject_unauth_destination
          >     ... other restrictions ...
          >
          > You only need to make special arrangements such as mouss and I describe
          > when you don't want to ever offer AUTH to local clients. Offering AUTH
          > to everyone does not present a problem to the vast majority of clients.
          >

          It's unclear whether he actually found misbehaving MUAs or if he is just
          fearing the unknown ;-p
        • Simone Felici
          Message 4 of 11 , Dec 1, 2008
            Noel Jones wrote:
            > mouss wrote:

            >>> Mouss,
            >>> this could be a solution... but haven't found any example or documentation
            >>> to try it.
            >>> Could you point me at any example?
            >>
            >> make sure to read:
            >>
            >> http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps
            >>
            >>
            >>
            >>
            >> smtpd_discard_ehlo_keyword_address_maps =
            >>     hash:/etc/postfix/discard_ehlo
            >>
            >> == discard_ehlo
            >> 10.1.2.3 starttls, auth, silent-discard
            >>
            >> (silent-discard prevents postfix from logging this "keyword discard"
            >> action).
            >>
            >>

            Both are good solutions, I'll try these!

            Thanks a lot!!!

            Simon