Re: permit_sasl_authenticated ONLY from one interface

  • Noel Jones
    Message 1 of 11 , Dec 1, 2008
      mouss wrote:
      > Simone Felici wrote:
      >> mouss wrote:
      >>> Simone Felici wrote:
      >>>> Why? Uhm, dunno...
      >>>> It seems certain mail clients have authenticated SMTP enabled as default
      >>>> and if the client finds that the SMTP server supports it, then it tries to send
      >>>> in auth. This returns an error, due to inappropriate settings of the client.
      >>> if you know their IPs, you can use
      >>> smtpd_discard_ehlo_keyword_address_maps
      >>>
      >>
      >> Mouss,
      >> this could be a solution... but I haven't found any example or documentation
      >> to try it.
      >> Could you point me at any example?
      >
      > make sure to read:
      >
      > http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps
      >
      >
      >
      > smtpd_discard_ehlo_keyword_address_maps =
      >     hash:/etc/postfix/discard_ehlo
      >
      > == discard_ehlo
      > 10.1.2.3 starttls, auth, silent-discard
      >
      > (silent-discard prevents postfix from logging this "keyword discard"
      > action).
      >
      >


      (discarding starttls may be too much, but OP can decide for
      himself)


      I think this is even easier:
      http://www.postfix.org/postconf.5.html#smtpd_sasl_exceptions_networks

      The simplest form of this is:
      # main.cf
      smtpd_sasl_exceptions_networks = $mynetworks


      >> The initial problem was:
      >> I've an SMTP server for customers, with standard smtp open only from a
      >> range of IPs.
      >> Could I provide normal smtp service for customers of a range of known IP
      >> (like now) and open my server to all the world for smtp service but ONLY
      >> if authenticated smtp is used?
      >>
      >> Is the MUA with an IP of my customers?
      >> YES: It can send without any authentication.
      >> NO: It can send ONLY if a user/pass is provided.
      >>
      >

      The behavior you describe is the standard settings:

      smtpd_recipient_restrictions =
          permit_mynetworks
          permit_sasl_authenticated
          reject_unauth_destination
          ... other restrictions ...

      You only need to make special arrangements such as mouss and I
      describe when you don't want to ever offer AUTH to local
      clients. Offering AUTH to everyone does not present a problem
      to the vast majority of clients.

      --
      Noel Jones
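
An added example, not part of the original thread: a check over EHLO replies that AUTH is withheld from the networks listed in smtpd_sasl_exceptions_networks and still offered to everyone else. The replies, the network list and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed EHLO replies (not captured from a real server).
REPLY_WITHOUT_AUTH = (
    "250-mail.example.com\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n250 8BITMIME\r\n"
)
REPLY_WITH_AUTH = (
    "250-mail.example.com\r\n250-PIPELINING\r\n250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n"
)
# Assumed value of smtpd_sasl_exceptions_networks ($mynetworks expanded by hand).
EXCEPTION_NETS = ["127.0.0.0/8", "10.1.2.0/24"]


def ehlo_keywords(reply):
    """Return the set of keywords advertised in a multi-line 250 EHLO reply."""
    keywords = set()
    lines = [line for line in reply.splitlines() if line.strip()]
    for line in lines[1:]:  # the first 250 line is the greeting, not a keyword
        if not line.startswith("250"):
            continue
        # Split on space or "=" so the legacy "AUTH=PLAIN" form is also caught.
        name = re.split(r"[ =]", line[4:].strip(), maxsplit=1)[0]
        if name:
            keywords.add(name.upper())
    return keywords


def audit_auth_offer(client_ip, reply, exception_nets):
    """Compare what the server advertised with what the policy intends."""
    addr = ipaddress.ip_address(client_ip)
    excepted = any(addr in ipaddress.ip_network(net) for net in exception_nets)
    offered = "AUTH" in ehlo_keywords(reply)
    if excepted and offered:
        return "FAIL: AUTH offered to an excepted network"
    if not excepted and not offered:
        return "FAIL: AUTH not offered to an outside client"
    return "OK"


if __name__ == "__main__":
    print(audit_auth_offer("10.1.2.3", REPLY_WITHOUT_AUTH, EXCEPTION_NETS))
    print(audit_auth_offer("203.0.113.7", REPLY_WITH_AUTH, EXCEPTION_NETS))
    print(audit_auth_offer("10.1.2.3", REPLY_WITH_AUTH, EXCEPTION_NETS))
```
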
    • mouss
      Message 2 of 11 , Dec 1, 2008
        Noel Jones wrote:
        > mouss wrote:
        >> Simone Felici wrote:
        >>> mouss wrote:
        >>>> Simone Felici wrote:
        >>>>> Why? Uhm, dunno...
        >>>>> It seems certain mail clients have authenticated SMTP enabled as default
        >>>>> and if the client finds that the SMTP server supports it, then it tries to
        >>>>> send
        >>>>> in auth. This returns an error, due to inappropriate settings of the
        >>>>> client.
        >>>> if you know their IPs, you can use
        >>>> smtpd_discard_ehlo_keyword_address_maps
        >>>>
        >>>
        >>> Mouss,
        >>> this could be a solution... but I haven't found any example or documentation
        >>> to try it.
        >>> Could you point me at any example?
        >>
        >> make sure to read:
        >>
        >> http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps
        >>
        >>
        >>
        >>
        >> smtpd_discard_ehlo_keyword_address_maps =
        >>     hash:/etc/postfix/discard_ehlo
        >>
        >> == discard_ehlo
        >> 10.1.2.3 starttls, auth, silent-discard
        >>
        >> (silent-discard prevents postfix from logging this "keyword discard"
        >> action).
        >>
        >>
        >
        >
        > (discarding starttls may be too much, but OP can decide for himself)
        >

        yes. I only cited it to show that multiple keywords can be discarded.

        >
        > I think this is even easier:
        > http://www.postfix.org/postconf.5.html#smtpd_sasl_exceptions_networks
        >
        > The simplest form of this is:
        > # main.cf
        > smtpd_sasl_exceptions_networks = $mynetworks
        >
        >
        >>> The initial problem was:
        >>> I've an SMTP server for customers, with standard smtp open only from a
        >>> range of IPs.
        >>> Could I provide normal smtp service for customers of a range of known IP
        >>> (like now) and open my server to all the world for smtp service but ONLY
        >>> if authenticated smtp is used?
        >>>
        >>> Is the MUA with an IP of my customers?
        >>> YES: It can send without any authentication.
        >>> NO: It can send ONLY if a user/pass is provided.
        >>>
        >>
        >
        > The behavior you describe is the standard settings:
        >
        > smtpd_recipient_restrictions =
        >     permit_mynetworks
        >     permit_sasl_authenticated
        >     reject_unauth_destination
        >     ... other restrictions ...
        >
        > You only need to make special arrangements such as mouss and I describe
        > when you don't want to ever offer AUTH to local clients. Offering AUTH
        > to everyone does not present a problem to the vast majority of clients.
        >

        It's unclear whether he actually found misbehaving MUAs or if he is just
        fearing the unknown ;-p
      • Simone Felici
        Message 3 of 11 , Dec 1, 2008
          Noel Jones wrote:
          > mouss wrote:

          >>> Mouss,
          >>> this could be a solution... but I haven't found any example or documentation
          >>> to try it.
          >>> Could you point me at any example?
          >>
          >> make sure to read:
          >>
          >> http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps
          >>
          >>
          >>
          >>
          >> smtpd_discard_ehlo_keyword_address_maps =
          >>     hash:/etc/postfix/discard_ehlo
          >>
          >> == discard_ehlo
          >> 10.1.2.3 starttls, auth, silent-discard
          >>
          >> (silent-discard prevents postfix from logging this "keyword discard"
          >> action).
          >>
          >>

          Both are good solutions, I'll try these!

          Thanks a lot!!!

          Simon