
howto limit sasl auth ipranges in postfix?

  • Benny Pedersen
    Message 1 of 5 , May 31 8:13 AM
      since I never travel outside my own country I have decided to limit based
      on ip to not have sasl on whole ipv4 and now ipv6 ip ranges, my question
      is, is it enough to remove starttls in port 25 to disable sasl for these
      clients ?

      there are probably better ways to make it, I just need to know them so
    • Wietse Venema
      Message 2 of 5 , May 31 8:22 AM
        Benny Pedersen:
        > since I never travel outside my own country I have decided to limit based
        > on ip to not have sasl on whole ipv4 and now ipv6 ip ranges, my question
        > is, is it enough to remove starttls in port 25 to disable sasl for these
        > clients ?
        >
        > there are probably better ways to make it, I just need to know them so

        You can use smtpd_discard_ehlo_keyword_address_maps to disable
        AUTH by IP address. With this, the Postfix SMTP server will not
        announce AUTH support and will not accept AUTH commands.

        Wietse
      • Thomas Berger
        Message 3 of 5 , May 31 8:27 AM
          > Benny Pedersen:
          > > since I never travel outside my own country I have decided to limit based
          > > on ip to not have sasl on whole ipv4 and now ipv6 ip ranges, my question
          > > is, is it enough to remove starttls in port 25 to disable sasl for these
          > > clients ?
          > >
          > > there are probably better ways to make it, I just need to know them so
          >
          > You can use smtpd_discard_ehlo_keyword_address_maps to disable
          > AUTH by IP address. With this, the Postfix SMTP server will not
          > announce AUTH support and will not accept AUTH commands.
          >
          Another solution:
          - Use the submission port for authenticated clients
          - only allow server2server communication on port 25
          - use a firewall to block incoming traffic to the submission port
          (- use a firewall to block all traffic from dynamic ipranges to port 25)

          Greetings
          Thomas Berger
        • Benny Pedersen
          Message 4 of 5 , Jun 1, 2011
            On Tue, 31 May 2011 11:22:48 -0400 (EDT), Wietse Venema
            <wietse@...> wrote:

            > You can use smtpd_discard_ehlo_keyword_address_maps to disable
            > AUTH by IP address. With this, the Postfix SMTP server will not
            > announce AUTH support and will not accept AUTH commands.

            super cidr maps are now created from public rir/lir db, but:

            postfix gives warning with "non-null host address bits in ..."

            are the dbs made by rir/lir invalid ?

            is cidr map stable with ipv6 ?
          • Noel Jones
            Message 5 of 5 , Jun 1, 2011
              On 6/1/2011 2:25 PM, Benny Pedersen wrote:
              > On Tue, 31 May 2011 11:22:48 -0400 (EDT), Wietse Venema
              > <wietse@...> wrote:
              >
              >> You can use smtpd_discard_ehlo_keyword_address_maps to disable
              >> AUTH by IP address. With this, the Postfix SMTP server will not
              >> announce AUTH support and will not accept AUTH commands.
              >
              > super cidr maps are now created from public rir/lir db, but:
              >
              > postfix gives warning with "non-null host address bits in ..."
              >
              > are the dbs made by rir/lir invalid ?

              The cidr files you're using have non-null host address bits.
              Postfix will not use entries with non-null host addresses to
              prevent accidents.

              There may be tools, such as a simple perl script, you can use
              to fix the table.

              >
              > is cidr map stable with ipv6 ?
              >

              Yes.
              http://www.postfix.org/cidr_table.5.html


              -- Noel Jones
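
Added example, not part of the original thread and not code from Postfix or any poster: one way to fix a generated table so Postfix no longer skips entries with "non-null host address bits", written in Python rather than the Perl Noel mentions. The table path, the sample ranges (documentation prefixes) and the function name are constructed assumptions; the "silent-discard, auth" results follow the smtpd_discard_ehlo_keyword_address_maps approach Wietse describes, with own-country ranges listed first because the first matching cidr entry wins.

```python
import ipaddress

# Constructed sample table. Assumed to be referenced from main.cf as:
#   smtpd_discard_ehlo_keyword_address_maps = cidr:/etc/postfix/esmtp_access
SAMPLE = """\
# own-country ranges: discard nothing, AUTH stays available
192.0.2.77/24  silent-discard
198.51.100.0/24  silent-discard
2001:db8:1::1/48  silent-discard
# everyone else: do not announce or accept AUTH
0.0.0.0/0  silent-discard, auth
::/0  silent-discard, auth
"""

def normalize_cidr_table(text):
    """Zero the host bits of each 'network/prefix result' line.

    Returns (fixed_text, changes); changes lists (line_no, old, new) for every
    pattern Postfix would have skipped. Comments, blank lines, continuation
    lines and anything that is not an address/prefix pattern pass through.
    """
    fixed, changes = [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split(None, 1)
        if (not fields or line[0].isspace() or line.startswith("#")
                or "/" not in fields[0]):
            fixed.append(line)
            continue
        try:
            iface = ipaddress.ip_interface(fields[0])  # handles IPv4 and IPv6
        except ValueError:
            fixed.append(line)  # not a plain CIDR pattern; leave it alone
            continue
        if iface.ip != iface.network.network_address:
            new = str(iface.network)  # same prefix length, host bits cleared
            changes.append((line_no, fields[0], new))
            line = line.replace(fields[0], new, 1)
        fixed.append(line)
    return "\n".join(fixed) + "\n", changes

if __name__ == "__main__":
    table, changes = normalize_cidr_table(SAMPLE)
    for line_no, old, new in changes:
        print(f"line {line_no}: {old} -> {new}")
    print(table, end="")
```

Review the reported changes before installing the table: a pattern with host bits set may mean the upstream data intended a different prefix length, not just a sloppy network address.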