NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Postfix Discussion> current

Re: permit_sasl_authenticated ONLY from one interface

From: Noel Jones (njonesmegan.vbhcs.org)
Date: Mon Dec 01 2008 - 09:50:31 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

mouss wrote:
> Simone Felici a écrit :
>> mouss ha scritto:
>>> Simone Felici a écrit :
>>>> Why? Uhm, dunno...
>>>> It seems certain mailclients has Autenticated smtp enabled as default
>>>> and if the client found the smtp server support it, then it try to send
>>>> in auth. This return an error, due inappropriate settings of the client.
>>> if you know their IPs, you can use
>>> smtpd_discard_ehlo_keyword_address_maps
>>>
>>
>> Mouss,
>> this could be a solution... but haven't find any example or documation
>> to try it.
>> Could you pount me at any example?
>
> make sure to read:
>
> http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps
>
>
>
> smtpd_discard_ehlo_keyword_address_maps
> hash:/etc/postfix/discard_ehlo
>
> == discard_ehlo
> 10.1.2.3 starttls, auth, silent-discard
>
> (silent-discard prevents postfix from logging this "keyword discard"
> action).
>
>

(discarding starttls may be too much, but OP can decide for
himself)

I think this is even easier:
http://www.postfix.org/postconf.5.html#smtpd_sasl_exceptions_networks

The simplest form of this is:
# main.cf
smtpd_sasl_exceptions_networks = $mynetworks

>> The initial problem was:
>> I've an SMTP server for customers, with standard smtp open only from a
>> range of IPs.
>> Could I provide normal smtp service for customers of a range of known IP
>> (like now) and open my server to all the world for smtp service but ONLY
>> if autenthicated smtp i sused?
>>
>> Is the MUA with an IP of my customers?
>> YES: It can send without any authentication.
>> NO: It can send ONLY it a user/pass is provided.
>>
>

The behavior you describe is the standard settings:

smtpd_recipient_restrictions =
   permit_mynetworks
   permit_sasl_authenticated
   reject_unauth_destination
   ... other restrictions ...

You only need to make special arrangements such as mouss and I
describe when you don't want to ever offer AUTH to local
clients. Offering AUTH to everyone does not present a problem
to the vast majority of clients.

--
Noel Jones

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]