From: Неворотин Вадим on 17 Feb 2010 05:58

How can I deny SASL authentication not from local (192.168.0.0/16) IP? Now I have restrictions in smtpd_recipient_restrictions and other parameters, which allow sending mail to the relayhost only from local IPs and only after authentication. But a client from the Internet can still authenticate on my server, but can't send mail. But I need to deny authentication from the outer net at all. It's because my users use very simple passwords, and in my net each user has only one login/password for all services.

From: Patrick Ben Koetter on 17 Feb 2010 07:37

* Неворотин Вадим <nevorotin(a)gmail.com>:
> How can I deny SASL authentication not from local (192.168.0.0/16) IP? Now I
> have restrictions in smtpd_recipient_restrictions and other parameters,
> which allow send mails to relayhost only from local IPs and only after
> authentication. But client from Internet still can authenticate on my
> server, but can't send mail. But I need to deny authentication from outer
> net at all. It's because my users use very simple passwords, and in my net
> each user has only one login/password for all services.

If your users also connect from outside, then there's no way to deny SASL
authentication.

If, however, you can identify your users by network range, split Postfix smtpd
into an outside and an inside configuration like this in master.cf:

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
# smtp          inet  n       -       -       -       -       smtpd
<insideIP>:25   inet  n       -       -       -       -       smtpd
    -o smtpd_sasl_auth_enable=yes
<outsideIP>:25  inet  n       -       -       -       -       smtpd

Then remove "smtpd_sasl_auth_enable = yes" from main.cf and restart postfix.

p(a)rick

--
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>

From: mouss on 20 Feb 2010 08:25

Patrick Ben Koetter wrote:
> * Неворотин Вадим <nevorotin(a)gmail.com>:
>> How can I deny SASL authentication not from local (192.168.0.0/16) IP? Now I
>> have restrictions in smtpd_recipient_restrictions and other parameters,
>> which allow send mails to relayhost only from local IPs and only after
>> authentication. But client from Internet still can authenticate on my
>> server, but can't send mail. But I need to deny authentication from outer
>> net at all. It's because my users use very simple passwords, and in my net
>> each user has only one login/password for all services.
>
> If your users also connect from outside, then there's no way to deny SASL
> authentication.
>

Assuming postfix >= 2.2, he could use:

smtpd_discard_ehlo_keyword_address_maps = cidr:/etc/postfix/ehlo.cidr

== ehlo.cidr
192.168.0.0/16  silent-discard
0.0.0.0/0       auth,silent-discard

> If, however, you can identify your users by network range, split Postfix smtpd
> into an outside and an inside configuration like this in master.cf:
>
> # ==========================================================================
> # service type  private unpriv  chroot  wakeup  maxproc command + args
> #               (yes)   (yes)   (yes)   (never) (100)
> # ==========================================================================
> # smtp          inet  n       -       -       -       -       smtpd
> <insideIP>:25   inet  n       -       -       -       -       smtpd
>     -o smtpd_sasl_auth_enable=yes
> <outsideIP>:25  inet  n       -       -       -       -       smtpd
>
> Then remove "smtpd_sasl_auth_enable = yes" from main.cf and restart postfix.
>
> p(a)rick
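
A cidr: table such as the ehlo.cidr above is searched in file order and the first matching pattern wins, so one wrong network line changes who is offered AUTH. The following check is an added example, not part of the thread and not Postfix code: it models that first-match lookup in Python against a constructed sample table built from the 192.168.0.0/16 range in the question, and the function names and test addresses are assumptions.

```python
import ipaddress

# Constructed sample table: the trusted range is the 192.168.0.0/16 from the
# question; every other IPv4 client has AUTH removed from the EHLO reply.
EHLO_CIDR = """\
# trusted LAN: discard nothing
192.168.0.0/16   silent-discard
# everyone else: do not announce AUTH
0.0.0.0/0        auth,silent-discard
"""

def parse_cidr_table(text):
    """Return [(network, result)] in file order; skip blanks and # comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, result = line.split(None, 1)
        rules.append((ipaddress.ip_network(pattern), result.strip()))
    return rules

def discarded_keywords(rules, client_ip):
    """First matching pattern wins, as in a Postfix cidr: table.
    Returns the set of real EHLO keywords that would be suppressed."""
    addr = ipaddress.ip_address(client_ip)
    for network, result in rules:
        if addr.version == network.version and addr in network:
            words = {w.lower() for w in result.replace(",", " ").split()}
            return words - {"silent-discard"}  # pseudo keyword: only mutes logging
    return set()  # no pattern matched: the table contributes nothing

def auth_offered(rules, client_ip):
    return "auth" not in discarded_keywords(rules, client_ip)

def audit(rules, must_offer, must_hide):
    """Return addresses whose AUTH visibility differs from what is intended."""
    wrong = [ip for ip in must_offer if not auth_offered(rules, ip)]
    wrong += [ip for ip in must_hide if auth_offered(rules, ip)]
    return wrong

if __name__ == "__main__":
    rules = parse_cidr_table(EHLO_CIDR)
    bad = audit(rules, ["192.168.0.10", "192.168.200.1"],
                ["192.169.0.10", "203.0.113.25", "10.0.0.5"])
    print("table OK" if not bad else "unexpected AUTH visibility: %s" % bad)
```

A client connecting over IPv6 matches neither IPv4 pattern, so in this sample it would still be offered AUTH; a table used on a dual-stack listener needs its own IPv6 entries.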