@Sebastian <sebast...@sebbe.eu> you now seem to be addressing a different problem than the OP presented.

On Wed, Apr 21, 2021 at 4:37 PM Sebastian via Exim-users <exim-users@exim.org> wrote:

> I would say it's a benefit. Even if you restrict IPs to a bigger area like
> a country (geoIP restriction) or a whole ISP, you still reduce the attack
> surface by MANY times.
> I previously had problems with bots hacking my passwords. They guessed them
> all the time.
> After I added IP restrictions covering all the locations I'm at, the bot
> hacking problem has disappeared completely.
>
> And with the username/password restriction, I can add IPs that belong to
> public locations or are shared with many users (for example, mobile ISPs)
> without being afraid of any of these finding my server AND finding my
> password.
>
> But bots cracking passwords to gain access are a real problem today, and
> IP whitelisting is a good solution to that.
>
> If you run, for example, a webhosting company, and all your customers are
> located in a specific country (just because the payment method only exists
> in that country, for example), you can geoIP restrict it to your country only.
> To avoid a large auth_advertise_hosts list, you can join CIDR ranges that
> are close to each other, even if a few out-of-country IPs are added.
>
> The important thing is to have a "rough" filtering to avoid all bots from all
> over the world.
>
> -----Original message-----
> From: Odhiambo Washington via Exim-users <exim-users@exim.org>
> Sent: 21 April 2021 15:25
> To: Sebastian <sebast...@sebbe.eu>
> Cc: Mailing List <exim-users@exim.org>; Douba Samuel DIARRA <doubasam...@outlook.fr>
> Subject: Re: [exim] RELAY NOT PERMITED exim4
>
> @Sebastian,
> If you live in a world where IPs are dynamic, then you will understand my
> point.
> There is no real benefit of restricting auth to particular IPs, IMHO.
> If you must restrict AUTH to just a few IPs, then you actually don't need
> that overhead.
> Just put them in relay_from_hosts and you are good.
>
> On Wed, Apr 21, 2021 at 1:55 PM Sebastian via Exim-users <exim-users@exim.org> wrote:
>
> > But it's still good to use "auth_advertise_hosts" to restrict which
> > hosts are permitted to authenticate in addition to this.
> > Else you will get bots that hack the password and then spam with your
> > server.
> >
> > In auth_advertise_hosts, you can use CIDR notation (like
> > 123.123.123.0/24) to allow large amounts of hosts in case of dynamic IP
> > or mobile terminals.
> >
> > So authenticated SMTP should still be IP restricted since there are
> > bots out there guessing passwords (and hitting the right passwords
> > sometimes and gaining access)
> >
> > -----Original message-----
> > From: Odhiambo Washington via Exim-users <exim-users@exim.org>
> > Sent: 21 April 2021 12:36
> > To: Douba Samuel DIARRA <doubasam...@outlook.fr>
> > Cc: exim-users@exim.org
> > Subject: Re: [exim] RELAY NOT PERMITED exim4
> >
> > On Wed, Apr 21, 2021 at 1:24 PM Douba Samuel DIARRA via Exim-users <exim-users@exim.org> wrote:
> >
> > > Hello
> > > I was using Exim 4, in office (different sites) but I was using
> > > vsat system for interconnecting sites. I put private addresses to
> > > configure exim in different sites.
> > > Since I published my servers on internet, I have this kind of error
> > > message and I cannot send mails. the message is : RELAY NOT PERMITED
> > >
> > > Need some advice please
> >
> > Instead of relying on IP addresses for relaying (as should be listed
> > in relay_from_hosts) it is better to use ASMTP as the condition for
> > relaying.
> > So just set up authenticated SMTP and let users enable the same on
> > their MUA and you are good to go.

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
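
Added example, not part of the original thread or of Exim: one way to do the "join CIDR ranges that are close to each other" step from the quoted message, merging neighbouring IPv4 ranges only when the joined block admits at most a chosen number of addresses that were not in the original list. The function names, the `max_extra` budget and the sample ranges are assumptions made for illustration.

```python
import ipaddress

# Constructed sample ranges (RFC 5737 documentation space), not from the thread.
SAMPLE = ["198.51.100.0/26", "198.51.100.64/26", "198.51.100.192/26",
          "203.0.113.0/25", "192.0.2.16/28"]

def common_supernet(a, b):
    """Smallest single CIDR block that contains both networks."""
    sup = a
    while not b.subnet_of(sup):
        sup = sup.supernet()
    return sup

def join_ranges(cidrs, max_extra):
    """Shorten an IPv4 allow-list by merging neighbouring ranges.

    A merge is accepted only if the resulting block contains at most
    max_extra addresses that no original range covered.
    """
    # Lossless step first: drop duplicates and merge exactly adjacent blocks.
    orig = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(c) for c in cidrs))
    nets = list(orig)
    i = 0
    while i < len(nets) - 1:
        sup = common_supernet(nets[i], nets[i + 1])
        # Addresses inside the candidate block that were already allowed.
        covered = sum(n.num_addresses for n in orig if n.subnet_of(sup))
        if sup.num_addresses - covered <= max_extra:
            # Accept; re-collapse in case the block swallowed other entries.
            nets = list(ipaddress.collapse_addresses(
                nets[:i] + [sup] + nets[i + 2:]))
            i = 0
        else:
            i += 1
    return nets

def advertise_line(nets):
    """Render the result as a colon-separated Exim host list."""
    return "auth_advertise_hosts = " + " : ".join(str(n) for n in nets)

if __name__ == "__main__":
    print(advertise_line(join_ranges(SAMPLE, max_extra=0)))   # lossless only
    print(advertise_line(join_ranges(SAMPLE, max_extra=64)))  # small gaps closed
```

With a budget of 0 the list is only deduplicated and losslessly collapsed; raising the budget trades list length for a known, bounded number of extra hosts that will be offered AUTH.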