On Sun, Aug 07, 2011 at 02:10:35PM -0500, Noel Jones wrote:
> On 8/7/2011 12:36 PM, /dev/rob0 wrote:
> > On Sun, Aug 07, 2011 at 08:03:47AM -0700, Jack Bates wrote:
> >> On Fri, Aug 5, 2011 at 2:10 PM, Noel Jones <njo...@megan.vbhcs.org>
> >> wrote:
> >>> On 8/5/2011 3:26 PM, Jack Bates wrote:
> >>>> What's the simplest way to enable
> >>>> smtpd_authorized_xforward_hosts for any/all clients?
> >>>
> >>> That sounds very wrong. What problem are you trying to solve?
> >>
> >> I want to control access to this MTA with a firewall. The only
> >> client permitted access is an upstream instance of Postfix, via
> >> smtpd_proxy_filter. I want this client to use XFORWARD, so I want
> >> to enable smtpd_authorized_xforward_hosts unconditionally. What's
> >> the simplest way?
> >
> > Restating the solutions I gave you in IRC that day (I assume it
> > was you, because the question and description of the issue were
> > identical):
> >
> > smtpd_authorized_xforward_hosts = static:all
> >
> > or
> >
> > smtpd_authorized_xforward_hosts = 0.0.0.0/0, [::/0]
> >
> > These can be preceded by exclusions. For details, see:
> > http://www.postfix.org/postconf.5.html#smtpd_authorized_xforward_hosts
>
> No, the above solution is wrong.
>
> The only client IP that should be in smtpd_authorized_xforward_hosts
> is the upstream postfix server.
>
> # main.cf
> smtpd_authorized_xforward_hosts = ip.of.upstream.postfix
Apparently this upstream IP is dynamic, he said in IRC. Agreed, it
sounds very strange.

> Putting static:all or equivalent would allow an unauthorized client
> to spoof their IP address.
>
> (in this case, using static:all might not matter if a firewall
> prevents outside access, but it's still wrong.)

That was my reasoning, along with "if it breaks, Jack gets to keep
both pieces."
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
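To make Noel's point concrete, here is an added example (not code from this thread and not Postfix's own access-list implementation): a small Python model of a receiving SMTP server deciding whether to honour XFORWARD. It shows that with smtpd_authorized_xforward_hosts = static:all any client that reaches the listener can replace the client address used for logging and policy, whereas listing only the upstream proxy confines that ability to the proxy. The matching rules (static:all, bare IP or CIDR, optional [] around IPv6, leading "!" exclusion, first match wins) and all addresses are assumptions and constructed sample values, using documentation ranges.

```python
"""
Added example (not code from the mailing-list thread or from Postfix):
a simplified model of how an SMTP server decides whether to honour an
XFORWARD command, to show why smtpd_authorized_xforward_hosts = static:all
(or 0.0.0.0/0, [::/0]) lets any client that reaches the listener rewrite
the client address that ends up in logs and policy decisions.

Assumptions (simplified, not Postfix's real access-list code):
  - patterns are "static:all", a bare IP, or a CIDR block, optionally
    wrapped in [] for IPv6; hostnames are not modelled
  - a leading "!" excludes; the list is searched left to right and the
    first match decides
"""
import ipaddress


def _strip_brackets(pattern):
    """Remove the [] that Postfix uses around IPv6 patterns such as [::/0]."""
    p = pattern.strip()
    if p.startswith("[") and p.endswith("]"):
        p = p[1:-1]
    return p


def host_matches(client_ip, patterns):
    """True if client_ip matches the pattern list, honouring '!' exclusions."""
    addr = ipaddress.ip_address(client_ip)
    for raw in patterns:
        negate = raw.startswith("!")
        pat = _strip_brackets(raw[1:] if negate else raw)
        if pat == "static:all":
            matched = True
        else:
            try:
                # 'addr in network' is False when the IP versions differ
                matched = addr in ipaddress.ip_network(pat, strict=False)
            except ValueError:
                matched = False  # not an IP/CIDR pattern in this model
        if matched:
            return not negate
    return False


class Session:
    """One SMTP client connection as seen by the receiving server."""

    def __init__(self, peer_ip, authorized_xforward_hosts):
        self.peer_ip = peer_ip
        # the address that logging, policy and access checks will use
        self.effective_ip = peer_ip
        self.may_xforward = host_matches(peer_ip, authorized_xforward_hosts)

    def xforward_addr(self, forwarded_ip):
        """Handle 'XFORWARD ADDR=<ip>'; return True if accepted."""
        if not self.may_xforward:
            return False          # command refused, effective_ip unchanged
        self.effective_ip = forwarded_ip
        return True


def simulate(authorized_xforward_hosts, peer_ip, forwarded_ip):
    """Return (accepted, effective_ip) after one XFORWARD attempt."""
    s = Session(peer_ip, authorized_xforward_hosts)
    accepted = s.xforward_addr(forwarded_ip)
    return accepted, s.effective_ip


# constructed sample addresses (documentation ranges)
UPSTREAM = "192.0.2.10"     # the upstream Postfix doing smtpd_proxy_filter
STRANGER = "198.51.100.7"   # any other host that gets past the firewall
CLAIMED = "203.0.113.1"     # address the client claims in XFORWARD ADDR=

WEAK_CONFIG = ["static:all"]          # what the thread warns against
CORRECT_CONFIG = [UPSTREAM]           # only the upstream proxy


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("correct", CORRECT_CONFIG)):
        for peer in (UPSTREAM, STRANGER):
            ok, eff = simulate(cfg, peer, CLAIMED)
            print(f"{name:8} peer={peer:14} accepted={ok!s:5} logged_as={eff}")
```

Run it directly to see the four combinations: under the weak config both the upstream and the stranger get their claimed address recorded; under the correct config only the upstream does, and the stranger is logged under its real peer address. The exclusion syntax is also exercised, since that is what the "preceded by exclusions" remark in the quoted reply refers to.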