On Sun, Aug 07, 2011 at 02:10:35PM -0500, Noel Jones wrote:
> On 8/7/2011 12:36 PM, /dev/rob0 wrote:
> > On Sun, Aug 07, 2011 at 08:03:47AM -0700, Jack Bates wrote:
> >> On Fri, Aug 5, 2011 at 2:10 PM, Noel Jones <njo...@megan.vbhcs.org> 
> >> wrote:
> >>> On 8/5/2011 3:26 PM, Jack Bates wrote:
> >>>> What's the simplest way to enable 
> >>>> smtpd_authorized_xforward_hosts for any/all clients?
> >>>
> >>> That sounds very wrong.  What problem are you trying to solve?
> >>
> >> I want to control access to this MTA with a firewall. The only 
> >> client permitted access is an upstream instance of Postfix, via 
> >> smtpd_proxy_filter. I want this client to use XFORWARD, so I want 
> >> to enable smtpd_authorized_xforward_hosts unconditionally. What's 
> >> the simplest way?
> > 
> > Restating the solutions I gave you in IRC that day (I'm assuming it 
> > was you, because the question and description of the issue were 
> > identical):
> > 
> > smtpd_authorized_xforward_hosts = static:all
> > 
> > or
> > 
> > smtpd_authorized_xforward_hosts = 0.0.0.0/0, [::/0]
> > 
> > These can be preceded by exclusions. For details, see:
> > http://www.postfix.org/postconf.5.html#smtpd_authorized_xforward_hosts
> 
> 
> No, the above solution is wrong.
> 
> The only client IP that should be in smtpd_authorized_xforward_hosts
> is the upstream postfix server.
> 
> # main.cf
> smtpd_authorized_xforward_hosts = ip.of.upstream.postfix

Apparently this upstream IP is dynamic, he said in IRC. Agreed, it 
sounds very strange.

> Putting static:all or equivalent would allow an unauthorized client
> to spoof their IP address.
> 
> (in this case, using static:all might not matter if a firewall
> prevents outside access, but it's still wrong.)

That was my reasoning, along with "if it breaks, Jack gets to keep 
both pieces."
-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header
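The distinction the thread draws, an allow-list of one upstream address versus a wildcard that lets any connecting client assert a forged origin via XFORWARD, is easy to check mechanically. The following is an added example, not code from the thread or from Postfix: a small Python lint that reads a main.cf fragment, resolves the smtpd_authorized_xforward_hosts value (including indented continuation lines and later overrides), and reports entries that grant XFORWARD to effectively every client (static:all, 0.0.0.0/0, [::/0], or any /0 network). The main.cf fragments are constructed for the example, and 192.0.2.10 is a hypothetical stand-in for the upstream Postfix address.

```python
import ipaddress
import re

# Constructed sample main.cf fragments for this example (not from the thread).
PERMISSIVE_MAIN_CF = """\
myhostname = filter.example.test
smtpd_proxy_filter = 127.0.0.1:10025
# Wide open: every client may rewrite its apparent origin with XFORWARD.
smtpd_authorized_xforward_hosts = static:all
"""

TIGHT_MAIN_CF = """\
myhostname = filter.example.test
# 192.0.2.10 is a hypothetical placeholder for the upstream Postfix IP.
smtpd_authorized_xforward_hosts = 192.0.2.10
"""

# Entries that, on their own, admit every IPv4 and/or IPv6 client.
WIDE_OPEN = {"static:all", "0.0.0.0/0", "[::/0]", "::/0"}


def get_param(main_cf, name):
    """Return the value of a main.cf parameter, or None if it is unset.

    Follows two Postfix conventions: a line starting with whitespace
    continues the previous parameter, and a later assignment overrides
    an earlier one.
    """
    found = None
    current = None
    for line in main_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[:1].isspace():
            if current == name and found is not None:
                found += " " + line.strip()
            continue
        key, sep, val = line.partition("=")
        if not sep:
            continue
        current = key.strip()
        if current == name:
            found = val.strip()
    return found


def permissive_entries(value):
    """Return the list entries that let effectively any client use XFORWARD."""
    bad = []
    for entry in re.split(r"[,\s]+", value.strip()):
        if not entry or entry.startswith("!"):
            continue  # empty token, or an exclusion: never widens access
        if entry.lower() in WIDE_OPEN:
            bad.append(entry)
            continue
        try:
            network = ipaddress.ip_network(entry.strip("[]"), strict=False)
        except ValueError:
            continue  # hostname or lookup-table entry; not judged here
        if network.prefixlen == 0:  # any /0 is the whole address family
            bad.append(entry)
    return bad


def audit_xforward(main_cf):
    """Return permissive smtpd_authorized_xforward_hosts entries in main_cf."""
    value = get_param(main_cf, "smtpd_authorized_xforward_hosts")
    if value is None:
        return []  # Postfix default is empty: no client may use XFORWARD
    return permissive_entries(value)


if __name__ == "__main__":
    for label, cfg in (("permissive", PERMISSIVE_MAIN_CF), ("tight", TIGHT_MAIN_CF)):
        findings = audit_xforward(cfg)
        print(f"{label}: {findings or 'OK'}")
```

Running it prints the wide-open entry for the first fragment and `OK` for the second; an exclusion such as `!192.0.2.10` is ignored because it only narrows the list, while a trailing `0.0.0.0/0` or `[::/0]` after it is still reported.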