Hi,

Sorry for my English. I would like to allow access for clients who are already authenticated (SMTP AUTH SASL), but from specified IP address ranges only.

On the Internet I found various posts. I found something that interested me:
http://serverfault.com/questions/476451/postfix-allow-smtp-auth-only-from-specified-ip-address-ranges

The scenario is the same as in the URL above: a Postfix mail server that receives mail from all over the Internet. But the server doesn't only receive mail, it also allows its authenticated users to send mail to internal users or to external ones...

Facts:
  - I cannot disable port 25
  - Fail2ban cannot be applied, I use a different type of firewall

For me this is not about blocking 'LOGIN authentication failed'; I want to block subnets from Asia and so on. Sometimes it happens that a legitimate user of mine has an infected computer and the credentials leak, for example to Asia, and then the attacker from Asia sends e-mails through my server, because he is successfully authenticated.

I used the parameter:

smtpd_sasl_exceptions_networks = !195.98.0.0/19, !212.26.160.0/19, !...., 0.0.0.0/0

It works as I imagine, but I need to allow about 1000 subnets in CIDR format, and I'm not sure of the correct entry. Based on the documentation:

http://www.postfix.org/SASL_README.html

If I'm not mistaken, the parameter 'smtpd_sasl_exceptions_networks' does not allow lookup tables. Is it possible to enter 1,000 subnets, for example:

smtpd_sasl_exceptions_networks = !1.1.1.0/8, !2.2.1.0/8, !3.1.0.0/16, !55.62.0.0/16, \
!78.41.168.0/21, !..., !..., !..., !..., !94.136.128.0/19, !..., !..., \
!..., !..., !..., \
!..., !..., !..., \
!..., !..., !..., \
0.0.0.0/0

Thank you very much
--
Lubomir Majersky
~~~~~~~~~~~~~~~~~~~~
http://LuMaX.acom.sk
~~~~~~~~~~~~~~~~~~~~
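
An added example, not part of the original message: one way to generate the "!allowed, ..., 0.0.0.0/0" value shown above from a long subnet list, normalising entries whose host bits are set (such as 1.1.1.0/8) and merging adjacent ranges. The function names and the sample list are assumptions made for illustration, and only IPv4 is handled, matching the 0.0.0.0/0 catch-all in the message.

```python
import ipaddress

PARAM = "smtpd_sasl_exceptions_networks"

def build_patterns(allowed):
    """Return (patterns, notes) for the '!allowed ..., 0.0.0.0/0' form."""
    nets, notes = [], []
    for raw in allowed:
        text = raw.strip().lstrip("!")
        if not text or text.startswith("#"):
            continue  # skip blank lines and comments in the input list
        # strict=False clears stray host bits; malformed input raises ValueError.
        net = ipaddress.IPv4Network(text, strict=False)
        if str(net) != text:
            notes.append(f"{text} rewritten as {net}")
        nets.append(net)
    # Merge adjacent and overlapping ranges so the final list stays short.
    merged = ipaddress.collapse_addresses(nets)
    # Exclusions come first, the catch-all last, as in the message above.
    return [f"!{n}" for n in merged] + ["0.0.0.0/0"], notes

def render(patterns, per_line=4):
    """Format as a main.cf entry; continuation lines start with whitespace."""
    rows = [", ".join(patterns[i:i + per_line])
            for i in range(0, len(patterns), per_line)]
    return PARAM + " =\n    " + ",\n    ".join(rows)

# Constructed sample input (hypothetical list, not the poster's real subnets).
SAMPLE = [
    "195.98.0.0/19",
    "212.26.160.0/19",
    "1.1.1.0/8",        # host bits set: becomes 1.0.0.0/8
    "78.41.168.0/22",   # these two halves merge into 78.41.168.0/21
    "78.41.172.0/22",
    "# comment lines are ignored",
]

if __name__ == "__main__":
    patterns, notes = build_patterns(SAMPLE)
    print(render(patterns))
    for note in notes:
        print("#", note)
```
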
