Re: check IP before permit_sasl_authenticated

2019-08-14 Thread @lbutlr
On 13 Aug 19, at 09:19 , Scott Techlist  wrote:
> I'd like to block certain IP's from attempting to authenticate on my 
> submission port.

You cannot prevent them from attempting to authenticate, at least not via 
postfix. You would need to firewall them or do something in hosts.allow for 
that.

You can allow them from logging in successfully, regardless of credentials, but 
you can’t keep them from connecting and trying to log in.


-- 
On a scale of one to ten, it sucked.



RE: check IP before permit_sasl_authenticated

2019-08-13 Thread Scott Techlist
>Is there a workaround for the space in v2.2 (old server, working on migrating)?
>
>submission   inet   n   -   n   -   -   smtpd
>  -o smtpd_recipient_restrictions=check_client_access hash:/etc/postfix/access,permit_sasl_authenticated,reject
>

I found a post where someone said this was a valid workaround in master.cf, 
replacing the single space with a comma:
 -o smtpd_recipient_restrictions=check_client_access,hash:/etc/postfix/send_access,permit_sasl_authenticated, reject

Hopefully that is correct.





Re: check IP before permit_sasl_authenticated

2019-08-13 Thread Noel Jones

On 8/13/2019 12:15 PM, Scott Techlist wrote:

> Is there a workaround for the space in v2.2 (old server, working on migrating)?
>
> submission   inet   n   -   n   -   -   smtpd
>   -o smtpd_recipient_restrictions=check_client_access hash:/etc/postfix/access,permit_sasl_authenticated,reject
>
> I found a post where someone said this was a valid workaround in master.cf,
> replacing the single space with a comma:
>   -o smtpd_recipient_restrictions=check_client_access,hash:/etc/postfix/send_access,permit_sasl_authenticated, reject
>
> Hopefully that is correct.

Yes, that's correct, use a comma instead of space.  Note in the 
above example you still have a space in  ", reject"


Also note this won't prevent intruders from attempting to AUTH, but 
it will prevent them from abusing your server if they are successful.




  -- Noel Jones


RE: check IP before permit_sasl_authenticated

2019-08-13 Thread Scott Techlist
Thanks Wietse.

Is there a workaround for the space in v2.2 (old server, working on migrating)?

submission   inet   n   -   n   -   -   smtpd
  -o smtpd_recipient_restrictions=check_client_access hash:/etc/postfix/access,permit_sasl_authenticated,reject





Re: check IP before permit_sasl_authenticated

2019-08-13 Thread Wietse Venema
Scott Techlist:
> I'd like to block certain IP's from attempting to authenticate on my 
> submission port.
> 
> This is what I have now:
> 
> #master.cf
> #port 587
> submission   inet   n   -   n   -   -   smtpd
>  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>  -o smtpd_sasl_auth_enable=yes
> 
> Is it possible to configure to use an access list before the 
> permit_sasl_authenticated?
> 
> Where the access file contains:
> #
> Somedomain.com  550 reject
> 45.227.253.216  550 reject 
> 
> 
> Is this right?  Want to be sure I'm configuring it correctly and not opening 
> some hole:
> 
> #master.cf
> #port 587
> submission   inet   n   -   n   -   -   smtpd
> -o smtpd_recipient_restrictions= check_client_access hash:/etc/postfix/access, permit_sasl_authenticated,reject
> -o smtpd_sasl_auth_enable=yes

Your -o name=value contains spaces, therefore use {} like this:

submission   inet   n   -   n   -   -   smtpd
  -o { smtpd_recipient_restrictions = 
   check_client_access hash:/etc/postfix/access, 
   permit_sasl_authenticated, reject }

(this requires Postfix version 3.0 or later).

You are right to place check_client_access before permit_sasl_authenticated.

Wietse
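
The whitespace rule for -o overrides and the restriction order discussed in this thread, as an added example that is not part of any poster's message and not Postfix code: a small Python linter for master.cf text. The tokenizing is a simplified model of how master.cf arguments are split, and lint_master_cf, entries and SAMPLE are names and data constructed for illustration.

```python
import re

def entries(text):
    """Join master.cf continuation lines (leading whitespace) onto their entry."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def lint_master_cf(text):
    """Return (service, parameter, problem) tuples for -o overrides."""
    problems = []
    for entry in entries(text):
        # Keep a Postfix 3.0+ "{ name = value }" group together as one token.
        toks = re.findall(r"\{[^}]*\}|\S+", entry)
        service, args = toks[0], toks[8:]  # eight fixed fields, then arguments
        i = 0
        while i < len(args):
            if args[i] != "-o" or i + 1 == len(args):
                i += 1
                continue
            name, _, value = args[i + 1].strip("{} ").partition("=")
            name, i = name.strip(), i + 2
            stray = []  # tokens that whitespace cut off from the value
            while i < len(args) and not args[i].startswith("-"):
                stray.append(args[i])
                i += 1
            if stray:
                problems.append((service, name, "split by whitespace: " + " ".join(stray)))
            if name == "smtpd_recipient_restrictions":
                items = [t for t in re.split(r"[,\s]+", " ".join([value] + stray)) if t]
                if ("check_client_access" in items and "permit_sasl_authenticated" in items
                        and items.index("check_client_access") > items.index("permit_sasl_authenticated")):
                    problems.append((service, name, "check_client_access comes after permit_sasl_authenticated"))
    return problems

# Constructed sample: the entry with a space in the value, as asked about for v2.2.
SAMPLE = """submission inet n - n - - smtpd
  -o smtpd_recipient_restrictions=check_client_access hash:/etc/postfix/access,permit_sasl_authenticated,reject
  -o smtpd_sasl_auth_enable=yes
"""

if __name__ == "__main__":
    print(lint_master_cf(SAMPLE))
```

The comma-only form and the { } form both come back clean, while the ", reject" variant is reported with "reject" as the stray token.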


check IP before permit_sasl_authenticated

2019-08-13 Thread Scott Techlist
I'd like to block certain IP's from attempting to authenticate on my submission 
port.

This is what I have now:

#master.cf
#port 587
submission   inet   n   -   n   -   -   smtpd
 -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
 -o smtpd_sasl_auth_enable=yes

Is it possible to configure to use an access list before the 
permit_sasl_authenticated?

Where the access file contains:
#
Somedomain.com  550 reject
45.227.253.216  550 reject 


Is this right?  Want to be sure I'm configuring it correctly and not opening 
some hole:

#master.cf
#port 587
submission   inet   n   -   n   -   -   smtpd
-o smtpd_recipient_restrictions= check_client_access hash:/etc/postfix/access, permit_sasl_authenticated,reject
-o smtpd_sasl_auth_enable=yes