[exim] Re: How to restrict client login through IP whitelist

Author: TomNewChao
Date:  
To: Lena
CC: exim-users
Subject: [exim] Re: How to restrict client login through IP whitelist
Thanks for your reply.
   I have read your information about `https://github.com/Exim/exim/wiki/BlockCracking`. The main purpose is to modify the configuration to prevent user attacks through frequency limiting. However, it doesn't meet my needs. I wonder if we can add an IP whitelist to allow emails sent by specified users through login. For accepting emails from other MTAs, just release them directly.
The config is as follows in acl_check_rcpt:
`
      accept
        authenticated = *
        control = submission/sender_retain
        control = dkim_disable_verify
        condition = ${if match_ip{$sender_host_address}{172.20.0.0/16 : 127.0.0.1 : ::::1 : 192.168.1.0/24}}
      deny
        message = Your IP address $sender_host_address is not allowed to send mail.
`



But it will block all mailboxes, including those sent by logging in with username and password and mails received from other MTAs. I just want to block mails sent by logging in with username and password, not mails forwarded by other MTAs. Is there a better approach here?


Thanks again







At 2024-03-26 20:44:26, "Lena--- via Exim-users" <exim-users@???> wrote:
>> Is there a way to solve a scenario here? The IP whitelist restricts
>> forwarding after logging in with user name and password, but does not
>> restrict the acceptance of emails sent by third parties.
>> and the `acl_smtp_auth` can resolve it ?
>
>No, you add a condition into the paragraph with "accept authenticated"
>in rcpt ACL. Like this:
>
>  accept authenticated = *
>        condition = ${lookup{$sender_host_address}iplsearch\
>                    {/usr/local/etc/exim/auth_whitelist}{1}{0}}
>        control = submission/domain=
>
>See also https://github.com/Exim/exim/wiki/BlockCracking
>
>--
>## subscription configuration (requires account):
>## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
>## unsubscribe (doesn't require an account):
>## exim-users-unsubscribe@???
>## Exim details at http://www.exim.org/
>## Please use the Wiki with this list - http://wiki.exim.org/


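An added example, not part of the original thread or of the Exim project's own configuration: one way to lay out the RCPT ACL so that the allowlist applies only to authenticated sessions. In the configuration posted above, the `deny` has no condition of its own, so every session that is not accepted by the first statement is rejected, including unauthenticated deliveries from other MTAs. The list name `auth_allowed_hosts` is an assumption made for this sketch; the addresses and the message text are the ones from the post.

```exim
# Main configuration section.
# Named host list (hypothetical name). ":" is the list separator,
# so the colons of the IPv6 loopback address ::1 are doubled.
hostlist auth_allowed_hosts = 172.20.0.0/16 : 127.0.0.1 : ::::1 : 192.168.1.0/24

# ACL section.
acl_check_rcpt:

  # 1. Authenticated session from an allowlisted address:
  #    accept as a submission.
  accept authenticated = *
         hosts         = +auth_allowed_hosts
         control       = submission/sender_retain
         control       = dkim_disable_verify

  # 2. Authenticated session from any other address: refuse.
  #    The "authenticated = *" condition keeps this statement from
  #    matching unauthenticated MTA-to-MTA deliveries.
  deny   message       = Your IP address $sender_host_address is not allowed to send mail.
         authenticated = *

  # 3. Unauthenticated sessions match neither statement above and
  #    continue to the existing rules for mail from other MTAs,
  #    which stay unchanged below this point.
```

Statements in an ACL are evaluated in order, so both the `accept` and the conditional `deny` need to sit above the rules that handle mail arriving from other MTAs.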