Re: [exim] Allow authenticated SMTP from one IP Only

Author: Klaus Ethgen
Date:
To: exim-users
Subject: Re: [exim] Allow authenticated SMTP from one IP Only
Hello,

Urgh, I tried to fix the TOFU to answer practically. So sorry for the
full quote, otherwise the sense would be lost.

On Thu, 22 Sep 2011 at 18:36, Todd Lyons wrote:
> On Wed, Sep 21, 2011 at 9:39 PM, Aneesh Joseph <aneeshjoseph@???> wrote:
> > Hello,
> >
> > I have a mail server and a web server.  I have installed the webmail client
> > (custom program) in the web server.  I need to allow Authenticated SMTP
> > only from this web server.  What I mean is that, if I have the email address
> > and password, I should not be able to send email using my Outlook or any
> > script from another server.
> >
> > Now I have enabled POP before SMTP and disabled the POP3 port from all IPs
> > except the web server IP. Still, people are sending email using SMTP
> > authentication from remote computers.
> >
> > Any idea how to fix this? Or any suggestion?
>
> Honestly the easiest option to me is to put an iptables rule on the
> mail server which rejects port 587 (you do require smtp auth to run
> only on port 587, right?) except for 1 IP, that of the webmail server
> you wish to allow.

First of all, no, 587 does not require authentication. True, it is
required by the RFC, but if you do not activate that in the exim config it
would also allow unauthenticated connections.

But you can also authenticate using port 25 so it would not help to
block only port 587 if you do not also actively disable the possibility
in the exim configuration.

Finally there is also port 465 ...

However, a question to Aneesh (is your last name really Joseph?): why
would you specifically forbid users to authenticate? In my eyes, if they
still authenticate you should be proud, as not every user can be told to
do so.

If you really wish to allow authentication from only one IP, you can use
any condition in "server_advertise_condition" of the authenticator
configuration. Normally you have something like
"server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}" in that
option.
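An added example of such a condition, not taken from Klaus's post or from Exim's own documentation. It assumes a constructed webmail address 192.0.2.10, a PLAIN authenticator, and a password file at /etc/exim/passwd (both the file and the lookup in server_condition are assumptions, shown only so the authenticator is complete):

```conf
# Added example, not from the original post. 192.0.2.10 is a constructed
# placeholder for the webmail host; /etc/exim/passwd is an assumed file.
hostlist webmail_hosts = 192.0.2.10

begin authenticators

plain_webmail:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = ${if crypteq{$auth3}{${lookup{$auth2}lsearch{/etc/exim/passwd}{$value}fail}}}
  server_set_id = $auth2
  # Advertise AUTH only when the session is TLS-protected (the $tls_cipher
  # test from the post) AND the connecting client is the webmail host.
  # Because this option belongs to the authenticator itself, it applies on
  # every port exim listens on (25, 465 and 587 alike), which is exactly
  # what a firewall rule on port 587 alone does not cover.
  server_advertise_condition = ${if and{{def:tls_cipher}{match_ip{$sender_host_address}{+webmail_hosts}}}{*}{}}
```

Exim rejects an AUTH command for a mechanism that was not advertised in the EHLO response, so a client that ignores the advertisement gains nothing from it. Newer Exim releases call the variable $tls_in_cipher; $tls_cipher is kept here because the post uses that name.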

Regards
   Klaus
-- 
Klaus Ethgen                              http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16   Klaus Ethgen <Klaus@???>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C