I would say it’s a benefit. Even if you restrict IPs to a bigger area like a country (geoIP restriction) or a whole ISP, you still reduce the attack surface with MANY times.
I before had problems with bots hacking my passwords. They guessed them all the time.
After I added IP restrictions covering all the locations im at, the bot hacking problem have disappeared completely.
And with the username/password restriction, I can add IPs belonging to public locations or are shared with many users (for example, mobile ISPs) without being afraid of any of these being finding my server AND finding my password.
But bots cracking passwords to gain access are a real problem today, and IP whitelisting are a good solution to that.
IF you run for example a webhosting company, and all your customers are located in a specific country (just because the payment method only exist in that country for example) you can geoIP restrict it to your country only.
To avoid a large auth_advertise_hosts list, you can join CIDR ranges that are close to each other, even if a few out-of-country IPs are added.
The important is to have a "rough" filtering to avoid all bots from all over the world.
-----Ursprungligt meddelande-----
Från: Odhiambo Washington via Exim-users <exim-users@???>
Skickat: den 21 april 2021 15:25
Till: Sebastian <sebastian@???>
Kopia: Mailing List <exim-users@???>; Douba Samuel DIARRA <doubasamuel@???>
Ämne: Re: [exim] RELAY NOT PERMITED exim4
@Sebastian,
If you live in a world where IPs are dynamic, then you will understand my point.
There is no real benefit of restricting auth to particular IPs, IMHO.
If you must restrict AUTH to just a few IPs, then you actually don't need that overhead.
Just put them in relay_from_hosts and you are good.
On Wed, Apr 21, 2021 at 1:55 PM Sebastian via Exim-users < exim-users@???> wrote:
> But its still good to use "auth_advertise_hosts" to restrict which
> hosts that are permitted to authenticate in addition to this.
> Else you will get bots that hack the password and then spam with your
> server.
>
> In auth_advertise_hosts, you can use CIDR notation (like
> 123.123.123.0/24) to allow large amounts of hosts in case of dynamic IP or mobile terminals.
>
> So authenticated SMTP should still be IP restricted since there is
> bots out there guessing passwords (and hitting the right passwords
> sometimes and gaining access)
>
> -----Ursprungligt meddelande-----
> Från: Odhiambo Washington via Exim-users <exim-users@???>
> Skickat: den 21 april 2021 12:36
> Till: Douba Samuel DIARRA <doubasamuel@???>
> Kopia: exim-users@???
> Ämne: Re: [exim] RELAY NOT PERMITED exim4
>
> On Wed, Apr 21, 2021 at 1:24 PM Douba Samuel DIARRA via Exim-users <
> exim-users@???> wrote:
>
> > Hello
> > I was using Exim 4, in office (differents sites) but I was using
> > vsat system for interconnecting sites. I put private adresses to
> > configure exim in differents sites.
> > Since I published my servers on internet, I have this kind of error
> > message and i cannot send mails. the message is : RELAY NOT PERMITED
> >
> > Need some advices please
>
>
>
> Instead of relying on IP addresses for relaying (as should be listed
> in
> relay_from_hosts) it is better to use ASMTP ad the condition for relaying.
> So just set up authenticated SMTP and let users enable the same on
> their MuA and you are good to go.
>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254 7 3200 0004/+254 7 2274 3223
> "Oh, the cruft.", grep ^[^#] :-)
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/ ## Please use the Wiki with
> this list - http://wiki.exim.org/
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/ ## Please use the Wiki with
> this list - http://wiki.exim.org/
>
--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)
--
## List details at
https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at
http://www.exim.org/
## Please use the Wiki with this list -
http://wiki.exim.org/