Re: [exim] RELAY NOT PERMITED exim4

Author: Odhiambo Washington
Date:  
To: Sebastian
CC: Mailing List
Subject: Re: [exim] RELAY NOT PERMITED exim4
@Sebastian <sebastian@???> you now seem to be addressing a different
problem than the OP presented.

On Wed, Apr 21, 2021 at 4:37 PM Sebastian via Exim-users <
exim-users@???> wrote:

> I would say it's a benefit. Even if you restrict IPs to a bigger area like
> a country (geoIP restriction) or a whole ISP, you still reduce the attack
> surface by MANY times.
> I previously had problems with bots hacking my passwords. They guessed them
> all the time.
> After I added IP restrictions covering all the locations I'm at, the bot
> hacking problem has disappeared completely.
>
> And with the username/password restriction, I can add IPs belonging to
> public locations or are shared with many users (for example, mobile ISPs)
> without being afraid of any of these finding my server AND finding my
> password.
>
> But bots cracking passwords to gain access are a real problem today, and
> IP whitelisting is a good solution to that.
>
> If you run for example a webhosting company, and all your customers are
> located in a specific country (just because the payment method only exists
> in that country for example) you can geoIP restrict it to your country only.
> To avoid a large auth_advertise_hosts list, you can join CIDR ranges that
> are close to each other, even if a few out-of-country IPs are added.
>
> The important thing is to have a "rough" filtering to avoid all bots from all
> over the world.
>
> -----Original message-----
> From: Odhiambo Washington via Exim-users <exim-users@???>
> Sent: 21 April 2021 15:25
> To: Sebastian <sebastian@???>
> Cc: Mailing List <exim-users@???>; Douba Samuel DIARRA <
> doubasamuel@???>
> Subject: Re: [exim] RELAY NOT PERMITED exim4
>
> @Sebastian,
> If you live in a world where IPs are dynamic, then you will understand my
> point.
> There is no real benefit of restricting auth to particular IPs, IMHO.
> If you must restrict AUTH to just a few IPs, then you actually don't need
> that overhead.
> Just put them in relay_from_hosts and you are good.
>
>
> On Wed, Apr 21, 2021 at 1:55 PM Sebastian via Exim-users <
> exim-users@???> wrote:
>
> > But it's still good to use "auth_advertise_hosts" to restrict which
> > hosts are permitted to authenticate in addition to this.
> > Else you will get bots that hack the password and then spam with your
> > server.
> >
> > In auth_advertise_hosts, you can use CIDR notation (like
> > 123.123.123.0/24) to allow large amounts of hosts in case of dynamic IP
> > or mobile terminals.
> >
> > So authenticated SMTP should still be IP restricted since there are
> > bots out there guessing passwords (and hitting the right passwords
> > sometimes and gaining access)
> >
> > -----Original message-----
> > From: Odhiambo Washington via Exim-users <exim-users@???>
> > Sent: 21 April 2021 12:36
> > To: Douba Samuel DIARRA <doubasamuel@???>
> > Cc: exim-users@???
> > Subject: Re: [exim] RELAY NOT PERMITED exim4
> >
> > On Wed, Apr 21, 2021 at 1:24 PM Douba Samuel DIARRA via Exim-users <
> > exim-users@???> wrote:
> >
> > > Hello
> > > I was using Exim 4, in office (different sites) but I was using
> > > vsat system for interconnecting sites. I put private addresses to
> > > configure exim in different sites.
> > > Since I published my servers on internet, I have this kind of error
> > > message and I cannot send mails. The message is: RELAY NOT PERMITED
> > >
> > > Need some advice please
> >
> >
> >
> > Instead of relying on IP addresses for relaying (as should be listed
> > in relay_from_hosts) it is better to use ASMTP as the condition for
> > relaying.
> > So just set up authenticated SMTP and let users enable the same on
> > their MUA and you are good to go.
> >
> > --
> > Best regards,
> > Odhiambo WASHINGTON,
> > Nairobi,KE
> > +254 7 3200 0004/+254 7 2274 3223
> > "Oh, the cruft.", grep ^[^#] :-)
> > --
> > ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> > ## Exim details at http://www.exim.org/ ## Please use the Wiki with
> > this list - http://wiki.exim.org/
> >
>
>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254 7 3200 0004/+254 7 2274 3223
> "Oh, the cruft.", grep ^[^#] :-)



--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)
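
The quoted suggestion of joining nearby CIDR ranges to keep the auth_advertise_hosts list short, worked through as an added example (not code from the thread or from Exim). The function names, the 25% tolerance for unintended addresses and the sample ranges (taken from the 198.18.0.0/15 benchmarking block) are assumptions made for illustration.

```python
import ipaddress

def smallest_supernet(a, b):
    """Smallest single CIDR block that contains both networks."""
    net = a
    while not b.subnet_of(net):
        net = net.supernet()
    return net

def join_ranges(cidrs, max_extra=0.25):
    """Merge neighbouring ranges while the share of addresses that were
    never in the input stays at or below max_extra of the merged block."""
    wanted = list(ipaddress.collapse_addresses(
        ipaddress.IPv4Network(c) for c in cidrs))
    nets = list(wanted)
    changed = True
    while changed:
        changed = False
        for a, b in zip(nets, nets[1:]):
            span = smallest_supernet(a, b)
            # Measure against the original input, so extras never compound.
            covered = sum(w.num_addresses for w in wanted if w.subnet_of(span))
            if span.num_addresses - covered <= max_extra * span.num_addresses:
                nets = list(ipaddress.collapse_addresses(nets + [span]))
                changed = True
                break
    return nets

def extra_addresses(nets, cidrs):
    """Number of addresses the joined list admits beyond the input ranges."""
    wanted = ipaddress.collapse_addresses(
        ipaddress.IPv4Network(c) for c in cidrs)
    return (sum(n.num_addresses for n in nets)
            - sum(w.num_addresses for w in wanted))

def exim_option(nets):
    """Render the result as an Exim main-section option line."""
    return "auth_advertise_hosts = " + " : ".join(str(n) for n in nets)

# Constructed sample input: three neighbouring ranges and one distant one.
SAMPLE = ["198.18.0.0/24", "198.18.1.0/24", "198.18.2.0/24",
          "198.18.3.0/25", "198.19.200.0/24"]

if __name__ == "__main__":
    joined = join_ranges(SAMPLE)
    print(exim_option(joined))
    print("addresses admitted beyond the input:", extra_addresses(joined, SAMPLE))
```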