Discussion:
smtpd_sasl_exceptions_networks doesn't work
Oleg
2015-02-26 18:00:09 UTC
Hi everyone!

I want to allow SASL authentication only from specific networks.
I've added smtpd_sasl_exceptions_networks option:

smtpd_sasl_exceptions_networks = !10.0.0.0/8,
    !192.168.0.0/16,
    static:all

Looks like everything is fine, EHLO doesn't show AUTH for alien networks:

250-example.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

BUT I still can use AUTH LOGIN from any IP I want!
Am I doing something wrong or have I forgotten to add something?

Oleg

P.S. Postfix version 2.6.6
Wietse Venema
2015-02-26 18:23:06 UTC
Post by Oleg
BUT I still can use AUTH LOGIN from any IP I want!
smtpd_sasl_exceptions_networks
What remote SMTP clients the Postfix SMTP server will not offer AUTH
support to.

It works as described: Postfix does not announce AUTH support. This
feature was donated to prevent certain network clients from messing
up when the server announces AUTH support but the client has no
login information. With smtpd_sasl_exceptions_networks, those clients
would not try to authenticate and all was well.

smtpd_sasl_exceptions_networks is obsoleted by smtpd_discard_ehlo_keywords
and smtpd_discard_ehlo_keyword_address_maps. The latter two prevent
Postfix from accepting AUTH commands. smtpd_sasl_exceptions_networks
should probably be deprecated and eventually removed from documentation.

Wietse
o***@heewie.org
2015-02-27 06:46:26 UTC
Post by Oleg
Post by Oleg
BUT I still can use AUTH LOGIN from any IP I want!
smtpd_sasl_exceptions_networks
What remote SMTP clients the Postfix SMTP server will not offer AUTH
support to.
It works as described: Postfix does not announce AUTH support. This
feature was donated to prevent certain network clients from messing
up when the server announces AUTH support but the client has no
login information. With smtpd_sasl_exceptions_networks, those clients
would not try to authenticate and all was well.
smtpd_sasl_exceptions_networks is obsoleted by smtpd_discard_ehlo_keywords
and smtpd_discard_ehlo_keyword_address_maps. The latter two prevent
Postfix from accepting AUTH commands. smtpd_sasl_exceptions_networks
should probably be deprecated and eventually removed from documentation.
Excellent. smtpd_discard_ehlo_keyword_address_maps solved my problem.

Thanks a lot

Oleg
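
Added example, not part of any post in this thread: a check for the gap discussed above, where EHLO does not announce AUTH but the server may still act on an AUTH command. The function names, the verdict strings and the EHLO_OFFERED sample are assumptions made for illustration; EHLO_HIDDEN is the keyword list from the first post.

```python
import smtplib

# EHLO keyword list from the first post (AUTH not announced to this client).
EHLO_HIDDEN = """example.com
PIPELINING
SIZE 10240000
ETRN
STARTTLS
ENHANCEDSTATUSCODES
8BITMIME
DSN"""
# Constructed variant in which the server does announce AUTH.
EHLO_OFFERED = EHLO_HIDDEN + "\nAUTH PLAIN LOGIN"


def advertises_auth(ehlo_text):
    """True if an EHLO keyword line is AUTH (also the legacy 'AUTH=' form)."""
    for line in ehlo_text.splitlines()[1:]:   # first line is the server name
        parts = line.strip().upper().replace("=", " ").split()
        if parts and parts[0] == "AUTH":
            return True
    return False


def verdict(ehlo_text, auth_code):
    """Combine what EHLO announced with the reply code to 'AUTH LOGIN'."""
    accepted = auth_code == 334               # 334: server started the SASL exchange
    if accepted and not advertises_auth(ehlo_text):
        return "hidden-but-accepted"          # the situation reported in the thread
    if accepted:
        return "offered-and-accepted"
    return "refused"


def probe(host, port=25, timeout=10):
    """Run the check against your own server from the current client address."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        if s.has_extn("starttls"):            # AUTH may only be usable after TLS
            s.starttls()
            s.ehlo()
        ehlo_text = s.ehlo_resp.decode("ascii", "replace")
        code, _ = s.docmd("AUTH", "LOGIN")
        if code == 334:
            s.docmd("*")                      # cancel the exchange; no credentials sent
        return verdict(ehlo_text, code)
```

Running probe() from an address inside and outside the permitted networks after a configuration change shows whether the restriction is enforced or only hidden from the EHLO reply.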
