Ok to put private network in mynetworks?


Ok to put private network in mynetworks?

Florian Lindner
Hello,

I run a docker container on my server. So that not every docker container needs to authenticate when sending mail, I added
the private network range 172.16/12 to mynetworks:

# Added private network 172.16/12 for Docker
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.16.0.0/12


* Is this safe?

* Is there another / better way to achieve what I want?


# ip route
default via 188.68.36.1 dev ens3
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
188.68.36.0/22 dev ens3 proto kernel scope link src 188.68.38.242

# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 06:08:95:a6:04:77 brd ff:ff:ff:ff:ff:ff
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether 02:42:2b:eb:c1:98 brd ff:ff:ff:ff:ff:ff
267: veth1dac1ee@if266: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
    link/ether 7a:a8:15:1f:cb:f4 brd ff:ff:ff:ff:ff:ff link-netnsid 0



Thanks,
Florian


Re: Ok to put private network in mynetworks?

btb-2
On May 17, 2017, at 10.44, Florian Lindner <[hidden email]> wrote:
>
> Hello,
>
> I run a docker container on my server. To not have all docker containers need to authenticate when sending mail, I added
> the private network range 172.16/12 to mynetworks:

i would discourage authorization based on source ip address.  automated credential configuration is a fairly basic task, and there are a plethora of benefits to using user/pass [or even a certificate, if desired] over source ip address.

> # Added private network 172.16/12 for Docker
>
>
> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.16.0.0/12
>
>
> * Is this safe?

that's a rather relative/subjective measure - but pursuant to my particular philosophies, no.

> * Is there another / better way to achieve what I want?

there are some cases in which i "must" allow authorization based on source ip address.  some time ago, i stopped using mynetworks/permit_mynetworks for this.  i now use check_client_access cidr:${table_directory}/non_auth_submitters.cidr, and i set mynetworks to empty [e.g. "mynetworks ="].
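The two approaches in this thread (the OP's broad `mynetworks` entry and btb-2's `check_client_access cidr:` table) can be compared offline. The script below is an added example, not Postfix code and not from either poster: it reimplements just enough of Postfix's `mynetworks` matching and `cidr:` table semantics (first match wins) to show which sample clients each rule would let relay without SASL, and how many addresses `172.16.0.0/12` whitelists beyond the `172.17.0.0/16` that the OP's `ip route` output shows on `docker0`. The contents of `non_auth_submitters.cidr` and the client addresses are constructed for the example; only the file name comes from btb-2's post.

```python
"""Compare a broad mynetworks entry with a narrow cidr: access table.

Added example (not Postfix code, not from the thread). It mirrors Postfix
behaviour closely enough for a what-if check: mynetworks is a list of
networks, a cidr: table is scanned top to bottom and the first match wins.
"""
import ipaddress
from typing import List, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# The OP's mynetworks value, quoted from the thread.
MYNETWORKS = "127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.16.0.0/12"

# Constructed cidr: table in the style btb-2 describes
# (check_client_access cidr:${table_directory}/non_auth_submitters.cidr),
# narrowed to the docker0 subnet visible in the OP's `ip route` output.
NON_AUTH_SUBMITTERS_CIDR = """\
# first match wins; unmatched clients fall through to later restrictions
127.0.0.0/8     permit
172.17.0.0/16   permit
"""


def parse_mynetworks(value: str) -> List[IPNetwork]:
    """Turn a whitespace-separated mynetworks value into network objects.
    Postfix writes IPv6 entries as [addr]/len, so strip the brackets."""
    nets = []
    for token in value.split():
        token = token.replace("[", "").replace("]", "")
        nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def _candidates(client: str) -> List[IPAddress]:
    """Addresses to test: the client itself, plus its IPv4 form when it is
    an IPv4-mapped IPv6 address (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(client)
    out: List[IPAddress] = [addr]
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        out.append(addr.ipv4_mapped)
    return out


def in_mynetworks(client: str, value: str = MYNETWORKS) -> bool:
    """True if permit_mynetworks would match this client address."""
    for net in parse_mynetworks(value):
        for addr in _candidates(client):
            if addr.version == net.version and addr in net:
                return True
    return False


def cidr_lookup(client: str, table: str = NON_AUTH_SUBMITTERS_CIDR) -> Optional[str]:
    """First-match lookup in a Postfix-style cidr: table; None means no match,
    i.e. Postfix would continue with the next restriction."""
    for line in table.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        net = ipaddress.ip_network(pattern, strict=False)
        for addr in _candidates(client):
            if addr.version == net.version and addr in net:
                return action.strip()
    return None


def excess_addresses(broad: str = "172.16.0.0/12", actual: str = "172.17.0.0/16") -> int:
    """How many addresses the broad whitelist grants beyond the subnet that
    actually exists on the host (address_exclude returns the leftover blocks)."""
    leftover = ipaddress.ip_network(broad).address_exclude(ipaddress.ip_network(actual))
    return sum(n.num_addresses for n in leftover)


if __name__ == "__main__":
    # Constructed sample clients: a container on docker0, loopback as an
    # IPv4-mapped IPv6 address, a host in another RFC 1918 /16 that 172.16/12
    # also covers, and the server's own public address from the thread.
    for client in ("172.17.0.5", "::ffff:127.0.0.1", "172.20.5.9", "188.68.38.242"):
        print(f"{client:>18}  mynetworks={in_mynetworks(client)!s:5}  cidr={cidr_lookup(client)}")
    print("addresses whitelisted beyond docker0:", excess_addresses())
```

On a real host the same check is done against the live table with `postmap -q 172.17.0.5 cidr:/etc/postfix/non_auth_submitters.cidr`, and `postconf -n mynetworks` shows the value Postfix is actually using. The point the script makes concrete is that `172.16.0.0/12` covers sixteen /16 blocks, while only `172.17.0.0/16` is routed to `docker0`; a cidr: table (or a narrower `mynetworks`) lets the relay permission track the subnet that exists.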

Re: Ok to put private network in mynetworks?

Viktor Dukhovni

> On May 17, 2017, at 12:27 PM, [hidden email] wrote:
>
>> I run a docker container on my server. To not have all docker containers need to authenticate when sending mail, I added
>> the private network range 172.16/12 to mynetworks:
>
> I would discourage authorization based on source ip address.  automated credential configuration is a fairly basic task, and there are a plethora of benefits to using user/pass [or even a certificate, if desired] over source ip address.

And yet, allowing a block of private addresses that are directly managed by the
same administrators that manage the MTA is quite reasonable.

If all the nodes in question would in any case be given relay permission (via
passwords, client certificates, ...) and the risk of IP spoofing is low (BGP
route forgery is unlikely to be relevant here) then by all means whitelist
the netblock.

The OP is best positioned to assess the risk of source forgery for the netblock
in question, and whether there are likely to be exceptions to the rule that
make authentication desirable.

--
        Viktor.


Re: Ok to put private network in mynetworks?

btb-2

> On May 17, 2017, at 12.55, Viktor Dukhovni <[hidden email]> wrote:
>
>
>> On May 17, 2017, at 12:27 PM, [hidden email] wrote:
>>
>>> I run a docker container on my server. To not have all docker containers need to authenticate when sending mail, I added
>>> the private network range 172.16/12 to mynetworks:
>>
>> I would discourage authorization based on source ip address.  automated credential configuration is a fairly basic task, and there are a plethora of benefits to using user/pass [or even a certificate, if desired] over source ip address.
>
> And yet, allowing a block of private addresses that are directly managed by the
> same administrators that manage the MTA is quite reasonable.
>
> If all the nodes in question would in any case be given relay permission (via
> passwords, client certificates, ...) and the risk of IP spoofing is low (BGP
> route forgery is unlikely to be relevant here) then by all means whitelist
> the netblock.

perhaps, although as i stated, there is more to it than that.  for example, more fine grained control of authorization, and the potential reduction in ambiguity as to what, specifically, is submitting mail.