check IP before permit_sasl_authenticated

check IP before permit_sasl_authenticated

techlist06
I'd like to block certain IPs from attempting to authenticate on my submission port.

This is what I have now:

#master.cf
#port 587
submission   inet    n       -       n       -       -       smtpd
 -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
 -o smtpd_sasl_auth_enable=yes

Is it possible to configure to use an access list before the permit_sasl_authenticated?

Where the access file contains:
#
Somedomain.com 550 reject
45.227.253.216  550 reject


Is this right?  Want to be sure I'm configuring it correctly and not opening some hole:

#master.cf
#port 587
submission   inet    n       -       n       -       -       smtpd
 -o smtpd_recipient_restrictions= check_client_access hash:/etc/postfix/access, permit_sasl_authenticated,reject
 -o smtpd_sasl_auth_enable=yes


Re: check IP before permit_sasl_authenticated

Wietse Venema
Scott Techlist:

> I'd like to block certain IPs from attempting to authenticate on my submission port.
>
> This is what I have now:
>
> #master.cf
> #port 587
> submission   inet    n       -       n       -       -       smtpd
>  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>  -o smtpd_sasl_auth_enable=yes
>
> Is it possible to configure to use an access list before the permit_sasl_authenticated?
>
> Where the access file contains:
> #
> Somedomain.com 550 reject
> 45.227.253.216  550 reject
>
>
> Is this right?  Want to be sure I'm configuring it correctly and not opening some hole:
>
> #master.cf
> #port 587
> submission   inet    n       -       n       -       -       smtpd
>  -o smtpd_recipient_restrictions= check_client_access hash:/etc/postfix/access, permit_sasl_authenticated,reject
>  -o smtpd_sasl_auth_enable=yes

Your -o name=value contains spaces, therefore use {} like this:

submission   inet    n       -       n       -       -       smtpd
  -o { smtpd_recipient_restrictions =
       check_client_access hash:/etc/postfix/access,
       permit_sasl_authenticated, reject }

(this requires Postfix version 3.0 or later).

You are right to place check_client_access before permit_sasl_authenticated.

        Wietse
RE: check IP before permit_sasl_authenticated

techlist06
Thanks Wietse.

Is there a workaround for the space in v2.2 (old server, working on migrating)?

submission   inet    n       -       n       -       -       smtpd
  -o smtpd_recipient_restrictions=check_client_access hash:/etc/postfix/access,permit_sasl_authenticated,reject



RE: check IP before permit_sasl_authenticated

techlist06
>Is there a workaround for the space in v2.2 (old server, working on migrating)?
>
>submission   inet    n       -       n       -       -       smtpd
>  -o smtpd_recipient_restrictions=check_client_access hash:/etc/postfix/access,permit_sasl_authenticated,reject
>

I found a post where someone said this was valid workaround in master.cf, replacing the single space with a comma:
 -o smtpd_recipient_restrictions=check_client_access,hash:/etc/postfix/send_access,permit_sasl_authenticated, reject

Hopefully that is correct.



Re: check IP before permit_sasl_authenticated

Noel Jones-2
On 8/13/2019 12:15 PM, Scott Techlist wrote:

>> Is there a workaround for the space in v2.2 (old server, working on migrating)?
>>
>> submission   inet    n       -       n       -       -       smtpd
>>   -o smtpd_recipient_restrictions=check_client_access hash:/etc/postfix/access,permit_sasl_authenticated,reject
>>
>
> I found a post where someone said this was valid workaround in master.cf, replacing the single space with a comma:
>   -o smtpd_recipient_restrictions=check_client_access,hash:/etc/postfix/send_access,permit_sasl_authenticated, reject
>
> Hopefully that is correct.
>
>
>


Yes, that's correct, use a comma instead of space.  Note in the
above example you still have a space in  ", reject"

Also note this won't prevent intruders from attempting to AUTH, but
it will prevent them from abusing your server if they are successful.



   -- Noel Jones
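A small checker for the two points made above (Wietse's brace-grouped -o form for Postfix 3.0+, and the comma-instead-of-space workaround Noel confirms for older versions). This is added example code, not anything from the thread or from Postfix; the master.cf fragment it parses is constructed, and the function names are my own.

```python
import re
# Constructed sample, not the poster's file: the broken form, then the 3.0+ braces.
SAMPLE_MASTER_CF = """\
submission inet n - n - - smtpd
  -o smtpd_recipient_restrictions=check_client_access hash:/etc/postfix/access,permit_sasl_authenticated,reject
  -o smtpd_sasl_auth_enable=yes
smtps inet n - n - - smtpd
  -o { smtpd_recipient_restrictions =
       check_client_access hash:/etc/postfix/access,
       permit_sasl_authenticated, reject }
"""

def service_args(text):
    """service -> tokens after the 8 master.cf columns; indented lines continue."""
    args, cur = {}, None
    for raw in filter(str.strip, text.splitlines()):
        if raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            args[cur] += raw.split()
        else:
            cur, args[cur] = raw.split()[0], raw.split()[8:]
    return args

def overrides(tokens):
    """Yield (name, intended value, ok) per -o; ok is False when master(8) would
    split the value on whitespace because it lacks Postfix 3.0+ {} grouping."""
    starts = [k for k, t in enumerate(tokens) if t == "-o"] + [len(tokens)]
    for i, nxt in zip(starts, starts[1:]):
        words = tokens[i + 1:nxt]                 # every word up to the next -o
        braced = words[0].startswith("{") and words[-1].endswith("}")
        name, _, val = " ".join(words).strip("{} ").partition("=")
        yield name.strip(), val.strip(), braced or len(words) == 1

def comma_form(value):
    """Pre-3.0 workaround from the thread: whitespace and commas are equivalent
    list separators, so collapse every separator run into one comma."""
    return ",".join(re.split(r"[\s,]+", value.strip()))

def client_check_before_auth(value):
    """True when check_client_access precedes permit_sasl_authenticated."""
    parts = re.split(r"[\s,]+", value.strip())
    return ("permit_sasl_authenticated" in parts and
            "check_client_access" in parts[:parts.index("permit_sasl_authenticated")])

def lint(text):
    """{service: {name: (ok, value)}} for every -o override in the text."""
    return {svc: {n: (ok, v) for n, v, ok in overrides(toks)}
            for svc, toks in service_args(text).items()}
```

Run `lint(SAMPLE_MASTER_CF)` to see the submission entry flagged and `comma_form()` on its value to get the single-argument form usable on Postfix 2.x.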
Re: check IP before permit_sasl_authenticated

@lbutlr
On 13 Aug 19, at 09:19 , Scott Techlist <[hidden email]> wrote:
I'd like to block certain IPs from attempting to authenticate on my submission port.

You cannot prevent them from attempting to authenticate, at least not via postfix. You would need to firewall them or do something in hosts.allow for that.

You can prevent them from logging in successfully, regardless of credentials, but you can't keep them from connecting and trying to login.


-- 
On a scale of one to ten, it sucked.