On 2021-07-15 8:07 a.m., Laura Smith wrote:

Perhaps there are dovecot (and postfix submission) options to at least restrict 
access by IP?

Restricting by IP is soon going to become very tedious, especially if you are 
dealing with more than a small number of users, and especially once post-COVID 
travel comes back and people start connecting from random hotels and airport 
lounges.

If you don't fancy the idea of client certs, the alternative I would suggest 
instead of IP limiting would be a Wireguard VPN.

Wireguard VPN servers run very quiet and won't respond to anything unless a 
client sends the right parameters.

Of course the downside of a VPN compared to certificates is that the user will 
have to be aware and know how to manage a VPN, whilst with certificates it can 
all be quietly done in the background.


And of course, you can always do..


    submission inet n       -       y       -       -       smtpd
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_delay_reject=no
      -o { smtpd_client_restrictions = reject_rbl_client auth.spamrats.com=127.0.0.39, permit }
      -o { smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject }

Pick your favourite RBLs.. And do suggest that, based on our threat teams' research, you block AUTH from many of the cloud providers' IP space; several RBLs out there make it easy..

And/or, you can create your own lists, Amazon/Google/Azure all list their IP space publicly..

Just remember, use your own DNS servers, or upstream DNS servers, and NOT open resolvers such as Google's 8.8.8.8, as most RBLs block queries from those..


--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
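
The "create your own lists" suggestion above, as an added example (not code from the original post or from Postfix): it turns a provider's published range file into a Postfix `cidr:` access table. It assumes the AWS `ip-ranges.json` layout; the sample data is constructed from documentation ranges, and the exception host is hypothetical.

```python
import ipaddress
import json

# Constructed sample in the layout of AWS's ip-ranges.json. The prefixes are
# documentation ranges (RFC 5737 / RFC 3849), not real provider space.
SAMPLE_AWS_JSON = """
{"prefixes": [
  {"ip_prefix": "192.0.2.0/25",     "region": "us-east-1", "service": "EC2"},
  {"ip_prefix": "192.0.2.128/25",   "region": "us-east-1", "service": "EC2"},
  {"ip_prefix": "198.51.100.0/24",  "region": "eu-west-1", "service": "EC2"},
  {"ip_prefix": "198.51.100.64/26", "region": "eu-west-1", "service": "AMAZON"},
  {"ip_prefix": "203.0.113.0/24",   "region": "us-west-2", "service": "CLOUDFRONT"}],
 "ipv6_prefixes": [
  {"ipv6_prefix": "2001:db8:1000::/40", "region": "us-east-1", "service": "EC2"}]}
"""


def cloud_networks(doc, services=("EC2",)):
    """Collect the prefixes for the chosen services and merge adjacent or
    overlapping ones, so the table stays short. IPv4 first, then IPv6."""
    v4, v6 = [], []
    for entry in doc.get("prefixes", []):
        if entry.get("service") in services:
            v4.append(ipaddress.ip_network(entry["ip_prefix"]))
    for entry in doc.get("ipv6_prefixes", []):
        if entry.get("service") in services:
            v6.append(ipaddress.ip_network(entry["ipv6_prefix"]))
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def cidr_table(networks, exceptions=()):
    """Render a Postfix cidr: access table. Lookup stops at the first match,
    so exceptions (e.g. your own cloud-hosted sender) are written first with
    DUNNO, which skips the REJECT and falls through to the next restriction."""
    lines = [f"{ipaddress.ip_network(e)} DUNNO" for e in exceptions]
    lines += [f"{n} REJECT AUTH not accepted from cloud hosting space" for n in networks]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    nets = cloud_networks(json.loads(SAMPLE_AWS_JSON))
    # 198.51.100.10 is a hypothetical host of your own inside blocked space.
    print(cidr_table(nets, exceptions=["198.51.100.10"]), end="")
```

The generated file can be referenced from the submission service's `smtpd_client_restrictions` with `check_client_access cidr:` followed by wherever you store the table, placed before the final `permit`.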
