Patrick Ben Koetter wrote:
> * Неворотин Вадим <nevoro...@gmail.com>:
>> How can I deny SASL authentication not from local (192.168.0.0/16) IP? Now I
>> have restrictions in smtpd_recipient_restrictions and other parameters,
>> which allow send mails to relayhost only from local IPs and only after
>> authentication. But client from Internet still can authenticate on my
>> server, but can't send mail. But I need to deny authentication from outer
>> net at all. It's because my users use very simple passwords, and in my net
>> each user has only one login/password for all services.
>
> If your users also connect from outside, then there's no way to deny SASL
> authentication.
>

Assuming postfix >= 2.2, he could use:

smtpd_discard_ehlo_keyword_address_maps = cidr:/etc/postfix/ehlo.cidr

== ehlo.cidr
192.168.0.0/16  silent-discard
0.0.0.0/0       auth,silent-discard

> If, however, you can identify your users by network range, split Postfix smtpd
> into an outside and an inside configuration like this in master.cf:
>
>
> # ==========================================================================
> # service type  private unpriv  chroot  wakeup  maxproc command + args
> #               (yes)   (yes)   (yes)   (never) (100)
> # ==========================================================================
> # smtp      inet  n       -       -       -       -       smtpd
> <insideIP>:25      inet  n       -       -       -       -       smtpd
>     -o smtpd_sasl_auth_enable=yes
> <outsideIP>:25      inet  n       -       -       -       -       smtpd
>
>
> Then remove "smtpd_sasl_auth_enable = yes" from main.cf and restart postfix.
>
> p...@rick
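
An added example, not part of the original thread and not Postfix code: a small Python model of the first-match lookup that a cidr: table such as ehlo.cidr performs, useful for checking which client addresses would still be offered AUTH before deploying the table. The table is a constructed copy using the local range 192.168.0.0/16 from the question; the function names are hypothetical, and the model assumes the plain "pattern result" syntax only.

```python
import ipaddress
import re

# Constructed copy of the ehlo.cidr table discussed in the thread.
EHLO_CIDR = """\
# local clients: nothing discarded
192.168.0.0/16  silent-discard
# all other IPv4 clients: AUTH removed from the EHLO reply
0.0.0.0/0       auth,silent-discard
"""

def parse_cidr_table(text):
    """Return [(network, result)] in file order, skipping blanks and comments."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: pattern without result")
        # strict=True rejects patterns with host bits set, e.g. 192.168.0.1/16
        rules.append((ipaddress.ip_network(fields[0], strict=True), fields[1]))
    return rules

def discarded_keywords(rules, client_ip):
    """First matching pattern wins; None means no pattern matched."""
    addr = ipaddress.ip_address(client_ip)
    for network, result in rules:
        if addr.version == network.version and addr in network:
            words = {w.lower() for w in re.split(r"[,\s]+", result) if w}
            return words - {"silent-discard"}  # pseudo keyword: suppresses logging
    return None

def auth_offered(rules, client_ip):
    """True if AUTH would still be announced to this client."""
    discarded = discarded_keywords(rules, client_ip)
    return discarded is None or "auth" not in discarded

if __name__ == "__main__":
    rules = parse_cidr_table(EHLO_CIDR)
    for ip in ("192.168.10.5", "192.169.0.1", "203.0.113.7", "2001:db8::1"):
        print(f"{ip:15} AUTH offered: {auth_offered(rules, ip)}")
```

The 2001:db8::1 case shows that 0.0.0.0/0 does not match IPv6 clients, so an smtpd reachable over IPv6 needs its own ::/0 line in the table.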