On 8/7/2011 12:36 PM, /dev/rob0 wrote:
> On Sun, Aug 07, 2011 at 08:03:47AM -0700, Jack Bates wrote:
>> On Fri, Aug 5, 2011 at 2:10 PM, Noel Jones <njo...@megan.vbhcs.org>
>> wrote:
>>> On 8/5/2011 3:26 PM, Jack Bates wrote:
>>>> What's the simplest way to enable
>>>> smtpd_authorized_xforward_hosts for any/all clients?
>>>
>>> That sounds very wrong. What problem are you trying to solve?
>>
>> I want to control access to this MTA with a firewall. The only
>> client permitted access is an upstream instance of Postfix, via
>> smtpd_proxy_filter. I want this client to use XFORWARD, so I want
>> to enable smtpd_authorized_xforward_hosts unconditionally. What's
>> the simplest way?
>
> Restating the solutions I gave you in IRC that day (I'm assuming it
> was you, because the question and description of the issue were
> identical):
>
> smtpd_authorized_xforward_hosts = static:all
>
> or
>
> smtpd_authorized_xforward_hosts = 0.0.0.0/0, [::/0]
>
> These can be preceded by exclusions. For details, see:
> http://www.postfix.org/postconf.5.html#smtpd_authorized_xforward_hosts

No, the above solution is wrong. The only client IP that should be in
smtpd_authorized_xforward_hosts is the upstream postfix server.

    # main.cf
    smtpd_authorized_xforward_hosts = ip.of.upstream.postfix

Putting static:all or equivalent would allow an unauthorized client to
spoof their IP address. (In this case, using static:all might not
matter if a firewall prevents outside access, but it's still wrong.)

  -- Noel Jones
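
Added example, not part of the original thread and not Postfix code: a small Python check for the point made in the reply above, flagging smtpd_authorized_xforward_hosts values that authorize more than the upstream relay. The function name audit_xforward_hosts, its upstream_ips argument and the sample values are assumptions made for this illustration.

```python
import ipaddress
import re

def audit_xforward_hosts(value, upstream_ips):
    """Return findings for one smtpd_authorized_xforward_hosts value.

    upstream_ips: the addresses that are supposed to send XFORWARD
    (an assumption supplied by the operator, not read from Postfix).
    """
    upstream = {ipaddress.ip_address(ip) for ip in upstream_ips}
    findings = []
    # Postfix list elements are separated by commas and/or whitespace.
    for item in re.split(r"[,\s]+", value.strip()):
        if not item or item.startswith("!"):
            continue  # "!pattern" exclusions only narrow the list
        if item.startswith("static:"):
            findings.append((item, "static table matches every client"))
            continue
        # IPv6 literals are written inside []; drop the brackets to parse.
        literal = item.replace("[", "").replace("]", "")
        try:
            net = ipaddress.ip_network(literal, strict=False)
        except ValueError:
            findings.append((item, "not an IP literal, review by hand"))
            continue
        if net.prefixlen == 0:
            findings.append((item, "matches every client address"))
        elif net.num_addresses > 1:
            findings.append((item, "network, not a single upstream host"))
        elif net.network_address not in upstream:
            findings.append((item, "host is not a listed upstream relay"))
    return findings

# Constructed sample values: the two settings quoted in the thread and a
# single-host setting (192.0.2.10 is a documentation address).
SAMPLES = [
    "static:all",
    "0.0.0.0/0, [::/0]",
    "192.0.2.10",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", audit_xforward_hosts(sample, ["192.0.2.10"]) or "ok")
```

The value to audit can be taken from `postconf -h smtpd_authorized_xforward_hosts` on the downstream instance.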