On 8/7/2011 3:52 PM, /dev/rob0 wrote:
> On Sun, Aug 07, 2011 at 02:10:35PM -0500, Noel Jones wrote:
>> # main.cf
>> smtpd_authorized_xforward_hosts = ip.of.upstream.postfix
> 
> Apparently this upstream IP is dynamic, he said in IRC. Agreed, it 
> sounds very strange.

If the upstream is dynamic, there would presumably be some way for
the firewall to be updated.  Such an update could also include
updating the postfix main.cf and loading postfix.


> 
>> Putting static:all or equivalent would allow an unauthorized client
>> to spoof their IP address.
>>
>> (in this case, using static:all might not matter if a firewall
>> prevents outside access, but it's still wrong.)
> 
> That was my reasoning, along with "if it breaks, Jack gets to keep 
> both pieces."

When you knowingly give bad advice (not pointing fingers, I do it
too -- still trying to quit), make sure to clearly label it as such.
I didn't see any warning on your post to the list.



  -- Noel Jones
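
The update step described in the reply above, sketched as an added example that is not part of the original message. It assumes whatever hook updates the firewall calls the script with the new upstream IPv4 address; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: keep smtpd_authorized_xforward_hosts pinned to ONE upstream IP.
# Assumption: invoked as "script --apply <ip>" by the firewall-update hook.

# Accept only a single dotted-quad IPv4 address. CIDR ranges, hostnames and
# table lookups such as static:all are refused, since they widen who may
# send XFORWARD and therefore who may claim an arbitrary client IP.
is_single_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address into its octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac   # no leading zeros
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the action for a current setting ($1) and a proposed IP ($2).
plan_update() {
    if ! is_single_ipv4 "$2"; then echo reject
    elif [ "$1" = "$2" ]; then echo keep
    else echo update
    fi
}

# Read the live value, then rewrite main.cf and reload only when it changed.
apply_update() {
    current=$(postconf -h smtpd_authorized_xforward_hosts) || return 1
    case $(plan_update "$current" "$1") in
        reject) echo "refusing value that is not a single IPv4: $1" >&2
                return 1 ;;
        keep)   return 0 ;;
        update) postconf -e "smtpd_authorized_xforward_hosts = $1" &&
                postfix reload ;;
    esac
}

# Touch Postfix only when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then apply_update "${2:-}"; fi
```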
