On 06.09.2011 11:24, Patrick Ben Koetter wrote:
> * Heiko Wundram <modeln...@modelnine.org>:
>> As the title says: is there a possibility to set different
>> smtpd_sasl_security_options depending on the connecting IP (or
>> rather subnet) of the client that tries to do authentication?
> No, you can't. Which problem are you trying to solve? Maybe there's another
> way to do it.
Thought so; the problem I'm trying to solve is getting software which is
connected via LAN to a mail relay to be able to use the relay. :-)

The software (which is a Java-based backup solution) is neither able to
use TLS/SSL when using the smarthost to send out its notifications, nor
is it able to do any non-plaintext authentication (i.e., only LOGIN),
and as such I need to set up smtpd_sasl_security_options = noanonymous
to allow the software to function. Security-wise, this is somewhat
"okay": the server hosting the backup software is connected via
MAC/IP-firewalled switches to the mail relays, and as such I'm not too
concerned about people eavesdropping on the traffic that's exchanged
between the two systems, so allowing plaintext auth for this
specific case even without TLS should be okay.

I'm not too happy with that, though, in the general case: the smarthost
is also used by external systems to relay, and these should always use
either non-TLS with non-plaintext authentication (CRAM-MD5 in the
specific case), or use TLS. Enforcing this policy for external users of
the mail system was straightforward with different configurations of
smtpd_(tls_)sasl_security_options, but this now means that I have to rely on
the external users to "do the right thing" because I'm required to allow
plaintext auth also for the non-TLS case.

Anyway, maybe I'll try to hack together a patch for this if I've got the
time to do so; I just wanted to know whether there's the possibility to
do this out of the box.
Thanks!
--
--- Heiko.
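One way to get the per-subnet policy Heiko describes without patching smtpd is to run a second smtpd service in master.cf that listens only on the LAN-facing address and relaxes the SASL options with per-service -o overrides, while the port-25 service keeps noplaintext for external users. This is an added example, not from the thread or from the Postfix documentation; the address 192.0.2.10, the subnet 192.0.2.0/24, the port 2525 and the syslog_name are constructed placeholders, and smtpd_sasl_auth_enable=yes is assumed to be set already.

```conf
# main.cf (assumed settings): the public policy stays strict.
# LOGIN/PLAIN are refused unless the session is TLS-protected.
smtpd_sasl_security_options     = noanonymous, noplaintext
smtpd_tls_sasl_security_options = noanonymous
smtpd_tls_security_level        = may

# master.cf: an additional smtpd bound only to the LAN-facing address
# (192.0.2.10:2525 is a constructed placeholder). Anything not listed
# with -o is inherited from main.cf, so only the SASL options and the
# client admission rules differ from the port-25 service.
192.0.2.10:2525  inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/lan
  -o smtpd_sasl_security_options=noanonymous
  -o mynetworks=192.0.2.0/24
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_delay_reject=no
```

With smtpd_delay_reject=no the client restriction is evaluated at connect time, so a host outside 192.0.2.0/24 is rejected before it can even attempt AUTH on the relaxed listener; the backup host is simply pointed at port 2525 on the LAN address.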