On Mon, Apr 22, 2013 at 03:01:04PM +0200, L.W. van Braam van Vloten wrote:
> > While it's easy enough to spoof single IP packets, it's far more
> > difficult to spoof a whole SMTP conversation.
>
> Very well. If adding the IP address to mynetworks provides sufficient
> security against abuse of my server, I will leave it to that.
What is sufficient protection depends on the assumed skills of the attacker. If you're worried about spammers, ... you're probably safe with an IP filter. Just document the reason why that particular IP is on your access list, and periodically audit the status of the associated client to make sure it still has that IP address and that the relationship with that client still requires this access.

More resourceful attackers may be able to forge traffic from an IP address not directly under their control (false BGP route injection, ...), but they may also be able to compromise the client machine and misuse or steal credentials, ...

The main advantage of soft credentials (SASL passwords, TLS client certs, ...) is that you don't have to worry about IP renumbering on the client side, and the client does not have to coordinate IP changes on their end with you.

-- 
Viktor.
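One way to act on the "document the reason and periodically audit" advice, as an added example that is not from this thread or from Postfix itself: a small audit of a Postfix cidr: table used as mynetworks. The key=value comment convention, the sample addresses and the offline DNS stand-in are my own assumptions.

```python
"""Audit a documented Postfix mynetworks cidr: table (added example)."""
import ipaddress
import re
from datetime import date

# Constructed sample table. Each trusted network is preceded by a comment
# recording the client host, the reason for the access and a review date.
SAMPLE_TABLE = """\
# host=mail.partner.example reason="partner MTA relays invoices" review=2013-10-01
192.0.2.10/32   OK
# host=old-scanner.example reason="legacy scanner" review=2012-01-01
198.51.100.7/32 OK
203.0.113.0/24  OK
"""

# Constructed stand-in for DNS so the example runs offline; replace with
# socket.getaddrinfo() or a resolver library in real use.
SAMPLE_DNS = {"mail.partner.example": ["192.0.2.10"],
              "old-scanner.example": ["203.0.113.5"]}

META_RE = re.compile(r'host=(\S+)\s+reason="([^"]*)"\s+review=(\d{4}-\d{2}-\d{2})')

def parse_table(text):
    """Return [(ip_network, (host, reason, review) or None)] for each entry."""
    entries, meta = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):          # metadata applies to the next entry only
            m = META_RE.search(line)
            meta = m.groups() if m else None
            continue
        entries.append((ipaddress.ip_network(line.split()[0]), meta))
        meta = None
    return entries

def audit(text, resolve, today):
    """Flag undocumented, overdue, or renumbered mynetworks entries."""
    findings = []
    for net, meta in parse_table(text):
        if meta is None:
            findings.append((str(net), "undocumented entry"))
            continue
        host, _reason, review = meta
        if date.fromisoformat(review) < today:
            findings.append((str(net), "review date passed"))
        if not any(ipaddress.ip_address(a) in net for a in resolve(host)):
            findings.append((str(net), f"{host} no longer resolves into this network"))
    return findings

def run_sample():
    return audit(SAMPLE_TABLE, lambda h: SAMPLE_DNS.get(h, []), date(2013, 4, 22))
```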