SV: Different SMTP AUTH options and credentials for different clients

Tue, 31 May 2016 09:33:29 -0700 

You would need to use a firewall for this.
Use master.cf to define 3 different SMTP servers, that implements the 3 
different rulesets and different credentials files.
So for example, you set up 3 servers,
One at port 26 that allows relaying without authentication.
One at port 27 that allows AUTH PLAIN using credentialset A
One at port 28 that allows AUTH LOGIN using credentialset B

Then you use firewall to NAT the traffic accordingly, assuming your SMTP server 
is located at 192.168.1.90.
Like:
From: 127.0.0.0/8 : ANY to 127.0.0.1 : 25 NAT to: 192.168.1.90 : 26
From: 192.168.0.0/16 : ANY to 192.168.1.1 : 25 NAT to: 192.168.1.90 : 27
From: 123.123.88.0/24 : ANY to [WAN_IP] : 25 NAT to: 192.168.1.90 : 28

Be careful so you don't create an open relay. Test the rules carefully, and 
enable spoofing prevention in your firewall if you are going to allow something 
without authentication.
You could also combine firewalling with permit_mynetworks in the first server 
on port 26, so you get protection even if your firewall would fail to block 
packets from an incorrect IP. But best way to make sure everything is right is 
to test throughtly.

That’s how I solved so dns1.sebbe.eu and dns2.sebbe.eu does reply correctly in 
its SMTP banner, even if both dns1.sebbe.eu and dns2.sebbe.eu is really the 
very same physical machine.

-----Ursprungligt meddelande-----
Från: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
För Rob Maidment
Skickat: den 31 maj 2016 18:05
Till: Postfix users <postfix-users@postfix.org>
Ämne: Different SMTP AUTH options and credentials for different clients

How can I implement this in the Postfix SMTP server?

For certain client IP addresses no authentication is required and the EHLO 
response should not advertise the AUTH option.

For a second set of client IP addresses authentication is required and the EHLO 
response should advertise AUTH PLAIN.

For a third set of client IP addresses authentication is required and the EHLO 
response should advertise AUTH LOGIN.

Clients in the third set must not be able to authenticate using the credentials 
defined for the second set, and vice versa.


Rob

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Reply via email to