> On May 17, 2017, at 12:27 PM, b...@bitrate.net wrote:
> 
>> I run a docker container on my server. To not have all docker containers 
>> need to authenticate when sending mail, I added
>> the private network range 172.16/12 to mynetworks:
> 
> I would discourage authorization based on source ip address.  automated 
> credential configuration is a fairly basic task, and there are a plethora of 
> benefits to using user/pass [or even a certificate, if desired] over source 
> ip address.

And yet, allowing a block of private addresses that are directly managed by the
same administrators that manage the MTA is quite reasonable.

If all the nodes in question would in any case be given relay permission (via
passwords, client certificates, ...) and the risk of IP spoofing is low (BGP
route forgery is unlikely to be relevant here) then by all means whitelist
the netblock.

The OP is best positioned to assess the risk of source forgery for the netblock
in question, and whether there are likely to be exceptions to the rule that
make authentication desirable.

-- 
        Viktor.
