On 12/9/19 2:29 PM, @lbutlr wrote:
On 09 Dec 2019, at 13:54, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
On Dec 9, 2019, at 3:38 PM, LuKreme <krem...@kreme.com> wrote:
The configuration as posted, and specifically the line I quoted directly above
my comment, allowed unauthenticated traffic from anything on the LAN. This
means random printers, IoT devices, Android phones, etc. were allowed to send
mail unchecked. I consider that a security hole.
That's your take on your network, but many other networks use mynetworks
to meet their requirements. Universal authenticated access is not always
feasible, and more restrained language is appropriate when describing the
tradeoffs.
“Restrained language”? Are you joking?
Allowing unauthenticated mail sending *is* a security hole. It may be a
security hole you are willing to live with, but it absolutely is a security
hole. Especially when you have opened yourself up to any random device on your
LAN-side IPs.
Looking at his config he is probably on a home connection since he is relaying
outbound mail through his ISP, even more reason to dissuade someone from this
kind of configuration.
If you posted a config with a mynetworks like that I wouldn't blink an eye.
When I first started reading this thread, the first thought that came
into mind was "custom milter" if the network is small, or a reasonable
VLAN design for a larger network. For example, printers and IoT could
live in a separate broadcast domain, easily blocked via standard
ACLs/iptables/what-all. Not sure what the problem is with Android
(phones/tablets), but his network, his rules.
The solution is relatively simple but tedious, and much of it resides
outside the boundaries of this mailing list.
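As an added illustration (not written by anyone in this thread), here is the kind of mynetworks setting being argued about, beside a tightened Postfix configuration that trusts only the host itself and makes every other sender authenticate on the submission port. The 192.168.1.0/24 range is a constructed example LAN.

```ini
# main.cf, as discussed above (weak): the whole LAN is in mynetworks,
# so any printer, IoT gadget or phone on it can relay with no credentials.
# (192.168.1.0/24 is a constructed example range.)
mynetworks = 127.0.0.0/8 [::1]/128 192.168.1.0/24
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

# main.cf (tightened): only loopback is trusted. mynetworks_style = host
# stops the default from silently widening to the host's whole subnet,
# and authentication is only offered over TLS.
mynetworks_style = host
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes

# master.cf: accept authenticated submissions on port 587 over TLS only;
# port 25 keeps serving inbound mail under reject_unauth_destination.
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
```

`postconf mynetworks` shows the value actually in effect, which is the quickest way to confirm a LAN range has not crept in by default.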