On 23/12/22 15:19, Samer Afach wrote:
Btw, the relays happened because I actively changed mynetworks_style to subnet, forgetting and not checking that all incoming connections will come from the gateway of the Docker subnet. Still under research to identify how that works.
I would recommend that you explicitly set mynetworks to nothing (i.e., `mynetworks=`) and use other access controls, such as check_client_access, if you need to explicitly allow a specific IP or subnet to relay. This is the "poke a hole only where you need it" approach rather than the "have a big gaping hole for anyone to drive a truck through" approach.
That said, it's much better to use stronger authentication such as SASL auth or client certificate auth than it is to authenticate based on IP address. So consider not allowing IP-based authentication at all unless you have some sort of old appliance that cannot authenticate in any other way.
Peter
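The two configurations discussed above, side by side, as an added example that is not part of either message in the thread. The weak fragment reproduces the situation Samer describes: with `mynetworks_style = subnet` inside a Docker bridge network, Postfix trusts the whole container subnet, and because Docker forwards connections to a published port through the bridge gateway, every outside client appears to come from a trusted address. The hardened fragment follows Peter's advice: empty `mynetworks`, a `check_client_access` table for the one legacy host that really needs to relay, and SASL or client-certificate authentication for everything else. The subnet `172.17.0.0/16` and gateway `172.17.0.1` are Docker's default bridge values; the client `192.0.2.10` and the file paths `/etc/postfix/relay_clients.cidr` and `/etc/postfix/relay_clientcerts` are assumptions made for the example.

```conf
# ---- WEAK (what caused the open relay) ---------------------------------
# Assumed: Postfix runs in a container on Docker's default bridge
# (172.17.0.0/16, gateway 172.17.0.1) with port 25 published to the host.
# "subnet" makes Postfix trust every address on the interface's subnet,
# and Docker-forwarded connections arrive from 172.17.0.1, which is on it.
# Result: permit_mynetworks matches for *every* client on the Internet.
mynetworks_style = subnet
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination

# ---- HARDENED ----------------------------------------------------------
# No implicit trust by source address at all. When mynetworks is set
# explicitly, mynetworks_style is no longer consulted.
mynetworks =

# Relay only for authenticated clients, clients presenting a known TLS
# client certificate, or the hosts listed in the access table below.
# permit_mynetworks is deliberately left out so an accidental mynetworks
# value cannot reopen the relay.
smtpd_relay_restrictions =
    permit_sasl_authenticated,
    permit_tls_clientcerts,
    check_client_access cidr:/etc/postfix/relay_clients.cidr,
    reject_unauth_destination

# SASL, offered only over TLS so credentials never cross the wire in clear.
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes

# Client-certificate auth: ask for a certificate and accept the
# fingerprints listed in the (assumed) relay_clientcerts table.
smtpd_tls_ask_ccert = yes
relay_clientcerts = hash:/etc/postfix/relay_clientcerts

# ---- /etc/postfix/relay_clients.cidr (assumed path; cidr: tables are
# read directly and need no postmap) ------------------------------------
# The one old appliance that cannot authenticate: a single host, not a
# subnet, and certainly not the Docker bridge gateway 172.17.0.1.
# 192.0.2.10/32   OK
```

Two checks worth running after the change: `postconf mynetworks smtpd_relay_restrictions` should show `mynetworks =` with nothing after the equals sign and no `permit_mynetworks` in the relay restrictions, and `postmap -q 172.17.0.1 cidr:/etc/postfix/relay_clients.cidr` should return nothing, confirming that the bridge gateway is not an allowed relay client. A final end-to-end test from an outside address, sending to a domain you do not host without authenticating, should be rejected with "Relay access denied".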