On 2021-07-15 8:07 a.m., Laura Smith wrote:
Perhaps there are dovecot (and postfix submission) options to at least restrict access by IP?
Restricting by IP is soon going to become very tedious, especially if you are dealing with more than a small number of users, and especially once post-COVID travel comes back and people start connecting from random hotels and airport lounges.
If you don't fancy the idea of client certs, the alternative I would suggest instead of IP limiting would be a WireGuard VPN.
WireGuard VPN servers run very quiet and won't respond to anything unless a client sends the right parameters.
Of course the downside of a VPN compared to certificates is that the user will have to be aware and know how to manage a VPN, whilst with certificates it can all be quietly done in the background.
And of course, you can always do..
submission inet n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_delay_reject=no
  -o { smtpd_client_restrictions = reject_rbl_client
       auth.spamrats.com=127.0.0.39, permit }
  -o { smtpd_relay_restrictions = permit_mynetworks,
       permit_sasl_authenticated, reject }
Pick your favourite RBLs.. And do suggest that based on our threat teams' research, block AUTH from many of the cloud providers' IP space, several RBLs out there make it easy..
And/or, you can create your own lists, Amazon/Google/Azure all list their IP space publicly..
Just remember, use your own DNS servers, or upstream DNS servers, and NOT open resolvers such as Google's 8.8.8.8, as most RBLs block queries from those..
-- "Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada
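The "create your own lists" suggestion above, sketched as an added example (not part of the original message or any LinuxMagic tooling): it turns a file in the layout of AWS's published ip-ranges.json into a Postfix cidr_table(5) file. The sample prefixes are constructed from documentation ranges, and the EC2-only filter, the reject text and the file path in the note are assumptions.

```python
import ipaddress
import json

# Constructed sample in the layout of AWS's published ip-ranges.json
# (documentation-only prefixes, not real AWS address space).
SAMPLE_AWS_JSON = """
{
  "prefixes": [
    {"ip_prefix": "192.0.2.0/25",    "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "192.0.2.128/25",  "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "AMAZON"},
    {"ip_prefix": "203.0.113.0/24",  "region": "eu-west-1", "service": "S3"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8:1000::/40", "region": "us-east-1", "service": "EC2"}
  ]
}
"""

def aws_prefixes(doc, services=("EC2",)):
    """Return collapsed IPv4 then IPv6 networks for the chosen service tags."""
    nets = []
    for key, field in (("prefixes", "ip_prefix"), ("ipv6_prefixes", "ipv6_prefix")):
        for entry in doc.get(key, []):
            if entry.get("service") in services:
                # strict=True raises on entries with host bits set (malformed input)
                nets.append(ipaddress.ip_network(entry[field], strict=True))
    # collapse_addresses cannot mix address families, so merge each separately
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)

def to_cidr_table(networks, action="REJECT AUTH not accepted from cloud hosting ranges"):
    """Render Postfix cidr_table(5) lines: '<network>/<prefix> <action>'."""
    return "".join(f"{net.with_prefixlen}\t{action}\n" for net in networks)

if __name__ == "__main__":
    # Adjacent /25s are merged into one /24 before the table is written
    print(to_cidr_table(aws_prefixes(json.loads(SAMPLE_AWS_JSON))), end="")
```

The resulting file can be listed ahead of the RBL check in the submission service's smtpd_client_restrictions, for example as `check_client_access cidr:/etc/postfix/cloud_auth.cidr` (hypothetical path); cidr tables are plain text and need no postmap run.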