List: exim-users
Subject: Re: [exim] RELAY NOT PERMITED exim4
From: Sebastian via Exim-users <exim-users () exim ! org>
Date: 2021-04-21 13:31:04
Message-ID: 000b01d736b2$981d13c0$c8573b40$ () sebbe ! eu
I would say it's a benefit. Even if you restrict IPs to a bigger area like a country (geoIP restriction) or a whole ISP, you still reduce the attack surface by MANY times. Before, I had problems with bots hacking my passwords. They guessed them all the time. After I added IP restrictions covering all the locations I'm at, the bot hacking problem has disappeared completely.
And with the username/password restriction, I can add IPs belonging to public locations or that are shared with many users (for example, mobile ISPs) without being afraid of any of these finding my server AND finding my password.
But bots cracking passwords to gain access are a real problem today, and IP whitelisting is a good solution to that.
If you run, for example, a webhosting company, and all your customers are located in a specific country (just because the payment method only exists in that country, for example), you can geoIP restrict it to your country only. To avoid a large auth_advertise_hosts list, you can join CIDR ranges that are close to each other, even if a few out-of-country IPs are added.
The important thing is to have a "rough" filtering to avoid all bots from all over the world.
-----Original message-----
From: Odhiambo Washington via Exim-users <exim-users@exim.org>
Sent: 21 April 2021 15:25
To: Sebastian <sebastian@sebbe.eu>
Cc: Mailing List <exim-users@exim.org>; Douba Samuel DIARRA <doubasamuel@outlook.fr>
Subject: Re: [exim] RELAY NOT PERMITED exim4
@Sebastian,
If you live in a world where IPs are dynamic, then you will understand my point.
There is no real benefit of restricting auth to particular IPs, IMHO.
If you must restrict AUTH to just a few IPs, then you actually don't need that overhead. Just put them in relay_from_hosts and you are good.
On Wed, Apr 21, 2021 at 1:55 PM Sebastian via Exim-users <exim-users@exim.org> wrote:
> But it's still good to use "auth_advertise_hosts" to restrict which
> hosts are permitted to authenticate in addition to this.
> Else you will get bots that hack the password and then spam with your
> server.
>
> In auth_advertise_hosts, you can use CIDR notation (like
> 123.123.123.0/24) to allow large amounts of hosts in case of dynamic IP
> or mobile terminals.
> So authenticated SMTP should still be IP restricted since there are
> bots out there guessing passwords (and hitting the right passwords
> sometimes and gaining access)
>
> -----Original message-----
> From: Odhiambo Washington via Exim-users <exim-users@exim.org>
> Sent: 21 April 2021 12:36
> To: Douba Samuel DIARRA <doubasamuel@outlook.fr>
> Cc: exim-users@exim.org
> Subject: Re: [exim] RELAY NOT PERMITED exim4
>
> On Wed, Apr 21, 2021 at 1:24 PM Douba Samuel DIARRA via Exim-users <
> exim-users@exim.org> wrote:
>
> > Hello
> > I was using Exim 4 in the office (different sites), but I was using a
> > VSAT system for interconnecting the sites. I used private addresses to
> > configure Exim at the different sites.
> > Since I published my servers on the internet, I have this kind of error
> > message and I cannot send mails. The message is: RELAY NOT PERMITED
> >
> > Need some advice please
>
>
>
> Instead of relying on IP addresses for relaying (as should be listed
> in relay_from_hosts) it is better to use ASMTP as the condition for
> relaying.
> So just set up authenticated SMTP and let users enable the same on
> their MUA and you are good to go.
>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254 7 3200 0004/+254 7 2274 3223
> "Oh, the cruft.", grep ^[^#] :-)
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>
--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
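
An added example, not part of the original thread and not Exim code: a Python sketch of the "join CIDR ranges that are close to each other" step described in the top message, merging neighbouring IPv4 ranges while capping how many unlisted addresses each merged block lets in. The sample ranges, the `max_extra` budget and every function name are assumptions made for illustration.

```python
import ipaddress

def covering_block(a, b):
    """Smallest single CIDR block that contains both a and b."""
    net = a
    while not b.subnet_of(net):
        net = net.supernet()
    return net

def unlisted(block, wanted):
    """Addresses inside block that were never on the original allowlist."""
    listed = sum(w.num_addresses for w in wanted if w.subnet_of(block))
    return block.num_addresses - listed

def join_close_ranges(cidrs, max_extra):
    """Merge neighbouring ranges; each result admits <= max_extra unlisted IPs."""
    # Exact merges first (adjacent or overlapping ranges cost nothing).
    wanted = list(ipaddress.collapse_addresses(
        ipaddress.IPv4Network(c) for c in cidrs))
    nets = list(wanted)
    changed = True
    while changed:
        changed = False
        for a, b in zip(nets, nets[1:]):
            block = covering_block(a, b)
            if unlisted(block, wanted) <= max_extra:
                # Replace everything the new block swallows with the block.
                nets = sorted([n for n in nets if not n.subnet_of(block)] + [block])
                changed = True
                break
    return nets

def auth_advertise_hosts(nets):
    """Render the result as an Exim main-configuration line (IPv4 only)."""
    return "auth_advertise_hosts = " + " : ".join(str(n) for n in nets)

# Constructed sample allowlist, not taken from any real deployment.
SAMPLE = [
    "123.123.123.0/24", "123.123.120.0/24", "123.123.121.0/24",
    "198.51.100.0/25", "198.51.100.192/26", "203.0.113.0/24",
]

if __name__ == "__main__":
    for budget in (0, 256):
        nets = join_close_ranges(SAMPLE, budget)
        extra = sum(unlisted(n, [ipaddress.IPv4Network(c) for c in SAMPLE]) for n in nets)
        print(f"budget={budget} unlisted={extra}: {auth_advertise_hosts(nets)}")
```

With a budget of 0 only exact merges happen; raising it trades a shorter list for a measured number of extra addresses that will see AUTH advertised.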