Mailing List Archive

How to restrict client login through IP whitelist
Hi, is there a way to solve a scenario here? The IP whitelist restricts forwarding after logging in with user name and password, but does not restrict the acceptance of emails sent by third parties.
And can `acl_smtp_auth` resolve it?

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: How to restrict client login through IP whitelist
> Is there a way to solve a scenario here? The IP whitelist restricts
> forwarding after logging in with user name and password, but does not
> restrict the acceptance of emails sent by third parties.
> and the `acl_smtp_auth` can resolve it ?

No. You add a condition to the paragraph with "accept authenticated"
in the rcpt ACL, like this:

  accept authenticated = *
         condition = ${lookup{$sender_host_address}iplsearch\
                     {/usr/local/etc/exim/auth_whitelist}{1}{0}}
         control = submission/domain=

See also https://github.com/Exim/exim/wiki/BlockCracking

Re: How to restrict client login through IP whitelist
Thanks for your reply.
I have read your information about `https://github.com/Exim/exim/wiki/BlockCracking`. The main purpose is to modify the configuration to prevent attacks on users through frequency limiting. However, it doesn't meet my needs. I wonder if we can add an IP whitelist to allow emails sent by specified users through login. For accepting emails from other MTAs, just release them directly.
The config is as follows, in acl_check_rcpt:

  accept
    authenticated = *
    control = submission/sender_retain
    control = dkim_disable_verify
    condition = ${if match_ip{$sender_host_address}{172.20.0.0/16 : 127.0.0.1 : ::::1 : 192.168.1.0/24}}
  # this deny has no condition, so it matches every recipient not accepted above
  deny
    message = Your IP address $sender_host_address is not allowed to send mail.


But it blocks all mail, including mail sent after logging in with a username and password and mail received from other MTAs. I just want to block mail sent by logging in with username and password, not mail forwarded by other MTAs. Is there a better approach here?

Thanks again

At 2024-03-26 20:44:26, "Lena--- via Exim-users" <exim-users@lists.exim.org> wrote:
>> Is there a way to solve a scenario here? The IP whitelist restricts
>> forwarding after logging in with user name and password, but does not
>> restrict the acceptance of emails sent by third parties.
>> and the `acl_smtp_auth` can resolve it ?
>
>No, you add a condition into the paragraph with "accept authenticated"
>in rcpt ACL. Like this:
>
> accept authenticated = *
> condition = ${lookup{$sender_host_address}iplsearch\
> {/usr/local/etc/exim/auth_whitelist}{1}{0}}
> control = submission/domain=
>
>See also https://github.com/Exim/exim/wiki/BlockCracking

Re: How to restrict client login through IP whitelist
On 2024-03-26, TomNewChao via Exim-users <exim-users@lists.exim.org> wrote:
> Thanks for your reply.
> I have read your information about `https://github.com/Exim/exim/wiki/BlockCracking`. The main purpose is to modify the configuration to prevent attacks on users through frequency limiting. However, it doesn't meet my needs. I wonder if we can add an IP whitelist to allow emails sent by specified users through login. For accepting emails from other MTAs, just release them directly.
> The config is as follows, in acl_check_rcpt:
>
>   accept
>     authenticated = *
>     control = submission/sender_retain
>     control = dkim_disable_verify
>     condition = ${if match_ip{$sender_host_address}{172.20.0.0/16 : 127.0.0.1 : ::::1 : 192.168.1.0/24}}
>   deny
>     message = Your IP address $sender_host_address is not allowed to send mail.
>
>
> But it will block all mailboxes, including those sent by logging in with username and password and mails received from other MTAs. I just want to block mails sent by logging in with username and password, not mails forwarded by other MTAs. Is there a better approach here?


Before the deny (or even before the first accept)
there should be another accept for those other messages,

  accept
    domains = +local_domains
    verify = recipient

or something like that.

--
Jasen.
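Putting the two answers in this thread together, here is one complete acl_check_rcpt that does what the original poster asked for. This is an added example, not configuration posted by anyone in the thread and not Exim's default configuration. It assumes the domain list `local_domains` and host list `relay_from_hosts` from the stock Exim configure file exist, and the whitelist path and address ranges are placeholders to adapt. The ordering is the point: inbound mail from other MTAs is accepted first (Jasen's suggestion), then authenticated submission is accepted only when the client address is in the iplsearch whitelist (Lena's suggestion), and only after that does a deny catch authenticated clients from anywhere else. The `!authenticated = *` on the first accept is an addition over Jasen's sketch: without it, a logged-in client from a non-whitelisted address could still deliver to local recipients before the deny is reached.

```exim
# Added example combining the two suggestions in this thread; not the
# posters' own configuration. Assumed: +local_domains and
# +relay_from_hosts are defined as in the stock Exim configure file,
# and /usr/local/etc/exim/auth_whitelist is an iplsearch file such as
#   192.168.1.0/24: allow
#   172.20.0.0/16:  allow
#   "::1":          allow        (IPv6 keys must be quoted in iplsearch files)
acl_check_rcpt:

  # Mail from other MTAs: not authenticated, addressed to one of our
  # domains. Accept it (after recipient verification) before any
  # submission logic, so the deny further down can never touch it.
  accept  !authenticated = *
          domains        = +local_domains
          verify         = recipient

  # Authenticated submission from a whitelisted client address.
  # The lookup yields 1 when $sender_host_address is in the file, else 0.
  accept  authenticated  = *
          condition      = ${lookup{$sender_host_address}iplsearch\
                             {/usr/local/etc/exim/auth_whitelist}{1}{0}}
          control        = submission/sender_retain

  # Authenticated submission from any other address: refuse and log it,
  # so attempts from unexpected networks show up in the main log.
  deny    authenticated  = *
          message        = Your IP address $sender_host_address is not allowed to send mail.
          log_message    = authenticated submission from non-whitelisted address

  # Unauthenticated relay only from trusted networks (assumed host list).
  accept  hosts          = +relay_from_hosts
          control        = submission

  # Anything else would make this host an open relay.
  deny    message        = relay not permitted
```

Test the ordering with `exim -bh <client-address>` before deploying: an unauthenticated session from an outside address sending to a local recipient should reach the first accept, an AUTHenticated session from a non-whitelisted address should hit the deny with the log_message shown, and the same session from a whitelisted address should be accepted as submission.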
