[ndbug] PF filtering by Mac address

N.J. Thomas njt at ayvali.org
Wed Dec 21 08:13:41 PST 2016


* Hrishikesh Muruk <hrishim at gmail.com> [2016-12-21 20:12:04+0530]:
> I have just one machine (VPS) that I want to configure as an email
> server. The accounts on the server will be accessed using a specific
> set of devices (say 10-15). Would it be overkill to set up pf so that
> only requests from these mac addresses will be allowed for
> sending/retrieving mail?

IMO, overkill yes. Even packet filtering by IP is a bit harsh.

While what you are trying to accomplish (restrict valid SMTP clients) is
doable by a firewall, that's typically not how it's done. The reason is
that when a client tries to connect to your MTA, it finds out it can't
talk at all. It's hard for someone to figure out if the MTA is down, if
something wrong with the network, etc. It certainly makes things harder
to debug for both sides.

It's better to do your filtering via the mail server. It should know
what are the valid clients, networks, etc.

Using Postfix as an example:

    $ postconf -n|grep mynetworks
    mynetworks = 127.0.0.0/8, 1.2.3.4/32, 2.2.2.2/32, 3.3.3.3/32

This is what the Postfix docs have to say about 'mynetworks':

    # TRUST AND RELAY CONTROL

    # The mynetworks parameter specifies the list of "trusted" SMTP
    # clients that have more privileges than "strangers".
    #
    # In particular, "trusted" SMTP clients are allowed to relay mail
    # through Postfix.  See the smtpd_recipient_restrictions parameter
    # in postconf(5).

So basically, I list every valid host by IP on my MTA, and Postfix will
accept only those valid hosts. (If you look in the headers of the email
you sent, you will see evidence of this: my primary MTA is zaph.org and
indraprastha.jagr.org is the server that runs ndbug.in via mailman and
httpd.)

You can also configure your clients to authenticate via SASL, and do
away with specifying IP addresses entirely. This way, if you re-IP a
client, you don't have to update Postfix. (I should probably get around
to setting up SASL auth on my mail server and clients, but in all the
years I've been running mail, I've moved servers around very little. But
I will do this Real Soon Now.)

Btw, you can do all the above with OpenSMTPD, I think the configs will
be cleaner and simpler, but my use of Postfix predates the existinence
of that MTA by a decade or so, perhaps one of these days I will switch
over.


Perhaps the only downside to this is that you will see in your maillogs
all the random people that are trying to use you as an open relay. I
don't mind terribly though, they are all rejected and it's a good idea
to know what's happening anyway.

hth,
Thomas


More information about the talk mailing list