> On May 17, 2017, at 12.55, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>
>> On May 17, 2017, at 12:27 PM, b...@bitrate.net wrote:
>>
>>> I run a docker container on my server. To not have all docker containers
>>> need to authenticate when sending mail, I added the private network range
>>> 172.16/12 to mynetworks:
>>
>> I would discourage authorization based on source IP address. Automated
>> credential configuration is a fairly basic task, and there are a plethora of
>> benefits to using user/pass [or even a certificate, if desired] over source
>> IP address.
>
> And yet, allowing a block of private addresses that are directly managed by
> the same administrators that manage the MTA is quite reasonable.
>
> If all the nodes in question would in any case be given relay permission (via
> passwords, client certificates, ...) and the risk of IP spoofing is low (BGP
> route forgery is unlikely to be relevant here) then by all means whitelist
> the netblock.
Perhaps, although as I stated, there is more to it than that. For example, more fine-grained control of authorization, and the potential reduction in ambiguity as to what, specifically, is submitting mail.