Hi all,
Does ejabberd support the idea of restricting certain types of s2s (or c2s) authentication by IP addresses or DNS names?
For example, I may want to permit SASL EXTERNAL over TLS communication with IP addresses 1.2.3.4 and 5.6.7.8, but will allow IP address a.b.c.d access via dialback.
One possible solution may be deep packet inspection (at the firewall and/or XMPP server), where the XMPP stanzas are inspected for dialback and SASL strings.
Ordinarily, if there are two service ports, as in the case of a web server (ports 80 and 443), one could restrict who can access which port and thus access to encrypted or unencrypted traffic. However, given that traffic arrives on a single port (5269, for example), it makes it much harder to control which source IP address should have access to which authentication method.
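The stanza-inspection idea raised in the post, sketched as an added example. This is not ejabberd code and not a description of any ejabberd option: it is a small Python classifier that reads the start of an inbound s2s stream, decides whether the peer is opening with dialback (`<db:result>`/`<db:verify>`) or SASL (`<auth mechanism="...">`), and checks that method against a per-source-IP policy. The policy table, the `10.0.0.0/8` network standing in for "a.b.c.d", and the two sample stream prefixes are all constructed for the example.

```python
"""Classify the authentication method an inbound XMPP s2s stream opens with,
and decide per source IP whether that method is permitted.

Added illustration of the stanza-inspection approach; not ejabberd code and
not an ejabberd feature.  Policy, addresses and sample streams are made up."""
import ipaddress
import xml.parsers.expat

NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"   # RFC 6120 SASL namespace
NS_DIALBACK = "jabber:server:dialback"          # XEP-0220 dialback namespace

# Hypothetical policy: which auth methods each source network may use.
# First matching network wins; anything unmatched is denied.
POLICY = [
    (ipaddress.ip_network("1.2.3.4/32"), {"sasl:EXTERNAL"}),
    (ipaddress.ip_network("5.6.7.8/32"), {"sasl:EXTERNAL"}),
    (ipaddress.ip_network("10.0.0.0/8"), {"dialback"}),   # stands in for a.b.c.d
]

# Constructed sample stream prefixes, as a peer would send them after connecting.
STREAM_HEAD = (
    '<stream:stream xmlns="jabber:server" '
    'xmlns:stream="http://etherx.jabber.org/streams" '
    'xmlns:db="jabber:server:dialback" to="example.org" version="1.0">'
)
STREAM_SASL = STREAM_HEAD + (
    '<auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="EXTERNAL">=</auth>'
)
STREAM_DIALBACK = STREAM_HEAD + (
    '<db:result from="example.net" to="example.org">0123abcd</db:result>'
)


def classify_auth(stream_prefix: str) -> set:
    """Return the set of auth methods seen so far in an unfinished XML stream.

    Elements are matched by namespace, not by prefix, so "db:" being renamed
    or the SASL namespace being set as default does not fool the check.
    The parser is fed non-finally, so the still-open <stream:stream> is fine."""
    seen = set()

    def on_start(name, attrs):
        ns, _, local = name.rpartition(" ")   # "namespace local" from expat
        if ns == NS_DIALBACK and local in ("result", "verify"):
            seen.add("dialback")
        elif ns == NS_SASL and local == "auth":
            seen.add("sasl:" + attrs.get("mechanism", "?").upper())

    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    parser.StartElementHandler = on_start
    try:
        parser.Parse(stream_prefix, False)   # isfinal=False: stream stays open
    except xml.parsers.expat.ExpatError:
        seen.add("malformed")                # unparseable input never matches a policy
    return seen


def decide(src_ip: str, stream_prefix: str):
    """Return (allowed, reason).  allowed is None while no auth attempt is visible."""
    addr = ipaddress.ip_address(src_ip)
    methods = classify_auth(stream_prefix)
    if not methods:
        return (None, "no authentication attempt seen yet")
    for net, permitted in POLICY:
        if addr in net:
            ok = methods <= permitted
            return (ok, f"{sorted(methods)} from {src_ip} in {net}; allowed {sorted(permitted)}")
    return (False, f"no policy entry for {src_ip}; default deny")


if __name__ == "__main__":
    for ip, stream in [("1.2.3.4", STREAM_SASL), ("1.2.3.4", STREAM_DIALBACK),
                       ("10.20.30.40", STREAM_DIALBACK), ("192.0.2.9", STREAM_SASL)]:
        print(decide(ip, stream))
```

One caveat worth keeping in mind: the classifier only works where the inspecting component sees the XML in the clear. Once the peer has issued STARTTLS on port 5269, a firewall doing packet inspection sees only ciphertext, so a check like this has to run inside the XMPP server (or in a TLS-terminating proxy in front of it), after decryption and before the authentication method is accepted.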