Mailinglist Archive: opensuse (4633 mails)

Re: [opensuse] Open (subnet) Relay using Postfix
  • From: Sandy Drobic <suse-linux-e@xxxxxxxxxxxxxxxxxxxxxxx>
  • Date: Fri, 29 Dec 2006 23:09:29 +0100
  • Message-id: <45959219.9050701@xxxxxxxxxxxxxxxxxxxxxxx>
John Andersen wrote:
On Friday 29 December 2006 02:00, Sandy Drobic wrote:
It is indeed not the best practice.

By adding the line:
mynetworks = 192.168.2.0/24, 127.0.0.0/8
you can prevent this, but Yast does not offer that as
best I can see, so you have to remember to do it
manually.
If you set mynetworks manually, the option mynetworks_style is skipped.
You could also use "mynetworks_style = host" to grant relay access to the
server only.

True enough about the mynetworks setting overriding mynetworks_style,
which is precisely why I recommended this in my post above.

It's not that I don't know how to do this; it's just a trap for the unwary,
and it also affects SLES.

The unwary have no business running a mailserver. (^-^)

Setting mynetworks_style = host is sort of self defeating unless you
expect everybody in the company to walk over to your SLES machine
to send email. Host style blocks the local network, leaving the
only machine capable of sending mail as the server itself.

Usually you set up authentication for clients; servers that don't support SMTP AUTH can be added to $mynetworks.
Current best practices recommend setting up SMTP AUTH/TLS for clients and firewalling outgoing port 25 for all other machines except your mailserver, thus forcing all internal clients to use your mailserver. Even if a Windows PC is infested with spamware, that should prevent the zombie from spreading the junk.

In the end it comes down to the old saying "If you are playing with Linux
you should know what you are doing, especially if you are configuring a
network service accessible from the external internet".

The point is that the mynetworks_style choices are somewhat limited
and next to useless for a product like SLES or even opensuse
when used as a mail server, so yast should ALWAYS ignore
these options and insist on having the user configure mynetworks.

That I can agree to. If you could set up authentication in the next step also, I would start cheering. (^-^)

My ISP runs a daemon that periodically tries to relay a test
message thru any machine that has port 25 open. I've seen
it in the logs, and called their security desk. They explained
it was their policy to do these tests, and they shut off your
cable modem if the relay succeeds.

I like your ISP. Wish some others would adopt that practice, too. When I saw someone with the sender address smtphunter@xxxxxxxx try to relay using my server, I first thought "Oh, a relay probe from an anti-spam fighter". It was probably exactly the opposite, a spammer looking for open relays. Though it seems he stopped checking some months ago. Maybe ordb.org is indeed not needed anymore.

Currently I think that the biggest threat is infected/insecure machines within your network.

Sandy
--
List replies only please!
Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
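As an added example (not code from this thread or from the Postfix or YaST projects), a small Python audit of a Postfix main.cf that applies the rule discussed above: an explicit mynetworks overrides mynetworks_style, so a generated file that only sets mynetworks_style = subnet trusts every host on the attached network. The sample main.cf contents are constructed, and the pre-3.0 Postfix default of mynetworks_style = subnet is assumed.

```python
import re
from ipaddress import ip_network

# Constructed sample: the trap described in the thread. No explicit mynetworks,
# so relay trust is whatever mynetworks_style says (here the old default, subnet).
SAMPLE_MAIN_CF = """\
myhostname = mail.example.com
mynetworks_style = subnet
smtpd_sasl_auth_enable = no
"""

# Constructed sample: explicit mynetworks (with a continuation line) plus SMTP AUTH.
FIXED_MAIN_CF = """\
mynetworks = 192.168.2.0/24,
    127.0.0.0/8
mynetworks_style = subnet
smtpd_sasl_auth_enable = yes
"""

def parse_main_cf(text):
    """Parse main.cf 'key = value' lines; indented lines continue the previous value."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key:
            params[key] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        key = key.strip()
        params[key] = value.strip()
    return params

def effective_relay_trust(params):
    """Return (source, value): an explicit mynetworks wins over mynetworks_style."""
    if "mynetworks" in params:
        nets = [n for n in re.split(r"[,\s]+", params["mynetworks"]) if n]
        return "mynetworks", nets
    # Assumed default for Postfix releases before 3.0 (later releases default to "host").
    return "mynetworks_style", params.get("mynetworks_style", "subnet")

def audit(text):
    """Return a list of findings about who is trusted to relay through this server."""
    params = parse_main_cf(text)
    source, trust = effective_relay_trust(params)
    findings = []
    if source == "mynetworks_style" and trust in ("subnet", "class"):
        findings.append(f"mynetworks_style={trust}: every host on the attached network(s) may relay")
    if params.get("smtpd_sasl_auth_enable", "no").lower() != "yes":
        findings.append("smtpd_sasl_auth_enable is not yes: relay trust rests on client IP alone")
    return findings
```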