John Andersen wrote:
The problem is that mynetworks does not appear in /etc/sysconfig/postfix so they have no way to set this via yast. You have to know this in advance. Perhaps it will be fixed in 9.2 or 9.3.
Just peeked into my 9.2 config files. There is no access to $mynetworks in sysconfig.
Without the ability to set mynetworks via yast, postfix defaults mynetworks to use mynetworks_style, and THAT in turn defaults to mynetworks_style = subnet, which means anyone with the same subnet can relay thru your box. In my case someone appearing to be (in reality, probably forged IP) on the same ISP was able to connect and relay.
Here in Europe we naturally assume you are behind a firewall and your network is a private network that's not accessible from the internet. For a host with a public IP this is indeed not acceptable. It would be a very good idea for Suse to check if the IP of the host is a public or a private IP and set relay to host/mynetwork accordingly.
So the upshot is that unless you know to check the main.cf, postfix will install insecurely if you accept smtp connections from remote and you configure it with Yast2.
I think yast is meant to make it easier to set up a home PC, but when you set up a server you should indeed check the entire config.
Of course this was fairly easy to dig out after the fact, but with my machine filling my bandwidth with spam I was in a big hurry to get the problem solved, and learning postfix under the barrel of a gun was not something I wanted to do, and not something I expected to do after years of installing sendmail securely with Yast.
Happens to all of us some day. (^-^) At least it is nicely documented and rather easy to configure. For me it was to secure the domino server against relaying some days ago.
Still, it was My-Bad for not testing the install for open relay initially.
You definitely need to check the installation. Just looking at the mail log will make anyone who administers a public mail server realize that.

Sandy
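The check discussed in this thread (does an unset mynetworks leave a publicly addressed host relaying for its whole subnet?), as an added example that is not part of the original messages and is not Postfix or SUSE code. The function names, the sample main.cf text and the 203.0.113.x documentation addresses are constructed for illustration, and the default of `subnet` is taken from the thread.

```python
import ipaddress

# Ranges treated as non-public here: loopback, RFC 1918 and IPv6 unique-local.
PRIVATE = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8",
           "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7")]

def parse_main_cf(text):
    """Parse main.cf text into a dict, honouring comments and continuation lines."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key:            # indented line continues the previous value
            params[key] += " " + raw.strip()
        elif "=" in raw:
            key, value = (part.strip() for part in raw.split("=", 1))
            params[key] = value
    return params

def trusted_networks(params, interfaces):
    """Networks Postfix would relay for; interfaces are the host's 'addr/prefix' strings."""
    if params.get("mynetworks"):                # an explicit list overrides mynetworks_style
        nets = []
        for item in params["mynetworks"].replace(",", " ").split():
            try:
                nets.append(ipaddress.ip_network(item.replace("[", "").replace("]", ""), strict=False))
            except ValueError:                  # file and table references are not resolved here
                pass
        return nets
    style = params.get("mynetworks_style", "subnet")    # default as described in the thread
    nets = [ipaddress.ip_network("127.0.0.0/8")]
    for iface in map(ipaddress.ip_interface, interfaces):
        if style == "subnet":
            nets.append(iface.network)
        elif style == "class":                  # classful A/B/C network of an IPv4 address
            first = int(iface.ip) >> 24
            prefix = 8 if first < 128 else 16 if first < 192 else 24
            nets.append(ipaddress.ip_network(f"{iface.ip}/{prefix}", strict=False))
        else:                                   # "host": only the local machine
            nets.append(ipaddress.ip_network(str(iface.ip)))
    return nets

def public_relay_networks(params, interfaces):
    """Trusted networks wider than one host that lie outside loopback/private space."""
    return [str(n) for n in trusted_networks(params, interfaces) if n.num_addresses > 1
            and not any(n.version == p.version and n.subnet_of(p) for p in PRIVATE)]

# Constructed sample: a main.cf with no mynetworks line, the situation the thread describes.
SAMPLE_MAIN_CF = "inet_interfaces = all\n# mynetworks is not set\nmyhostname = mail.example.com\n"
```

A non-empty result from `public_relay_networks` means main.cf needs an explicit `mynetworks` or `mynetworks_style = host` before the server accepts SMTP from outside.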