On Friday 29 December 2006 02:00, Sandy Drobic wrote:
It is indeed not the best practice.
By adding the line: mynetworks = 192.168.2.0/24, 127.0.0.0/8 you can prevent this, but Yast does not offer that as best I can see, so you have to remember to do it manually.
If you set mynetworks manually, the option mynetworks_style is skipped. You could also use "mynetworks_style = host" to grant relay access to the server only.
True enough about the mynetworks setting overriding mynetworks_style, which is precisely why I recommended this in my post above. It's not that I don't know how to do this; it's just a trap for the unwary, and it also affects SLES. Setting mynetworks_style = host is sort of self-defeating unless you expect everybody in the company to walk over to your SLES machine to send email. Host style blocks the local network, leaving the only machine capable of sending mail as the server itself.
In the end it comes down to the old saying "If you are playing with Linux you should know what you are doing, especially if you are configuring a network service accessible by the external internet".
The point is that the mynetworks_style choices are somewhat limited and next to useless for a product like SLES or even openSUSE when used as a mail server, so YaST should ALWAYS ignore these options and insist on having the user configure mynetworks. Anything less is a minor, but annoying security breach.

My ISP runs a daemon that periodically tries to relay a test message through any machine that has port 25 open. I've seen it in the logs, and called their security desk. They explained it was their policy to do these tests, and they shut off your cable modem if the relay succeeds. Had I been located closer to their head-end, I would have been caught by this (and would have discovered this issue a year ago).

This is not a big deal as far as I'm concerned, and the risk is fairly small, as the number of hosts you can trick Postfix into relaying to is limited by your subnet mask.

--
_____________________________________
John Andersen
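The following is an added example, not part of the original message or of Postfix itself: a small audit that reads main.cf text and reports which networks end up trusted for relaying, depending on whether mynetworks is set or mynetworks_style decides. The sample configs, the interface addresses (including the public 203.0.113.57/24), the function names and the `default_style="subnet"` fallback (the built-in default before Postfix 3.0) are assumptions made for illustration.

```python
import ipaddress

# Constructed main.cf samples (not from any real host).
UNSET = "myhostname = mail.example.com\nmynetworks_style = subnet\n"
PINNED = "mynetworks_style = subnet\nmynetworks = 192.168.2.0/24,\n    127.0.0.0/8\n"

def parse_main_cf(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and name:
            params[name] += " " + raw.strip()
        elif "=" in raw:
            name, value = (s.strip() for s in raw.split("=", 1))
            params[name] = value          # a later assignment overrides an earlier one
    return params

def implied_networks(style, interfaces):
    """Networks a mynetworks_style value trusts, given local IPv4 interfaces."""
    nets = []
    for addr in interfaces:
        iface = ipaddress.ip_interface(addr)
        if style == "host":               # only the machine's own addresses
            prefix = iface.max_prefixlen
        elif style == "class":            # classful A/B/C boundary from the first octet
            first = int(iface.ip) >> 24
            prefix = 8 if first < 128 else 16 if first < 192 else 24
        else:                             # "subnet": whatever mask the interface has
            prefix = iface.network.prefixlen
        nets.append(ipaddress.ip_network(f"{iface.ip}/{prefix}", strict=False))
    return nets

def relay_trust(text, interfaces, default_style="subnet"):
    """Return (source, networks). default_style is an assumption (pre-3.0 default)."""
    p = parse_main_cf(text)
    if p.get("mynetworks"):               # explicit list wins; mynetworks_style is skipped
        entries = p["mynetworks"].replace(",", " ").split()   # plain CIDR entries only
        return "mynetworks", [ipaddress.ip_network(e) for e in entries]
    style = p.get("mynetworks_style", default_style)
    return "mynetworks_style=" + style, implied_networks(style, interfaces)

if __name__ == "__main__":
    # Constructed interfaces: loopback plus a public address on an ISP /24.
    ifs = ["127.0.0.1/8", "203.0.113.57/24"]
    for cfg in (UNSET, PINNED):
        src, nets = relay_trust(cfg, ifs)
        print(src, [str(n) for n in nets], sum(n.num_addresses for n in nets))
```

With mynetworks unset, the server in this sample trusts every address on the ISP's /24; with the explicit line, only the internal LAN and loopback are trusted regardless of the style setting.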