[opensuse] Open (subnet) Relay using Postfix
I've discovered that the default Postfix install as done in openSUSE 10.2 and SLES9 provides an open relay for anyone on the same subnets as the mail server. This includes both the internal and external subnets. Postfix defaults to mynetworks_style = subnet but the fine print says that means ALL subnets to which it has an interface. So some of my customers run mail servers on static IPs and these machines offer an open relay from anywhere on the internet to any host on the same subnet as the server. Say I have two customers with static IPs in the 206.174.64.0/18 range... From anywhere, I can send mail thru one of them, (say 206.174.64.22) to any server that happens to be in that same /18 by simply using 206.174.64.22 as my smtp server. Now admittedly, this isn't going to get Joe Spammer very far but it still seems like a hole to me. By adding the line: mynetworks = 192.168.2.0/24, 127.0.0.0/8 you can prevent this, but Yast does not offer that as best I can see, so you have to remember to do it manually. -- _____________________________________ John Andersen
John Andersen wrote:
I've discovered that the default Postfix install as done in openSUSE 10.2 and SLES9 provides an open relay for anyone on the same subnets as the mail server.
When you consider default values then you should also mention that the default value for inet_interfaces is 127.0.0.1. Once you start to fiddle with the default settings all bets are off. (^-^) If yast were able to set up smtp auth, THAT would be a real argument to use yast for configuring Postfix. Though I agree, a warning "you are making this service available for access from the internet, are you sure?" would be nice. Also a dialogue where the relay question could be answered would really help to set up the mail system.
Now admittedly, this isn't going to get Joe Spammer very far but it still seems like a hole to me.
It is indeed not the best practice.
By adding the line: mynetworks = 192.168.2.0/24, 127.0.0.0/8 you can prevent this, but Yast does not offer that as best I can see, so you have to remember to do it manually.
If you set mynetworks manually, the option mynetworks_style is skipped. You could also use "mynetworks_style = host" to grant relay access to the server only. In the end it comes down to the old saying "If you are playing with Linux you should know what you are doing, especially if you are configuring a network service accessible by the external internet". Sandy -- List replies only please! Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
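The two posts above turn on how Postfix derives its trusted-client list: an explicit mynetworks replaces whatever mynetworks_style would have produced, and the default subnet style trusts every subnet the server has an interface in. The following script is an added example, not code from the thread or from Postfix; it models the mynetworks_style rules as documented in postconf(5) (host, subnet, class) for IPv4 and checks which clients a given main.cf fragment would let relay. The interface addresses are constructed to match John's scenario (a public address in 206.174.64.0/18 plus a private LAN), and the main.cf fragments are the ones quoted in the thread.

```python
"""Model how Postfix derives $mynetworks from main.cf and the host's interfaces.

Added example: reproduces the postconf(5) rules for mynetworks_style so the
effect of the openSUSE/SLES default can be seen.  IPv4 only; interface
addresses are constructed samples, not a real host.
"""
import ipaddress

# Constructed sample interfaces: public /18 (as in the thread), LAN, loopback.
INTERFACES = [
    ("eth0", "206.174.64.22/18"),
    ("eth1", "192.168.2.1/24"),
    ("lo", "127.0.0.1/8"),
]

# main.cf fragments discussed in the thread (constructed as whole files here).
DEFAULT_MAIN_CF = "# nothing set: Postfix falls back to mynetworks_style = subnet\n"
HOST_MAIN_CF = "mynetworks_style = host\n"
EXPLICIT_MAIN_CF = "mynetworks = 192.168.2.0/24, 127.0.0.0/8\n"


def parse_main_cf(text):
    """Parse 'key = value' lines of a Postfix main.cf fragment into a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def classful_network(ip):
    """Return the classful (A/B/C) network containing an IPv4 address."""
    first_octet = int(str(ip).split(".")[0])
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def derive_mynetworks(settings, interfaces):
    """Return the list of networks Postfix would trust for relaying.

    An explicit 'mynetworks' wins and mynetworks_style is ignored.
    Otherwise mynetworks_style decides:
      host   -> only the server's own addresses
      subnet -> every subnet the server has an interface in (the default)
      class  -> the class A/B/C network of each interface address
    """
    if "mynetworks" in settings:
        return [ipaddress.ip_network(n, strict=False)
                for n in settings["mynetworks"].replace(",", " ").split()]
    style = settings.get("mynetworks_style", "subnet")
    nets = []
    for _, cidr in interfaces:
        iface = ipaddress.ip_interface(cidr)
        if style == "host":
            nets.append(ipaddress.ip_network(f"{iface.ip}/32"))
        elif style == "subnet":
            nets.append(iface.network)
        elif style == "class":
            nets.append(classful_network(iface.ip))
        else:
            raise ValueError(f"unknown mynetworks_style: {style}")
    return nets


def is_trusted(client_ip, nets):
    """True if a client at client_ip may relay under the given trusted networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in n for n in nets)


def relay_allowed(main_cf_text, client_ip, interfaces=INTERFACES):
    """Convenience wrapper: does this main.cf let client_ip relay?"""
    nets = derive_mynetworks(parse_main_cf(main_cf_text), interfaces)
    return is_trusted(client_ip, nets)


if __name__ == "__main__":
    # A host elsewhere in the public /18 versus a LAN workstation.
    for name, cf in (("default", DEFAULT_MAIN_CF), ("host", HOST_MAIN_CF),
                     ("explicit", EXPLICIT_MAIN_CF)):
        print(f"{name:9s} public-/18 neighbour: {relay_allowed(cf, '206.174.100.7')}"
              f"  LAN client: {relay_allowed(cf, '192.168.2.50')}")
```

Running it shows the trade-off the thread describes: the default trusts the whole public /18 as well as the LAN, "host" trusts neither the /18 nor the LAN (only the server's own addresses), and the explicit mynetworks line trusts the LAN and loopback only.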
On Friday 29 December 2006 02:00, Sandy Drobic wrote:
It is indeed not the best practice.
By adding the line: mynetworks = 192.168.2.0/24, 127.0.0.0/8 you can prevent this, but Yast does not offer that as best I can see, so you have to remember to do it manually.
If you set mynetworks manually, the option mynetworks_style is skipped. You could also use "mynetworks_style = host" to grant relay access to the server only.
True enough about the mynetworks setting overriding mynetworks_style, which is precisely why I recommended this in my post above. It's not that I don't know how to do this; it's just a trap for the unwary and it also affects SLES. Setting mynetworks_style = host is sort of self-defeating unless you expect everybody in the company to walk over to your SLES machine to send email. Host style blocks the local network, leaving the only machine capable of sending mail as the server itself.
In the end it comes down to the old saying "If you are playing with Linux you should know what you are doing, especially if you are configuring a network service accessible by the external internet".
The point is that the mynetworks_style choices are somewhat limited and next to useless for a product like SLES or even opensuse when used as a mail server, so yast should ALWAYS ignore these options and insist on having the user configure mynetworks. Anything less is a minor, but annoying security breach. My ISP runs a daemon that periodically tries to relay a test message thru any machine that has port 25 open. I've seen it in the logs, and called their security desk. They explained it was their policy to do these tests, and they shut off your cable modem if the relay succeeds. Had I been located closer to their head-end, I would have been caught by this, (and would have discovered this issue a year ago). This is not a big deal as far as I'm concerned, and the risk is fairly small, as the number of hosts you can trick Postfix into relaying to is limited by your subnet mask. -- _____________________________________ John Andersen
John Andersen wrote:
On Friday 29 December 2006 02:00, Sandy Drobic wrote:
It is indeed not the best practice.
By adding the line: mynetworks = 192.168.2.0/24, 127.0.0.0/8 you can prevent this, but Yast does not offer that as best I can see, so you have to remember to do it manually. If you set mynetworks manually, the option mynetworks_style is skipped. You could also use "mynetworks_style = host" to grant relay access to the server only.
True enough about the mynetworks setting overriding mynetworks_style, which is precisely why I recommended this in my post above.
It's not that I don't know how to do this; it's just a trap for the unwary and it also affects SLES.
The unwary have no business running a mailserver. (^-^)
Setting mynetworks_style = host is sort of self-defeating unless you expect everybody in the company to walk over to your SLES machine to send email. Host style blocks the local network, leaving the only machine capable of sending mail as the server itself.
Usually you set up authentication for clients; servers that don't support smtp auth can be added to $mynetworks. Currently best practices recommend to set up smtp auth/TLS for clients and firewall outgoing port 25 for all other machines except your mailserver, thus forcing all internal clients to use your mailserver. Even if a Windows PC is infested with spamware, that should prevent the zombie from spreading the junk.
In the end it comes down to the old saying "If you are playing with Linux you should know what you are doing, especially if you are configuring a network service accessible by the external internet".
The point is that the mynetworks_style choices are somewhat limited and next to useless for a product like SLES or even opensuse when used as a mail server, so yast should ALWAYS ignore these options and insist on having the user configure mynetworks.
That I can agree to. If you could set up authentication in the next step also, I would start cheering. (^-^)
My ISP runs a daemon that periodically tries to relay a test message thru any machine that has port 25 open. I've seen it in the logs, and called their security desk. They explained it was their policy to do these tests, and they shut off your cable modem if the relay succeeds.
I like your ISP. Wish some others would adopt that practice, too. When I saw someone with the sender address smtphunter@daum.net try to relay using my server, I first thought "Oh, a relay probe from an anti-spam fighter". It was probably exactly the opposite, a spammer looking for open relays. Though it seems he stopped checking some months ago. Maybe ordb.org is indeed not needed anymore. Currently I think that the biggest threat are infected/insecure machines within your network. Sandy
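Both John's ISP test and the probes Sandy saw show up in the smtpd log as rejected RCPT commands, and it is worth having something that counts them per client rather than noticing them by eye. The script below is an added example, not code from the thread; the log lines in it are constructed samples written in the standard Postfix smtpd "Relay access denied" format, with fictitious hosts and documentation-range addresses. It extracts each denied relay attempt and flags clients that probed more than once.

```python
"""Summarise rejected relay attempts from Postfix smtpd log lines.

Added example: the log excerpt is a constructed sample in the format Postfix
uses for a 554 5.7.1 "Relay access denied" reject; hosts and addresses are
fictitious.
"""
import re
from collections import Counter

# Constructed sample log: one probing client with two attempts, one LAN client
# whose message was accepted, and a single ISP relay test.
SAMPLE_LOG = """\
Dec 29 02:13:41 mx postfix/smtpd[4211]: connect from unknown[203.0.113.45]
Dec 29 02:13:41 mx postfix/smtpd[4211]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 554 5.7.1 <probe@example.net>: Relay access denied; from=<tester@example.org> to=<probe@example.net> proto=ESMTP helo=<scanner>
Dec 29 02:13:42 mx postfix/smtpd[4211]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 554 5.7.1 <probe2@example.net>: Relay access denied; from=<tester@example.org> to=<probe2@example.net> proto=ESMTP helo=<scanner>
Dec 29 02:13:42 mx postfix/smtpd[4211]: disconnect from unknown[203.0.113.45]
Dec 29 02:20:07 mx postfix/smtpd[4230]: 5F3A21C0B2: client=pc12.example.lan[192.168.2.50]
Dec 29 02:31:55 mx postfix/smtpd[4244]: NOQUEUE: reject: RCPT from relay-test.isp.example[198.51.100.9]: 554 5.7.1 <relaytest@isp.example>: Relay access denied; from=<security@isp.example> to=<relaytest@isp.example> proto=SMTP helo=<relay-test.isp.example>
"""

# Matches the fixed part of a Postfix relay reject: "RCPT from host[ip]: 554 5.7.1
# <recipient>: Relay access denied; from=<sender>".
RELAY_DENIED = re.compile(
    r"RCPT from (?P<host>[^\s\[]+)\[(?P<ip>[0-9a-fA-F.:]+)\]: 554 5\.7\.1 "
    r"<(?P<rcpt>[^>]*)>: Relay access denied; from=<(?P<sender>[^>]*)>"
)


def parse_relay_denials(log_text):
    """Yield (client_ip, client_host, sender, recipient) for each denied relay."""
    for line in log_text.splitlines():
        m = RELAY_DENIED.search(line)
        if m:
            yield m.group("ip"), m.group("host"), m.group("sender"), m.group("rcpt")


def relay_probe_report(log_text, threshold=2):
    """Count denied relay attempts per client IP.

    Returns (counts, flagged): counts maps ip -> number of attempts, flagged is
    the sorted list of IPs with at least `threshold` attempts.  A single reject
    may be a mistyped address or a legitimate test like the one John's ISP runs;
    repeated rejects from one client look like a relay scan.
    """
    counts = Counter(ip for ip, _, _, _ in parse_relay_denials(log_text))
    flagged = sorted(ip for ip, n in counts.items() if n >= threshold)
    return dict(counts), flagged


if __name__ == "__main__":
    counts, flagged = relay_probe_report(SAMPLE_LOG)
    for ip, n in sorted(counts.items()):
        print(f"{ip:16s} {n} denied relay attempt(s)")
    print("repeat probers:", ", ".join(flagged) or "none")
```

The rejects themselves are the healthy outcome: on a server still running with the subnet default described earlier in the thread, a probe from a neighbour in the same public subnet would not produce a reject line at all, so an absence of "Relay access denied" entries is only reassuring once mynetworks is known to be correct.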
On Friday 29 December 2006 13:09, Sandy Drobic wrote:
Currently best practices recommend to set up smtp auth/TLS for clients and firewall outgoing port 25 for all other machines except your mailserver, thus forcing all internal clients to use your mailserver. Even if a Windows PC is infested with spamware, that should prevent the zombie from spreading the junk.
Well I already do egress filtering on 25, so I guess we agree there. As for SMTP auth on the inside network, it does add a bit of complexity, what with generating the certificates etc. Once done, it works from anywhere, which is nice, especially for the roaming laptop crowd. (As long as your firewall allows them to connect to your OUTSIDE nic when they are INSIDE, which I don't think SuSE firewall does, but Shorewall will.) It turns out SLES9 does set the mynetworks, but it includes IPv6 networks as well which provides a leak. opensuse does not appear to handle mynetworks at all. -- _____________________________________ John Andersen
John Andersen wrote:
On Friday 29 December 2006 13:09, Sandy Drobic wrote:
Currently best practices recommend to set up smtp auth/TLS for clients and firewall outgoing port 25 for all other machines except your mailserver, thus forcing all internal clients to use your mailserver. Even if a Windows PC is infested with spamware, that should prevent the zombie from spreading the junk.
Well I already do egress filtering on 25, so I guess we agree there.
As for SMTP auth on the inside network, it does add a bit of complexity, what with generating the certificates etc.
You only need to create one certificate for the server. If it is not an official certificate you might need to import it to your clients' certificate storage. If you don't need plaintext mechanisms for authentication you can also use unencrypted connections. Or do you mean authentication based on the certificate? That is indeed a bit more complicated.
Once done, it works from anywhere, which is nice, especially for the roaming laptop crowd. (As long as your firewall allows them to connect to your OUTSIDE nic when they are INSIDE, which I don't think SuSE firewall does, but Shorewall will.)
When you use DHCP for your clients you can give them the internal DNS server IP with the internal mailserver IP, if they log in within your network. Otherwise the external DNS will return the external IP of your mailserver. Here in Europe most networks only have a few official IPs, so most firewalls use NAT, and the mailserver itself is using a private IP.
It turns out SLES9 does set the mynetworks, but it includes IPv6 networks as well which provides a leak. opensuse does not appear to handle mynetworks at all.
As long as IPv6 is not used in commercial practice, I'll simply ignore it and deactivate it on the servers I am running. Sandy
On Saturday 30 December 2006 04:42, Sandy Drobic wrote:
You only need to create one certificate for the server. If it is not an official certificate you might need to import it to your clients' certificate storage. If you don't need plaintext mechanisms for authentication you can also use unencrypted connections.
Speaking of that Sandy... The install of Postfix, if you select the right options in the Sysconfig editor portion of yast, creates certificates etc for you for TLS, etc. This is done by mkpostfixcert - driven out of SuseConfig. IMAPS (secure IMAP) needs certificates too. Can they use the same certificates (the ones in /etc/postfix/ssl)?? -- _____________________________________ John Andersen
John Andersen wrote:
On Saturday 30 December 2006 04:42, Sandy Drobic wrote:
You only need to create one certificate for the server. If it is not an official certificate you might need to import it to your clients' certificate storage. If you don't need plaintext mechanisms for authentication you can also use unencrypted connections.
Speaking of that Sandy...
The install of Postfix, if you select the right options in the Sysconfig editor portion of yast, creates certificates etc for you for TLS, etc.
This is done by mkpostfixcert - driven out of SuseConfig
Nice, I haven't used that yet. Since when is this option available? I just checked in Suse 9.2, and I can't see that point. The only options I CAN see are some values for the creation of the certificate, but not the point where the certificate itself is actually created.
IMAPS (secure IMAP) needs certificates too. Can they use the same certificates (the ones in /etc/postfix/ssl)??
Provided you give the imap server access to that certificate, you can of course share it among servers. Otherwise just copy it to the place where the imap server wants to access it. Sandy
John Andersen wrote:
I've discovered that the default Postfix install as done in openSUSE 10.2 and SLES9 provides an open relay for anyone on the same subnets as the mail server.
That is basically stated in Yast2, System, etc/Sysconfig Editor, where it says File: /etc/sysconfig/postfix Possible Values: subnet, host, class Default Value: subnet Configuration Script: postfix Description: The postfix default for this setting is "subnet" for security reasons you should use host otherwise every user in the same subnet as you, can use your postfix server as a mail relay for spam. If you set POSTFIX_DIALUP to "yes" mynetworks_style will be set to "host" by SuSEconfig. Mine was set to host, but I no longer remember if I did that or Yast/SuSEconfig did it.
By adding the line: mynetworks = 192.168.2.0/24, 127.0.0.0/8 you can prevent this, but Yast does not offer that as best I can see, so you have to remember to do it manually.
You do need to add it manually, but you could add POSTFIX_ADD_MYNETWORKS to /etc/sysconfig/postfix to edit this easily with Yast's sysconfig editor. -- Joe Morris Registered Linux user 231871 running openSUSE 10.2 x86_64
participants (3)
- Joe Morris (NTM)
- John Andersen
- Sandy Drobic