SuSE's default postfix config is an open relay?
I can scarcely believe this, so I'm posing this concept to the list in the hopes that someone can tell me if I'm overlooking something, but it would appear that if you merely take the default postfix config as presented by SuSE, you will be operating an open relay on all interfaces.

If you're like most people, you would have your email server sitting behind a firewall, and this would be fine. However, if your email server *is* your firewall, the SMTP port is going to be open to your internet connection, otherwise you're not going to receive mail. So the default SuSE config will allow anyone on your local broadband subnet to relay mail through your server. Since spammers love throw-away shared broadband connections, this is going to be a problem.

The #1 thing that postfix needs as a configuration parameter with respect to relaying email is ``mynetworks''. To wit: http://www.postfix.org/basic.html#relaying

The problem is that SuSE's /etc/sysconfig/postfix doesn't have the ``mynetworks'' parameter. This leaves postfix open to relay mail on _any_ interface. You can fix this by adding something _like_ this to your /etc/sysconfig/postfix file:

POSTFIX_ADD_MYNETWORKS="192.168.0.0/24, 127.0.0.1/32"

This will restrict access to relaying email to your local machine and your local network behind the firewall.

Just FYI,
dk
In a previous message, David Krider
it would appear that if you merely take the default postfix config as presented by SuSE, you will be operating an open relay on all interfaces.
If this is so, is everyone running postfix at risk? I use postfix only as a local MDA (AFAIK, that is) - my email is fetched by fetchmail and sending remotely is dealt with by my MUA without involving postfix. Postfix's only role here is dealing with system emails and delivering email once it's gone through procmail. And, in any case, YaST has no information about my ISP's smtp mailserver. Is this setup safe from any relaying nasties?

John

--
John Pettigrew
Headstrong Games
john@headstrong-games.co.uk
Fun : Strategy : Price
http://www.headstrong-games.co.uk/
Board games that won't break the bank
On Fri, 2003-09-05 at 09:16, John Pettigrew wrote:
If this is so, is everyone running postfix at risk? I use postfix only as a local MDA (AFAIK, that is) - my email is fetched by fetchmail and sending remotely is dealt with by my MUA without involving postfix. Postfix's only role here is dealing with system emails and delivering email once it's gone through procmail.
To sum up: the important part of what I was saying is that if you're running a default config of postfix on a machine that has port 25 directly exposed to an external connection, you are at risk. The machine must be actually connected to the internet with no intervening firewall. As long as you're behind a firewall -- even if you forward port 25 to your email server -- you won't be at risk. (I'm assuming that your "broadband" IP addresses are different from your internal addresses by way of NAT. If not, i.e. if you have "real" internet addresses inside your firewall, you're hosed. But, who does this these days? I'm just trying to be complete.) dk
In a previous message, David Krider
To sum up: the important part of what I was saying is that if you're running a default config of postfix on a machine that has port 25 directly exposed to an external connection, you are at risk.
OK - I have my firewall set to disallow all incoming connections, so I should be OK. Thanks

John

--
John Pettigrew
Headstrong Games
john@headstrong-games.co.uk
Fun : Strategy : Price
http://www.headstrong-games.co.uk/
Board games that won't break the bank
* David Krider;
The problem is that SuSE's /etc/sysconfig/postfix doesn't have the ``mynetworks'' parameter. This leaves postfix open to relay mail on _any_ interface. You can fix this by adding something _like_ this to your /etc/sysconfig/postfix file:
POSTFIX_ADD_MYNETWORKS="192.168.0.0/24, 127.0.0.1/32"
So you remember what the mynetworks parameter was before you add this: just close this and run SuSEconfig --module postfix, and then issue a postconf -m (or n). Off the top of my head the default should be mynetworks_style = subnet. I may be wrong, it is Friday "oh Freitag".

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
On Friday 05 Sep 2003 17:02, Togan Muftuoglu wrote:
* David Krider;
on 05 Sep, 2003 wrote: The problem is that SuSE's /etc/sysconfig/postfix doesn't have the ``mynetworks'' parameter. This leaves postfix open to relay mail on _any_ interface. You can fix this by adding something _like_ this to your /etc/sysconfig/postfix file:
That parameter is taken from elsewhere, check main.cf.
So you remember what the mynetworks parameter was before you add this: just close this and run SuSEconfig --module postfix, and then issue a postconf -m (or n).
Off the top of my head the default should be mynetworks_style = subnet. I may be wrong, it is Friday "oh Freitag".
You're right. A default postfix install is not an open relay! A default Suse postfix install is not an open relay! If it was I would have been cut off from my Internet connection months ago!

--
del
suse-linux-e
On Fri, 2003-09-05 at 12:10, del wrote:
On Friday 05 Sep 2003 17:02, Togan Muftuoglu wrote:
* David Krider;
on 05 Sep, 2003 wrote: The problem is that SuSE's /etc/sysconfig/postfix doesn't have the ``mynetworks'' parameter. This leaves postfix open to relay mail on _any_ interface. You can fix this by adding something _like_ this to your /etc/sysconfig/postfix file:
That parameter is taken from elsewhere, check main.cf.
Yes, but you can add any non-SuSE specified parameter to the /etc/sysconfig/postfix file with a POSTFIX_ADD_<parameter> inclusion.
So you remember what the mynetworks parameter was before you add this: just close this and run SuSEconfig --module postfix, and then issue a postconf -m (or n).
There *is* none. This is my point.
Off the top of my head the default should be mynetworks_style = subnet.
You're right.
Yes, he is... BUT! Read on..
A default postfix install is not an open relay! A default Suse postfix install is not an open relay! If it was I would have been cut off from my Internet connection months ago!
I guess I should have specified that *if* you configure your server to be a mail server (/etc/sysconfig/mail:SMTPD_LISTEN_REMOTE="yes"), then it will listen for SMTP connections -- as Togan says -- on ANY of its "subnets." Furthermore, *if* your email server is your firewall, and one of your "subnets" is external facing, you will be a relay for that connection's subnet. So, it *is* an open relay, as in "open to the creeps on your broadband subnet," but it may depend on just how open you need "open" to be defined before you call it "open," as in "open to all the creeps in the entire world." Regards, dk
On Friday 05 Sep 2003 20:18, David Krider wrote:
So, it *is* an open relay, as in "open to the creeps on your broadband subnet," but it may depend on just how open you need "open" to be defined before you call it "open," as in "open to all the creeps in the entire world."
Regards, dk
Only if it sends on mail to 3rd parties. If you tried to use my mail server here to send mail to hotmail you'll not be allowed. Just because it's listening on port 25 doesn't make it an open relay.
On Fri, 2003-09-05 at 14:52, del wrote:
On Friday 05 Sep 2003 20:18, David Krider wrote:
So, it *is* an open relay, as in "open to the creeps on your broadband subnet," but it may depend on just how open you need "open" to be defined before you call it "open," as in "open to all the creeps in the entire world."
Only if it sends on mail to 3rd parties. If you tried to use my mail server here to send mail to hotmail you'll not be allowed. Just because it's listening on port 25 doesn't make it an open relay.
I'm sort of tired of trying to explain myself to people who just aren't getting it, but I can't help not dispelling the misunderstanding for those who are lurking in this thread. Yes, I am saying _exactly_ that this problem leaves you open to relay mail to 3rd parties. I don't really care about "works for me" or "doesn't work for me" statements unless someone is going to _at least_ give a full description of their setup. Regards, dk
On Saturday 06 Sep 2003 14:40, David Krider wrote:
On Fri, 2003-09-05 at 14:52, del wrote:
On Friday 05 Sep 2003 20:18, David Krider wrote:
So, it *is* an open relay, as in "open to the creeps on your broadband subnet," but it may depend on just how open you need "open" to be defined before you call it "open," as in "open to all the creeps in the entire world."
Only if it sends on mail to 3rd parties. If you tried to use my mail server here to send mail to hotmail you'll not be allowed. Just because it's listening on port 25 doesn't make it an open relay.
I'm sort of tired of trying to explain myself to people who just aren't getting it, but I can't help not dispelling the misunderstanding for those who are lurking in this thread.
Yes, I am saying _exactly_ that this problem leaves you open to relay mail to 3rd parties.
I don't really care about "works for me" or "doesn't work for me" statements unless someone is going to _at least_ give a full description of their setup.
Took a closer look earlier. Put USB ADSL onto mailserver, connected. The netmask I get from my ISP is a /32 although I'm in a /15 netblock. So no I don't relay for all in the netblock. Is your ISP giving you more than a /32 on your connection? If it is then I can see where you're coming from and I'm sorry if you got wound up about this.

--
del
suse-linux-e
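The disagreement between dk (listening on "ANY of its subnets" when the box is also the firewall) and del (his ISP hands him a /32, so his external "subnet" is only himself) comes down to what postfix's mynetworks_style = subnet expands to: the network of every local interface. The following is an added example, not code from the thread; the interface tables and the 203.0.113.0/24 addresses are constructed, and the POSTFIX_ADD_MYNETWORKS line is built in the shape of David's suggested fix.

```python
"""Model mynetworks_style = subnet on a box that is both firewall and mail server."""
import ipaddress

# Constructed interface tables: (name, address/prefix, faces_the_internet)
FIREWALL_BOX = [
    ("lo",   "127.0.0.1/8",      False),
    ("eth0", "192.168.0.1/24",   False),  # LAN behind the firewall
    ("ppp0", "203.0.113.45/24",  True),   # broadband side, ISP hands out a /24 (constructed)
]
DEL_BOX = [
    ("lo",   "127.0.0.1/8",      False),
    ("eth0", "192.168.0.1/24",   False),
    ("ppp0", "203.0.113.45/32",  True),   # del's case: a /32 from the ISP
]


def subnet_style(ifaces):
    """What mynetworks_style = subnet trusts: the subnet of each local interface."""
    return {name: ipaddress.ip_interface(cidr).network for name, cidr, _ in ifaces}


def exposed_networks(ifaces):
    """External-facing subnets that contain hosts other than us: those hosts may relay."""
    nets = subnet_style(ifaces)
    return [nets[n] for n, _, external in ifaces
            if external and nets[n].num_addresses > 1]


def trusted_client(ifaces, client_ip):
    """Would postfix treat this SMTP client as part of mynetworks (and so relay for it)?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in subnet_style(ifaces).values())


def explicit_mynetworks(ifaces):
    """Explicit list in David's style: internal (non-loopback) subnets plus localhost only."""
    nets = subnet_style(ifaces)
    internal = [str(nets[n]) for n, _, external in ifaces
                if not external and not nets[n].is_loopback]
    return 'POSTFIX_ADD_MYNETWORKS="' + ", ".join(internal + ["127.0.0.1/32"]) + '"'


if __name__ == "__main__":
    for label, box in (("firewall box", FIREWALL_BOX), ("del's box", DEL_BOX)):
        print(label, "exposed:", [str(n) for n in exposed_networks(box)])
        print(label, "relays for 203.0.113.200:", trusted_client(box, "203.0.113.200"))
    print(explicit_mynetworks(FIREWALL_BOX))
```

The check only reflects the subnet style itself; an explicit mynetworks (or mynetworks_style = host) in main.cf overrides it, so compare against `postconf -n` on the actual machine.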
* David Krider;
I'm sort of tired of trying to explain myself to people who just aren't getting it, but I can't help not dispelling the misunderstanding for those who are lurking in this thread.
Yes, I am saying _exactly_ that this problem leaves you open to relay mail to 3rd parties.
try it with http://www.abuse.net/relay.html and see if it is really open or not

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
On Sat, 2003-09-06 at 08:59, Togan Muftuoglu wrote:
try it with http://www.abuse.net/relay.html and see if it is really open or not
I don't have to. See, I was alerted to the problem a few days ago when my logdigest email from that server exploded to over 10 MB in size (which then couldn't be delivered to my personal email server because of the default message size restriction). A spammer on my DSL subnet has been hammering that server. My (default) config allowed him to send thousands of email messages over about a day and a half before I caught the problem and corrected it. The spammer continues to try to relay mail through that server, even though I have now configured it with several blackhole lists, one of which is dinging him. I've sent a message to my ISP about it, but have heard nothing. Which reminds me: I need to make a call.

Regards,
dk
David Krider
I can scarcely believe this, so I'm posing this concept to the list in the hopes that someone can tell me if I'm overlooking something, but it would appear that if you merely take the default postfix config as presented by SuSE, you will be operating an open relay on all interfaces.
Please send such mails/questions to suse-security@suse.com. There you'll directly reach our security experts. Philipp
participants (5): David Krider, del, John Pettigrew, Philipp Thomas, Togan Muftuoglu