Package: spamassassin
Version: 3.4.1-6+deb9u1
Severity: normal
Tags: newcomer

Currently, /etc/default/spamassassin contains the following OPTIONS:

OPTIONS="--create-prefs --max-children 5 --helper-home-dir"

This should be changed to:

OPTIONS="--create-prefs --max-children 5 --helper-home-dir --listen localhost"

The man-page of spamd states:

   An asterisk '*' in place of a hostname implies an unspecified address,
   ('0.0.0.0' or '::'), i.e. it binds to all interfaces. An empty option
   value implies '*'. A default is '--listen localhost', which binds to
   a loopback interface only.

This is misleading as it says that '--listen localhost' is "a default" but in 
fact, the empty option is the default.  The man-page should make clear that 
'--listen *' is the default while '--listen localhost' is likely what the user 
wants (unless running a public spamd).

With the current default setup, spamd binds to 0.0.0.0/::, resulting in it
being accessible from outside the system. (Does this raise the severity to
serious?)
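The following is an added check and is not part of the bug report or of the Debian package: a POSIX sh function that takes the OPTIONS value from /etc/default/spamassassin and reports whether every --listen value names a loopback address. The meaning of '*' and of an empty value follows the spamd(1) text quoted above; treating a missing --listen as "not confirmed loopback" is a deliberately conservative assumption, and the handling of host:port, bracketed IPv6 and the -i/--listen-ip spellings is an assumption about the option syntax rather than something the report states.

```shell
#!/bin/sh
# Added example, not from the bug report or the spamassassin package.
# spamd_listen_is_loopback OPTIONS
#   returns 0 if every --listen value is a loopback address (localhost,
#   127.x, ::1), 1 if any listener is (or may be) reachable from other hosts.
spamd_listen_is_loopback() {
    set -f                 # no globbing while we split the option string
    set -- $1              # word-split OPTIONS into positional parameters
    set +f
    found=0
    while [ $# -gt 0 ]; do
        case "$1" in
            --listen=*|--listen-ip=*)
                val="${1#*=}"; found=1 ;;
            --listen|--listen-ip|-i)
                found=1
                # a following token that does not start with '-' is the value;
                # otherwise the value is empty, which spamd(1) says means '*'
                if [ $# -gt 1 ] && [ "${2#-}" = "$2" ]; then
                    val="$2"; shift
                else
                    val=""
                fi ;;
            -i?*)
                val="${1#-i}"; found=1 ;;
            *)  shift; continue ;;          # unrelated option, skip it
        esac
        shift
        case "$val" in
            # loopback only: what a host that is not a public spamd wants
            localhost|localhost:*|127.*|"[::1]"|"[::1]:"*|::1) : ;;
            # all interfaces, per the quoted man page text
            ""|"*"|"*:"*|0.0.0.0|0.0.0.0:*|"::"|"[::]"|"[::]:"*) return 1 ;;
            # any other address or hostname: not loopback, so flag it
            *) return 1 ;;
        esac
    done
    # No --listen at all: conservative assumption, treat as not verified
    [ "$found" -eq 1 ]
}

# Usage on the two OPTIONS lines from the report (constructed calls):
spamd_listen_is_loopback "--create-prefs --max-children 5 --helper-home-dir" \
    && echo "loopback only" || echo "NOT confirmed loopback-only"
spamd_listen_is_loopback "--create-prefs --max-children 5 --helper-home-dir --listen localhost" \
    && echo "loopback only" || echo "NOT confirmed loopback-only"
```

This only inspects the configured options; to confirm what a running spamd actually bound, compare against `ss -ltnp` (or `netstat -ltnp`) and look at the local address column for the spamd process.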

-- System Information:
Debian Release: 9.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US:en 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages spamassassin depends on:
ii  adduser                                  3.115
ii  curl                                     7.52.1-5+deb9u7
ii  init-system-helpers                      1.48
ii  libhtml-parser-perl                      3.72-3
ii  libhttp-date-perl                        6.02-1
ii  libmail-dkim-perl                        0.40-1
ii  libnet-dns-perl                          1.07-1
ii  libnetaddr-ip-perl                       4.079+dfsg-1+b1
ii  libsocket6-perl                          0.27-1+b1
ii  libsys-hostname-long-perl                1.5-1
ii  libwww-perl                              6.15-1
ii  lsb-base                                 9.20161125
ii  perl                                     5.24.1-3+deb9u4
ii  perl-modules-5.24 [libarchive-tar-perl]  5.24.1-3+deb9u4
ii  w3m                                      0.5.3-34+deb9u1

Versions of packages spamassassin recommends:
ii  gnupg                             2.1.18-8~deb9u2
ii  libio-socket-inet6-perl           2.72-2
ii  libmail-spf-perl                  2.9.0-4
ii  libperl5.24 [libsys-syslog-perl]  5.24.1-3+deb9u4
ii  sa-compile                        3.4.1-6+deb9u1
ii  spamc                             3.4.1-6+deb9u1

Versions of packages spamassassin suggests:
ii  libdbi-perl                          1.636-1+b1
pn  libencode-detect-perl                <none>
pn  libgeo-ip-perl                       <none>
ii  libio-socket-ssl-perl                2.044-1
pn  libnet-patricia-perl                 <none>
ii  libperl5.24 [libcompress-zlib-perl]  5.24.1-3+deb9u4
pn  pyzor                                <none>
ii  razor                                1:2.85-4.2+b2

-- Configuration Files:
/etc/default/spamassassin changed [not included]
/etc/spamassassin/local.cf changed [not included]
/etc/spamassassin/v310.pre changed [not included]

-- no debconf information
