> The man-page of spamd states:
> 
>    An asterisk '*' in place of a hostname implies an unspecified address,
>    ('0.0.0.0' or '::'), i.e. it binds to all interfaces. An empty option 
>    value implies '*'. A default is '--listen localhost', which binds to
>    a loopback interface only."
> 
> This is misleading as it says that '--listen localhost' is "a default"
> but in fact, the empty option is the default.  The man-page should
> make clear that '--listen *' is the default while '--listen localhost'
> is likely what the user wants (unless running a public spamd).

The man page is accurate. When run in the default configuration, spamd
listens on loopback only. If this is not the behavior you're seeing,
please send more details, including spamd logs, "systemctl status"
output, "ss -tnl" output, and anything else you think might be relevant.

> With the current default setup, spamd binds to 0.0.0.0/::, resulting
> in it being accessible from outside the system. (Does this raise the
> severity to serious?)

No. You should probably review the definition of the bug severities.
https://www.debian.org/Bugs/Developer#severities

Given that spamd doesn't even run by default, "normal" is probably the
highest severity this should get.

noah
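
Added example, not part of the original message: a small shell helper that reads `ss -tnl` output and reports whether a given TCP port is bound to loopback only or to a wildcard or other non-loopback address, which is the question disputed above. Port 783 (spamd's usual port), the function name and the sample `ss` lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Classify the TCP listeners for one port from `ss -tnl` output on stdin.
# Prints one of: not-listening, loopback-only, non-loopback.
# Live use (port 783 is an assumption): ss -tnl | classify_listeners 783
classify_listeners() {
    awk -v port="$1" '
        $1 != "LISTEN" { next }            # skips the header line
        {
            addr = $4                      # Local Address:Port column
            if (match(addr, /:[0-9]+$/) == 0) next
            p = substr(addr, RSTART + 1)
            host = substr(addr, 1, RSTART - 1)
            if (p != port) next
            sub(/%.*$/, "", host)          # drop interface scope such as %lo
            sub(/^\[/, "", host)           # drop IPv6 brackets
            sub(/\]$/, "", host)
            seen = 1
            # 0.0.0.0, [::] and * (all interfaces) fall through as non-loopback
            if (host ~ /^127\./ || host == "::1") next
            exposed = 1
        }
        END {
            if (!seen) print "not-listening"
            else if (exposed) print "non-loopback"
            else print "loopback-only"
        }'
}

# Constructed sample: the port is bound to loopback only.
SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128        127.0.0.1:783       0.0.0.0:*
LISTEN 0      128            [::1]:783          [::]:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*'

# Constructed sample: the port is bound to the unspecified address.
SAMPLE_WILDCARD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:783       0.0.0.0:*
LISTEN 0      128             [::]:783          [::]:*'

printf '%s\n' "$SAMPLE_LOOPBACK" | classify_listeners 783
printf '%s\n' "$SAMPLE_WILDCARD" | classify_listeners 783
```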
