On Sun, Aug 23, 2015 at 02:51:08PM +0200, Thomas Keller wrote:

> subject /usr/lib/postfix/smtpd o {
>     /                            h
>     /etc/                        h
>     /etc/gai.conf                r
>     /etc/host.conf               r
>     /etc/hosts                   r
>     /etc/ld.so.cache             r
>     /etc/localtime               r
>     /etc/resolv.conf             r
>     /lib/x86_64-linux-gnu/       rx
>     /var/spool/postfix/          rw
>     -CAP_ALL
>     bind 0.0.0.0/32:25 stream tcp
>     bind 0.0.0.0/32:465 stream tcp
>     connect 0.0.0.0/0:53 dgram udp
>     sock_allow_family netlink ipv4
> }
This can break DNS by blocking DNS via TCP.

> The only remote connections allowed are to udp port 53. Now RBAC is
> logging the following error messages:
>
> postfix:U:/usr/lib/postfix/smtpd denied connect() to 74.208.4.197 port
> 0 sock type dgram protocol udp

Read the RBAC docs. Typically, UDP connections that help to detect port
unreachable and the like are to a particular peer port, but perhaps your
libresolv or OS works differently. Or bugs in the RBAC code (race
conditions?) lead to misleading logging.

> Can somebody please explain what smtpd is trying to do?

There is no code in Postfix that performs UDP connect() calls.

> Why does it try to connect to "port 0". What is port 0, anyway - is it
> a raw socket? Is smtpd supposed to connect to anything other than udp 53?

The relevant code is in system libraries, not Postfix.

-- 
	Viktor.
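An added illustration of the last point, not part of the original thread and not Postfix's or Viktor's code: it assumes the "port 0" UDP connect() comes from the resolver library's source-address probe (glibc's getaddrinfo() does this when sorting several results: connect a datagram socket, which transmits nothing, then call getsockname() to learn the local address). The destination is the address from the log line above, used only as a constructed sample; the function name probe_source_addr is hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Connect a UDP socket to dst:0 (no packet is sent) and report the
 * local address the kernel would use to reach dst.  This mirrors the
 * source-address probe getaddrinfo() performs when it sorts multiple
 * results (RFC 3484), which an RBAC policy restricted to "connect
 * 0.0.0.0/0:53 dgram udp" logs as a denied connect() to port 0.
 * Returns 0 and writes the dotted-quad source address to out on
 * success; returns -1 otherwise. */
int probe_source_addr(const char *dst, char *out, size_t outlen)
{
    struct sockaddr_in peer = { 0 }, local = { 0 };
    socklen_t len = sizeof local;
    int fd, rc = -1;

    peer.sin_family = AF_INET;
    peer.sin_port = htons(0);            /* port 0: no service requested */
    if (inet_pton(AF_INET, dst, &peer.sin_addr) != 1)
        return -1;

    fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;

    /* connect() on a datagram socket only selects a route and a source
     * address; nothing leaves the host, yet a policy hook still sees it. */
    if (connect(fd, (struct sockaddr *)&peer, sizeof peer) == 0 &&
        getsockname(fd, (struct sockaddr *)&local, &len) == 0 &&
        inet_ntop(AF_INET, &local.sin_addr, out, outlen) != NULL)
        rc = 0;

    close(fd);
    return rc;
}

int main(void)
{
    char src[INET_ADDRSTRLEN];
    /* Constructed sample: the peer address from the RBAC log line. */
    const char *dst = "74.208.4.197";
    if (probe_source_addr(dst, src, sizeof src) == 0)
        printf("to reach %s the kernel would send from %s\n", dst, src);
    else
        perror("probe_source_addr");
    return 0;
}
```

Run it under strace and no sendto() or packet appears, only socket(), connect() and getsockname(); that is the call sequence a policy writer has to permit (or accept as logged noise) when the protected program resolves names with getaddrinfo().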