Am 23.12.22 um 03:19 schrieb Samer Afach:
Dear Matthias,
I think there's a misunderstanding here. The server is already
shutdown. I thought you meant that I should shutdown the server
permanently and move on with my life because I'm incapable of running
a server, which seems to have been the context (I'll explain next why
that's obvious). But please allow me to elaborate that usually the
cost of that is extremely high, and I'm willing to pay it. Luckily I'm
on vacation now so I'm just spending my own time to do this. I've
spent so far no less than 100 hours on this fiasco. Zero regrets.
Btw, the relays happened because I actively changed mynetworks_style
to subnet, forgetting and not checking that all incoming connections
will come from the gateway of docker subnet. Still under research to
identify how that works.
There have been suggestions on the email list that I could start the
containers locally to do the experiments. Maybe I'm missing something,
but isn't the primary problem that I need to identify connection
sources with the PROXY protocol? How will I do that if I can't produce
remote connections? There's no way to guarantee that unless I do that
remotely. That's why I'll have to turn on the server before it's fully
tested... because the ultimate test will be communicating with the
server remotely and getting the desired results.
And again, let's not forget that disabling email relaying is the
primary solutions (as many have pointed out already). So none of this
is that bad. I think we have a fair assessment of the risk, all things
considered.
Now about learning, people have shared interesting opinions and I read
the email chain (readers, please read them first before commenting on
what I'm saying) and I agree with many of them and disagree with
others, and yes, it's not as simple as it seems. There's no point in
anyone's life where one said "now I'm educated, let's run an email
server". Not really. Even people graduating university don't know what
they're doing after having spent years grinding information. The
reason for this phenomenon is complex and has to do with human nature
and upbringing, but it's what it's. You either inherit a system that
works and you're taught the caveats in it and how to test it and what
to look for, or you start from somewhere (some configuration online?)
and learn as you go. The Linux ecosystem in general is based on
testing things manually, which is why configuration mistakes happen
all the time, and which is why there are tons of online tools to test
the obvious vulnerabilities (OSS, etc, most of which use public
interfaces, because no one knows everything). Email is very sensitive,
granted, but I'm sorry, you're asking for the impossible. You're
asking for people to "learn first", well, I have news for you... THIS
is what learning looks like :-)
There's a saying I like: Experience is the number of mistakes you've
done so far.
You're asking for "safe and possibly reviewed configuration", I'm
sorry, but that doesn't really mean anything in practice unless you
have an army of experts to support you. It's just words that sound
nice. Even with all the wonderful people here and all the help I got,
when I shared my configuration, I barely got commentary on my
configuration, and when I asked further I got your email asking me to
"learn". It didn't take more than one email admitting my ignorance to
start getting requests to shutdown my server (which I had already
done), instead of providing more information. That's not odd, it's
just human nature, which leads to where we are right now. Please don't
misunderstand what I'm saying, I'm in NO WAY entitled to anything, and
I'm already very grateful for everything I learned here, but please be
realistic in what you're asking for. I'm trying to make the best of
the current situation.
Thank you all, lovely people. I wanna emphasize that I'm learning from
every email I'm reading here.
Best regards,
Sam
Sam,
So it appears that there is some understanding, but what I am saying is
- what other people have also written in different words - is that you
are using a rather complex setup.
Containerization with its isolation may serve some purposes, but
requires extra attention - and unless I missed something in the entire
thread, you have not written any pondering of your docker networks
either, starting from <https://docs.docker.com/network/> and selecting
the right one.
I am wondering if I should ask whether you have a CI pipeline set up
that allows you to exchange the base image with a flick of your finger
and reliably rebuild your containers, if some system component (think
libc or your TLS stack) needs updates.
Ooops. That was a pretty loud thought that slipped through my fingers
and keyboard into the world.
Regarding setting up testing, it's easy enough to create another local
network (formerly called alias addressers) on your container host, and
route it to your container host explicitly, and from there route it back
explicitly without making the container host part of that subnet, to
create the illusion of an external host.
We have also had VMs and multi-homed hosts for ages, and relay attacks
have also been known for a quarter of a century and are well-understood.
What I seem to be saying is that if you pick a complex setup, there are
many more components you need to learn, and not only individually, but
also their interactions and how to integrate them. That makes for much
more learning...
Cheers,
Matthias
