Re: [Cooker] ADSL + postfix default config = open relay?
Bruno Prior [EMAIL PROTECTED] writes:

> P.S. I just tried running the same postconf command as you on my main.cf.rpmnew. This gives mynetworks as 127.0.0.0/8, same as you, although mynetworks is commented out. The same command on my main.cf gives mynetworks of 127.0.0.0/8, 192.168.1.0/24, my.fixed.IP.address, whether or not mynetworks is commented out. The difference appears to be inet_interfaces, which is set to localhost in the rpmnew file, but is commented out (and therefore = all) in my actual main.cf. Maybe an older configuration, I don't know. I certainly haven't changed it in a long time - I didn't even think about this setting. Would it work as a mail server sending and receiving mail for a local network if inet_interfaces were set to localhost?

IMHO the safer rule of thumb is to put your modifications to main.cf at the end of the file, and when you upgrade it, use the .rpmnew file as a base, and copy your modifications at the end. Don't keep your old file. That way, you won't miss new default settings (those may even fix problems).

--
Guillaume Cottenceau - http://people.mandrakesoft.com/~gc/
Re: [Cooker] ADSL + postfix default config = open relay?
Luca Berra [EMAIL PROTECTED] writes:

> maybe we should change default postfix main.cf forcing mynetworks_style=host, so there would be two steps to open a relay
> 1) change inet_interfaces to be able to receive mail
> 2) set mynetworks (comments should advise to leave mynetworks_style alone)
> This makes sense, since there are people who don't want to relay mail, but might want to receive it.

I'd say it's nice. However, why is it using subnet by default? Maybe Wietse/others have good reasons for it? I'd prefer they back the change on their side - also, it's better for us to change only the lowest possible number of parameters, so that new users are less lost when setting up our package for their needs.

> Since we are speaking of postfix default setup, it seems that Wietse has strong feelings against chrooting postfix by default. Simon J. Mudd provided a script in his rpms to add/remove the chroot by user request. I personally never had a problem with chroots, but what is the feeling around here?

I speak as maintainer of postfix - however it's public knowledge that I don't know so much postfix after all :/. I'd say that chrooting is good for security, and it's generally a good option. People wanting more complex or problematic-with-chroot configs can normally easily remove it. It would help to know what are the strong feelings of Wietse.

--
Guillaume Cottenceau - http://people.mandrakesoft.com/~gc/
Re: [Cooker] ADSL + postfix default config = open relay?
On Thu, Oct 30, 2003 at 12:54:05PM +0100, Guillaume Cottenceau wrote:
> I'd say it's nice. However, why is it using subnet by default? Maybe Wietse/others have good reasons for it? I'd prefer they back the change on their side - also, it's better for us to change only the lowest possible number of parameters, so that new users are less lost when setting up our package for their needs.

I'll ask, but probably the reason is that postfix's target is real mail servers on a lan, not standalone systems.

> I'd say that chrooting is good for security, and it's generally a good option. People wanting more complex or problematic-with-chroot configs can normally easily remove it. It would help to know what are the strong feelings of Wietse.

look at this thread
http://archives.neohapsis.com/archives/postfix/2003-10/1590.html
especially Wietse's comments:
http://archives.neohapsis.com/archives/postfix/2003-10/1600.html
http://archives.neohapsis.com/archives/postfix/2003-10/1620.html
and Simon's
http://archives.neohapsis.com/archives/postfix/2003-10/1733.html

Though I believe Simon's script sucks :)
Postfix binaries chroot themselves after starting, so there should be no need to copy libraries they are linked to into the chroot. We should only need to copy libraries dlopen()-ed by those binaries and their requirements (if they are not already loaded by the binaries). With this I mean that only nss libraries should be needed (sasl plugins are loaded before chrooting).

L.

--
Luca Berra -- [EMAIL PROTECTED]
Communication Media Services S.r.l.
Re: [Cooker] ADSL + postfix default config = open relay?
On Thu, 30 Oct 2003 20:22, Luca Berra wrote:
> On Thu, Oct 30, 2003 at 12:54:05PM +0100, Guillaume Cottenceau wrote:
> > However, why is it using subnet by default?
>
> but probably the reason is that postfix's target is real mail servers on a lan, not standalone systems.

No, the reason is that on almost all broadband and dialup links that opens you to traffic from no more than your own lan, and your private point-to-point link to the ISP. With the arrangement previously described, most Windows machines would be completely legs-in-air and beckoning to the entire ISP (or at least that subnet) by default. Unwise.

Cheers; Leon
Re: [Cooker] ADSL + postfix default config = open relay?
On Tue, Oct 28, 2003 at 03:34:33AM +, Bruno Prior wrote:
> I took it that this was what was happening: postfix was adding the subnet that my ADSL IP address was on to the list of trusted hosts. Both mynetworks_style and mynetworks were commented out, as per (my) default postfix configuration. So the default values would be mynetworks_style = subnet and mynetworks = the various subnets that the local machine is in. This appears to be confirmed by the fact that specifying mynetworks = 192.168.1.0/24, 127.0.0.0/8, my.fixed.IP.address/32 seems to have stopped this happening.

urgh, how does your adsl work? are you bridged?
many adsl (including mine) use ppp, so the dialup interface is a /32.
Reading your mail it dawned on me that there are many providers that might bridge instead of using ppp (especially in residential area networks cabled in fiber).

> P.S. I just tried running the same postconf command as you on my main.cf.rpmnew. This gives mynetworks as 127.0.0.0/8, same as you, although mynetworks is commented out. The same command on my main.cf gives mynetworks of 127.0.0.0/8, 192.168.1.0/24, my.fixed.IP.address, whether or not mynetworks is commented out. The difference appears to be inet_interfaces, which is set to localhost in the rpmnew file, but is commented out (and therefore = all) in my actual main.cf. Maybe an older configuration, I don't know. I certainly haven't changed it in a long time - I didn't even think about this setting. Would it work as a mail server sending and receiving mail for a local network if inet_interfaces were set to localhost?

No, that's the point: mandrake postfix in default configuration does not allow receiving mail, so it would not allow you to forward mail coming from the local network.
Oh, this setting was added in mandrake 9.0 in case you wondered.

maybe we should change default postfix main.cf forcing mynetworks_style=host, so there would be two steps to open a relay
1) change inet_interfaces to be able to receive mail
2) set mynetworks (comments should advise to leave mynetworks_style alone)
This makes sense, since there are people who don't want to relay mail, but might want to receive it.

Regards,
L.

P.S.
Since we are speaking of postfix default setup, it seems that Wietse has strong feelings against chrooting postfix by default. Simon J. Mudd provided a script in his rpms to add/remove the chroot by user request. I personally never had a problem with chroots, but what is the feeling around here?

regards,
L.

--
Luca Berra -- [EMAIL PROTECTED]
Communication Media Services S.r.l.
Re: [Cooker] ADSL + postfix default config = open relay?
Luca Berra wrote:
| P.S.
| Since we are speaking of postfix default setup, it seems that Wietse has
| strong feelings against chrooting postfix by default. Simon J. Mudd
| provided a script in his rpms to add/remove the chroot by user request.
| I personally never had a problem with chroots, but what is the feeling
| around here?
|
| regards,
| L.

Chrooting tends to break SASL for example - if you use the database file, then postfix will look for it in the wrong place (chrooted directory instead of /etc/something). Not that it cannot be fixed, but anyway.

Jan

--
Jan Ciger
VRlab EPFL Switzerland
GPG public key : http://www.keyserver.net/
Re: [Cooker] ADSL + postfix default config = open relay?
[EMAIL PROTECTED] (Bruno Prior) writes:

> My ISP has just pointed out to me that I was running an open relay, which is highly embarrassing. I have been running postfix without causing a problem until I switched to an ADSL connection. The notes in postfix/main.cf seem to make it pretty clear what the problem is: my ISP's subnet had been added as a trusted subnet, as ADSL counts as a dialup connection, which meant that anyone on their network could relay through my mail server.
>
> Obviously, the fault is principally mine, for not being more careful when I set ADSL up - the information is all there if you look for it. But I was wondering how many people would look for it. Because, if you setup ADSL using drakconnect, you wouldn't have a clue you needed to edit main.cf to prevent this.
>
> Would it be a good idea to either enhance drakconnect to make this change automatically (if you could figure out a sensible way to deduce the appropriate list of trusted clients), or at least flag up a warning, to stop other people making this mistake?

Hi there,

This is FALSE. The default postfix configuration is bound to localhost. So if, for some reason, you bind your localhost to your external IP address, then your postfix is, indeed, acting as an open relay.

You might have misconfigured your network ...

cheers,

--
Florin
http://www.mandrakesoft.com
http://people.mandrakesoft.com/~florin/
Re: [Cooker] ADSL + postfix default config = open relay?
Luca Berra wrote:
> mandrake postfix in default configuration does not allow receiving mail, so it would not allow you to forward mail coming from the local network.
> Oh, this setting was added in mandrake 9.0 in case you wondered.

That probably explains it. Mine is probably a configuration file carried forward from pre-9.0.

> maybe we should change default postfix main.cf forcing mynetworks_style=host, so there would be two steps to open a relay
> 1) change inet_interfaces to be able to receive mail
> 2) set mynetworks (comments should advise to leave mynetworks_style alone)
> This makes sense, since there are people who don't want to relay mail, but might want to receive it.

Seems unnecessary if my problem has already been put right in newer default configurations.

Cheers,

Bruno
Re: [Cooker] ADSL + postfix default config = open relay?
On Tue, Oct 28, 2003 at 02:33:12PM +, Bruno Prior wrote:
> > maybe we should change default postfix main.cf forcing mynetworks_style=host, so there would be two steps to open a relay
> > 1) change inet_interfaces to be able to receive mail
> > 2) set mynetworks (comments should advise to leave mynetworks_style alone)
> > This makes sense, since there are people who don't want to relay mail, but might want to receive it.
>
> Seems unnecessary if my problem has already been put right in newer default configurations.

no, the default configuration disables postfix for the network; usually people that want to use postfix from the network change inet_interfaces. in your case it results in an open relay.

L.

--
Luca Berra -- [EMAIL PROTECTED]
Communication Media Services S.r.l.
Re: [Cooker] ADSL + postfix default config = open relay?
On Tue, Oct 28, 2003 at 02:34:46PM +0100, Florin wrote:
> [EMAIL PROTECTED] (Bruno Prior) writes:
> ...
> This is FALSE. The default postfix configuration is bound to localhost. So if, for some reason, you bind your localhost to your external IP address, then your postfix is, indeed, acting as an open relay.

his problem seems to be different.
IF your external IP is on a broadcast network
AND IF you change inet_interfaces
THEN you are an open relay

and i think we should prevent lusers shooting themselves if we can, see my previous post for a possible solution

L.

--
Luca Berra -- [EMAIL PROTECTED]
Communication Media Services S.r.l.
Re: [Cooker] ADSL + postfix default config = open relay?
On Tue, 28 Oct 2003 21:34, Florin wrote:
> This is FALSE. The default postfix configuration is bound to localhost.

He's obviously bound postfix to all local interfaces instead, and the nature of the DSL connection is such that the entire ISP (probably a single Class C within the ISP's collection of addresses) is considered local.

In Australia, it is normal for the link to the ISP to be P-t-P, so this would not happen, but perhaps an extra note in main.cf warning of this possibility is apropos? I would be more inclined to ask Wietse to do this than to make it a Mandrake-specific patch.

Cheers; Leon
[Cooker] ADSL + postfix default config = open relay?
My ISP has just pointed out to me that I was running an open relay, which is highly embarrassing. I have been running postfix without causing a problem until I switched to an ADSL connection. The notes in postfix/main.cf seem to make it pretty clear what the problem is: my ISP's subnet had been added as a trusted subnet, as ADSL counts as a dialup connection, which meant that anyone on their network could relay through my mail server.

Obviously, the fault is principally mine, for not being more careful when I set ADSL up - the information is all there if you look for it. But I was wondering how many people would look for it. Because, if you set up ADSL using drakconnect, you wouldn't have a clue you needed to edit main.cf to prevent this.

Would it be a good idea to either enhance drakconnect to make this change automatically (if you could figure out a sensible way to deduce the appropriate list of trusted clients), or at least flag up a warning, to stop other people making this mistake?

Cheers,

Bruno Prior
Re: [Cooker] ADSL + postfix default config = open relay?
Bruno Prior wrote:
> My ISP has just pointed out to me that I was running an open relay, which is highly embarrassing. I have been running postfix without causing a problem until I switched to an ADSL connection. The notes in postfix/main.cf seem to make it pretty clear what the problem is: my ISP's subnet had been added as a trusted subnet, as ADSL counts as a dialup connection, which meant that anyone on their network could relay through my mail server.

But, who added that?

> Obviously, the fault is principally mine, for not being more careful when I set ADSL up - the information is all there if you look for it. But I was wondering how many people would look for it. Because, if you setup ADSL using drakconnect, you wouldn't have a clue you needed to edit main.cf to prevent this.

drakconnect doesn't touch main.cf

> Would it be a good idea to either enhance drakconnect to make this change automatically (if you could figure out a sensible way to deduce the appropriate list of trusted clients), or at least flag up a warning, to stop other people making this mistake?

By default, the important postfix settings are:

$ cp /etc/postfix/main.cf.rpmnew /tmp/main.cf
$ /usr/sbin/postconf -c /tmp mynetworks inet_interfaces relay_domains mydestination
mynetworks = 127.0.0.0/8
inet_interfaces = localhost
relay_domains = $mydestination
mydestination = $myhostname, localhost.$mydomain

So, by default you shouldn't even be able to get a connection to postfix unless you have manually changed mynetworks, or used some tool which does so. drakconnect can't take responsibility for every single possible configuration that may depend on its settings. Ideally we need a configuration tool which can find such issues, but it's not drakconnect, and it needs to be very user friendly (and not do things automatically). But I don't think this is your problem.

Maybe if you can try and find out what had changed any of the important settings, we can take a look, but I don't see how either the default postfix config or drakconnect are responsible.

Regards,
Buchan

--
|--Another happy Mandrake Club member--|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering     http://www.cae.co.za
GPG Key                     http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
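Luca's rule earlier in the thread (external IP on a broadcast network AND inet_interfaces changed from localhost THEN open relay) can be checked mechanically against the kind of postconf output Buchan shows. The shell check below is an added example, not code from this thread, from Mandrake or from Postfix; it assumes postconf-style "name = value" lines on stdin (e.g. from `postconf inet_interfaces mynetworks`), and both sample configurations in it are constructed (203.0.113.0/24 is documentation address space standing in for an ISP subnet).

```shell
# Return 0 if a mynetworks entry is loopback, an RFC1918 private range or a
# single host, 1 if it is a wider range (e.g. an ISP subnet).
is_private_or_host() {
    case "$1" in
        127.*)                                  return 0 ;;
        10.*|192.168.*)                         return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;
        */32)                                   return 0 ;;  # explicit single host
        */*)                                    return 1 ;;  # any other prefix length
        *)                                      return 0 ;;  # bare address = one host
    esac
}

# Read postconf-style "name = value" lines on stdin. Print each trusted range
# that is neither private nor a single host; return 1 if any, else 0.
check_relay_risk() {
    inet_if=localhost
    nets=""
    while IFS= read -r line; do
        name=${line%%=*};  name=${name% }
        value=${line#*=};  value=${value# }
        case "$name" in
            inet_interfaces) inet_if=$value ;;
            mynetworks)      nets=$value ;;
        esac
    done
    # Loopback-only smtpd (the Mandrake 9.0+ default quoted in the thread):
    # remote clients cannot connect at all, so the trusted list is moot.
    case "$inet_if" in
        localhost|127.0.0.1) return 0 ;;
    esac
    rc=0
    for n in $(printf '%s' "$nets" | tr ',' ' '); do
        if ! is_private_or_host "$n"; then
            echo "RISK: inet_interfaces=$inet_if and every host in $n may relay through you"
            rc=1
        fi
    done
    return $rc
}

# Constructed samples (not real output). The first is the default shown in
# the thread; the second a box listening on all interfaces whose bridged ADSL
# link put it on an ISP /24 (203.0.113.0/24 is a documentation placeholder).
SAMPLE_DEFAULT='inet_interfaces = localhost
mynetworks = 127.0.0.0/8'
SAMPLE_BRIDGED='inet_interfaces = all
mynetworks = 127.0.0.0/8, 192.168.1.0/24, 203.0.113.0/24'

if printf '%s\n' "$SAMPLE_BRIDGED" | check_relay_risk; then
    echo "no relay risk found"
else
    echo "fix: set inet_interfaces = localhost, or list trusted hosts in mynetworks by hand"
fi
```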
Re: [Cooker] ADSL + postfix default config = open relay?
Buchan,

Maybe I got the wrong end of the stick, but I thought the relevant notes in main.cf were:

# TRUST AND RELAY CONTROL
# The mynetworks parameter specifies the list of trusted SMTP
# clients that have more privileges than strangers.
#
# In particular, trusted SMTP clients are allowed to relay mail
# through Postfix. See the smtpd_recipient_restrictions parameter
# in file sample-smtpd.cf.
#
# You can specify the list of trusted network addresses by hand
# or you can let Postfix do it for you (which is the default).
#
# By default (mynetworks_style = subnet), Postfix trusts SMTP
# clients in the same IP subnetworks as the local machine.
# On Linux, this does works correctly only with interfaces specified
# with the ifconfig command.
#
# Specify mynetworks_style = class when Postfix should trust SMTP
# clients in the same IP class A/B/C networks as the local machine.
# Don't do this with a dialup site - it would cause Postfix to trust
# your entire provider's network. Instead, specify an explicit
# mynetworks list by hand, as described below.

I took it that this was what was happening: postfix was adding the subnet that my ADSL IP address was on to the list of trusted hosts. Both mynetworks_style and mynetworks were commented out, as per (my) default postfix configuration. So the default values would be mynetworks_style = subnet and mynetworks = the various subnets that the local machine is in. This appears to be confirmed by the fact that specifying mynetworks = 192.168.1.0/24, 127.0.0.0/8, my.fixed.IP.address/32 seems to have stopped this happening.

> > my ISP's subnet had been added as a trusted subnet, as ADSL counts as a dialup connection, which meant that anyone on their network could relay through my mail server.
>
> But, who added that?

As above, I didn't change anything in main.cf. The act of configuring ADSL added the ppp0 device, and postfix looks at this information (provided by ifconfig) and deduces the local subnets. So adding the ADSL connection appears to have turned postfix into an open relay without changing anything in postfix's configuration.

> drakconnect doesn't touch main.cf

Agreed. But if it doesn't, and postfix is behaving the way the notes in main.cf describe, then setting up the ADSL connection via drakconnect turns an existing default postfix configuration into an open relay (open is probably too strong a word, as it is not open generally, but just to anyone on the ISP's subnet, but that's still quite a lot of spammers, by the looks of things).

> By default, the important postfix settings are:
>
> $ cp /etc/postfix/main.cf.rpmnew /tmp/main.cf
> $ /usr/sbin/postconf -c /tmp mynetworks inet_interfaces relay_domains mydestination
> mynetworks = 127.0.0.0/8
> inet_interfaces = localhost
> relay_domains = $mydestination
> mydestination = $myhostname, localhost.$mydomain

Maybe my main.cf is out-of-date, then, but it definitely does not have mynetworks = 127.0.0.0/8 as the default. To quote the notes embedded in the file again:

# You can specify the list of trusted network addresses by hand
# or you can let Postfix do it for you (which is the default).

And this does make more sense, to allow for the mail server to serve more than just the local machine, if you have a small local network. It just turns out to be risky if you set up ADSL.

> So, by default you shouldn't even be able to get a connection to postfix unless you have manually changed mynetworks, or used some tool which does so. drakconnect can't take responsibility for every single possible configuration that may depend on its settings.

Again, agreed, if that is your default configuration for postfix. Admittedly, I did an upgrade from 9.1 to 9.2RC2, rather than a fresh install, but I just checked the main.cf.rpmnew that was created when I upgraded, and it also has the settings I describe above, rather than the ones you describe. Weird, huh?

> Ideally we need a configuration tool which can find such issues, but it's not drakconnect, and it needs to be very user friendly (and not do things automatically). But I don't think this is your problem.

I agree that it may be too difficult for a program to deduce the appropriate settings automatically. But a warning in drakconnect at the end of the ADSL configuration process might be sensible, if there are more people than me out there with my version of the default postfix configuration file.

> Maybe if you can try and find out what had changed any of the important settings, we can take a look, but I don't see how either the default postfix config or drakconnect are responsible.

As I say, mynetworks_style and mynetworks were commented out, which is as I have always understood their default state to be. Maybe the default has changed and I have an old default configuration, but that doesn't explain the matching rpmnew file. Could it be that some other part of the installation configuration process modifies main.cf and that this step got missed out on my machine? I am