Bug#895238: postfix: consider changing the default mailer type to "Local only" instead of "Internet site"

2018-04-08 Thread Raphaël Halimi
On 08/04/2018 at 20:26, Scott Kitterman wrote:
> Your example isn't relevant to Debian.  In Ubuntu, Postfix is the
> default MTA.  In Debian, it's not.  If a non-default MTA is being
> pulled in by a package that only needs a generic MTA, then it's buggy
> and should be fixed.

Ah, sorry, I don't use Ubuntu, so I didn't know.

Feel free to close the bug then, if you think it's not relevant.

Regards,

-- 
Raphaël Halimi



Bug#895238: postfix: consider changing the default mailer type to "Local only" instead of "Internet site"

2018-04-08 Thread Scott Kitterman


On April 8, 2018 5:41:37 PM UTC, "Raphaël Halimi" wrote:
>Package: postfix
>Version: 3.3.0-1
>Severity: wishlist
>
>Hi,
>
>I report this bug following my own advice in [1].
>
>I have set the severity to wishlist, but from a security point of view,
>it could be considered much higher.
>
>The default Postfix configuration, when keeping the default debconf
>answers, listens on all network interfaces. Unlike what's said in
>#418511, this doesn't make it an open relay though, since mynetworks is
>restricted to localhost. Nevertheless, OP in [1] is IMHO quite right,
>this is still a "network-exposed attack surface".
>
>My rationale is: until Stretch, the "standard" installation comprised
>exim4-daemon-light, which fulfilled all dependencies on the
>"mail-transport-agent" virtual package, which in turn implied that
>users installing Postfix did so manually, and knew what they were
>doing.
>
>Unfortunately, from Stretch onward, now that no MTA is present in the
>standard installation, some dependency chains can end up installing a
>random MTA "unexpectedly" (I put quotes around "unexpectedly", because
>one should always carefully read the list of installed dependencies
>when installing a package, but we all know that users are not always
>that careful).
>
>IMHO it would be wise to change the default answer to the debconf
>question "postfix/main_mailer_type" to "Local only" instead of
>"Internet site", in order to limit the security risk in case Postfix
>was installed "unexpectedly" due to an overlooked dependency chain.
>
>[1] https://bugs.launchpad.net/debian/+source/tlp/+bug/1758798
>
>Regards,

Your example isn't relevant to Debian.  In Ubuntu, Postfix is the default MTA.  
In Debian, it's not.  If a non-default MTA is being pulled in by a package that 
only needs a generic MTA, then it's buggy and should be fixed.

Scott K



Bug#895238: postfix: consider changing the default mailer type to "Local only" instead of "Internet site"

2018-04-08 Thread Raphaël Halimi
Package: postfix
Version: 3.3.0-1
Severity: wishlist

Hi,

I report this bug following my own advice in [1].

I have set the severity to wishlist, but from a security point of view,
it could be considered much higher.

The default Postfix configuration, when keeping the default debconf
answers, listens on all network interfaces. Unlike what's said in
#418511, this doesn't make it an open relay though, since mynetworks is
restricted to localhost. Nevertheless, OP in [1] is IMHO quite right,
this is still a "network-exposed attack surface".

My rationale is: until Stretch, the "standard" installation comprised
exim4-daemon-light, which fulfilled all dependencies on the
"mail-transport-agent" virtual package, which in turn implied that
users installing Postfix did so manually, and knew what they were doing.

Unfortunately, from Stretch onward, now that no MTA is present in the
standard installation, some dependency chains can end up installing a
random MTA "unexpectedly" (I put quotes around "unexpectedly", because
one should always carefully read the list of installed dependencies when
installing a package, but we all know that users are not always that
careful).

IMHO it would be wise to change the default answer to the debconf
question "postfix/main_mailer_type" to "Local only" instead of "Internet
site", in order to limit the security risk in case Postfix was installed
"unexpectedly" due to an overlooked dependency chain.

[1] https://bugs.launchpad.net/debian/+source/tlp/+bug/1758798

Regards,

-- 
Raphaël Halimi
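An added example, not part of the bug report or of the Debian postfix package: a shell check that classifies a host's exposure from a saved copy of `postconf -n` output (does Postfix listen beyond loopback, and does `mynetworks` admit any non-loopback sender?), plus the preseed line that makes the debconf answer "Local only" before the package is installed. The function names, the result strings and the sample configuration are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the bug report): classify how network-exposed a
# Postfix instance is from "postconf -n"-style output, and emit the debconf
# preseed line that selects "Local only" before the package is ever installed.

# Prints "local-only" when Postfix listens on loopback only,
# "listener:relay-restricted" when it listens on all interfaces but
# mynetworks admits only loopback senders (the "Internet site" situation the
# report describes), or "listener:relay-for:<net>" when a non-loopback
# network may relay through it.
postfix_exposure() {
    cfg="$1"   # file with "key = value" lines, as written by "postconf -n > file"
    inet=$(sed -n 's/^inet_interfaces[[:space:]]*=[[:space:]]*//p' "$cfg")
    nets=$(sed -n 's/^mynetworks[[:space:]]*=[[:space:]]*//p' "$cfg")
    [ -z "$inet" ] && inet=all          # Postfix's built-in default is "all"
    listens=no
    for addr in $(printf '%s' "$inet" | tr ',' ' '); do
        case "$addr" in
            loopback-only|127.*|::1|"[::1]") ;;   # loopback forms only
            *) listens=yes ;;                      # "all" or a routable address
        esac
    done
    if [ "$listens" = no ]; then
        echo local-only
        return 0
    fi
    # Listening on the network: relaying for outsiders needs a non-loopback
    # entry in mynetworks, so check every entry.
    for net in $nets; do
        case "$net" in
            127.*|"[::1]"*|"[::ffff:127."*) ;;
            *) echo "listener:relay-for:$net"; return 0 ;;
        esac
    done
    echo listener:relay-restricted
}

# The preseed answer for a later "apt-get install postfix"; pipe it into
# "debconf-set-selections" on the target host.
preseed_local_only() {
    echo 'postfix postfix/main_mailer_type select Local only'
}

# Demo on a constructed snapshot of an "Internet site" configuration.
sample=$(mktemp)
printf '%s\n' 'inet_interfaces = all' \
    'mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128' > "$sample"
postfix_exposure "$sample"     # prints: listener:relay-restricted
preseed_local_only
rm -f "$sample"
```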