[personal profile] azekeil
Not sure who has seen this problem, but on Fedora Core 5 at least, Postfix in its default configuration allows relaying from every subnet the machine has an interface on, which includes your ISP's public subnet if the machine is connected directly to the internet. This is not obvious, because external open-relay tests are run from outside that subnet and so will not reveal the misconfiguration.

I discovered this after Postfix had crashed under the weight of spam a machine on my ISP's local subnet was sending through me.

The fix is to change mynetworks_style from the default of subnet to host. You do use authenticated sending only, right? (Check that smtpd_recipient_restrictions includes permit_sasl_authenticated and not a lot else.)

I debugged this and was up to 2am last night clearing up after the mess.
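To make the mynetworks_style point concrete, here is an added example (mine, not from the post or from Postfix) that reads a constructed main.cf, works out which networks permit_mynetworks would trust under the subnet default versus host, and counts how many addresses could relay without authenticating. The config text, the interface list and the hostname are all constructed sample values.

```python
import ipaddress

# Constructed sample main.cf, modelled on an install that never sets
# mynetworks_style, so the application default applies.
SAMPLE_MAIN_CF = """
myhostname = mail.example.test
inet_interfaces = all
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
"""

# Constructed sample interfaces: loopback plus a public address on an ISP's /22,
# the bridged-cable situation described in the comments.
SAMPLE_INTERFACES = ["127.0.0.1/8", "203.0.113.57/22"]

def parse_main_cf(text):
    """Minimal main.cf reader: 'key = value' lines; comments and blanks ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def effective_mynetworks(cfg, interfaces):
    """Networks permit_mynetworks will trust. An explicit mynetworks overrides the
    style; an unset style means 'subnet', the Postfix 2.x default the post describes."""
    if "mynetworks" in cfg:
        return cfg["mynetworks"].replace(",", " ").split()
    style = cfg.get("mynetworks_style", "subnet")
    nets = []
    for cidr in interfaces:
        iface = ipaddress.ip_interface(cidr)
        if style == "host":
            nets.append(f"{iface.ip}/32")          # only this machine's own address
        else:                                     # subnet: the whole attached network
            nets.append(str(iface.network))
    return nets

def relay_findings(cfg, interfaces):
    """Summarise the exposure the post's fix is about: who may relay unauthenticated."""
    restrictions = [r.strip() for r in cfg.get("smtpd_recipient_restrictions", "").split(",")]
    nets = effective_mynetworks(cfg, interfaces)
    return {
        "mynetworks_style": cfg.get("mynetworks_style", "subnet (default)"),
        "mynetworks": nets,
        "unauthenticated_relay_addresses": sum(ipaddress.ip_network(n).num_addresses for n in nets),
        "permit_mynetworks_active": "permit_mynetworks" in restrictions,
        "sasl_permitted": "permit_sasl_authenticated" in restrictions,
    }
```

Running relay_findings on the sample as shipped trusts the entire 203.0.112.0/22 (over a thousand ISP customers); with mynetworks_style = host only the two interface addresses remain.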

Date: 2008-04-09 09:25 am (UTC)
From: [identity profile] the-magician.livejournal.com
Thank you! That all looks terribly useful and all that ...

... however I don't understand more than every 2nd word :-)

And as someone that has fretted for a couple of years now about setting up a Linux box as a mailserver/fileserver/webserver (local and out to the world) because I have no real idea of what security holes I might leave open, this is probably useful but very worrying at the same time ...

... eek!

Date: 2008-04-09 09:27 am (UTC)
From: [identity profile] azekeil.livejournal.com
Heh. It's not all that hard, you just need to ensure you have enough time to check over configurations. Most things should provide sane defaults; this was one instance that didn't.

Date: 2008-04-09 09:44 am (UTC)
From: [identity profile] theeighth.livejournal.com
wow.
That's a gurt big craphole of a security flaw.

Just checked my linux machines at work, but I was ok, as I only had postfix on one machine (I tend to prefer sendmail... )

Date: 2008-04-09 09:55 am (UTC)
From: [identity profile] azekeil.livejournal.com
Tell me about it.

Date: 2008-04-09 10:39 am (UTC)
From: [identity profile] samoth.livejournal.com
You *prefer* sendmail? Well there had to be someone still using it I guess...

Date: 2008-04-09 10:55 am (UTC)
From: [identity profile] theeighth.livejournal.com
Heheh. I think it's one of those things where you prefer what you're most familiar with, and one of the jobs that I had to do in the past involved weeks and weeks of fixing someone else's stupid mistakes in sendmail doing sendmail support stuff. So when it comes time to doing mail stuff, I normally know that off the top of my head :D

Date: 2008-04-10 11:57 am (UTC)
From: [identity profile] thespirit3.livejournal.com
I was always pro-sendmail, but here we're using Exim and I must admit it's a pleasure to work with. I guess I only stuck to sendmail due to the familiarity too ...

Date: 2008-04-09 10:02 am (UTC)
From: [personal profile] diffrentcolours
I'm slightly confused as to what kind of idiot ISP would have a subnet of public IPs and allow them to talk to each other.

Date: 2008-04-09 10:08 am (UTC)
From: [identity profile] azekeil.livejournal.com
Erm, because they're public, therefore by definition they should be able to talk to each other?

Date: 2008-04-09 10:42 am (UTC)
From: [identity profile] samoth.livejournal.com
No, that's still a weird thing to do, although it does become clearer if you're on cable and just being bridged onto a big subnet. Personally I think that's a stupid way for the ISP to configure things.

The postfix default is perfectly sensible for most sane networks; it just doesn't match your particular setup well - but then this is why one reads the configs and doesn't leave things on the defaults, right? :)

(I tend to be fairly fascist with my mailservers, they're lucky if I let anyone relay anything through them ever :))

Date: 2008-04-09 10:49 am (UTC)
From: [identity profile] azekeil.livejournal.com
Yes, I know, PEBKAC, RTFM, etc.

Perhaps ISPs should have each node on its own subnet; there are probably some reasons why this is not suitable, but even so.

My argument is that most sane mail programs have sensible defaults - I'm not sure relaying from ALL subnets is a sensible default, regardless of the environment the server is provisioned in.

Date: 2008-04-09 12:36 pm (UTC)
From: [identity profile] samoth.livejournal.com
Bear in mind that the majority of home ISP customers don't run their own mail servers, so this probably isn't something that's a 'typical' default setup for people.

For corporate internet mail servers then the network is liable to be set up in a way that there isn't a big untrusted subnet that you're connected to like this. For most non-cable xDSL type ISPs, your public address is normally a /30 or similar, not a big subnet.

I'm also not sure if what you've got there is a *postfix* default, or a Fedora default, since most distros seem to fiddle with the config files to some extent.

I'd personally be happier with a default of 'trust no-one', but I suspect that distros then have to deal with a million idiot users going 'why can't I send mail at all from my machine' etc :)

Date: 2008-04-09 12:40 pm (UTC)
From: [identity profile] azekeil.livejournal.com
It is an application default if it is left unspecified in the config.

I have joined the postfix development mailing list and put across my point. </me dons flameproof boilersuit>

Date: 2008-04-09 02:16 pm (UTC)
From: [identity profile] samoth.livejournal.com
Hehehe, that'll be fun, be interested to know what their opinion is!

Date: 2008-04-09 07:05 pm (UTC)
From: [identity profile] meltie.livejournal.com
That's incredibly brave!

Date: 2008-04-09 07:07 pm (UTC)
From: [identity profile] azekeil.livejournal.com
No, just responsible. My broadband provider sent me a letter telling me about the problem. I've just filled in an email form detailing the problem in the hopes they'll be able to provide better support to their customers in the future.

Date: 2008-04-09 07:09 pm (UTC)
From: [identity profile] meltie.livejournal.com
Wow, unexpectedly fair play on V's part there.

Date: 2008-04-09 07:10 pm (UTC)
From: [identity profile] azekeil.livejournal.com
Well, to be fair, they did threaten to cut me off if I didn't do anything about it. But I fixed the problem before the letter arrived.

The letter did offer some advice on how to combat the problem if you're using Windows... the only OS they support.

Date: 2008-04-09 10:26 am (UTC)
From: [personal profile] gerald_duck
A lot of cable modems are in reality Ethernet bridges between the cable company's metropolitan-area network and a port for your computer or router. You get an IP address on the cable company's subnet. If you're lucky they've set things up so your neighbour can't impersonate your IP address when they download their kiddy porn.

Date: 2008-04-09 10:41 am (UTC)
From: [identity profile] azekeil.livejournal.com
I would try that to see if I was vulnerable, if the penalty for being discovered wasn't more severe than I am willing to entertain.

Date: 2008-04-09 07:06 pm (UTC)
From: [identity profile] meltie.livejournal.com
Whoops.

Date: 2008-04-09 07:07 pm (UTC)
From: [identity profile] azekeil.livejournal.com
Yeah. Ah well.
