Postfix on 12.3: default listen interface and relay_domains

Hi,

I have some questions regarding Postfix 2.9.6-1.2.1.i586 which comes with openSUSE 12.3

  1. /etc/sysconfig has variable POSTFIX_LISTEN
# NOTE: If not set, LISTEN on all interfaces
POSTFIX_LISTEN=""

But it listens only on 127.0.0.1:


# netstat -at | grep smtp
tcp        0      0 localhost:smtp          *:*                     LISTEN  

Shouldn’t it listen on *:smtp as it is described in sysconfig?

  2. This is how Relay is described:
# The relay_domains parameter restricts what destinations this system will
# relay mail to.  See the smtpd_recipient_restrictions description in
# postconf(5) for detailed information.
#
# By default, Postfix relays mail
# - from "trusted" clients (IP address matches $mynetworks) to any destination,
# - from "untrusted" clients to destinations that match $relay_domains or
#   subdomains thereof, except addresses with sender-specified routing.
# The default relay_domains value is $mydestination.
# 
# In addition to the above, the Postfix SMTP server by default accepts mail
# that Postfix is final destination for:
# - destinations that match $inet_interfaces or $proxy_interfaces,
# - destinations that match $mydestination
# - destinations that match $virtual_alias_domains,
# - destinations that match $virtual_mailbox_domains.
# These destinations do not need to be listed in $relay_domains.

Right after installing, everything looks like it should deny mail which requires relay:

# postconf -d | grep "mydestination\|relay_domains"
fast_flush_domains = $relay_domains
mydestination = $myhostname, localhost.$mydomain, localhost
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps $alias_maps
relay_domains = $mydestination
relay_domains_reject_code = 554

But I do a test:

# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 extsmtp.test.lan ESMTP
HELO extsmtp
250 extsmtp.test.lan
MAIL FROM:<hacker@external.lan>
250 2.1.0 Ok
RCPT TO:<victim@nonexisting.lan>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Spam goes here
.
250 2.0.0 Ok: queued as CCA1F203FC
QUIT
221 2.0.0 Bye
Connection closed by foreign host.

In this test I used nonexisting names, which belong neither to trusted/untrusted nor to $mydestination. Why is it accepting such mail? Why doesn’t it generate a “Relay denied” error?

Thanks for any comments

On 2013-03-14 12:16, tosiara wrote:
>
> Hi,
>
> I have some questions regarding Postfix 2.9.6-1.2.1.i586 which comes
> with openSUSE 12.3
>
> 1. /etc/sysconfig has variable POSTFIX_LISTEN

You have to run “something” to apply changes there. Previously it was
SuSEconfig, but now they have separated it into different scripts. There
is one for postfix, I forget where. Perhaps the release notes say where.


Cheers / Saludos,

Carlos E. R.
(from 11.4, with Evergreen, x86_64 “Celadon” (Minas Tirith))

When Postfix or Sendmail is installed, the default configuration is to allow <only> from Localhost without any consideration for names and domains. Everything else is denied.

So on initial installation, mail relaying is considered “locked down” with maximum flexibility for the local User. Beware making changes, that is when you can make a mistake and become an Open Relay.

HTH,
TSU

Ok, solved by manually modifying main.cf (after that sysconfig stops serving postfix configuration):

  1. inet_interfaces (set to all)
  2. smtpd_recipient_restrictions (restrict to local domain only)
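
Added example (not part of any post in this thread, and not Postfix's own code): a small Python model of the default relay rules quoted from main.cf above, showing what a given client address and recipient domain should get. The hostname and relay values come from the thread's output; the mynetworks list and the external client address are assumptions, and virtual domains and sender-specified routing are ignored.

```python
import ipaddress

# Values taken from the thread's SMTP banner and postconf output.
MYHOSTNAME = "extsmtp.test.lan"
MYDOMAIN = "test.lan"
MYDESTINATION = [MYHOSTNAME, "localhost." + MYDOMAIN, "localhost"]
RELAY_DOMAINS = list(MYDESTINATION)      # relay_domains = $mydestination
RELAY_REJECT_CODE = 554                  # relay_domains_reject_code = 554

# Assumption: mynetworks is not shown in the thread. Loopback is part of
# the built-in default; 192.0.2.0/24 is a constructed sample LAN range.
MYNETWORKS = ["127.0.0.0/8", "192.0.2.0/24"]


def is_trusted(client_ip, mynetworks=MYNETWORKS):
    """True when the client address matches $mynetworks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in mynetworks)


def matches_relay_domain(domain, relay_domains=RELAY_DOMAINS):
    """relay_domains matches a listed domain or any subdomain of it
    (relay_domains appears in parent_domain_matches_subdomains)."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in relay_domains)


def recipient_decision(client_ip, rcpt_domain):
    """Return (action, reason) for one RCPT TO under the default policy."""
    if is_trusted(client_ip):
        return ("permit", "client in $mynetworks")
    if rcpt_domain.lower().rstrip(".") in MYDESTINATION:
        return ("permit", "final destination")
    if matches_relay_domain(rcpt_domain):
        return ("permit", "matches $relay_domains")
    return ("reject", str(RELAY_REJECT_CODE))


if __name__ == "__main__":
    # Constructed cases: the thread's localhost test, then the same
    # recipient from an outside address (203.0.113.7 is a sample).
    for ip, dom in [("127.0.0.1", "nonexisting.lan"),
                    ("203.0.113.7", "nonexisting.lan"),
                    ("203.0.113.7", "extsmtp.test.lan")]:
        print(ip, dom, recipient_decision(ip, dom))
```

A relay test is only meaningful when run from an address outside $mynetworks; the model reports the localhost session as permitted for that reason alone.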