LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 05-19-2008, 03:56 PM   #1
musical_spirit
LQ Newbie
 
Registered: May 2008
Posts: 4

Rep: Reputation: 0
How to: POSTFIX disable relay / forwarding (mail security) redhat 5.1


Thanks in advance! (Redhat Enterprise 5.1, new installation.)

I am seeking the full sequence of edits to main.cf and/or other files to disable the relay of all mail through my postfix installation. Please consider me a rank novice in need of all the details, except that I have no trouble editing files in emacs or vi.

I am also seeking pointers to software that will allow me to test for security holes in the mail service, specifically spam forwarding.

I work in an environment that is generally hostile to unix, but I prefer to work under unix as long as possible. Understandably our systems people are VERY concerned that spam will be routed through my box. I am faced with either shutting down mail service and losing all the mail from around the world to email addresses I have used for ten years+, or getting the security problems solved.

I want to get simple mail to and from the outside world and my local box for a small set of local users. Every other feature should be disabled.

Unfortunately, it seems I may not have been able to stop the routing of email to the local subnet, and I am not even certain if this is what I want to do, or all that I need to do.

Postfix was installed FOR me (I believe "straight out of the box"), and I have only used sendmail before. Now after it was installed, I am getting complaints that...

"Your server is mis-configured to allow anyone from within [our subnet] to use you as an open relay and freely send e-mail messages (the number one reason we do not allow users to run their own mail server). Please close this and allow only the localhost to do so as this can greatly facilitate spamming and other security issues."



Among other things, here is what I have attempted...

In main.cf I have set the following, then reloaded postfix, and also stopped/started postfix:

mynetworks_style = host

The change seems to have taken hold:

> /usr/sbin/postconf | grep style
/usr/sbin/postconf | grep style
mynetworks_style = host
>

I am not sure whether this is what I am after, however.

Any step-by-step tips to locking down this mail service will be most appreciated!

-MS



Notes:

Here are other settings that might be relevant:

inet_interfaces = all
proxy_interfaces =
mydestination = $myhostname, localhost.$mydomain, localhost
virtual_alias_domains = $virtual_alias_maps
virtual_alias_maps = $virtual_maps
(No listing for virtual_maps)
virtual_mailbox_domains = $virtual_mailbox_maps
virtual_mailbox_maps =
 
Old 05-19-2008, 10:57 PM   #2
blacky_5251
Member
 
Registered: Oct 2004
Location: Adelaide Hills, South Australia
Distribution: RHEL 4&5, Fedora 10, CentOS 5.4, IPCop
Posts: 569

Rep: Reputation: 55
Hi,

I've just gone through this process on my own Postfix server and locked it down (hopefully) to require TLS or SSL (depending on the email client) for sending and receiving emails. I'm using Dovecot IMAP server (IMAPS only) so maybe some of my settings aren't what you need (Dovecot is the default for RHEL 5.1 so it should be OK).

Anyway, here's what I did.

Generate a certificate (if you don't already have one) for Dovecot and Postfix to share. Go to /etc/pki/tls/certs and run "make" to create your certificate. Visit http://wiki.dovecot.org/SSL to learn how to create your own certificate.

Changes to main.cf:-
Code:
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
   reject_rbl_client zen.spamhaus.org,
   reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net,
   reject_rbl_client list.dsbl.org, reject_rbl_client dnsbl.njabl.org,
   reject_rbl_client dnsbl.sorbs.net, permit
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous noplaintext
smtpd_tls_cert_file = /etc/pki/tls/certs/dovecot.pem
smtpd_use_tls = yes
broken_sasl_auth_clients = yes
You'll see here changes to smtpd_client_restrictions which permit local and sasl authenticated users, and reject spam using several dsbl servers. Using saslauthd for authentication requires you to create the sasl user database and contents using "saslpasswd2". Other readers may have better alternatives to this.

Commands to start saslauthd and make sure it starts at boot time are:-
Code:
chkconfig saslauthd on
service saslauthd start
Changes to master.cf (added after the existing smtp line):-
Code:
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_security_options=noanonymous
This opens port 465 for Outlook & Outlook Express users to use, because these email clients prefer wrapped SSL rather than TLS. It also removes the noplaintext limitation imposed on port 25 in main.cf.

I hope I've not left anything out, but I can confirm that my server is working well using secure connections. I've tested it using Outlook, Outlook Express and Thunderbird email clients (Win & Linux). Outlook needs to use port 465 for sending emails, because it refused to play by the "noplaintext" rules I set for port 25. This was the whole reason for the changes to master.cf and running smtps without the noplaintext setting. Thunderbird seems happy to use either port.
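The settings in the post above can be checked mechanically. The following is an added example, not code from the poster or from the Postfix project: it parses main.cf syntax (including continuation lines) and reports the relay-relevant weaknesses discussed in this thread, namely an over-broad mynetworks or mynetworks_style, a missing or unreachable reject_unauth_destination, and SASL options that would let anonymous or cleartext logins count as "authenticated". The two main.cf fragments are constructed for the example; the defaults it assumes (mynetworks_style = subnet, smtpd_sasl_security_options = noanonymous, smtpd_use_tls = no) are the documented Postfix defaults, and it assumes the pre-2.10 layout shown here where reject_unauth_destination lives in smtpd_recipient_restrictions.

```python
import ipaddress
import re

# Constructed main.cf fragments used as sample input (not copied from any real server).
WEAK_MAIN_CF = """\
# mynetworks is unset, so Postfix falls back to mynetworks_style (default: subnet)
inet_interfaces = all
mynetworks_style = subnet
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noplaintext
smtpd_use_tls = no
"""

HARDENED_MAIN_CF = """\
inet_interfaces = all
mynetworks = 127.0.0.0/8, [::1]/128
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_use_tls = yes
"""


def parse_main_cf(text):
    """Parse main.cf syntax: 'key = value', continuation lines that start with
    whitespace, '#' comments and blank lines ignored. Later keys override earlier ones."""
    params = {}
    key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key is not None:
            params[key] += " " + raw.strip()
            continue
        k, _, v = raw.partition("=")
        key = k.strip()
        params[key] = v.strip()
    return params


def split_list(value):
    """Postfix accepts commas and/or whitespace as list separators."""
    return [t for t in re.split(r"[,\s]+", value) if t]


def audit_relay_settings(text):
    """Return a list of findings describing relay-related weaknesses in a main.cf."""
    p = parse_main_cf(text)
    findings = []

    # 1. Who may relay without authenticating: the mynetworks set.
    #    An explicit mynetworks overrides mynetworks_style.
    explicit = split_list(p.get("mynetworks", ""))
    if explicit:
        for token in explicit:
            try:  # Postfix writes IPv6 blocks as [::1]/128; ipaddress wants ::1/128
                net = ipaddress.ip_network(token.replace("[", "").replace("]", ""), strict=False)
            except ValueError:
                findings.append(f"mynetworks entry {token!r} is not a CIDR block; check it by hand")
                continue
            if not net.is_loopback:
                findings.append(f"mynetworks lets {net} relay without authentication")
    else:
        style = p.get("mynetworks_style", "subnet")  # documented Postfix default
        if style != "host":
            findings.append(f"mynetworks_style = {style} lets hosts other than this one relay")

    # 2. The restriction that actually refuses mail for foreign domains.
    #    Assumes the pre-2.10 layout from this thread (smtpd_recipient_restrictions);
    #    Postfix 2.10+ may also carry it in smtpd_relay_restrictions.
    recip = split_list(p.get("smtpd_recipient_restrictions", ""))
    relay = split_list(p.get("smtpd_relay_restrictions", ""))
    if not {"reject_unauth_destination", "defer_unauth_destination"} & set(recip + relay):
        findings.append("no reject_unauth_destination in recipient restrictions: open relay")
    elif ("permit" in recip and "reject_unauth_destination" in recip
          and recip.index("permit") < recip.index("reject_unauth_destination")):
        findings.append("a bare 'permit' precedes reject_unauth_destination: the reject never runs")

    # 3. SASL: anonymous or cleartext mechanisms weaken permit_sasl_authenticated.
    if p.get("smtpd_sasl_auth_enable", "no") == "yes":
        opts = split_list(p.get("smtpd_sasl_security_options", "noanonymous"))
        if "noanonymous" not in opts:
            findings.append("smtpd_sasl_security_options lacks noanonymous: "
                            "anonymous logins count as authenticated")
        if p.get("smtpd_use_tls", "no") != "yes" and "noplaintext" not in opts:
            findings.append("plaintext SASL mechanisms offered without TLS: "
                            "passwords cross the wire in the clear")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(name, audit_relay_settings(cfg) or ["no findings"])
```

Run it against the output of `postconf -n` (which prints only the settings you changed, in the same key = value syntax) to see which of the thread's recommendations a server is still missing; the hardened fragment above produces no findings, the weak one flags the subnet-wide relay and the missing noanonymous option.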
 
Old 05-19-2008, 11:32 PM   #3
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
The key setting for you is "mynetworks". Out of the box, postfix should only allow clients on these IPs to relay through it. You probably have it set to relay from any machine on the subnets that your NIC(s) is/are on.

That certainly fits with the quote you posted (although that's hardly an open relay - at least you know who's sending internal "spam").

See http://www.postfix.org/postconf.5.html#mynetworks

To restrict to local machine only

mynetworks = 127.0.0.0/8
 
Old 05-20-2008, 09:04 AM   #4
musical_spirit
LQ Newbie
 
Registered: May 2008
Posts: 4

Original Poster
Rep: Reputation: 0
Thanks very much to blacky_5251 and billymayday.

The "mynetworks" fix seems to have made the network security people happy, although I still do not have the test they run in hand. For some reason I seem to have had the syntax wrong before in copying the main.cf commented-out example with two ip addresses. Note that on my system, the "mynetworks_style = host" ultimately seems to be producing at least similar results, now, as well.

So, excellent!

The TLS/SSL example is something that I will play with at my own pace now that basic mail service is established, and I very much look forward to "getting" it fully because this will have other benefits as well.

Please accept my gratitude for getting me safely back in contact with the world.

-MS

Note: in case anyone has two-cents' worth to add, given the hyper-sensitivity about security and spam in our current environment, I wonder what the merit is of having relay enabled by default? I am not clear on why my mail program should take on the responsibility of relaying mail?
 
Old 05-20-2008, 07:26 PM   #5
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
Postfix isn't an open relay by default - typically it will only allow relaying from your subnet. Since this would typically be a private address, and your firewall should stop any traffic from the big bad world purporting to have a private class address, the only relaying should be by internal machines. If they are sending spam, you've got a bigger problem than your postfix server.

That's my 1c

Edit

I note that the default for mynetworks_style is subnet, so even if you had a public IP, only 253 other machines could spam through you.

Last edited by billymayday; 05-20-2008 at 10:26 PM.
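The difference between the original poster's mynetworks_style = host (post #1), billymayday's mynetworks = 127.0.0.0/8 (post #3) and the subnet default discussed in post #5 comes down to which client addresses permit_mynetworks matches before reject_unauth_destination gets a chance to refuse foreign recipients. The following is an added model of that evaluation, not code from any poster or from Postfix itself: it derives the implicit mynetworks set for each style, walks the restriction list in order the way smtpd does, and counts how many other addresses may relay unauthenticated. The host address, interface network (192.0.2.0/24, RFC 5737 TEST-NET) and mydestination set are constructed for the example; the "554 5.7.1 Relay access denied" reply is the Postfix default for reject_unauth_destination.

```python
import ipaddress

# Constructed sample addressing (RFC 5737 TEST-NET) and local domains, not from the thread.
THIS_HOST = "192.0.2.10"
INTERFACE_NET = "192.0.2.0/24"
MYDESTINATION = {"mail.example.net", "localhost"}
RELAY_DENIED = "554 5.7.1 Relay access denied"


def implicit_mynetworks(style, host_ip, interface_net):
    """Model of the set mynetworks_style derives when mynetworks itself is unset
    (assumption: a single interface). Every style trusts loopback; 'host' adds only
    this machine's address, 'subnet' (the Postfix default) the whole attached network,
    'class' the legacy class A/B/C block the address falls in."""
    ip = ipaddress.ip_address(host_ip)
    nets = [ipaddress.ip_network("127.0.0.0/8")]
    if style == "host":
        nets.append(ipaddress.ip_network(f"{ip}/32"))
    elif style == "subnet":
        nets.append(ipaddress.ip_network(interface_net, strict=False))
    elif style == "class":
        first_octet = int(str(ip).split(".")[0])
        prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
        nets.append(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
    else:
        raise ValueError(f"unknown mynetworks_style {style!r}")
    return nets


def relay_decision(client_ip, recipient_domain, mynetworks, sasl_authenticated=False,
                   mydestination=MYDESTINATION):
    """Evaluate 'permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination'
    in order, first matching restriction wins, as smtpd does per RCPT TO."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in mynetworks):
        return "permit: permit_mynetworks"
    if sasl_authenticated:
        return "permit: permit_sasl_authenticated"
    if recipient_domain in mydestination:
        # reject_unauth_destination only refuses domains this server is not responsible for
        return "permit: local destination"
    return RELAY_DENIED


def other_hosts_that_may_relay(mynetworks, host_ip):
    """Count addresses besides this host that permit_mynetworks would wave through
    (loopback excluded, network and broadcast addresses discounted)."""
    ip = ipaddress.ip_address(host_ip)
    total = 0
    for net in mynetworks:
        if net.is_loopback:
            continue
        usable = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
        total += usable - (1 if ip in net else 0)
    return total


if __name__ == "__main__":
    for style in ("host", "subnet", "class"):
        nets = implicit_mynetworks(style, THIS_HOST, INTERFACE_NET)
        print(f"{style:6} {relay_decision('192.0.2.77', 'example.org', nets):32} "
              f"other relaying hosts: {other_hosts_that_may_relay(nets, THIS_HOST)}")
```

With the subnet default a neighbouring host on the /24 is permitted to relay to example.org and 253 other addresses share that privilege, which is the figure quoted above; with the host style, or with an explicit mynetworks = 127.0.0.0/8, the same neighbour gets the relay-denied reply unless it authenticates via SASL, while mail addressed to a domain in mydestination is still accepted because reject_unauth_destination never applies to local delivery.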
 
Old 05-23-2008, 05:35 PM   #6
musical_spirit
LQ Newbie
 
Registered: May 2008
Posts: 4

Original Poster
Rep: Reputation: 0
I believe that the local subnet is what they were complaining about. But, I know, for example, that at least one of the unix machines has about 19,000 users, so unless I am missing something, I can see that subnet spam is still a problem.

Thanks again!
 