content_filter and firewall rules

  • Robert Moskowitz
    Message 1 of 6, Feb 4, 2013
      It seems from my limited testing that with the content_filter option of:

      content_filter=amavisfeed:[127.0.0.1]:10024

      I don't need an iptables rule for port 10024, as there is no firewall
      blocking of localhost connection to ports.

      As long as I don't do something stupid like:

      content_filter=amavisfeed:myserver.com:10024

      which would route the connection through the server's IP address rather
      than localhost.

      Same with the 10025 injection back into postfix from the content filter.

      Just no reason to open up 10024 & 10025.

      Have I got this correct?
    • Viktor Dukhovni
      Message 2 of 6, Feb 4, 2013
        On Mon, Feb 04, 2013 at 01:46:37PM -0500, Robert Moskowitz wrote:

        > It seems from my limited testing that with the content_filter option of:
        >
        > content_filter=amavisfeed:[127.0.0.1]:10024
        >
        > I don't need an iptables rule for port 10024, as there is no
        > firewall blocking of localhost connection to ports.
        >
        > As long as I don't do something stupid like:
        >
        > content_filter=amavisfeed:myserver.com:10024

        The "something stupid" is configuring amavis to listen on a public
        IP address (or equivalently the wildcard 0.0.0.0 address). How you
        connect to it from Postfix is not important, but if connecting to
        the public IP address works from Postfix, then it likely works for
        anyone else not explicitly blocked by a firewall, and this is bad.

        So configure Amavis correctly, and the rest takes care of itself.

        > Same with the 10025 injection back into postfix from the content filter.
        >
        > Just no reason to open up 10024 & 10025.
        >
        > Have I got this correct?

        Mostly, but the correct configuration in question is always in
        fact a listener configuration rather than a client configuration,
        the client is then configured to talk to a securely configured
        listener.

        With LMTP filters, Postfix can talk to unix-domain sockets, which
        can be protected also against unauthorized local users. A TLS-enabled
        filter SMTP or LMTP could also require client certs (and use an eNULL
        cipher-suite).

        --
        Viktor.
      • Robert Moskowitz
        Message 3 of 6, Feb 4, 2013
          On 02/04/2013 03:04 PM, Viktor Dukhovni wrote:
          > On Mon, Feb 04, 2013 at 01:46:37PM -0500, Robert Moskowitz wrote:
          >
          >> It seems from my limited testing that with the content_filter option of:
          >>
          >> content_filter=amavisfeed:[127.0.0.1]:10024
          >>
          >> I don't need an iptables rule for port 10024, as there is no
          >> firewall blocking of localhost connection to ports.
          >>
          >> As long as I don't do something stupid like:
          >>
          >> content_filter=amavisfeed:myserver.com:10024
          > The "something stupid" is configuring amavis to listen on a public
          > IP address (or equivalently the wildcard 0.0.0.0 address). How you
          > connect to it from Postfix is not important, but if connecting to
          > the public IP address works from Postfix, then it likely works for
          > anyone else not explicitly blocked by a firewall, and this is bad.

          I figured that and 127.0.0.1 is not exposed. And my current setup only
          has ports 10024 and 10025 listening on 127.0.0.1. So I have avoided
          really stupid.

          >
          > So configure Amavis correctly, and the rest takes care of itself.

          Define correctly. It seems that a number of articles I have found
          recommend using 127.0.0.1. You seem to be recommending something else
          and I am interested in learning more.

          >
          >> Same with the 10025 injection back into postfix from the content filter.
          >>
          >> Just no reason to open up 10024 & 10025.
          >>
          >> Have I got this correct?
          > Mostly, but the correct configuration in question is always in
          > fact a listener configuration rather than a client configuration,
          > the client is then configured to talk to a securely configured
          > listener.
          >
          > With LMTP filters, Postfix can talk to unix-domain sockets, which
          > can be protected also against unauthorized local users. A TLS-enabled
          > filter SMTP or LMTP could also require client certs (and use an eNULL
          > cipher-suite).

          Can you point me to some examples? What I have done so far has been
          guided by a few howtos that probably all have the same heritage.

          master.cf has:

           amavisfeed unix - - n - 2 lmtp
               -o lmtp_data_done_timeout=1200
               -o lmtp_send_xforward_command=yes
               -o disable_dns_lookups=yes
               -o max_use=20


          and for 'injection back':

           127.0.0.1:10025 inet n - n - - smtpd
               -o content_filter=
               -o smtpd_delay_reject=no
               -o smtpd_client_restrictions=permit_mynetworks,reject
               -o smtpd_helo_restrictions=
               -o smtpd_sender_restrictions=
               -o smtpd_recipient_restrictions=permit_mynetworks,reject
               -o smtpd_data_restrictions=reject_unauth_pipelining
               -o smtpd_end_of_data_restrictions=
               -o smtpd_restriction_classes=
               -o mynetworks=127.0.0.0/8
               -o smtpd_error_sleep_time=0
               -o smtpd_soft_error_limit=1001
               -o smtpd_hard_error_limit=1000
               -o smtpd_client_connection_count_limit=0
               -o smtpd_client_connection_rate_limit=0
               -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
               -o local_header_rewrite_clients=
               -o smtpd_milters=
               -o local_recipient_maps=
               -o relay_recipient_maps=

          and finally in main.cf

          content_filter=amavisfeed:[127.0.0.1]:10024

          I would be more than happy to move away from an IP port approach (even
          localhost) to a unix-domain approach.
        • Viktor Dukhovni
          Message 4 of 6, Feb 4, 2013
            On Mon, Feb 04, 2013 at 03:58:15PM -0500, Robert Moskowitz wrote:

            > >So configure Amavis correctly, and the rest takes care of itself.
            >
            > Define correctly. It seems that a number of articles I have found
            > recommend using 127.0.0.1. You seem to be recommending something
            > else and I am interested in learning more.

            Correctly means a local TCP or unix-domain socket end-point. This
            includes 127.0.0.1. The point is that the relevant setting is an
            acceptor setting not an initiator setting.

            > 127.0.0.1:10025 inet n - n - - smtpd

            This is fine.

            > and finally in main.cf
            >
            > content_filter=amavisfeed:[127.0.0.1]:10024

            What's important here is that the Amavis server actually listens
            on 127.0.0.1:10024, merely setting the Postfix SMTP client to initiate
            to 127.0.0.1 is not enough.

            > I would be more than happy to move away from an IP port approach
            > (even localhost) to a unix-domain approach.

            Keep it simple enough for you to understand.

            --
            Viktor.
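The acceptor-side check Viktor describes in messages 2 and 4 (what matters is where amavisd and the re-injection smtpd actually listen, not where the Postfix client connects to), as an added example that is not code from the thread or from the Postfix or amavisd projects: a POSIX shell function that reads `ss -ltn` output and flags any listener on the filter ports that is not bound to loopback. The port list 10024/10025 is taken from the thread, the socket table below is constructed for the example, and `audit_listeners` is a name chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): audit that the content-filter ports
# are bound to loopback only. Reads the output of `ss -ltn` (header line
# optional) and flags any listener on FILTER_PORTS whose local address is
# not 127.0.0.0/8 or [::1]. Wildcard binds (0.0.0.0, *, [::]) are the case
# the thread warns about: reachable by anyone the firewall does not block.

FILTER_PORTS="10024 10025"   # amavisd listener, Postfix re-injection listener

# audit_listeners "<ss -ltn output>"
# Prints "EXPOSED <addr:port>" per offending socket; returns 1 if any, else 0.
audit_listeners() {
    printf '%s\n' "$1" | awk -v ports="$FILTER_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "State" { next }                       # skip the ss header line
        {
            la = $4                                  # "Local Address:Port" column
            port = la; sub(/.*:/, "", port)          # text after the last ":"
            addr = substr(la, 1, length(la) - length(port) - 1)
            if (!(port in want)) next                # only the filter ports matter
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback bind is fine
            bad++
            print "EXPOSED " la
        }
        END { if (bad) exit 1; exit 0 }'
}

# Constructed sample in `ss -ltn` format (not captured from a real host):
# 10025 is bound correctly, 10024 is bound to the IPv4 wildcard, and 25 is
# a public listener that is expected to be open.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      100    127.0.0.1:10025    0.0.0.0:*
LISTEN 0      128    0.0.0.0:10024      0.0.0.0:*
LISTEN 0      100    0.0.0.0:25         0.0.0.0:*
LISTEN 0      128    [::1]:10024        [::]:*'

if audit_listeners "$SAMPLE_SS"; then
    echo "ok: filter ports are loopback-only"
else
    echo "fix the listener (amavisd \$inet_socket_bind, master.cf bind address), not the client"
fi
```

On a live host run `audit_listeners "$(ss -ltn)"`. When it reports a wildcard bind on 10024, the setting to change is on the amavisd side: `$inet_socket_bind = '127.0.0.1';` in amavisd.conf (with `@inet_acl` controlling which clients may connect, which is the knob to widen if several Postfix hosts share one amavisd as Benny describes). For 10025 the bind address is the `127.0.0.1:` prefix on the master.cf entry quoted above; an entry written as plain `10025 inet ...` listens on all interfaces.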
          • Robert Moskowitz
            Message 5 of 6, Feb 4, 2013
              On 02/04/2013 04:40 PM, Viktor Dukhovni wrote:
              > On Mon, Feb 04, 2013 at 03:58:15PM -0500, Robert Moskowitz wrote:
              >
              >>> So configure Amavis correctly, and the rest takes care of itself.
              >> Define correctly. It seems that a number of articles I have found
              >> recommend using 127.0.0.1. You seem to be recommending something
              >> else and I am interested in learning more.
              > Correctly means a local TCP or unix-domain socket end-point. This
              > includes 127.0.0.1. The point is that the relevant setting is an
              > acceptor setting not an initiator setting.
              >
              >> 127.0.0.1:10025 inet n - n - - smtpd
              > This is fine.
              >
              >> and finally in main.cf
              >>
              >> content_filter=amavisfeed:[127.0.0.1]:10024
              > What's important here is that the Amavis server actually listens
              > on 127.0.0.1:10024, merely setting the Postfix SMTP client to initiate
              > to 127.0.0.1 is not enough.
              >
              >> I would be more than happy to move away from an IP port approach
              >> (even localhost) to a unix-domain approach.
              > Keep it simple enough for you to understand.

              thanks. I have to get all this going so I can do the testing I REALLY
              intended to do, besides replace my current server.

              I am going to be configuring the server to support HIP and truly mobile
              clients communicating truly securely over a HIP enabled ESP connection. I
              am supposed to have this in test tomorrow. Gulp. Time to cut and run, at
              least for this test setup. I have installed the HIPL code and have a few
              more configs there to do.
            • Benny Pedersen
              Message 6 of 6, Feb 4, 2013
                Robert Moskowitz wrote on 2013-02-04 19:46:
                > It seems from my limited testing that with the content_filter option
                > of:
                > content_filter=amavisfeed:[127.0.0.1]:10024

                default for some reason :=)

                > I don't need an iptables rule for port 10024, as there is no firewall
                > blocking of localhost connection to ports.

                it's a waste of firewall rules on the lo interface, since you can trust
                your own connections, hopefully?

                note that /usr/sendmail connects from localhost, so it can be done,
                but amavisd has an ACL for where it wants connections from / to

                > As long as I don't do something stupid like:
                > content_filter=amavisfeed:myserver.com:10024

                why is this stupid?

                > which would route the connection through the server's IP address
                > rather than localhost.

                note that amavisd can be used from multiple postfix servers and send
                email back to the postfix that sent it, so listening with amavisd on a
                WAN IP is not stupid IMHO :)

                > Same with the 10025 injection back into postfix from the content
                > filter.

                default

                > Just no reason to open up 10024 & 10025.

                was it even closed in the first place?

                > Have I got this correct?

                geek question is "ping 127.0.127.33", should that be blocked?

                if you can show me an iptables rule that will send WAN IP ports via DNAT
                to this IP, then it makes sense to me :)