
Re: content_filter and firewall rules

  • Robert Moskowitz
    Message 1 of 6, Feb 4, 2013
      On 02/04/2013 03:04 PM, Viktor Dukhovni wrote:
      > On Mon, Feb 04, 2013 at 01:46:37PM -0500, Robert Moskowitz wrote:
      >
      >> It seems from my limited testing that with the content_filter option of:
      >>
      >> content_filter=amavisfeed:[127.0.0.1]:10024
      >>
      >> I don't need an iptables rule for port 10024, as there is no
      >> firewall blocking of localhost connection to ports.
      >>
      >> As long as I don't do something stupid like:
      >>
      >> content_filter=amavisfeed:myserver.com:10024
      > The "something stupid" is configuring amavis to listen on a public
      > IP address (or equivalently the wildcard 0.0.0.0 address). How you
      > connect to it from Postfix is not important, but if connecting to
      > the public IP address works from Postfix, then it likely works for
      > anyone else not explicitly blocked by a firewall, and this is bad.

      I figured that and 127.0.0.1 is not exposed. And my current setup only
      has ports 10024 and 10025 listening on 127.0.0.1. So I have avoided the
      really stupid option.

      >
      > So configure Amavis correctly, and the rest takes care of itself.

      Define correctly. It seems that a number of articles I have found
      recommend using 127.0.0.1. You seem to be recommending something else
      and I am interested in learning more.

      >
      >> Same with the 10025 injection back into postfix from the content filter.
      >>
      >> Just no reason to open up 10024 & 10025.
      >>
      >> Have I got this correct?
      > Mostly, but the correct configuration in question is always in
      > fact a listener configuration rather than a client configuration,
      > the client is then configured to talk to a securely configured
      > listener.
      >
      > With LMTP filters, Postfix can talk to unix-domain sockets, which
      > can be protected also against unauthorized local users. A TLS-enabled
      > filter SMTP or LMTP could also require client certs (and use an eNULL
      > cipher-suite).

      Can you point me to some examples? What I have done so far has been
      guided by a few howtos that probably all have the same heritage.

      master.cf has:

      amavisfeed unix  -       -       n       -       2       lmtp
          -o lmtp_data_done_timeout=1200
          -o lmtp_send_xforward_command=yes
          -o disable_dns_lookups=yes
          -o max_use=20


      and for 'injection back':

      127.0.0.1:10025 inet n       -       n       -       -       smtpd
          -o content_filter=
          -o smtpd_delay_reject=no
          -o smtpd_client_restrictions=permit_mynetworks,reject
          -o smtpd_helo_restrictions=
          -o smtpd_sender_restrictions=
          -o smtpd_recipient_restrictions=permit_mynetworks,reject
          -o smtpd_data_restrictions=reject_unauth_pipelining
          -o smtpd_end_of_data_restrictions=
          -o smtpd_restriction_classes=
          -o mynetworks=127.0.0.0/8
          -o smtpd_error_sleep_time=0
          -o smtpd_soft_error_limit=1001
          -o smtpd_hard_error_limit=1000
          -o smtpd_client_connection_count_limit=0
          -o smtpd_client_connection_rate_limit=0
          -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
          -o local_header_rewrite_clients=
          -o smtpd_milters=
          -o local_recipient_maps=
          -o relay_recipient_maps=

      and finally in main.cf

      content_filter=amavisfeed:[127.0.0.1]:10024

      I would be more than happy to move away from an IP port approach (even
      localhost) to a unix-domain approach.
    • Viktor Dukhovni
      Message 2 of 6, Feb 4, 2013
        On Mon, Feb 04, 2013 at 03:58:15PM -0500, Robert Moskowitz wrote:

        > >So configure Amavis correctly, and the rest takes care of itself.
        >
        > Define correctly. It seems that a number of articles I have found
        > recommend using 127.0.0.1. You seem to be recommending something
        > else and I am interested in learning more.

        Correctly means a local TCP or unix-domain socket end-point. This
        includes 127.0.0.1. The point is that the relevant setting is an
        acceptor setting not an initiator setting.

        > 127.0.0.1:10025 inet n - n - - smtpd

        This is fine.

        > and finally in main.cf
        >
        > content_filter=amavisfeed:[127.0.0.1]:10024

        What's important here is that the Amavis server actually listens
        on 127.0.0.1:10024; merely setting the Postfix SMTP client to initiate
        to 127.0.0.1 is not enough.

        > I would be more than happy to move away from an IP port approach
        > (even localhost) to a unix-domain approach.

        Keep it simple enough for you to understand.

        --
        Viktor.
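The acceptor-side check Viktor describes, as an added example that is not part of this thread and not Postfix or amavisd code: a small POSIX shell audit that reads `ss -ltn` style listener output and a master.cf and reports any filter port (10024 and 10025, the ports the thread uses; an assumption you would adjust) that is reachable on anything other than a loopback address. The listener table and master.cf lines embedded below are constructed for the demonstration, and the function names are mine. On a live host you would feed it real data: `ss -ltn | exposed_listeners` and `exposed_inet_services < /etc/postfix/master.cf`.

```sh
#!/bin/sh
# Added example, not from the thread: audit the *acceptor* side of a Postfix +
# amavisd content-filter setup, the side Viktor says matters. Two checks, fed
# constructed sample data so the script runs offline:
#   1. `ss -ltn` listener table: filter ports must be bound to loopback only;
#   2. master.cf: an inet entry on a filter port needs a loopback host prefix.
# Live use: ss -ltn | exposed_listeners ; exposed_inet_services < master.cf

FILTER_PORTS="10024 10025"   # the thread's ports (assumption; adjust to taste)

# Constructed `ss -ltn` output for a misconfigured host: amavisd bound to
# 0.0.0.0:10024, Postfix reinjection correctly on 127.0.0.1:10025, MTA on 25.
SS_BAD='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:10024       0.0.0.0:*
LISTEN 0      128    127.0.0.1:10025     0.0.0.0:*
LISTEN 0      128    0.0.0.0:25          0.0.0.0:*'

# Same host after amavisd is told to bind loopback only (IPv4 and IPv6).
SS_GOOD='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:10024     0.0.0.0:*
LISTEN 0      128    [::1]:10024         [::]:*
LISTEN 0      128    127.0.0.1:10025     0.0.0.0:*
LISTEN 0      128    0.0.0.0:25          0.0.0.0:*'

# Constructed master.cf fragments: a bare port makes Postfix bind on every
# interface; the fixed one is the thread's own entry. "smtp inet" is public
# by design and must not be flagged.
MASTER_BAD='smtp      inet  n       -       n       -       -       smtpd
10025     inet  n       -       n       -       -       smtpd
  -o content_filter='
MASTER_GOOD='smtp      inet  n       -       n       -       -       smtpd
127.0.0.1:10025 inet n - n - - smtpd
  -o content_filter='

# is_loopback ADDR: true for 127.0.0.0/8, ::1 (bracketed or not) and localhost;
# anything else, including an empty host and the wildcards, counts as exposed.
is_loopback() {
    case "$1" in
        127.*|'[::1]'|::1|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# is_filter_port PORT: true if PORT is one of FILTER_PORTS.
is_filter_port() {
    for p in $FILTER_PORTS; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# exposed_listeners: read `ss -ltn` output on stdin, print the local addr:port
# of every filter port not bound to loopback. Exit 0 if nothing is exposed.
exposed_listeners() {
    exposed=0
    while read -r state rq sq laddr peer; do
        [ "$state" = "LISTEN" ] || continue
        port=${laddr##*:}
        addr=${laddr%:*}
        if is_filter_port "$port" && ! is_loopback "$addr"; then
            echo "$laddr"
            exposed=1
        fi
    done
    return $exposed
}

# exposed_inet_services: read master.cf on stdin, print the service name of
# every inet entry on a filter port whose host part is missing or not loopback.
# Exit 0 if nothing is exposed.
exposed_inet_services() {
    exposed=0
    while read -r name type rest; do
        case "$name" in ''|'#'*|-o) continue ;; esac   # blank, comment, -o line
        [ "$type" = "inet" ] || continue
        port=${name##*:}
        host=""; case "$name" in *:*) host=${name%:*} ;; esac
        if is_filter_port "$port" && ! is_loopback "$host"; then
            echo "$name"
            exposed=1
        fi
    done
    return $exposed
}

# report LABEL CHECK DATA: one line per check, naming whatever is exposed.
report() {
    if echo "$3" | "$2" >/dev/null; then
        echo "$1: ok, filter ports are loopback-only"
    else
        echo "$1: EXPOSED $(echo "$3" | "$2" | tr '\n' ' ')"
    fi
}

report "ss (misconfigured)"        exposed_listeners     "$SS_BAD"
report "ss (fixed)"                exposed_listeners     "$SS_GOOD"
report "master.cf (misconfigured)" exposed_inet_services "$MASTER_BAD"
report "master.cf (fixed)"         exposed_inet_services "$MASTER_GOOD"
```

The script only looks at what is listening; it deliberately ignores the `content_filter` setting in main.cf, because, as the reply above says, the initiator side tells you nothing about who else can connect. The amavisd half of the fix lives in amavisd.conf's bind address setting (`$inet_socket_bind`), which the thread does not quote; once amavisd binds 127.0.0.1 and Postfix's reinjection service carries the `127.0.0.1:` prefix, both checks come back clean and no iptables rule for 10024/10025 is needed.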
      • Robert Moskowitz
        Message 3 of 6, Feb 4, 2013
          On 02/04/2013 04:40 PM, Viktor Dukhovni wrote:
          > On Mon, Feb 04, 2013 at 03:58:15PM -0500, Robert Moskowitz wrote:
          >
          >>> So configure Amavis correctly, and the rest takes care of itself.
          >> Define correctly. It seems that a number of articles I have found
          >> recommend using 127.0.0.1. You seem to be recommending something
          >> else and I am interested in learning more.
          > Correctly means a local TCP or unix-domain socket end-point. This
          > includes 127.0.0.1. The point is that the relevant setting is an
          > acceptor setting not an initiator setting.
          >
          >> 127.0.0.1:10025 inet n - n - - smtpd
          > This is fine.
          >
          >> and finally in main.cf
          >>
          >> content_filter=amavisfeed:[127.0.0.1]:10024
          > What's important here is that the Amavis server actually listens
          > on 127.0.0.1:10024, merely setting the Postfix SMTP client to initiate
          > to 127.0.0.1 is not enough.
          >
          >> I would be more than happy to move away from an IP port approach
          >> (even localhost) to a unix-domain approach.
          > Keep it simple enough for you to understand.

          Thanks. I have to get all this going so I can do the testing I REALLY
          intended to do, besides replacing my current server.

          I am going to be configuring the server to support HIP and truly mobile
          clients communicating truly securely over a HIP-enabled ESP connection. I
          am supposed to have this in test tomorrow. Gulp. Time to cut and run at
          least this test setup. I have installed the HIPL code and have a few
          more configs there to do.
        • Benny Pedersen
          Message 4 of 6, Feb 4, 2013
            Robert Moskowitz wrote on 2013-02-04 19:46:
            > It seems from my limited testing that with the content_filter option
            > of:
            > content_filter=amavisfeed:[127.0.0.1]:10024

            default for some reason :=)

            > I don't need an iptables rule for port 10024, as there is no firewall
            > blocking of localhost connection to ports.

            it's a waste of firewalls on the lo interface since you can trust your
            own connections, hopefully?

            note that /usr/sendmail is connecting from localhost, so it can be
            done, but amavisd has an ACL for where it wants connections from / to

            > As long as I don't do something stupid like:
            > content_filter=amavisfeed:myserver.com:10024

            why is this stupid ?

            > which would route the connection through the server's IP address
            > rather than localhost.

            note that amavisd can be used from multiple postfix servers and send
            email back to the postfix that sends it, so listening with amavisd on a
            WAN IP is not stupid imho :)

            > Same with the 10025 injection back into postfix from the content
            > filter.

            default

            > Just no reason to open up 10024 & 10025.

            was it even closed in the first place ?

            > Have I got this correct?

            geek question is "ping 127.0.127.33", should that be blocked?

            if you can show me an iptables rule that will send WAN IP ports via DNAT
            to this IP, then it makes sense to me :)