Re: Is the absence of "smtpd_relay_restrictions" directive in Postfix versions >= 2.10 a security risk in some default configurations?

  • /dev/rob0
    Message 1 of 8 , May 31, 2013
      On Fri, May 31, 2013 at 03:06:38PM -0400, Ben Johnson wrote:
      > On 5/31/2013 2:39 PM, Noel Jones wrote:
      > > On 5/31/2013 12:22 PM, Ben Johnson wrote:
      > >> Postfix "postfinger" output for this server (prior to closing
      > >> this "hole"):
      > >>
      > >> http://pastebin.com/QGE3cah5
      > >
      > > ... mail_version = 2.7.0
      > >
      > > This postfix version does not support smtpd_relay_restrictions,
      > > and will not complain about unknown parameters defined in
      > > main.cf.
      >
      > It would be nice if the Postfix manual reflected this fact. The
      > manual states, "This feature is available in Postfix 2.10 and
      > later."

      I am wondering if the confusion is over the version numbering?

      Are you perhaps confusing "major release two, minor release ten"
      with the decimal number 2.10, which your mind (as well as any
      electronic calculator) equates with 2.1?

      smtpd_relay_restrictions was introduced in Postfix 2.10, released
      this year (2013).
      --
      http://rob0.nodns4.us/ -- system administration and consulting
      Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
    • Ben Johnson
      Message 2 of 8 , May 31, 2013
        On 5/31/2013 3:52 PM, Noel Jones wrote:
        > On 5/31/2013 2:06 PM, Ben Johnson wrote:
        >
        >> Okay. I understand. The implication here is that it doesn't matter
        >> whether the user-agent connects directly to my server via SMTP to
        >> deliver mail to my users, or he connects through his ISP's SMTP server
        >> to do the same. Correct?
        >
        > Correct. By default, postfix accepts inbound mail from any client
        > because there is no fool-proof way to determine if some random
        > client is authorized to send mail. SPF (not enabled by default)
        > attempts to do this, but is far from perfect. Black-lists (not
        > enabled by default) attempt to list known-bad clients; obviously
        > these lists can never be complete.
        >
        > Postfix can be configured to reject mail from unknown local
        > accounts. This is not enabled by default. See
        > http://www.postfix.org/postconf.5.html#reject_unlisted_sender
        > http://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_sender
        >
        >
        >>
        >>>>
        >>>> Postfix "postfinger" output for this server (prior to closing this "hole"):
        >>>>
        >>>> http://pastebin.com/QGE3cah5
        >>>
        >>> ... mail_version = 2.7.0
        >>>
        >>> This postfix version does not support smtpd_relay_restrictions, and
        >>> will not complain about unknown parameters defined in main.cf.
        >>>
        >>
        >> It would be nice if the Postfix manual reflected this fact. The manual
        >> states, "This feature is available in Postfix 2.10 and later."
        >
        >
        > "... available in Postfix X and later" seems pretty unambiguous,
        > regardless if postfix gives an error or not.
        >
        > The BUGS section in the postconf(1) man page supplied with your
        > postfix says something about not reporting unknown parameters
        > defined in main.cf. This was corrected in postfix 2.9.
        >
        >
        >
        >
        > -- Noel Jones
        >

        Thanks, Noel. I really appreciate the thorough explanation. Everything
        you say makes sense.

        Also, you're right; I had confused Postfix version 2.10 with 2.1. I now
        realize that the directive "smtpd_relay_restrictions" is not yet
        available with respect to my version of Postfix.

        Thanks again,

        -Ben
      • Ben Johnson
        Message 3 of 8 , May 31, 2013
          On 5/31/2013 4:11 PM, /dev/rob0 wrote:
          > On Fri, May 31, 2013 at 03:06:38PM -0400, Ben Johnson wrote:
          >> On 5/31/2013 2:39 PM, Noel Jones wrote:
          >>> On 5/31/2013 12:22 PM, Ben Johnson wrote:
          >>>> Postfix "postfinger" output for this server (prior to closing
          >>>> this "hole"):
          >>>>
          >>>> http://pastebin.com/QGE3cah5
          >>>
          >>> ... mail_version = 2.7.0
          >>>
          >>> This postfix version does not support smtpd_relay_restrictions,
          >>> and will not complain about unknown parameters defined in
          >>> main.cf.
          >>
          >> It would be nice if the Postfix manual reflected this fact. The
          >> manual states, "This feature is available in Postfix 2.10 and
          >> later."
          >
          > I am wondering if the confusion is over the version numbering?
          >
          > Are you perhaps confusing "major release two, minor release ten"
          > with the decimal number 2.10, which your mind (as well as any
          > electronic calculator) equates with 2.1?
          >
          > smtpd_relay_restrictions was introduced in Postfix 2.10, released
          > this year (2013).
          >

          You were spot-on. I'm abashed. Thanks, /dev/rob0, for the clarification.
        • Noel Jones
          Message 4 of 8 , May 31, 2013
            On 5/31/2013 3:19 PM, Ben Johnson wrote:
            > Also, you're right; I had confused Postfix version 2.10 with 2.1. I now
            > realize that the directive "smtpd_relay_restrictions" is not yet
            > available with respect to my version of Postfix.
            >
            > Thanks again,
            >
            > -Ben
            >


            probably combined with the (perhaps surprising) fact that many linux
            distros provide years-old postfix packages. Your newly-installed
            postfix 2.7.0 was released in early 2010. You're also missing out
            on the fixes in postfix 2.7.1~2.7.13.


            -- Noel Jones
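
Added example, not part of the thread or of Postfix: a shell check for the situation discussed above, where main.cf sets smtpd_relay_restrictions on a Postfix older than 2.10 and the setting is silently ignored. The function names and the sample main.cf content are constructed for illustration; versions are compared field by field, so 2.10 is minor release ten rather than 2.1.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are illustrative.

# version_at_least VERSION MAJOR MINOR: succeed if VERSION >= MAJOR.MINOR.
# Fields are compared as integers, so "2.10" is minor release ten, not 2.1.
version_at_least() {
    v_major=${1%%.*}
    v_rest=${1#*.}
    v_minor=${v_rest%%[!0-9]*}     # "10.0" -> "10", "10-20130531" -> "10"
    [ "$v_major" -gt "$2" ] && return 0
    [ "$v_major" -eq "$2" ] && [ "${v_minor:-0}" -ge "$3" ]
}

# param_defined FILE NAME: succeed if FILE sets NAME (name starts in column 1,
# so commented-out and continuation lines do not match).
param_defined() {
    grep -Eq "^$2[[:space:]]*=" "$1"
}

# audit_relay_param MAIL_VERSION MAIN_CF
# Returns 1 when main.cf sets the parameter but this Postfix predates 2.10.
audit_relay_param() {
    if ! param_defined "$2" smtpd_relay_restrictions; then
        echo "smtpd_relay_restrictions is not set in $2"
        return 0
    fi
    if version_at_least "$1" 2 10; then
        echo "Postfix $1 supports smtpd_relay_restrictions"
        return 0
    fi
    echo "Postfix $1 predates 2.10: smtpd_relay_restrictions in $2 is ignored"
    version_at_least "$1" 2 9 ||
        echo "Postfix $1 predates 2.9: postconf will not report the unknown parameter"
    return 1
}

# Constructed sample main.cf, checked against the two versions from the thread.
demo() {
    cf=$(mktemp) || return 1
    printf '%s\n' 'myhostname = mail.example.com' \
        'smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination' > "$cf"
    audit_relay_param 2.7.0 "$cf" || true
    audit_relay_param 2.10.0 "$cf"
    rm -f "$cf"
}
demo
```

On a live host the same check can be run as `audit_relay_param "$(postconf -h mail_version)" "$(postconf -h config_directory)/main.cf"`.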