Closing unwanted ports on dual-view server


Stephen Satchell
I have a mail server running PostFix 3.4.13 (Ubuntu 20.04) and I've
implemented several suggestions from the mail list to stop
ne'er-do-wells.  Looking at the currently only ports, I see this for
PostFix:

> tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      1427/master        
> tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1427/master        

The server has three interfaces:  127.0.0.1, 10.1.1.33, and a public IP
address interface.  What I want to do is only allow 587 on the first two
interfaces while enabling port 25 on all three interfaces

In main.cf, "inet_interfaces = all"

Current master.cf for submission:

> submission inet n       -       y       -       -       smtpd
>   -o syslog_name=postfix/submission
> #  -o smtpd_tls_security_level=encrypt
> #  -o smtpd_sasl_auth_enable=yes
> #  -o smtpd_tls_auth_only=yes
> #  -o smtpd_reject_unlisted_recipient=no
> #  -o smtpd_client_restrictions=$mua_client_restrictions
> #  -o smtpd_helo_restrictions=$mua_helo_restrictions
> #  -o smtpd_sender_restrictions=$mua_sender_restrictions
> #  -o smtpd_recipient_restrictions=
> #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
> #  -o milter_macro_daemon_name=ORIGINATING

My question is, can I add the following line after the "submission" line
to limit the interface binding for submission?

  -o { inet_interfaces = 127.0.0.1,10.1.1.33 }

If not, what is the proper method and syntax?

(I might decide to limit "submission" to just the 10.1.1.33 interface,
especially if having two addresses raises a problem.)

Re: Closing unwanted ports on dual-view server

Wietse Venema
Stephen Satchell:

> I have a mail server running PostFix 3.4.13 (Ubuntu 20.04) and I've
> implemented several suggestions from the mail list to stop
> ne'er-do-wells.  Looking at the currently only ports, I see this for
> PostFix:
>
> > tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      1427/master        
> > tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1427/master        
>
> The server has three interfaces:  127.0.0.1, 10.1.1.33, and a public IP
> address interface.  What I want to do is only allow 587 on the first two
> interfaces while enabling port 25 on all three interfaces

So instead of

    submission inet... smtpd

in master.cf, specify the IP address and port:

    127.0.0.1:submission inet... smtpd
    10.1.1.33:submission inet... smtpd

You can't do this with "smtpd -o" options, because such options are
implemented by smtpd, and it is the master that listens on sockets
before it starts an smtpd process. A chicken and egg thing, as it were.

        Wietse

Re: Closing unwanted ports on dual-view server

Benny Pedersen-2
In reply to this post by Stephen Satchell
On 2021-03-31 00:54, Stephen Satchell wrote:

> (I might decide to limit "submission" to just the 10.1.1.33 interface,
> especially if having two addresses raises a problem.)

submission inet n       -       y       -       -       smtpd

change to

10.1.1.33:submission inet n       -       y       -       -       smtpd

add one more line for loopback if needed
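
An added example, not part of any post in this thread: a small audit of master.cf that lists which address each inet service is bound to, so a submission entry without an address prefix stands out after a config change. The function names and the sample file are constructed for illustration; the parsing follows the master.cf rules for comments, continuation lines and the `[host:]port` service name.

```python
import re

# Constructed master.cf sample: the per-address submission entries from the
# thread, plus smtp left on every interface. All names here are hypothetical.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
127.0.0.1:submission inet n     -       y       -       -       smtpd
  -o syslog_name=postfix/submission
10.1.1.33:submission inet n     -       y       -       -       smtpd
  -o syslog_name=postfix/submission
pickup    unix  n       -       y       60      1       pickup
"""

def logical_lines(text):
    """Join continuation lines (leading whitespace); drop comments and blanks."""
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            current += " " + raw.strip()
        else:
            if current is not None:
                yield current
            current = raw.strip()
    if current is not None:
        yield current

def inet_listeners(text):
    """Return (address, port) per inet service; address None = all of inet_interfaces."""
    found = []
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 8 or fields[1] != "inet":
            continue
        # Service name is [host:]port; an IPv6 host is written in [brackets].
        m = re.fullmatch(r"(?:\[([^\]]+)\]:|([^:\[\]]+):)?([^:]+)", fields[0])
        if m:
            found.append((m.group(1) or m.group(2), m.group(3)))
    return found

def unrestricted(text, port):
    """True if any inet entry for `port` has no address and so binds everywhere."""
    return any(p == port and addr is None for addr, p in inet_listeners(text))

if __name__ == "__main__":
    for addr, port in inet_listeners(SAMPLE_MASTER_CF):
        print(f"{port:12} {addr or 'all (inet_interfaces)'}")
```

Run it against the real file by passing the contents of master.cf to `inet_listeners`, then compare the result with the LISTEN sockets the system reports after a Postfix reload.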