Found someplace else: default postfix config creates backscatter

Found someplace else: default postfix config creates backscatter

Ralf Hildebrandt
https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/242383
the reasoning seems to make sense.

I'm quite sure we had a discussion here about "relay_domains = $mydestination"
but I cannot find it :)

Ah, found it:
http://securepoint.com/lists/html/postfix-users/2007-08/msg00081.html
if it's pure legacy and induces a backscatter problem, shouldn't it be
dropped?

mail_version = 2.6-20080606
still has
# postconf -d relay_domains
relay_domains = $mydestination

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
People who cannot read should not administer computers...
Re: Found someplace else: default postfix config creates backscatter

mouss-2
Ralf Hildebrandt wrote:

> https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/242383
> the reasoning seems to make sense.
>
> I'm quite sure we had a discussion here about "relay_domains = $mydestination"
> but I cannot find it :)
>
> Ah, found it:
> http://securepoint.com/lists/html/postfix-users/2007-08/msg00081.html
> if it's pure legacy and induces a backscatter problem, shouldn't it be
> dropped?
>
> mail_version = 2.6-20080606
> still has
> # postconf -d relay_domains
> relay_domains = $mydestination
>
>  

This was discussed multiple times here. The default settings are for
compatibility.

- it is recommended to remove $mydestination from relay_domains unless
you need the compatibility "feature" (relay to all subdomains)

- it is recommended to set
parent_domain_matches_subdomains =
unless you really need it. See
    http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains

- it is recommended to set relay_recipient_maps. if you don't have a
list of users, use reject_unverified_recipient (with a
check_recipient_access to restrict the check to those domains for which
you don't have a list of recipients)


Re: Found someplace else: default postfix config creates backscatter

Ralf Hildebrandt
* mouss <[hidden email]>:

> This was discussed multiple times here. The default settings are for  
> compatibility.
>
> - it is recommended to remove $mydestination from relay_domains unless  
> you need the compatibility "feature" (relay to all subdomains)

Yes.

> - it is recommended to set
> parent_domain_matches_subdomains =
> unless you really need it. See
>    http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains
>
> - it is recommended to set relay_recipient_maps. if you don't have a list
> of users, use reject_unverified_recipient (with a check_recipient_access
> to restrict the check to those domains for which you don't have a list of
> recipients)

So if all of this is recommended, why not make it the default in a new
release (2.6) and put an appropriate warning into the RELEASE_NOTES?

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
The problem with America is stupidity. I'm not saying there should be
capital punishment for it or anything, but why don't we just take the
safety labels off everything and let the problem solve itself?
Re: Found someplace else: default postfix config creates backscatter

mouss-2
Ralf Hildebrandt wrote:

> * mouss <[hidden email]>:
>
>  
>> This was discussed multiple times here. The default settings are for  
>> compatibility.
>>
>> - it is recommended to remove $mydestination from relay_domains unless  
>> you need the compatibility "feature" (relay to all subdomains)
>>    
>
> Yes.
>
>  
>> - it is recommended to set
>> parent_domain_matches_subdomains =
>> unless you really need it. See
>>    http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains
>>
>> - it is recommended to set relay_recipient_maps. if you don't have a list
>> of users, use reject_unverified_recipient (with a check_recipient_access
>> to restrict the check to those domains for which you don't have a list of
>> recipients)
>>    
>
> So if all of this is recommended, why not make it the default in a new
> release (2.6) and put an appropriate warning into the RELEASE_NOTES?
>
>  

I guess the question is: how many people out there would get their setup
broken after an upgrade? you can't rely on people reading RELEASE_NOTS
(:) so a warning should also be issued in the logs or on the console?

Re: Found someplace else: default postfix config creates backscatter

Ralf Hildebrandt
* mouss <[hidden email]>:

> I guess the question is: how many people out there would get their setup  
> broken after an upgrade?

I cannot fathom who would still run such a setup...

> you can't rely on people reading RELEASE_NOTS (:) so a warning should
> also be issued in the logs or on the console?

Yes, definitely. But you can't rely on people reading logs :)-

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
One of my frequent mistakes is to believe users' interpretation
of what is happening.                                 -- Wietse
Re: Found someplace else: default postfix config creates backscatter

Charles Marcus
In reply to this post by Ralf Hildebrandt
On 6/30/2008 3:21 AM, mouss <[hidden email]> wrote:

> This was discussed multiple times here. The default settings are for  
> compatibility.
>
> - it is recommended to remove $mydestination from relay_domains unless  
> you need the compatibility "feature" (relay to all subdomains)
>
> - it is recommended to set
> parent_domain_matches_subdomains =
> unless you really need it. See
>    http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains
>
> - it is recommended to set relay_recipient_maps. if you don't have a list
> of users, use reject_unverified_recipient (with a check_recipient_access
> to restrict the check to those domains for which you don't have a list of
> recipients)

Ok, well, this is important to me, since mine is currently configured
with the defaults...

Just fixed it, so not a problem any more, but...

I'm concerned that all this time my server has been open to this relay
hole. I had posted postconf -n more than once in the past, asking for
advice on any misconfig, and no one pointed this out. I'm not 'blaming'
anyone else for not spotting this, just pointing out that this is
apparently a problem.

I agree with Ralf that the sooner the default for this is changed, the
better.

--

Best regards,

Charles
Re: Found someplace else: default postfix config creates backscatter

Victor Duchovni
On Mon, Jun 30, 2008 at 09:59:03AM -0400, Charles Marcus wrote:

> I'm concerned that all this time my server has been open to this relay
> hole.

This is not a "relay hole". Let's not over-dramatise the potential for
back-scatter. It is rarely a significant issue in practice.

> I agree with Ralf that the sooner the default for this is changed, the
> better.

Fortunately, Wietse is more passionate about compatibility. Users rightly
don't expect their configurations to suddenly break. So don't expect
miracles (incompatible breakage) in 2.6.

A first step would be to change the default of
"parent_domain_matches_subdomains", and add a compatible override if the
parameter is not set explicitly in main.cf. This forces everyone who is
happy with the new default to set it explicitly anyway, because otherwise
the backwards compatibility work-around kicks in on every upgrade.

I think the solution is for main.cf to have a "config_version" parameter,
and for upgrade to only modify main.cf files whose config_version is
not set or is older than the compatibility work-around. Once the upgrade
is completed, "config_version" is set to "$mail_version". This view has
not gained much traction yet...

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[hidden email]?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
Re: Found someplace else: default postfix config creates backscatter

mouss-2
In reply to this post by Charles Marcus
Charles Marcus wrote:

> [snip]
> Ok, well, this is important to me, since mine is currently configured
> with the defaults...
>
> Just fixed it, so not a problem any more, but...
>
> I'm concerned that all this time my server has been open to this relay
> hole. I had posted postconf -n more than once in the past, asking for
> advice on any misconfig, and no one pointed this out. I'm not
> 'blaming' anyone else for not spotting this, just pointing out that
> this is apparently a problem.

I can assure you that I did not notice any backscatter from your domain :)

come on. this is far from critical. If spammers start sending to
foo.bar.netoyen.net, that would lead them nowhere because there is
nothing to deliver such mail (the only thing they would gain is to be
noticed). so spammers target "main" domains (either MX or A). if there
is no mention of foo.example.com, I doubt you will get any attempt to
this (sub)domain (Among all silly attempts, I have 0 attempts to
anything but the names declared in DNS, including A hosts that are not
MXes).

>
> I agree with Ralf that the sooner the default for this is changed, the
> better.

that would be good, but this is not a critical issue IMHO.


Re: Found someplace else: default postfix config creates backscatter

Charles Marcus
In reply to this post by Victor Duchovni
On 6/30/2008 12:28 PM, Victor Duchovni wrote:
>> I'm concerned that all this time my server has been open to this relay
>> hole.

> This is not a "relay hole". Let's not over-dramatise the potential for
> back-scatter. It is rarely a significant issue in practice.

Ok, then, thanks for the clarification... not so concerned any more...

:)

--

Best regards,

Charles
Re: Found someplace else: default postfix config creates backscatter

Victor Duchovni
On Mon, Jun 30, 2008 at 02:58:51PM -0400, Charles Marcus wrote:

> On 6/30/2008 12:28 PM, Victor Duchovni wrote:
> >>I'm concerned that all this time my server has been open to this relay
> >>hole.
>
> >This is not a "relay hole". Let's not over-dramatise the potential for
> >back-scatter. It is rarely a significant issue in practice.
>
> Ok, then, thanks for the clarification... not so concerned any more...

I do recommend (with Postfix ~2.3 and later)

        bounce_size_limit = 1

this causes all bounces to return the headers only (not the message
body). If a spammer wanted to use bounces to abuse your server, he only
gets to return the headers to the joe-job victim, which is not terribly
attractive. The down-side is that bounces are not a backup mechanism,
you can't resend bounced messages without having the original on hand
(Sent folder, ...).

--
        Viktor.
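
Added example, not part of the original thread and not Postfix code: a Python check that reads `postconf` output (all effective values; `postconf -n` omits parameters left at their defaults) and flags the four settings recommended in this thread. The sample outputs are constructed, the finding names are hypothetical labels, and the check assumes `$mydestination` appears unexpanded in the output.

```python
import re

# Constructed samples of `postconf` output (effective values, defaults included).
DEFAULTS = """\
mydestination = $myhostname, localhost.$mydomain, localhost
relay_domains = $mydestination
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,relay_domains,smtpd_access_maps
relay_recipient_maps =
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
bounce_size_limit = 50000
"""
HARDENED = """\
relay_domains = example.com
parent_domain_matches_subdomains =
relay_recipient_maps = hash:/etc/postfix/relay_recipients
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
bounce_size_limit = 1
"""

def parse_postconf(text):
    """Return {parameter: value} from 'name = value' lines."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def items(value):
    """Split a comma/whitespace separated Postfix list value."""
    return [v for v in re.split(r"[,\s]+", value) if v]

def audit(text):
    """Return finding names (hypothetical labels) for the thread's recommendations."""
    p = parse_postconf(text)
    relay = items(p.get("relay_domains", ""))
    findings = []
    if "$mydestination" in relay:
        findings.append("relay_domains-includes-mydestination")
    if "relay_domains" in items(p.get("parent_domain_matches_subdomains", "")):
        findings.append("subdomains-match-relay_domains")
    checks = p.get("smtpd_recipient_restrictions", "")
    # Assumption: a check_recipient_access table is taken to apply the verification.
    verified = "reject_unverified_recipient" in checks or "check_recipient_access" in checks
    if relay and not p.get("relay_recipient_maps") and not verified:
        findings.append("relay-recipients-not-validated")
    if p.get("bounce_size_limit") != "1":
        findings.append("bounces-may-return-body")
    return findings
```

Feed it the full `postconf` output rather than `postconf -n`, since the settings in question are defaults and would not be listed otherwise.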

Re: Found someplace else: default postfix config creates backscatter

Charles Marcus
On 6/30/2008, Victor Duchovni ([hidden email]) wrote:
> I do recommend (with Postfix ~2.3 and later)
>
>     bounce_size_limit = 1

Good tip, makes sense... thanks, just implemented...

--

Best regards,

Charles