I rejoined the list earlier this week thinking I might see some mention of this but as I haven't, here goes. I run Postfix on my Macintosh running Mac OS X 10.5.5 to serve mail for my domain. This is the standard (client) version of OS X, not the server version.

Last week, Apple issued a security update that included the following in the release notes:

====

Postfix

CVE-ID: CVE-2008-3646

Available for: Mac OS X v10.5.5

Impact: A remote attacker may be able to send mail directly to local users

Description: An issue exists in the Postfix configuration files. For a period of one minute after a local command-line tool sends mail, postfix is accessible from the network. During this time, a remote entity who could connect to the SMTP port may send mail to local users and otherwise use the SMTP protocol. This issue does not cause the system to be an open mail relay. This issue is addressed by modifying the Postfix configuration to prevent SMTP connections from remote machines. This issue does not affect systems prior to Mac OS X v10.5 and does not affect Mac OS X Server. Credit to Pelle Johansson for reporting this issue.

====

What the update did was to change all instances of inet_interfaces = whatever in main.cf to inet_interfaces = localhost, making it inaccessible to the outside world. For those of us running outside-facing mailservers, that was a non-starter of a "fix" (sort of like saying want your computer absolutely secure, turn it off - yes, it makes it secure but it also makes it unusable for its intended purpose).

But I'm really curious as to just what the problem is. And why they think it's a configuration issue and it only affects OS X 10.5.5 client (and not 10.5.5 Server, not my older Mac running 10.4.latest, and not Postfix on other operating systems).

I also find their language curious: "For a period of one minute after a local command-line tool sends mail, postfix is accessible from the network." As an outside-facing mail server, I want it accessible from the network 24x7, thank you. "During this time, a remote entity who could connect to the SMTP port may send mail to local users... ". Uh, it's a mail server. That's what is supposed to happen. "...and otherwise use the SMTP protocol." Huh?

Since they then add "This issue does not cause the system to be an open mail relay", I'm at a loss as to just what an outsider can do that I don't already want them to be able to do. It almost sounds like a few people who don't really know what mail servers do (or don't understand that some people actually use the "client" version of OS X as a server) are mistaking "works as designed" for a vulnerability.

-- Larry Stone
   [EMAIL PROTECTED]

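An added example, not part of the original post: a small checker that reads a main.cf and reports whether the effective inet_interfaces setting leaves Postfix loopback-only (as the update described above does) or reachable from the network. It assumes the documented main.cf rules (comment and blank lines ignored, leading whitespace continues a line, last definition wins); the sample file and the name mail.example.com are constructed.

```python
import ipaddress
import re

# Constructed sample: an earlier site setting followed by a later
# "localhost" line, as the post describes main.cf after the update.
SAMPLE_MAIN_CF = """\
# site settings
myhostname = mail.example.com
inet_interfaces = all
mydestination = $myhostname,
    localhost
  # comment inside a continued value is ignored
    example.com
inet_interfaces = localhost
"""

def parse_main_cf(text):
    """Return {parameter: value}: '#' and blank lines are skipped, leading
    whitespace continues the previous logical line, last definition wins."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    params = {}
    for line in logical:
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def is_loopback(token):
    # Assumption: the name "localhost" resolves to a loopback address.
    if token in ("localhost", "loopback-only"):
        return True
    try:
        return ipaddress.ip_address(token.strip("[]")).is_loopback
    except ValueError:
        return False  # "all", hostnames, $variables: treat as network-facing

def listener_scope(text):
    """Classify the effective inet_interfaces as 'loopback' or 'network'."""
    value = parse_main_cf(text).get("inet_interfaces", "all")  # Postfix default
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    return "loopback" if tokens and all(map(is_loopback, tokens)) else "network"

if __name__ == "__main__":
    print(listener_scope(SAMPLE_MAIN_CF))
```

Running it against a copy of main.cf taken before and after a system update shows whether the listener scope changed underneath an outside-facing server.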