On Sun, Aug 07, 2011 at 03:59:10PM -0500, Noel Jones wrote:
> On 8/7/2011 3:52 PM, /dev/rob0 wrote:
> > On Sun, Aug 07, 2011 at 02:10:35PM -0500, Noel Jones wrote:
> >> # main.cf
> >> smtpd_authorized_xforward_hosts = ip.of.upstream.postfix
> > 
> > Apparently this upstream IP is dynamic, he said in IRC. Agreed, 
> > it sounds very strange.
> 
> If the upstream is dynamic, there would presumably be some way for
> the firewall to be updated.  Such an update could also include
> updating the postfix main.cf and loading postfix.

Agreed, that would be best.

> >> Putting static:all or equivalent would allow an unauthorized 
> >> client to spoof their IP address.
> >>
> >> (in this case, using static:all might not matter if a firewall
> >> prevents outside access, but it's still wrong.)
> > 
> > That was my reasoning, along with "if it breaks, Jack gets to 
> > keep both pieces."
> 
> When you knowingly give bad advice (not pointing fingers, I do it 
> too -- still trying to quit), make sure to clearly label it as 
> such. I didn't see any warning on your post to the list.

Good point. I did say something in IRC, but you're right, repetition 
here was warranted. An awful mess could ensue if the firewall failed 
at the moment an XFORWARD-capable spambot hit. (I don't know if such 
ratware exists, but there is no reason why it could not. Only reason 
it *might* not is that defaults for announcing XFORWARD are rightly 
restricted. Ratware of this type wouldn't accomplish much.)

Another idea, better but not ideal, would be to at least limit the 
smtpd_authorized_xforward_hosts to a netblock of possible addresses 
for the upstream.
-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header
