On Mon, Feb 04, 2013 at 01:46:37PM -0500, Robert Moskowitz wrote:

> It seems from my limited testing that with the content_filter option of:
>
> content_filter=amavisfeed:[127.0.0.1]:10024
>
> I don't need an iptables rule for port 10024, as there is no
> firewall blocking of localhost connection to ports.
>
> As long as I don't do something stupid like:
>
> content_filter=amavisfeed:myserver.com:10024
The "something stupid" is configuring amavis to listen on a public IP address (or equivalently the wildcard 0.0.0.0 address). How you connect to it from Postfix is not important, but if connecting to the public IP address works from Postfix, then it likely works for anyone else not explicitly blocked by a firewall, and this is bad. So configure Amavis correctly, and the rest takes care of itself.

> Same with the 10025 injection back into postfix from the content filter.
>
> Just no reason to open up 10024 & 10025.
>
> Have I got this correct?

Mostly, but the correct configuration in question is always in fact a listener configuration rather than a client configuration; the client is then configured to talk to a securely configured listener. With LMTP filters, Postfix can talk to unix-domain sockets, which can also be protected against unauthorized local users. A TLS-enabled SMTP or LMTP filter could also require client certs (and use an eNULL cipher-suite).

-- 
	Viktor.
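The point of the reply is that what matters is where the filter listens, not how Postfix dials it. A quick way to verify that on a host is to look at the listening sockets for the two filter ports (10024 and 10025) and flag any that are bound to a non-loopback address. The script below is an added example, not code from this thread or from the Postfix or amavis projects; it parses `ss -ltn`-style output, and the sample output embedded in it is constructed, not captured from a real server. The amavisd.conf settings that control this on the amavis side are `$inet_socket_bind` (the bind address) and `@inet_acl` (the client allow-list); those names are real amavis settings, but this script only inspects sockets and does not read the config.

```python
import ipaddress
import subprocess
from typing import Dict, List, Tuple

# Ports discussed in the thread: Postfix -> amavis (10024) and the
# amavis -> Postfix re-injection listener (10025).
FILTER_PORTS = {10024, 10025}

# Constructed sample resembling `ss -Hltn` output (header suppressed).
# Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
LISTEN 0 100 127.0.0.1:10024 0.0.0.0:*
LISTEN 0 100 0.0.0.0:10025 0.0.0.0:*
LISTEN 0 100 203.0.113.10:10024 0.0.0.0:*
LISTEN 0 100 [::1]:10025 [::]:*
LISTEN 0 100 *:25 *:*
"""


def parse_listeners(ss_text: str) -> List[Dict[str, object]]:
    """Extract (host, port) from the local address column of each LISTEN line."""
    listeners = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        local = fields[3]
        # rpartition handles both "1.2.3.4:10024" and "[::1]:10025".
        host, _, port = local.rpartition(":")
        if host.startswith("[") and host.endswith("]"):
            host = host[1:-1]
        if not port.isdigit():
            continue
        listeners.append({"host": host, "port": int(port)})
    return listeners


def is_loopback_only(host: str) -> bool:
    """True only for a concrete loopback address; wildcards (*, 0.0.0.0, ::) are not."""
    if host in ("*", ""):
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def exposed_filter_listeners(ss_text: str) -> List[Tuple[str, int]]:
    """Filter-port listeners that are reachable on something other than loopback."""
    return [
        (str(l["host"]), int(l["port"]))
        for l in parse_listeners(ss_text)
        if l["port"] in FILTER_PORTS and not is_loopback_only(str(l["host"]))
    ]


if __name__ == "__main__":
    # Assumes iproute2's `ss` is installed; falls back to the constructed sample.
    try:
        text = subprocess.run(["ss", "-Hltn"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_SS_OUTPUT
    for host, port in exposed_filter_listeners(text):
        print(f"filter port {port} is bound to {host}, not loopback")
```

Run against the constructed sample, the two offenders reported are `0.0.0.0:10025` and `203.0.113.10:10024`; the `[::1]:10025` listener is loopback and passes, and port 25 is ignored because it is not a filter port. The fix for a flagged line lives in the listener's configuration (amavis's `$inet_socket_bind`, or the bind address on the Postfix `master.cf` re-injection entry), which is the reply's point.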