On 02/04/2013 03:04 PM, Viktor Dukhovni wrote:
On Mon, Feb 04, 2013 at 01:46:37PM -0500, Robert Moskowitz wrote:

It seems from my limited testing that with the content_filter option of:

content_filter=amavisfeed:[127.0.0.1]:10024

I don't need an iptables rule for port 10024, as there is no
firewall blocking of localhost connection to ports.

As long as I don't do something stupid like:

content_filter=amavisfeed:myserver.com:10024

The "something stupid" is configuring amavis to listen on a public
IP address (or equivalently the wildcard 0.0.0.0 address). How you
connect to it from Postfix is not important, but if connecting to
the public IP address works from Postfix, then it likely works for
anyone else not explicitly blocked by a firewall, and this is bad.

I figured that, and 127.0.0.1 is not exposed. And my current setup only has ports 10024 and 10025 listening on 127.0.0.1. So I have avoided the really stupid.


So configure Amavis correctly, and the rest takes care of itself.

Define correctly. It seems that a number of articles I have found recommend using 127.0.0.1. You seem to be recommending something else and I am interested in learning more.


Same with the 10025 injection back into postfix from the content filter.

Just no reason to open up 10024 & 10025.

Have I got this correct?

Mostly, but the correct configuration in question is always in
fact a listener configuration rather than a client configuration;
the client is then configured to talk to a securely configured
listener.

With LMTP filters, Postfix can talk to unix-domain sockets, which
can also be protected against unauthorized local users. A TLS-enabled
SMTP or LMTP filter could also require client certs (and use an eNULL
cipher-suite).

Can you point me to some examples? What I have done so far has been guided by a few howtos that probably all have the same heritage.

master.cf has:

amavisfeed unix    -       -       n        -      2     lmtp
    -o lmtp_data_done_timeout=1200
    -o lmtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20


and for 'injection back':

127.0.0.1:10025 inet n    -       n       -       -     smtpd
    -o content_filter=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
    -o local_header_rewrite_clients=
    -o smtpd_milters=
    -o local_recipient_maps=
    -o relay_recipient_maps=

and finally in main.cf

content_filter=amavisfeed:[127.0.0.1]:10024

I would be more than happy to move away from an IP port approach (even localhost) to a unix-domain approach.
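As an added example (not from this thread or from Postfix/amavis), a small Python audit that checks the listener side Viktor describes: it parses `ss -ltn` output and master.cf service lines and flags any 10024/10025 listener that is not bound to loopback (127.0.0.0/8, ::1, or IPv4-mapped loopback). The sample inputs are constructed, not captured from a real host.

```python
import ipaddress
# Ports of this thread's setup: 10024 amavis, 10025 Postfix re-injection smtpd.
FILTER_PORTS = {10024, 10025}

def is_loopback(host):
    """True for 127.0.0.0/8, ::1, ::ffff:127.x; '', '*' or a name is not loopback."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # wildcard ('*', '') or hostname: treat as exposed
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_loopback

def _split_host_port(spec):
    # '127.0.0.1:10024' -> ('127.0.0.1', '10024'); '[::1]:25' -> ('::1', '25')
    host, _, port = spec.rpartition(":")
    return host.strip("[]"), port

def exposed_ss_listeners(ss_output, ports=FILTER_PORTS):
    """From `ss -ltn` style lines, return (host, port) on filter ports not on loopback."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or non-listening line
        host, port = _split_host_port(fields[3])  # column 4 is Local Address:Port
        if port.isdigit() and int(port) in ports and not is_loopback(host):
            exposed.append((host, int(port)))
    return exposed

def exposed_master_cf_entries(master_cf, ports=FILTER_PORTS):
    """master.cf inet services on filter ports lacking a loopback host prefix."""
    exposed = []
    for line in master_cf.splitlines():
        if not line or line[0].isspace() or line.startswith("#"):
            continue  # blank, '-o' continuation or comment line
        fields = line.split()
        if len(fields) < 2 or fields[1] != "inet":
            continue
        host, port = _split_host_port(fields[0])
        # a bare port (no host) binds to inet_interfaces, which may be 'all'
        if port.isdigit() and int(port) in ports and not is_loopback(host):
            exposed.append(fields[0])
    return exposed
# Constructed sample inputs, not captured from a real host.
SS_OK = "LISTEN 0 100 127.0.0.1:10024 0.0.0.0:*\nLISTEN 0 100 [::1]:10025 [::]:*\n"
SS_BAD = "LISTEN 0 100 0.0.0.0:10024 0.0.0.0:*\nLISTEN 0 100 [::]:10025 [::]:*\n"
MASTER_OK = "127.0.0.1:10025 inet n - n - - smtpd\n    -o content_filter=\n"
MASTER_BAD = "10025 inet n - n - - smtpd\n    -o content_filter=\n"
```

Feed it the real `ss -ltn` output and master.cf on the host; an empty result from both functions means the filter ports are reachable only over loopback, which is the property that makes the client-side `[127.0.0.1]` choice safe.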

