Am 22.12.22 um 01:47 schrieb Samer Afach:
Thank you, Matthias, for your opinion.
Ironically, the proxy part in this whole story is not only the simple
part that I fully understand, but also the part that's very easily
testable with my current knowledge and understanding of networking.
It's easy to look into the IP addresses of incoming connections and
cross-check them with the senders. It's easy to see whether a PROXY
protocol with HAProxy works. I'm looking into that setup as we speak.
All that is easy. I'm actually surprised you're using that part as
argument to why I should shutdown my server.
Thanks to the wonderful people in this email list, now I understand my
mistake with that regard. I learned a lot.
If I were you, I'd focus on my lack of understanding of the email
protocol. Now that, is a part that I still cannot fully understand,
embarrassingly so. I still don't know what ehlo means, except that
it's the first message. I don't know why it matters what address we
put after it. That does make me look like an idiot, doesn't it? :-)
I fully understand your opinion and why you'd want me to shutdown my
server. But if I were you, I'd try to encourage people to learn more
or explain more to them. This whole incident reminds me of people who
fall for scams and pay scammers money. They can be ashamed of it and
never talk about it, or try to learn how to not fall for it again.
Just my humble opinion.
Sam,
your proxy is what underminded Postfix's relay guards, by your own
assessments and descriptions - because it was the proxy that connected
with its own IP address to Postfix's smtpd, and $mynetworks subnets are
usually permitted to relay.
So while you may have understood how the proxy itself works, you have
not identified the implications for operating a mail server proofed
against unintended relaying.
Reading Postfix's documentation thoroughly would have brought you across
XCLIENT (and I was saying application-level or -layer proxy because it
talks SMTP not TCP), and you would have asked specific questions.
And why does your server have to go online BEFORE you have learned the
ropes? I did not ask you to shut down permanently (that should have been
clear, but you are getting defensive so I may have stepped on your toes
after you stepped on the public's), but implied to first learn and then
go online with a safe and possibly reviewed configuration. The public
constantly has to put up with people who experiment in public and ask
for help *after* accidents. Not sure where such dangerous approaches are
taught.
Postfix has been around for a quarter century, and it has always been
*the* example of good design, documentation and compatibility with
predecessor versions.
I would really appreciate if people in general learned BEFORE putting
systems live.
Cheers,
Matthias
Cheers,
Sam
On 21/12/2022 10:21 PM, Matthias Andree wrote:
Am 21.12.22 um 09:45 schrieb Samer Afach:
Thank you for these hints, Benny. I wanna point out that I'm, in no
way, an expert in any of this, and my configuration is based on online
research and some copy/paste.
Then with all due respect, please shut down your mail server and do not
start it again until you have fully understood what your services are
doing, and need to do instead in order to be operated securely. We don't
need more public accidents.
Postfix has ways to let application-level proxies convey actual client
IP (XCLIENT). You will want those in the logs, and not your proxy's IP
address. Sooner or later you will find it necessary to at least
temporarily block offending subnets.
If your proxy can't do that, or you don't know how, or you don't know
how to do that with containers, perhaps use postscreen instead and run
your Postfix on a bridged networked container of VM instead.
I do not believe you (personally - no offense, but after your statement
above) are currently fit for setting up and operating such a complex
setup as you are using with several proxy and NAT layers and all that.
Containers may seem like a good idea, but if they dispose of crucial
information such as the client address, then revise your setup
THOROUGHLY.
Sorry to be blunt without asking, but we've all had our shares of eating
unsolicited e-mail.
Thank you.
S
