default postfix config creates backscatter

Bug #242383 reported by Allison Karlitskaya
Affects | Status | Importance | Assigned to | Milestone
postfix (Ubuntu) | Fix Released | High | LaMont Jones |

Bug Description

The postfix config file has a 'mydestination' parameter. These are the domains for which your mailserver will deliver mail locally.

It also has a 'relay_domains' parameter. These are the domains for which your mailserver will accept mail for delivery from remote untrusted hosts. As a matter of course, your 'mydestination' should be included here since you want to be able to receive mail for yourself as a precondition for delivering it.

To this end, very sanely, the default setting is:

relay_domains = $mydestination

Unfortunately, there is another configuration parameter 'parent_domain_matches_subdomains'. This parameter is very evil. It lists the names of *other* configuration parameters for which 'domain.com' should be interpreted as '*.domain.com'.

It includes 'relay_domains' in its default list.

So for example:

mydestination = domain.com

then, by default, relay_domains will also equal domain.com.

*but* relay_domains is _interpreted_ as being *.domain.com.

This means that if someone attempts to send mail to <email address hidden> your server will

(1) accept it
(2) attempt to relay it, but notice the subdomain doesn't exist
(3) generate backscatter

The default setup for the mailserver should clearly be that it refuses to accept mail not destined for it from untrusted hosts.

The fix for this is to add 'parent_domain_matches_subdomains =' (ie: set it to empty).

Even the postfix documentation says this feature will be disabled soon:

      This is planned backwards compatibility: eventually,
      all Postfix features are expected to require explicit
      ".domain.tld" style patterns when you really want to
      match subdomains.

 -- http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains

Cheers

Allison Karlitskaya (desrt) wrote :

Note:

setting 'relay_domains =' also fixes the problem: it seems that postfix will accept mail for delivery by virtue of it being in relay_domains -or- mydestination.
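
The check below is an added example, not part of the original report or of Postfix itself: it models the relay_domains matching described above and flags a main.cf whose nonexistent subdomains would be accepted, then shows that either fix from the report clears the flag. The DEFAULTS table, the sample configs and all function names are assumptions made for illustration; lookup tables and the rest of Postfix's access logic are not modelled.

```python
import re

# Defaults as the bug report describes them before the fix (assumption: only the
# relay_domains entry of the real parent_domain_matches_subdomains list is modelled).
DEFAULTS = {"mydestination": "", "relay_domains": "$mydestination",
            "parent_domain_matches_subdomains": "relay_domains"}
# Constructed sample configs: the report's example, then each of its two fixes.
PRE_FIX = "mydestination = domain.com\n"
FIX_NO_SUBDOMAINS = PRE_FIX + "parent_domain_matches_subdomains =\n"
FIX_NO_RELAY = PRE_FIX + "relay_domains =\n"

def parse_main_cf(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    params, last = dict(DEFAULTS), None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:
            params[last] += " " + line.strip()
        elif "=" in line:
            last, value = (s.strip() for s in line.split("=", 1))
            params[last] = value
    return params

def expand(params, name, depth=0):
    """Expand $name / ${name} references, then split on commas and whitespace."""
    if depth > 5:  # guard against self-referencing parameters
        return []
    value = re.sub(r"\$\{?(\w+)\}?",
                   lambda m: " ".join(expand(params, m.group(1), depth + 1)),
                   params.get(name, ""))
    return [v.lower() for v in re.split(r"[,\s]+", value) if v]

def relay_accepts(params, rcpt_domain):
    """True if rcpt_domain matches relay_domains under the semantics described."""
    implicit = "relay_domains" in expand(params, "parent_domain_matches_subdomains")
    rcpt = rcpt_domain.lower()
    for pat in expand(params, "relay_domains"):
        if ":" in pat or "/" in pat:  # lookup tables are not modelled here
            continue
        # Subdomains match via an explicit ".domain.tld" pattern or the legacy list.
        subdomain_ok = implicit or pat.startswith(".")
        if rcpt == pat or (subdomain_ok and rcpt.endswith("." + pat.lstrip("."))):
            return True
    return False

def backscatter_risk(text, probe="no-such-host"):
    """mydestination domains whose nonexistent subdomains would be accepted."""
    p = parse_main_cf(text)
    return [d for d in expand(p, "mydestination") if relay_accepts(p, f"{probe}.{d}")]
```

Pass it the text of main.cf or the output of `postconf -n`; a non-empty result lists the affected domains. DEFAULTS must be adjusted to match the defaults of the installed package.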

Allison Karlitskaya (desrt) wrote :

Two more potential (somewhat less good) solutions:

1: You can set
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain

then your host will accept mail for existent-sub.domain.com but not non-existent-sub.domain.com (this is done by the reject_unknown_recipient_domain). Unfortunately, this will accept mail for any hostname that has an A record, regardless of if an MX is running there or not.

2: You can use the techniques described here: http://www.postfix.org/ADDRESS_VERIFICATION_README.html

Unfortunately this uses a lot of resources and might get you blacklisted by more aggressive mail providers (or rather, mail providers that don't appreciate your particular variety of aggressiveness).

Changed in postfix:
assignee: nobody → lamont
importance: Undecided → High
milestone: none → ubuntu-8.10-beta
status: New → Confirmed
Michael Flaig (mflaig) wrote :

mydestination should be set to the hostname of the machine or any domain it accepts mail for and serves its mailboxes locally.
If postfix is just the relay for this domain you should set relay_domains and not mydestination.

IMHO, there should be no reason for setting mydestination and relay_domains to the same value. Did I miss something?
What is relay_domains = $mydestination then good for?

To Ryan:
In the old days you also sent mail from one host to any other not using central mailservers. You sent mail to the <email address hidden>

LaMont Jones (lamont)
Changed in postfix:
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postfix - 2.5.5-1

---------------
postfix (2.5.5-1) unstable; urgency=low

  [Wietse Venema]

  * local file descriptor leak with 2.6 kernels and epoll.

postfix (2.5.4-2) unstable; urgency=low

  [Nicolas Valcárcel]

  * Add ufw integration (from 2.5.4-1ubuntu2)

  [LaMont Jones]

  * mail_params: drop relay_domains from default
    parent_domain_matches_subdomains. LP: #242383

  [Kees Cook]

  * debian/{control,rules}: enable PIE hardening (from 2.5.4-1ubuntu1)

  [Scott Kitterman]

  * Add postfix-add-{filter,policy} scripts for easier integration of
    same. LP: #247332

 -- LaMont Jones <email address hidden> Wed, 03 Sep 2008 15:04:54 +0100

Changed in postfix:
status: Fix Committed → Fix Released