Re: [SLUG] Postfix SNAFU

From: Wayne Pollock (pollock@acm.org)
Date: Sat Jul 10 2004 - 21:23:59 EDT


Modern sendmail is configured to use libwrap (TCP Wrappers). You can
thus add "ALL: ALL" to hosts.deny, and "sendmail: LOCAL" (or something
similar) to hosts.allow. Frankly I like sendmail better than postfix
and I think you should consider making the switch.

Preventing spoofed IP addresses is a simple matter of turning on the
Linux rp_filter for each interface. This filter drops packets with
incorrect source IP addresses (e.g., a src addr of 127.0.0.1 coming in
on eth0). This is done via sysctl.conf in Fedora. Here's a sample
sysctl.conf file showing several security settings:

/etc> more sysctl.conf
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
# Disables replies to broadcast ICMP echo (ping), to
# prevent a common DoS attack:
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable all source routing and ICMP redirects for security:
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0

Hope this helps!

-Wayne
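
The two checks this thread relies on, as an added example that is not part of
any message in it: how a Postfix mynetworks entry such as 127.0.0.1/32 versus
127.0.0.1/8 decides which clients are trusted, and how strict rp_filter (value
1) drops a packet whose source address could not have arrived on that interface.
The ROUTES table is a constructed sample routing table, and the function names
are this example's own.

```python
"""Added example: mynetworks matching and a strict reverse-path (rp_filter) check."""
import ipaddress

# Constructed routing table as the kernel's reverse-path check sees it:
# (destination prefix, interface the kernel would send replies out of).
ROUTES = [
    ("127.0.0.0/8", "lo"),
    ("192.168.1.0/24", "eth0"),
    ("0.0.0.0/0", "eth0"),  # default route
]


def in_mynetworks(client_ip, mynetworks):
    """True if Postfix would treat client_ip as a trusted (relaying) client.

    mynetworks is a list of net/mask strings as written in main.cf.
    strict=False masks off host bits, so 127.0.0.1/8 behaves as 127.0.0.0/8,
    i.e. every 127.x.x.x address is trusted; 127.0.0.1/32 trusts one address.
    """
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in mynetworks)


def reverse_path_ok(src_ip, ingress_iface, routes=ROUTES):
    """Strict reverse-path check (rp_filter = 1).

    Find the route the kernel would use to reach src_ip (longest prefix match).
    The packet passes only if that route leaves via the interface the packet
    arrived on; a source of 127.0.0.1 seen on eth0 therefore fails.
    """
    ip = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best is not None and best[1] == ingress_iface


def accepted_for_relay(src_ip, ingress_iface, mynetworks):
    """Combined verdict: the packet must survive rp_filter, then match mynetworks."""
    return reverse_path_ok(src_ip, ingress_iface) and in_mynetworks(src_ip, mynetworks)
```

With mynetworks = 127.0.0.1/32 and rp_filter on, a connection claiming to be
127.0.0.1 on eth0 is dropped before Postfix ever sees it, and 127.0.0.2 on lo
is no longer trusted either.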

Stephen Ames wrote:
> The mynetworks has been set to 127.0.0.1/32.
>
> I have not checked the firewall. Is there a command I can put in the
> main.cf to check for spoofed IPs? Is there a way I can get it to not
> accept mail -- period?
>
> Thanks,
>
> Steve
>
> -----Original Message-----
> From: slug@nks.net [mailto:slug@nks.net] On Behalf Of Levi Bard
> Sent: Saturday, July 10, 2004 9:49 AM
> To: slug@nks.net
> Subject: Re: [SLUG] Postfix SNAFU
>
>>They're at it again! Grrrr. I hate spam! >:(
>>
>>I checked the mynetworks line and it had my local subnet and the
>>127.0.0.1/8 entry. I took out the local subnet and left the
>>127.0.0.1/8 entry. The spam is coming from the outside and they are
>>putting nobody@web1.managedwebservices.com in the To line, and
>>somepoordudes@aol.com ;) in the CC and BCC lines. I have told it not to
>>accept more than 5 recipients, but that only keeps it from getting
>>ridiculous. I really would like to configure it to not accept or relay
>>mail from anybody and only send mail from itself (web contact forms, etc).
>>
>>Here is a section from the main.cf that appears to be talking about
>>just such an idea, but I'm not too sure on how to proceed:
>>
>
> Again, I'd set mynetworks to 127.0.0.1/32, so you're ONLY accepting
> mail from 127.0.0.1, not 127.*.*.*
>
> Also, have you set your firewall to check for spoofed IPs? E.g. someone
> on your external interface claiming to be 127.0.0.1 ?
>
> Try sending mail through it from somewhere else on your lan - does it work?
> -----------------------------------------------------------------------
> This list is provided as an unmoderated internet service by Networked
> Knowledge Systems (NKS). Views and opinions expressed in messages posted
> are those of the author and do not necessarily reflect the official policy
> or position of NKS or any of its employees.



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:23:07 EDT