Default installation should be Local Only
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
postfix (Ubuntu) | Confirmed | Undecided | Unassigned | |
Bug Description
At the moment, an apt-get install postfix has Internet Site as the default, which leaves postfix running and listening on all interfaces. I'm aware of some history around this, i.e. bug 29741, but I don't think that rationale actually makes sense.
We should listen on localhost for the default installation path, i.e. Local Only should be the default.
There are two important reasons why listening on localhost only is sensible:
1. MTA interactions are "stateful", and by this I mean: once an email server is listening as an MX, a transmitting MTA will consider answers from it definitive. If the MX says user doesn't exist, or otherwise rejects the email, then that is final.
2. Once you run an MTA on a public interface on a public host, such as on a public cloud instance, it is immediately available to probing and attacking.
The first is actually what bit me personally -- I have a highly customized setup, with vhosts, LDAP, etc., and I installed the package first to be able to configure it, and immediately after it was installed I started dropping email.
Others have discussed this in the past, including https:/
description: updated
tags: added: server-triage-discuss
Changed in postfix (Ubuntu):
status: Incomplete → Confirmed
Hello Christian, thanks for filing this bug in Ubuntu.
I think your point number 2 has been discussed many times in the past, and it's one of the opinionated differences between Debian systems and, say, Fedora ones. In Debian, the opinion is that services should be running with sensible defaults right after installation. There are pros and cons to both.
The first point is a bit more concerning, though. I was just wondering what led you to this situation, given there are debconf questions covering exactly this use case.
Was it a "next -> next -> finish" type of install, and as such you got that undesired (in your case) default by accident, or was this some sort of automated install where debconf questions cannot be answered unless they are seeded beforehand, like landscape-client for example?
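
The install path discussed in this thread, as an added example that is not part of the bug report or of either comment: seeding the debconf answer so an unattended install selects Local only, then checking that nothing listens on TCP port 25 outside loopback. The function names and sample socket lines are constructed for illustration; `postfix/main_mailer_type` is the debconf question of the Debian/Ubuntu postfix package.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names and the sample
# socket lines are constructed for illustration.

# Seed the postfix package's debconf answer before an unattended install so
# the "Local only" configuration is selected instead of the default.
install_postfix_local_only() {
    echo "postfix postfix/main_mailer_type select Local only" |
        debconf-set-selections
    DEBIAN_FRONTEND=noninteractive apt-get install -y postfix
}

# Read `ss -Hltn` output on stdin and print every local address that
# listens on TCP port 25 and is not loopback. No output: localhost only.
exposed_smtp_listeners() {
    awk '{
        addr = $4                       # "Local Address:Port" column
        n = match(addr, /:[0-9]+$/)     # port follows the last colon
        if (!n) next
        host = substr(addr, 1, n - 1)
        port = substr(addr, n + 1)
        if (port != "25") next
        if (host ~ /^127\./ || host == "[::1]") next
        print addr
    }'
}

# Constructed sample: listeners as they look with "Internet Site".
sample_internet_site() {
    cat <<'EOF'
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 100 [::]:25 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
EOF
}

# Constructed sample: listeners as they look with "Local only".
sample_local_only() {
    cat <<'EOF'
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 100 [::1]:25 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
EOF
}

echo "Internet Site exposes: $(sample_internet_site | exposed_smtp_listeners | tr '\n' ' ')"
echo "Local only exposes:    $(sample_local_only | exposed_smtp_listeners | tr '\n' ' ')"
```

On a live host, run `ss -Hltn | exposed_smtp_listeners`; any output means port 25 is reachable beyond loopback.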