default postfix config creates backscatter
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| postfix (Ubuntu) | | High | LaMont Jones | |
Bug Description
The postfix config file has a 'mydestination' parameter. These are the domains for which your mailserver will deliver mail locally.
It also has a 'relay_domains' parameter. These are the domains for which your mailserver will accept mail for delivery from remote untrusted hosts. As a matter of course, your 'mydestination' should be included here since you want to be able to receive mail for yourself as a precondition for delivering it.
To this end, very sanely, the default setting is:
relay_domains = $mydestination
Unfortunately, there is another configuration parameter 'parent_
It includes 'relay_domains' in its default list.
So for example:
mydestination = domain.com
then, by default, relay_domains will also equal domain.com.
*but* relay_domains is _interpreted_ as being *.domain.com.
This means that if someone attempts to send mail to <email address hidden> your server will
(1) accept it
(2) attempt to relay it, but notice the subdomain doesn't exist
(3) generate backscatter
The default setup for the mailserver should clearly be that it refuses to accept mail not destined for it from untrusted hosts.
The fix for this is to add 'parent_
Even the postfix documentation says this feature will be disabled soon:
This is planned backwards compatibility: eventually,
all Postfix features are expected to require explicit
".domain.tld" style patterns when you really want to
match subdomains.
-- http://
Cheers
| Ryan Lortie (desrt) wrote : | #1 |
| Ryan Lortie (desrt) wrote : | #2 |
Two more potential (somewhat less good) solutions:
1: You can set
smtpd_recipient
then your host will accept mail for existent-
2: You can use the techniques described here: http://
Unfortunately this uses a lot of resources and might get you blacklisted by more aggressive mail providers (or rather, mail providers that don't appreciate your particular variety of aggressiveness).
| Changed in postfix: | |
| assignee: | nobody → lamont |
| importance: | Undecided → High |
| milestone: | none → ubuntu-8.10-beta |
| status: | New → Confirmed |
| Michael Flaig (mflaig) wrote : | #3 |
mydestination should be set to the hostname of the machine or any domain it accepts mail for and serves its mailboxes locally.
If postfix is just the relay for this domain you should set relay_domains and not mydestination
IMHO, there should be no reason for setting mydestination and relay_domains to the same value. Did I miss something?
What is relay_domains = $mydestination then good for?
To Ryan:
In the old days you also sent mail from one host to any other not using central mailservers. You sent mail to the <email address hidden>
| Changed in postfix: | |
| status: | Confirmed → Fix Committed |
| Launchpad Janitor (janitor) wrote : | #4 |
This bug was fixed in the package postfix - 2.5.5-1
---------------
postfix (2.5.5-1) unstable; urgency=low
[Wietse Venema]
* local file descriptor leak with 2.6 kernels and epoll.
postfix (2.5.4-2) unstable; urgency=low
[Nicolas Valcárcel]
* Add ufw integration (from 2.5.4-1ubuntu2)
[LaMont Jones]
* mail_params: drop relay_domains from default
parent_
[Kees Cook]
* debian/
[Scott Kitterman]
* Add postfix-
same. LP: #247332
-- LaMont Jones <email address hidden> Wed, 03 Sep 2008 15:04:54 +0100
| Changed in postfix: | |
| status: | Fix Committed → Fix Released |


Note:
setting 'relay_domains =' also fixes the problem: it seems that postfix will accept mail for delivery by virtue of it being in relay_domains -or- mydestination.
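
A simplified model of the acceptance logic discussed in this report and in the note above, added here as an illustration; it is not Postfix code and not part of the original thread. The function names, the `parent_matching` flag and the sample addresses are assumptions, and only 'mydestination' and 'relay_domains' are modelled.

```python
# Simplified model (an assumption, not Postfix source) of the recipient-domain
# check applied to mail arriving from untrusted hosts.

def matches(domain, patterns, parent_matching):
    """Return True if `domain` matches any entry in `patterns`.

    parent_matching on : "domain.com" matches itself and every subdomain.
    parent_matching off: "domain.com" matches only itself; subdomains need
                         an explicit ".domain.com" style pattern.
    """
    domain = domain.lower().rstrip(".")
    for pat in (p.lower() for p in patterns):
        if domain == pat:
            return True
        if parent_matching and domain.endswith("." + pat):
            return True
        if not parent_matching and pat.startswith(".") and domain.endswith(pat):
            return True
    return False


def accepts(rcpt, mydestination, relay_domains, parent_matching):
    """Would the server accept `rcpt` from an untrusted host?"""
    domain = rcpt.rsplit("@", 1)[-1]
    # Local destinations are matched exactly in this model.
    if matches(domain, mydestination, parent_matching=False):
        return True
    return matches(domain, relay_domains, parent_matching)


# Constructed sample values, following the report's example.
MYDEST = ["domain.com"]
CASES = {
    "default: relay_domains = $mydestination, parent matching on": (MYDEST, True),
    "parent matching off for relay_domains": (MYDEST, False),
    "relay_domains = (empty)": ([], True),
}


def report():
    """Map each case to (own domain accepted, nonexistent subdomain accepted)."""
    return {
        label: (accepts("user@domain.com", MYDEST, relay, parent),
                accepts("user@nonexistent.domain.com", MYDEST, relay, parent))
        for label, (relay, parent) in CASES.items()
    }


if __name__ == "__main__":
    for label, (own, sub) in report().items():
        print(f"{label:62} own={own} subdomain={sub}")
```

Only the first case accepts mail for the nonexistent subdomain, which is the mail that later bounces as backscatter; both fixes keep accepting mail for domain.com itself.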