default postfix config creates backscatter
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
postfix (Ubuntu) | Fix Released | High | LaMont Jones |
Bug Description
The postfix config file has a 'mydestination' parameter. These are the domains for which your mailserver will deliver mail locally.
It also has a 'relay_domains' parameter. These are the domains for which your mailserver will accept mail for delivery from remote untrusted hosts. As a matter of course, your 'mydestination' should be included here since you want to be able to receive mail for yourself as a precondition for delivering it.
To this end, very sanely, the default setting is:
relay_domains = $mydestination
Unfortunately, there is another configuration parameter 'parent_
It includes 'relay_domains' in its default list.
So for example:
mydestination = domain.com
then, by default, relay_domains will also equal domain.com.
*but* relay_domains is _interpreted_ as being *.domain.com.
This means that if someone attempts to send mail to <email address hidden> your server will
(1) accept it
(2) attempt to relay it, but notice the subdomain doesn't exist
(3) generate backscatter
The default setup for the mailserver should clearly be that it refuses to accept mail not destined for it from untrusted hosts.
The fix for this is to add 'parent_
Even the postfix documentation says this feature will be disabled soon:
This is planned backwards compatibility: eventually,
all Postfix features are expected to require explicit
".domain.tld" style patterns when you really want to
match subdomains.
-- http://
Cheers
Changed in postfix:
assignee: nobody → lamont
importance: Undecided → High
milestone: none → ubuntu-8.10-beta
status: New → Confirmed
Changed in postfix:
status: Confirmed → Fix Committed
Note:
setting 'relay_domains =' also fixes the problem: it seems that postfix will accept mail for delivery by virtue of it being in relay_domains -or- mydestination.
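
An added example (not part of the report or of Postfix) that models the matching described above and checks a main.cf for it. It assumes literal domain patterns only, uses Postfix's `parent_domain_matches_subdomains` parameter name, and the function names and sample configs are constructed for illustration.

```python
import re

# Simplified model: literal domain patterns only (no lookup tables, no "!").
# Postfix's real default parent-matching list is longer; only relay_domains matters here.
DEFAULTS = {
    "relay_domains": "$mydestination",
    "parent_domain_matches_subdomains": "relay_domains",
}

def parse_main_cf(text):
    """Parse main.cf text: 'name = value', '#' comments, indented continuations."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:
            params[last] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params

def setting(name, params):
    """Effective value with $name / ${name} references expanded."""
    raw = params.get(name, DEFAULTS.get(name, ""))
    return re.sub(r"\$\{?(\w+)\}?", lambda m: setting(m.group(1), params), raw)

def as_list(value):
    return [v.lower() for v in re.split(r"[,\s]+", value) if v]

def relay_domains_match(domain, params):
    """True if relay_domains would match this recipient domain."""
    parent_style = "relay_domains" in as_list(
        setting("parent_domain_matches_subdomains", params))
    domain = domain.lower()
    for pat in as_list(setting("relay_domains", params)):
        if domain == pat:
            return True
        if parent_style and domain.endswith("." + pat):
            return True      # bare "domain.com" also matches its subdomains
        if not parent_style and pat.startswith(".") and domain.endswith(pat):
            return True      # subdomains only via explicit ".domain.com"
    return False

# Constructed sample configs: the reported default and the two fixes.
DEFAULT_CF = "mydestination = domain.com\n"
FIX_PARENT = DEFAULT_CF + "parent_domain_matches_subdomains =\n"
FIX_RELAY = DEFAULT_CF + "relay_domains =\n"
```

Calling `relay_domains_match("nonexistent.domain.com", parse_main_cf(DEFAULT_CF))` returns `True` for the reported default and `False` for either fix.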