V-38622: Restricted mail relaying

This option is configurable and documented.

Implements: blueprint security-hardening

Change-Id: I315fb71dc9495c805cf1c799469418cbcb06136d
Major Hayden 2015-10-13 08:18:19 -05:00
parent 9bac117f6e
commit 4bcfe2e26c
4 changed files with 47 additions and 0 deletions


@ -177,3 +177,14 @@ disable_usb_storage: no
#
sysctl_tunable:
tcp_syncookies: 1 # V-38539
## Postfix
# The STIG requires inet_interfaces to be set to 'localhost', but Ubuntu will
# configure it to be 'all' when dpkg-reconfigure is unavailable (as it is when
# Ansible installs packages). The default here is 'localhost' to meet the STIG
# requirement, but some deployers may want this set to 'all' if their hosts
# need to receive emails over the network (which isn't common).
#
# See the documentation for V-38622 for more details.
#
postfix_inet_interfaces: localhost # V-38622
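Review bot: the comment above `postfix_inet_interfaces` explains the Ubuntu-specific default but not what the variable accepts; since the task writes it verbatim into `inet_interfaces = {{ postfix_inet_interfaces }}`, say that any value Postfix accepts for `inet_interfaces` is valid here and that `all` is the value a deployer would use to accept mail over the network, so the trailing `# V-38622` tag and the "See the documentation" pointer are enough for the STIG side and the comment can drop the sentence about dpkg-reconfigure, which is already repeated in the docs file.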


@ -0,0 +1,19 @@
The STIG requires that postfix only listens on the localhost so that it isn't
abused as a mail relay. The Ansible task will adjust the ``inet_interfaces``
line in the Postfix configuration and restart postfix if the line is changed.
Although it's not common, some deployers may need to configure hosts so they
can receive email over the network. In that case, deployers would need to set
the following Ansible variable:
.. code-block:: yaml
postfix_inet_interfaces: all
Note that postfix can have ``inet_interfaces`` set to ``localhost`` and it can
still send email on the network. The ``inet_interfaces`` directive only
controls where postfix **listens** for incoming email.
For more information, review the postfix documentation for `inet_interfaces`_.
.. _inet_interfaces: http://www.postfix.org/postconf.5.html#inet_interfaces
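Review bot: the override paragraph should state the trade-off explicitly: the opening sentence says the localhost restriction exists so Postfix "isn't abused as a mail relay", so the `postfix_inet_interfaces: all` snippet re-opens exactly that exposure and the deployer should be told they are accepting it and that the host will then deviate from V-38622. Also confirm the rendered output of this file: the `.. code-block:: yaml` directive needs a blank line after it and an indented body, and as quoted here `postfix_inet_interfaces: all` sits flush with the directive.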


@ -24,6 +24,11 @@
name: chrony
state: restarted
- name: restart postfix
service:
name: postfix
state: restarted
- name: restart ssh
service:
name: ssh


@ -46,3 +46,15 @@
- mail
- cat2
- V-38446
- name: V-38622 - Mail relaying must be restricted
lineinfile:
dest: /etc/postfix/main.cf
regexp: "^(#)?inet_interfaces"
line: "inet_interfaces = {{ postfix_inet_interfaces }}"
notify:
- restart postfix
tags:
- mail
- cat2
- V-38622
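Review bot: the `regexp: "^(#)?inet_interfaces"` in the V-38622 task is looser than it needs to be: it matches any key that merely starts with `inet_interfaces`, and it misses a commented-out line written as `# inet_interfaces = ...` (with a space), in which case `lineinfile` appends a second line at the end of `main.cf` and leaves the original in place. Anchor on the full key, e.g. `regexp: "^#?\\s*inet_interfaces\\s*="`, so the existing line is rewritten rather than duplicated; note also that `lineinfile` with `regexp` replaces only the last matching line, so a `main.cf` that already carries two `inet_interfaces` entries would keep the earlier one.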