V-38622: Restricted mail relaying
This option is configurable and documented.

Implements: blueprint security-hardening
Change-Id: I315fb71dc9495c805cf1c799469418cbcb06136d
parent: 9bac117f6e
commit: 4bcfe2e26c
@ -177,3 +177,14 @@ disable_usb_storage: no
#
sysctl_tunable:
tcp_syncookies: 1 # V-38539
## Postfix
# The STIG requires inet_interfaces to be set to 'localhost', but Ubuntu will
# configure it to be 'all' when dpkg-reconfigure is unavailable (as it is when
# Ansible installs packages). The default here is 'localhost' to meet the STIG
# requirement, but some deployers may want this set to 'all' if their hosts
# need to receive emails over the network (which isn't common).
#
# See the documentation for V-38622 for more details.
#
postfix_inet_interfaces: localhost # V-38622
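Review bot: the new `postfix_inet_interfaces: localhost` default matches what V-38622 asks for, but the comment block should also mention Postfix's `loopback-only` value, which binds every loopback address (IPv4 and IPv6) without depending on how the name `localhost` resolves; `localhost` is what the STIG names, so keep it as the default, but a deployer weighing `localhost` against `all` should know that middle option exists. Also worth one sentence saying that `all` puts the SMTP listener on the network, so the relay restrictions this STIG item is about must be reviewed together with that choice.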
19
doc/source/developer-notes/V-38622.rst
Normal file
@ -0,0 +1,19 @@
The STIG requires that postfix only listens on the localhost so that it isn't
abused as a mail relay. The Ansible task will adjust the ``inet_interfaces``
line in the Postfix configuration and restart postfix if the line is changed.
Although it's not common, some deployers may need to configure hosts so they
can receive email over the network. In that case, deployers would need to set
the following Ansible variable:
.. code-block:: yaml
postfix_inet_interfaces: all
Note that postfix can have ``inet_interfaces`` set to ``localhost`` and it can
still send email on the network. The ``inet_interfaces`` directive only
controls where postfix **listens** for incoming email.
For more information, review the postfix documentation for `inet_interfaces`_.
.. _inet_interfaces: http://www.postfix.org/postconf.5.html#inet_interfaces
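Review bot: the developer note only shows the override (`postfix_inet_interfaces: all`) and never states the default; add a line saying the role sets `localhost` unless the variable is overridden, so the page stands on its own when reached from the "See the documentation for V-38622" pointer in the defaults file. The paragraph explaining that `inet_interfaces` only controls where Postfix listens is a useful clarification and should stay; consider adding that `all` puts the listener on the network and therefore calls for a matching review of relay restrictions, since relay abuse is the concern behind V-38622.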
@ -24,6 +24,11 @@
name: chrony
state: restarted
- name: restart postfix
service:
name: postfix
state: restarted
- name: restart ssh
service:
name: ssh
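Review bot: `state: restarted` rather than `reloaded` is the correct choice for this handler: Postfix only picks up a changed `inet_interfaces` value on a full stop and start, so a reload would report success while the old listener stayed bound. Add a short comment on the handler saying why it is a restart, so it is not later changed to a reload for consistency with the other handlers.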
@ -46,3 +46,15 @@
- mail
- cat2
- V-38446
- name: V-38622 - Mail relaying must be restricted
lineinfile:
dest: /etc/postfix/main.cf
regexp: "^(#)?inet_interfaces"
line: "inet_interfaces = {{ postfix_inet_interfaces }}"
notify:
- restart postfix
tags:
- mail
- cat2
- V-38622
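Review bot: the `regexp: "^(#)?inet_interfaces"` only matches a commented-out line when `#` is immediately followed by the key, so a file containing `# inet_interfaces = all` (with a space) is not matched and `lineinfile` appends a second `inet_interfaces` line after it; a pattern such as `'^(#\s*)?inet_interfaces\s*='` (single-quoted in YAML so the backslashes need no escaping) handles both spellings and also stops the pattern from matching any other key that begins with the same prefix. Separately, `lineinfile` fails when `/etc/postfix/main.cf` does not exist, so unless Postfix installation is guaranteed earlier in the role this task needs a `when` guard or a preceding `stat` check.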