V-38622: Restricted mail relaying

This option is configurable and documented. Implements: blueprint security-hardening Change-Id: I315fb71dc9495c805cf1c799469418cbcb06136d
2015-10-13 08:18:19 -05:00 · 2015-10-13 08:18:19 -05:00 · 4bcfe2e26c
commit 4bcfe2e26c
parent 9bac117f6e
4 changed files with 47 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -177,3 +177,14 @@ disable_usb_storage: no
 #
 sysctl_tunable:
  tcp_syncookies: 1                               # V-38539
+
+## Postfix
+# The STIG requires inet_interfaces to be set to 'localhost', but Ubuntu will
+# configure it to be 'all' when dpkg-reconfigure is unavailable (as it is when
+# Ansible installs packages). The default here is 'localhost' to meet the STIG
+# requirement, but some deployers may want this set to 'all' if their hosts
+# need to receive emails over the network (which isn't common).
+#
+# See the documentation for V-38622 for more details.
+#
+postfix_inet_interfaces: localhost                # V-38622
--- a/doc/source/developer-notes/V-38622.rst
+++ b/doc/source/developer-notes/V-38622.rst
@ -0,0 +1,19 @@
+The STIG requires that postfix only listens on the localhost so that it isn't
+abused as a mail relay. The Ansible task will adjust the ``inet_interfaces``
+line in the Postfix configuration and restart postfix if the line is changed.
+
+Although it's not common, some deployers may need to configure hosts so they
+can receive email over the network. In that case, deployers would need to set
+the following Ansible variable:
+
+.. code-block:: yaml
+
+    postfix_inet_interfaces: all
+
+Note that postfix can have ``inet_interfaces`` set to ``localhost`` and it can
+still send email on the network. The ``inet_interfaces`` directive only
+controls where postfix **listens** for incoming email.
+
+For more information, review the postfix documentation for `inet_interfaces`_.
+
+.. _inet_interfaces: http://www.postfix.org/postconf.5.html#inet_interfaces
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -24,6 +24,11 @@
    name: chrony
    state: restarted

+- name: restart postfix
+  service:
+    name: postfix
+    state: restarted
+
 - name: restart ssh
  service:
    name: ssh
--- a/tasks/mail.yml
+++ b/tasks/mail.yml
@ -46,3 +46,15 @@
    - mail
    - cat2
    - V-38446
+
+- name: V-38622 - Mail relaying must be restricted
+  lineinfile:
+    dest: /etc/postfix/main.cf
+    regexp: "^(#)?inet_interfaces"
+    line: "inet_interfaces = {{ postfix_inet_interfaces }}"
+  notify:
+    - restart postfix
+  tags:
+    - mail
+    - cat2
+    - V-38622