Writing

Software, technology, sysadmin war stories, and more. Feed
Wednesday, November 7, 2012

Postfix's default relay settings might be trouble

A recent consulting gig where I needed to configure Postfix reminded me of some interesting problems I encountered while working as a web hosting support tech. One of them is that all of the servers used by customers tend to share address space with other customers who are completely unrelated. They may be in the same subnet as you and might even be physically racked right next to you, but that's it. They have no right to access your systems or anything else of the sort.

However, one of the ways Postfix can be installed is to allow relaying for the same subnet as the server. So, if you're 192.168.1.10 with a netmask of 255.255.255.0, then 192.168.1.123 can shoot mail through you without so much as a login. Normally, this isn't a problem, since people with their own servers tend to just send mail directly. However, when a server runs evil code, those holes tend to be found and exploited.

One night, we had a customer contact us because he had been listed as a spam source. I did some looking around, and sure enough, his machine had been blasting out garbage to the world. Further inspection of the headers showed that it was being relayed for some other box which was nearby due to that naive setting.

Sure, I imagine that once upon a time, you could assume that another host on the same network as you was probably okay in terms of relaying. I used to set up my sendmail instances this way, back before the days of SMTP AUTH and things like that. If you had one of my IPs, you could relay through me.

Trouble is, with a shared network such as those used by web hosting providers, that just doesn't work. Those defaults are a huge hole just waiting to be exploited by someone who sniffs around and notices it.

I'm sure there are plenty of other things out there which assume a "kinder, gentler LAN" where nearby hosts which could be trusted. I also have a feeling we're going to see more of this as IPv6 ramps up and people lose track of exactly what is theirs and what might be someone else. I already wrote about the problems of forgetting to firewall IPv6 services earlier this year. In short, even if you don't have IPv6 connectivity to the world, you probably have it to your subnet neighbors! If you're relying on iptables alone, you'd better read up on ip6tables too.

As for my customer with the open relay, I fixed his config issue and told him what was up. The last I heard was that he was taking it up with the AUP department to see about starting some kind of legal matter with the other customer. I'm sure that was a barrel of laughs, and I'm definitely glad I didn't have to participate in it.

Regarding Postfix and defaults, well, if you're running it on a network you don't trust, you might want to see just what you have in your 'mynetworks' setting. What you find might frighten you.