Discussion:
mynetworks w/out 127.0.0.1
Chris
2004-08-03 03:24:52 UTC
What are the ramifications if I don't list 127.0.0.1/8
in mynetworks?

Example:
mynetworks = 123.123.123.123/8

Being that there aren't any users logging on to the server itself.
--
Best regards,
Chris
Terry Gilsenan
2004-08-03 04:02:17 UTC
From: "Chris" <***@makeworld.com>
To: "Postfix - Users" <postfix-***@postfix.org>
Sent: Tuesday, August 03, 2004 1:24 PM
Subject: mynetworks w/out 127.0.0.1
Post by Chris
What are the ramifications if I don't list 127.0.0.1/8
in mynetworks?
mynetworks = 123.123.123.123/8
Being that there aren't any users logging on to the server itself.
I could be waaaaaay wrong here, but I would guess that if you are using
filtering and other processes that you would either have a really seriously
insecure server, or you would have a configuration nightmare.

But, having said that, I am more often wrong (about almost(??) everything)
than I am right.

T
Chris
2004-08-03 04:07:29 UTC
Post by Terry Gilsenan
Sent: Tuesday, August 03, 2004 1:24 PM
Subject: mynetworks w/out 127.0.0.1
Post by Chris
What are the ramifications if I don't list 127.0.0.1/8
in mynetworks?
mynetworks = 123.123.123.123/8
Being that there aren't any users logging on to the server itself.
I could be waaaaaay wrong here, but I would guess that if you are using
filtering and other processes that you would either have a really seriously
insecure server, or you would have a configuration nightmare.
But, having said that, I am more often wrong (about almost(??) everything)
than I am right.
T
Ok - lemme rephrase. Along with a legit IP in the above example, is it
required to have 127.0.0.1/8? If yes, what happens if it's not there?
If no - are there ramifications?

Perhaps I didn't articulate (being late and working long hours).
--
Best regards,
Chris
Rob Chanter
2004-08-03 04:28:28 UTC
Post by Chris
Ok - lemme rephrase. Along with a legit IP in the above example, is it
required to have 127.0.0.1/8? If yes, what happens if it's not there?
If no - are there ramifications?
Should be 127.0.0.0/8 or 127.0.0.1/32.
Post by Chris
Perhaps I didn't articulate (being late and working long hours).
Not required AFAIK, but it won't prevent mail being submitted locally
unless you also secure the sendmail binary and anything else that might
invoke postdrop or otherwise put things in the maildrop queue.

Even then, someone logged in locally can still connect to the
non-loopback address. Apart from multi-instance setups, I can't think of
any reason you'd want to omit localhost from inet_interfaces.

cheers
rob c
Victor Duchovni
2004-08-03 12:01:41 UTC
Post by Rob Chanter
Post by Chris
Ok - lemme rephrase. Along with a legit IP in the above example, is it
required to have 127.0.0.1/8? If yes, what happens if it's not there?
If no - are there ramifications?
Should be 127.0.0.0/8 or 127.0.0.1/32.
Yes, good catch!
Post by Rob Chanter
Post by Chris
Perhaps I didn't articulate (being late and working long hours).
Not required AFAIK, but it won't prevent mail being submitted locally
unless you also secure the sendmail binary and anything else that might
invoke postdrop or otherwise put things in the maildrop queue.
Local mail submission is not via SMTP, so mynetworks does not apply.
There is no requirement to list 127.0.0.1 in mynetworks unless there
are applications that need relay rights and talk SMTP to 127.0.0.1
on port 25 (re-injection from content_filters is usually handled with
explicit restrictions in master.cf or a second Postfix instance also
with separate restrictions).
Post by Rob Chanter
Even then, someone logged in locally can still connect to the
non-loopback address. Apart from multi-instance setups, I can't think of
any reason you'd want to omit localhost from inet_interfaces.
Yes, there is not much to be gained by leaving it out; note the OP is
talking about mynetworks (relay access), not inet_interfaces (where the
server listens).
--
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

Rob Chanter
2004-08-03 23:39:03 UTC
Post by Victor Duchovni
Post by Rob Chanter
Post by Chris
Ok - lemme rephrase. Along with a legit IP in the above example, is it
required to have 127.0.0.1/8? If yes, what happens if it's not there?
If no - are there ramifications?
Should be 127.0.0.0/8 or 127.0.0.1/32.
Yes, good catch!
Post by Rob Chanter
Post by Chris
Perhaps I didn't articulate (being late and working long hours).
Not required AFAIK, but it won't prevent mail being submitted locally
unless you also secure the sendmail binary and anything else that might
invoke postdrop or otherwise put things in the maildrop queue.
Local mail submission is not via SMTP, so mynetworks does not apply.
There is no requirement to list 127.0.0.1 in mynetworks unless there
are applications that need relay rights and talk SMTP to 127.0.0.1
on port 25 (re-injection from content_filters is usually handled with
explicit restrictions in master.cf or a second Postfix instance also
with separate restrictions).
I should have worded it better. By local I meant "someone who is logged
on locally managing to send mail". I think we're in violent agreement.

We have some apps here in which the developers chose to use SMTP to
localhost rather than local submission. I'm sure they have their
reasons.
Post by Victor Duchovni
Post by Rob Chanter
Even then, someone logged in locally can still connect to the
non-loopback address. Apart from multi-instance setups, I can't think of
any reason you'd want to omit localhost from inet_interfaces.
Yes, there is not much to be gained by leaving it out; note the OP is
talking about mynetworks (relay access), not inet_interfaces (where the
server listens).
Oops. But the same considerations mostly apply. Now I think of it, if
you define a border MTA as untrusted (that is, assumed to be potentially
compromised at any time) and you want to be paranoid, it might make some
sense to omit localhost from trusted networks. But even then, probably
not.

cheers
rob
Peter Hessler
2004-08-04 05:11:39 UTC
On Wed, 4 Aug 2004 09:34:59 +1000, Rob Chanter
Post by Rob Chanter
We have some apps here in which the developers chose to use SMTP to
localhost rather than local submission. I'm sure they have their
reasons.
chroot'd apps are an excellent example.
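Added illustration (not configuration from any poster in this thread) of the split Viktor describes and the apps Rob and Peter mention: mynetworks grants relay rights to SMTP clients only, local submission via sendmail/postdrop never consults it, and a content_filter re-injection listener in master.cf carries its own explicit restrictions. The LAN range 192.0.2.0/24 and the filter port 10025 are assumptions.

```conf
# main.cf (added example, not a poster's setup)
#
# Relay rights for SMTP clients only. Local submission through
# /usr/sbin/sendmail -> postdrop -> maildrop queue never consults
# mynetworks, so loopback here only matters for programs (chroot'd
# apps, or apps that simply chose SMTP) talking to 127.0.0.1 port 25.
# The OP's 123.123.123.123/8 has host bits set; the assumed LAN below
# is written as a network address. Drop 127.0.0.0/8 if nothing on the
# box speaks SMTP to localhost.
mynetworks = 127.0.0.0/8, 192.0.2.0/24
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# master.cf (assumed content_filter re-injection port 10025)
#
# The filter hands mail back on loopback. This listener trusts loopback
# through its own -o overrides, so the global mynetworks may omit
# 127.0.0.0/8 entirely while re-injection keeps working.
127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o mynetworks=127.0.0.0/8
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
```

With this layout a user logged in locally still has postdrop and the non-loopback address, as Rob notes, so omitting loopback from mynetworks narrows relay access but does not stop local sending.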