Your message dated Sun, 08 Apr 2018 21:41:01 +0000
with message-id <8c867c8d-0a56-40cc-8c33-473ae2960...@kitterman.com>
and subject line Re: Bug#895238: postfix: consider changing the default mailer 
type to "Local only" instead of "Internet site"
has caused the Debian Bug report #895238,
regarding postfix: consider changing the default mailer type to "Local only" 
instead of "Internet site"
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
895238: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895238
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: postfix
Version: 3.3.0-1
Severity: wishlist

Hi,

I report this bug following my own advice in [1].

I have set the severity to wishlist, but from a security point of view,
it could be considered much higher.

The default Postfix configuration, when keeping the default debconf
answers, listens on all network interfaces. Unlike what's said in
#418511, this doesn't make it an open relay though, since mynetworks is
restricted to localhost. Nevertheless, OP in [1] is IMHO quite right,
this is still a "network-exposed attack surface".

My rationale is: until Stretch, the "standard" installation comprised
exim4-daemon-light, which fulfilled all dependencies on the
"mail-transport-agent" virtual package, which in turn implied that
users installing Postfix did so manually, and knew what they were doing.

Unfortunately, from Stretch onward, now that no MTA is present in the
standard installation, some dependency chains can end up installing a
random MTA "unexpectedly" (I put quotes around "unexpectedly", because
one should always carefully read the list of installed dependencies when
installing a package, but we all know that users are not always that
careful).

IMHO it would be wise to change the default answer to the debconf
question "postfix/main_mailer_type" to "Local only" instead of "Internet
site", in order to limit the security risk in case Postfix was installed
"unexpectedly" because of an overlooked dependency chain.

[1] https://bugs.launchpad.net/debian/+source/tlp/+bug/1758798

Regards,

-- 
Raphaël Halimi

--- End Message ---
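
The distinction drawn in the report above (listening on all interfaces is a network-exposed attack surface, yet not an open relay while mynetworks is restricted to localhost) can be checked separately from `postconf -n` output. This is an added example, not part of the original messages or of the Postfix package; the sample configurations are constructed, and it assumes "Local only" corresponds to `inet_interfaces = loopback-only` and that an absent `inet_interfaces` means `all`. It inspects only the two parameters discussed here, not the full relay restriction lists.

```python
import ipaddress
import re

# Constructed samples in the style of `postconf -n` output (not from the bug report).
INTERNET_SITE = "inet_interfaces = all\nmynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128\n"
LOCAL_ONLY = "inet_interfaces = loopback-only\nmynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128\n"
WIDE_TRUST = "inet_interfaces = all\nmynetworks = 127.0.0.0/8 0.0.0.0/0\n"

def parse(text):
    """Parse 'name = value' lines into a dict, skipping comments and blanks."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def _addr_is_loopback(addr):
    # Handle IPv4-mapped IPv6 explicitly so the result does not depend on Python version.
    mapped = getattr(addr, "ipv4_mapped", None)
    return (mapped if mapped is not None else addr).is_loopback

def token_is_loopback(token):
    """True if one inet_interfaces/mynetworks token covers loopback addresses only."""
    if token in ("loopback-only", "localhost"):
        return True
    try:
        net = ipaddress.ip_network(token.replace("[", "").replace("]", ""), strict=False)
    except ValueError:
        return False  # "all", hostnames, table lookups: not provably loopback
    return _addr_is_loopback(net.network_address) and _addr_is_loopback(net.broadcast_address)

def classify(text):
    """Report listener exposure and relay trust as two independent findings."""
    params = parse(text)
    listen = re.split(r"[,\s]+", params.get("inet_interfaces", "all"))
    # Assumption: an unset mynetworks is flagged, since its effective value
    # then depends on mynetworks_style, which this check does not evaluate.
    trusted = re.split(r"[,\s]+", params.get("mynetworks", "unset"))
    return {
        "network_exposed": not all(token_is_loopback(t) for t in listen),
        "mynetworks_beyond_loopback": not all(token_is_loopback(t) for t in trusted),
    }

if __name__ == "__main__":
    for name, sample in (("internet-site", INTERNET_SITE), ("local-only", LOCAL_ONLY)):
        print(name, classify(sample))
```
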
--- Begin Message ---

On April 8, 2018 6:31:25 PM UTC, "Raphaël Halimi" <raphael.hal...@gmail.com> 
wrote:
>On 08/04/2018 at 20:26, Scott Kitterman wrote:
>> Your example isn't relevant to Debian.  In Ubuntu, Postfix is the
>> default MTA.  In Debian, it's not.  If a non-default MTA is being
>> pulled in by a package that only needs a generic MTA, then it's buggy
>> and should be fixed.
>
>Ah, sorry, I don't use Ubuntu, so I didn't know.
>
>Feel free to close the bug then, if you think it's not relevant.

Closing then.

Thanks,

Scott K

--- End Message ---