On April 8, 2018 5:41:37 PM UTC, "Raphaël Halimi" <raphael.hal...@gmail.com> 
wrote:
>Package: postfix
>Version: 3.3.0-1
>Severity: wishlist
>
>Hi,
>
>I report this bug following my own advice in [1].
>
>I have set the severity to wishlist, but from a security point of view,
>it could be considered much higher.
>
>The default Postfix configuration, when keeping the default debconf
>answers, listens on all network interfaces. Unlike what's said in
>#418511, this doesn't make it an open relay though, since mynetworks is
>restricted to localhost. Nevertheless, OP in [1] is IMHO quite right,
>this is still a "network-exposed attack surface".
>
>My rationale is: until Stretch, the "standard" installation comprised
>exim4-daemon-light, which fulfilled all dependencies on the
>"mail-transport-agent" virtual package, which in turn implied that
>users installing Postfix did so manually, and knew what they were
>doing.
>
>Unfortunately, from Stretch onward, now that no MTA is present in the
>standard installation, some dependency chains can end up installing a
>random MTA "unexpectedly" (I put quotes around "unexpectedly", because
>one should always carefully read the list of installed dependencies when
>installing a package, but we all know that users are not always that
>careful).
>
>IMHO it would be wise to change the default answer to the debconf
>question "postfix/main_mailer_type" to "Local only" instead of "Internet
>site", in order to limit the security risk in case Postfix was installed
>"unexpectedly" due to an overlooked dependency chain.
>
>[1] https://bugs.launchpad.net/debian/+source/tlp/+bug/1758798
>
>Regards,

Your example isn't relevant to Debian.  In Ubuntu, Postfix is the default MTA.  
In Debian, it's not.  If a non-default MTA is being pulled in by a package that 
only needs a generic MTA, then it's buggy and should be fixed.

Scott K
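The distinction the bug report draws (listening on all interfaces with mynetworks limited to localhost is network-exposed but not an open relay; "Local only" makes the daemon loopback-only) is easy to check mechanically. The script below is an added example written for this page, not code from the bug report, from Debian's packaging, or from Postfix itself. It classifies a main.cf by its inet_interfaces and mynetworks values, assuming input in the one-line "name = value" form that `postconf -n` prints, and assuming the Postfix 3.x defaults of inet_interfaces = all and mynetworks_style = host (mynetworks limited to the local host) when a parameter is absent. In Debian's packaging the "Local only" debconf answer corresponds to inet_interfaces = loopback-only, which is the value the "local-only" branch recognises. The three sample configurations are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the bug report or the Postfix project):
# classify a Postfix main.cf by how far its SMTP listener is exposed.
# Input: main.cf text in "name = value" form (what `postconf -n` prints),
# one parameter per line, read from stdin. POSIX sh + awk only.
#
# Classes printed by postfix_exposure:
#   local-only  inet_interfaces names only loopback addresses
#   exposed     listens on non-loopback interfaces, but mynetworks holds
#               only loopback ranges: not an open relay, still a
#               network-facing SMTP daemon (the case in this bug report)
#   open-relay  listens on the network AND mynetworks includes a
#               non-loopback range, so Postfix relays for that range

# get_param NAME DEFAULT: print the value of NAME from the config on
# stdin, or DEFAULT when NAME is not set. Comment lines are ignored.
get_param() {
    awk -v k="$1" -v d="$2" '
        /^[ \t]*#/ { next }
        { sub(/^[ \t]+/, "") }
        index($0, k " ") == 1 || index($0, k "=") == 1 {
            sub(/^[^=]*=[ \t]*/, ""); v = $0; found = 1
        }
        END { print (found ? v : d) }'
}

# all_loopback LIST: succeed if every comma/space-separated entry is a
# loopback address, a loopback CIDR range, "localhost" or "loopback-only".
all_loopback() {
    echo "$1" | tr ',' ' ' | awk '
        { for (i = 1; i <= NF; i++)
            if ($i !~ /^(loopback-only|localhost|127\.[0-9.]+(\/[0-9]+)?|\[?::1\]?(\/128)?|\[::ffff:127\.[0-9.]+\](\/[0-9]+)?)$/)
                exit 1 }'
}

# postfix_exposure: read a config on stdin, print one of the classes above.
# Defaults assumed when unset: inet_interfaces = all (Postfix default) and
# a loopback-only mynetworks (mynetworks_style = host, the 3.x default).
postfix_exposure() {
    cfg=$(cat)
    ifaces=$(printf '%s\n' "$cfg" | get_param inet_interfaces all)
    nets=$(printf '%s\n' "$cfg" | get_param mynetworks "127.0.0.0/8 [::1]/128")
    if all_loopback "$ifaces"; then
        echo local-only
    elif all_loopback "$nets"; then
        echo exposed
    else
        echo open-relay
    fi
}

# Constructed sample configurations (not copied from any real host).
DEFAULT_INTERNET_SITE='inet_interfaces = all
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128'
LOCAL_ONLY='inet_interfaces = loopback-only
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128'
RELAY_FOR_LAN='inet_interfaces = all
mynetworks = 127.0.0.0/8 [::1]/128 192.168.1.0/24'

# Demo: classify the three samples.
for name in DEFAULT_INTERNET_SITE LOCAL_ONLY RELAY_FOR_LAN; do
    eval "cfg=\$$name"
    printf '%-22s %s\n' "$name" "$(printf '%s\n' "$cfg" | postfix_exposure)"
done
```

On a live Debian host the same function can be fed the real configuration with `postconf -n | postfix_exposure`; a result of "exposed" is exactly the "Internet site" default the report describes. Cross-check the listener itself with `ss -ltn` (port 25 bound to 0.0.0.0 or [::] rather than 127.0.0.1/[::1]), since a main.cf edit only takes effect after Postfix is reloaded.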
