There is a lot of flawed reasoning about security... take, for example:

On Mon, 9 Dec 2019, LuKreme wrote:
> On Dec 9, 2019, at 12:58, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote
> [...]
> > unauthenticated loopback (and other "mynetworks")
> > traffic is normal.
>
> The configuration as posted, and specifically the line I quoted directly above my comment, allowed unauthenticated traffic from anything on the LAN. This means random printers, IoT devices, Android phones, etc. were allowed to send mail unchecked. I consider that a security hole.

"Am I secure?" That's a philosophical question. Will I have enough for retirement? Can I ever feel secure as long as there is a dolphin in danger on the planet? Or... there's no point in trying, because a meteoroid will wipe us all out. Go on, knock yourself out.

"Do I know the ground on which I fight?" That is not a philosophical question. Have you prepared a welcome reception for unexpected guests? Do you know what they will find when they climb over that fence? Do you know what it will look like if someone is actively nosing around?

"Will they cry and wish for a job flipping burgers?" Good job! Very good job, indeed!


But seriously now: what's the risk? What happens if that risk is realized (severity)?

If someone sends unauthenticated mail outbound to my mail server, is that a problem? Doesn't that depend on where the mail is being delivered? Could mail be wrongly addressed (and hence wrongly delivered)? Will anything I do around authentication mitigate that?

Case in point (because journald hasn't solved the problem): I still find it convenient to send unencrypted logs with UDP and emailed system notifications to a central collector. If I didn't see email then eventually I'd notice and be suspicious enough to take a look. But really, experience shows that I'm more likely to notice a problem because there is something out of the ordinary in one of those ordinary emails. I really, really want to get those emails if they're being sent; I want them sooo bad, I don't want anything to get in the way of that. Like authentication.

They're not encrypted, either. What's the danger if someone reads a system notification in transit or on the central collector? Seriously, this is a trick question; I'll wait while you formulate a mental answer.

Ok ready? The danger is that they're in my fabric or collector!


If I had people randomly showing up and attempting to send emails from random devices which I allowed to connect to the network I control, I'd have a different security posture.

If I were providing this as a service to random personnel, I'd authenticate them; if they were supposed to have a clue, however, I'd pwn their network connection; after all, I have to determine who's really in control of that device. ;-)

Further TTPs left to the imagination of the reader, because OpSec.


Some may recall me as the author of TruAlias, which I run on localhost on my mail server. I'm seriously thinking of opening it up to other machines I (personally) expect people to send email from, however, because it's handy to be able to test aliases (without sending email to them). Maybe I'll make it a web service: is it really that much different in practice from a corporate directory?

Postfix's local(8) considers TCP maps for alias resolution a Security Risk To Be Prevented, even on loopback. I take all of this very seriously, since it prevents me from running TruAlias for local delivery. I take it so seriously, I disable the security checks which prevent it and recompile. More as a point of comic relief, I observe that altering the source code and recompiling means that exploits crafted against a widely distributed binary have a greatly diminished chance of functioning properly; but I really should hammer local(8) for pwnage this way some day.

I run a copy of TruAlias naked exposed to the internet as a demo as well. Theoretically I suspect you could lock up a core, but it hasn't happened; I'd notice.


It's the system's fault...

--

Fred Morris

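The disagreement quoted at the top of the message turns on one Postfix parameter: any client whose address matches `mynetworks` passes `permit_mynetworks` in `smtpd_relay_restrictions` and may relay without SMTP AUTH. The following is an added example, not code from the thread or from Postfix, that parses `mynetworks` out of two constructed main.cf fragments (the LAN-wide setting LuKreme objected to, and a loopback-only one) and reports which of a few made-up LAN devices would be allowed to relay unauthenticated under each. The main.cf snippets, the device addresses and the helper names are all assumptions for illustration; only literal CIDR entries in `mynetworks` are handled, not table lookups (`hash:`, `cidr:`) or `mynetworks_style`.

```python
"""Added example (not part of the thread): which clients does a Postfix
``mynetworks`` value let relay without SMTP AUTH?

Postfix trusts every client whose address matches ``mynetworks`` when
``permit_mynetworks`` appears in a restriction list (it does in the
default ``smtpd_relay_restrictions``). The script parses ``mynetworks``
from a constructed main.cf fragment and says whether a given client
address would be trusted, so a LAN-wide setting can be compared with a
loopback-only one.
"""
import ipaddress
import re

# Constructed main.cf fragments, assumed for illustration.
WEAK_MAIN_CF = """
# Trust every host on the LAN: printers, IoT gadgets, phones ...
mynetworks = 127.0.0.0/8 [::1]/128 192.168.1.0/24
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
"""

TIGHT_MAIN_CF = """
# Trust only loopback; everything else must authenticate.
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
"""


def parse_param(main_cf: str, name: str) -> str:
    """Return the value of parameter `name` from main.cf text.

    The last assignment wins, as in Postfix. Commented lines are
    skipped because '#' is not whitespace. Continuation lines and
    $variable expansion are not handled (assumption: flat fragments).
    """
    value = ""
    for line in main_cf.splitlines():
        m = re.match(r"^\s*" + re.escape(name) + r"\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip()
    return value


def parse_mynetworks(value: str):
    """Turn a mynetworks value into ip_network objects.

    Postfix writes IPv6 networks in brackets, e.g. [::1]/128, and a
    bare address stands for a single host. Entries are separated by
    whitespace or commas. Table lookups (hash:, cidr:) are not handled.
    """
    nets = []
    for tok in re.split(r"[\s,]+", value):
        if not tok:
            continue
        m = re.match(r"^\[([^\]]+)\](?:/(\d+))?$", tok)
        if m:  # bracketed IPv6 form -> plain address/prefix
            tok = m.group(1) + ("/" + m.group(2) if m.group(2) else "")
        nets.append(ipaddress.ip_network(tok, strict=False))
    return nets


def trusted_client(main_cf: str, client: str) -> bool:
    """True if `client` would pass permit_mynetworks under this main.cf."""
    addr = ipaddress.ip_address(client)
    restrictions = parse_param(main_cf, "smtpd_relay_restrictions")
    if "permit_mynetworks" not in restrictions:
        return False  # nothing grants mynetworks clients a free pass
    # An IPv4 address never matches an IPv6 network and vice versa.
    return any(addr in net for net in parse_mynetworks(parse_param(main_cf, "mynetworks")))


def audit(main_cf: str, clients):
    """Map each client address to whether it may relay unauthenticated."""
    return {c: trusted_client(main_cf, c) for c in clients}


if __name__ == "__main__":
    # Constructed LAN inhabitants, echoing the quoted complaint.
    devices = {"127.0.0.1": "the mail host itself",
               "192.168.1.50": "a network printer",
               "192.168.1.77": "an Android phone",
               "10.0.0.9": "a host on another subnet"}
    for label, cf in (("weak", WEAK_MAIN_CF), ("tight", TIGHT_MAIN_CF)):
        print(f"--- {label} mynetworks ---")
        for ip, ok in audit(cf, devices).items():
            print(f"{ip:14} {devices[ip]:28} relay without AUTH: {ok}")
```

Run against a real main.cf, the same check is worth doing with `postconf mynetworks` rather than by reading the file, because an unset `mynetworks` is derived from `mynetworks_style` (whose default became `host` in Postfix 3.0; older installs defaulted to `subnet`, which is exactly the whole-LAN trust described above).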