Changeset 2375


Timestamp:
Feb 21, 2013, 11:59:19 PM (9 years ago)
Author:
andersk
Message:
Tighten scripts vhost mail security

Broken MTAs such as MIT’s will rewrite anyone@awesome-cname.mit.edu to
anyone@scripts-vhosts.mit.edu, in violation of RFC 2821.  (This can be
fixed with the Sendmail nocanonify feature or DontExpandCnames option,
which, bewilderingly, are still not the default.)  To prevent such
mail from being misdirected, remove scripts-vhosts from $mydestination
and let it bounce.

Correct r1452 to match literal periods in scripts.mit.edu.

Reserve the well-known (RFC 2142) email addresses
{abuse,hostmaster,noc,postmaster,security}@every-domain for our own
purposes; /etc/aliases maps these to root.

Tested on scripts-f17-dev.
Location:
trunk/server/fedora/config/etc/postfix
Files:
3 edited

  • trunk/server/fedora/config/etc/postfix/main.cf

    r2354 r2375  
    1010alias_database = hash:/etc/aliases
    1111myorigin = scripts.mit.edu
    12 mydestination = scripts.mit.edu, scripts, $myhostname, scripts-test.mit.edu, scripts-test, scripts-vhosts.mit.edu, scripts-vhosts, localhost
     12mydestination = scripts.mit.edu, scripts, $myhostname, scripts-test.mit.edu, scripts-test, localhost
    1313relayhost =
    1414mynetworks_style = host
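
Review bot: the new `mydestination` on line 12 has no comment saying that scripts-vhosts.mit.edu and scripts-vhosts are left out on purpose, so a later edit could put them back and reopen the misdelivery the commit message describes. Add a comment above the line, for example `# scripts-vhosts is deliberately not a local destination (r2375)`. When testing, confirm that mail to anyone@scripts-vhosts.mit.edu is actually rejected at SMTP time rather than queued or looped, since that outcome depends on how the domain is classified elsewhere in the configuration, which these lines do not show.
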
  • trunk/server/fedora/config/etc/postfix/virtual

    r983 r2375  
    44@webzephyr.mit.edu webzephyr
    55# Domains also match here
     6scripts-vhosts.mit.edu true
    67szs.mit.edu true
    78webzephyr.mit.edu true
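
Review bot: the added line 6, `scripts-vhosts.mit.edu true`, leans on the existing comment "Domains also match here", which does not say why a domain that was just removed from `mydestination` is being listed in this table. Add a short comment next to the entry giving the reason, and noting that the right-hand value is only a placeholder. The reserved-address pattern added to virtual_re in this changeset has no domain restriction, so abuse, hostmaster, noc, postmaster and security at scripts-vhosts.mit.edu will still be accepted; if that is intended, say so here.
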
  • trunk/server/fedora/config/etc/postfix/virtual_re

    r1452 r2375  
    1 /^(.*)@scripts.mit.edu$/ $1@scripts.mit.edu
     1/^(.*)@scripts\.mit\.edu$/ $1@scripts.mit.edu
     2/^(abuse|hostmaster|noc|postmaster|security)@/ $1@scripts.mit.edu
    23/^(.*)@([^@]*)\.scripts\.mit\.edu$/ $2+$1
    34/^([^@]*)\.scripts\.mit\.edu$/ true
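
Review bot: the new line 2, `/^(abuse|hostmaster|noc|postmaster|security)@/ $1@scripts.mit.edu`, only works because it sits above the `$2+$1` rule on line 3, and nothing in the file records that ordering requirement. Regexp tables return the first matching pattern, so add a comment that the reserved-address rule must stay ahead of the per-vhost rule. Two things to check: the pattern requires the local part to be exactly one of the five names, so an address such as postmaster+tag@name.scripts.mit.edu falls through to line 3 and is delivered as name+postmaster+tag; and the rule depends on /etc/aliases entries for all five names, a file that is not among the three touched by this changeset.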