Subject: Re: pppoe(4) man page in conjunction with Postfix leaves gaping relay
To: None <TeCeEm@gmx.de>
From: Jun-ichiro itojun Hagino <itojun@itojun.org>
List: tech-userlevel
Date: 10/02/2003 09:39:52
> the pppoe(4) man page suggests:
> 
> EXAMPLES
>       A typical /etc/ifconfig.pppoe0 file looks like this:
> 
>             [...]
>             inet 0.0.0.0 0.0.0.1
>             [...]
> 
> At first, I simply adopted this example, with the effect that my pppoe0
> interface had a netmask of 0xff000000. This went completely unnoticed. I
> also run Postfix. As per Postfix' default configuration ($mynetworks
> parameter):
> 
> # You can specify the list of "trusted" network addresses by hand
> # or you can let Postfix do it for you (which is the default).
> 
> This means Postfix looks at each interface and uses the ip/mask as an
> indication of trust to allow relaying. I only noticed this when doing
> postconf(1) one day to browse through options wrt fixing another problem.
> 
> I think it's clear that with a pppoe0 interface with mask 0xff000000 any
> user of your provider (and likely more) is allowed to relay through you
> per default, which is unacceptable imho.

	0.0.0.0/8 will not match any source address.  am i mistaken?

itojun
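
Both readings in this thread can be checked mechanically. The following is an added example, not code from either poster or from Postfix: it approximates deriving one trusted network per interface from its address and netmask, using constructed interface data, and the negotiated address 10.1.2.3 keeping the 0xff000000 mask is an assumption.

```python
import ipaddress

# Constructed sample data: (interface, address, netmask as printed by ifconfig).
LINK_DOWN = [
    ("lo0", "127.0.0.1", "0xff000000"),
    ("pppoe0", "0.0.0.0", "0xff000000"),   # placeholder address from the man page example
]
LINK_UP = [
    ("lo0", "127.0.0.1", "0xff000000"),
    ("pppoe0", "10.1.2.3", "0xff000000"),  # assumed: negotiated address, mask unchanged
]

def subnet_of(address, hex_mask):
    """Network implied by an interface address and an ifconfig-style hex netmask."""
    mask = ipaddress.IPv4Address(int(hex_mask, 16))
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)

def trusted_networks(interfaces):
    """Approximation of a subnet-style derivation: one network per interface."""
    return {name: subnet_of(addr, mask) for name, addr, mask in interfaces}

def audit(interfaces, max_hosts=256):
    """Return (interface, network) pairs that are non-loopback and wider than max_hosts."""
    findings = []
    for name, net in trusted_networks(interfaces).items():
        if net.is_loopback:
            continue
        if net.num_addresses > max_hosts:
            findings.append((name, str(net)))
    return findings

def is_trusted(client, interfaces):
    """True if the client address falls inside any derived trusted network."""
    ip = ipaddress.ip_address(client)
    return any(ip in net for net in trusted_networks(interfaces).values())

if __name__ == "__main__":
    for label, ifaces in (("link down", LINK_DOWN), ("link up", LINK_UP)):
        print(label, "wide networks:", audit(ifaces))
        print(label, "10.9.9.9 trusted:", is_trusted("10.9.9.9", ifaces))
```

On a live system the list to compare against is the output of `postconf mynetworks`; setting `mynetworks` by hand or `mynetworks_style = host` in main.cf removes the dependence on interface masks.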