Subject: Re: pppoe(4) man page in conjunction with Postfix leaves gaping
To: Wolfgang S. Rupprecht <wolfgang+gnus20031001T202141@wsrcc.com>
From: Greg Troxel <firstname.lastname@example.org>
Date: 10/02/2003 08:32:01
From: wolfgang+gnus20031001T202141@wsrcc.com (Wolfgang S. Rupprecht)
mynetworks = 127.0.0.1/32, [::1/128]
I basically agree, but this is perhaps a little tight; I would accept
the IP addresses (not networks) actually configured on interfaces.
But I suppose this only matters if people set their own IP address
instead of 127.0.0.1 as a SMTP server.
Being a bit stronger than Wolfgang:
Postfix is *broken* to accept relaying from any address that does not
belong to the local machine. The notion that the local net can
generally be trusted is simply untenable, and relaying for it - be it
a /30, a /24 or a /8 - should only be turned on by a conscious
decision to do so.
I have to fix this every time I configure postfix; many of my machines
are on networks where I don't wish to trust the rest of the machines.
Whether or not the netmask for the pppoe device ought to be
changed/fixed is another story; netmasks are not particularly
semantically meaningful for PPP devices, and thus arguably /32 makes
sense. But this is really quite separable from the postfix issue.
Greg Troxel <email@example.com>