
Re: trying to restrict postfix use of port [was trying to restrict exim smtp to specific IP]



On Thu, 21 Jan 2010 13:11:58 +0000, Adam Hardy wrote:

> Camaleón, on 21/01/10 12:29, wrote:

>> Didn't you say this?
>> 
>> ***
>> It should listen like this (or all hell breaks loose on their server
>> farm):
>> 
>> tcp        0      0 10.20.30.40:25          0.0.0.0:*               LISTEN
>> ***
>> 
>> So if that remains true, you do need to open port 25 "locally" and bind
>> Postfix to listen on that IP.
>> 
>> But opening a port "locally" does not mean your SMTP server can be used
>> from remote, in fact it cannot unless:
>> 
>> a) The router (frame relay, xdsl line...) of your ISP/hosting provider
>> is actually forwarding the requests to port 25 to your machine (by
>> using NAT or iptables).
> 
> Yes I did say I wanted postfix to listen on 10.20.30.40:25 but that was
> while I was still trying to work out the basic configuration. Now that I
> am happy that I know why postfix is doing something and that it works, I
> would like to know whether I can completely close port 25.

Mmm... okay, let's paint the big picture (please, correct me if I'm 
wrong) :-)

- You need to be notified by e-mail (remote account) about crontab tasks.

- You do not need a remote e-mail server nor a local e-mail server. 
Only the host running crontab will be allowed to send e-mails from the 
MTA (postfix, exim, whatever...)

So you set up the crontab variable "MAILTO=user@mydomain.com" or 
"MAILTO=localuser".

In every case (being a local or remote user), the mail should follow the 
configured path, that is, it will arrive at the MTA you have installed on 
the host (say Postfix, Exim or any other facility).

Once the e-mail arrives at the MTA, it will be delivered to the e-mail 
address you have defined, and you don't need to do anything.

> One person reckons port 25 has to be open for smtp to send - is that so?
> I don't think so, I thought smtp would open some high numbered port
> temporarily.

In fact, on my *desktop* computer, I've got that port open:

***
sm01@stt008:~$ netstat -an | grep 25
tcp        0      0 127.0.0.1:25            0.0.0.0:*            LISTEN 
***

And I am not running any mail server here: it's just the default desktop 
installation, running Exim.

So, yes, the MTA is listening on that port and I cannot find any 
objection (security issue) to that. No one can send an e-mail from my 
Exim unless they're inside my own computer :-)

> Or does smtp pick up the emails to be sent via port 25?

I think so.

> It just bugs me from a security point of view that the whole world can
> see port 25 open when they look at that machine and some might take it
> into their heads to aim their spam canons at it.

That is quite unlikely to happen. Only if your own host gets cracked by 
someone in the first place; in no way can your computer be reached by 
"telnetting" remotely through port 25.

Greetings,

-- 
Camaleón
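The distinction the thread turns on (an MTA bound to 127.0.0.1:25 versus 0.0.0.0:25 or a specific address such as 10.20.30.40:25) can be checked mechanically. The following shell script is an added example, not code from the thread or from Postfix/Exim: it parses `netstat -an` style output (a constructed sample is embedded) and reports, for each TCP listener on port 25, whether it is loopback-only, bound to all interfaces, or bound to one address.

```shell
#!/bin/sh
# Classify TCP listeners on port 25 from `netstat -an`-style output read on stdin.
# Real use: netstat -tan | classify_smtp_listeners
# Verdicts:
#   loopback-only   127.0.0.1:25 or ::1:25   reachable only from this host
#   all-interfaces  0.0.0.0:25 or :::25      reachable wherever packets can route
#   specific-ip     e.g. 10.20.30.40:25      reachable on that interface (if routed/NATed)
# The Postfix main.cf setting that yields "loopback-only" is: inet_interfaces = loopback-only
classify_smtp_listeners() {
    awk '
    $1 ~ /^tcp/ && $NF == "LISTEN" {
        laddr = $4
        # Split on the last colon so IPv6 forms like :::25 and ::1:25 parse correctly.
        n = split(laddr, parts, ":")
        port = parts[n]
        if (port != "25") next
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        if (addr == "127.0.0.1" || addr == "::1")   verdict = "loopback-only"
        else if (addr == "0.0.0.0" || addr == "::") verdict = "all-interfaces"
        else                                        verdict = "specific-ip"
        print laddr, verdict
    }'
}

# Exit 0 when every port-25 listener is loopback-only (or there is none), 1 otherwise.
smtp_is_local_only() {
    ! classify_smtp_listeners | grep -qv 'loopback-only$'
}

# Constructed sample output (not a real capture): one loopback listener per family,
# an SSH listener on all interfaces, a port-25 listener on a specific address, and an
# outbound SMTP connection that must be ignored because it is not in LISTEN state.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN
tcp        0      0 10.20.30.40:25          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.5:54321       198.51.100.7:25         ESTABLISHED'

printf '%s\n' "$SAMPLE_NETSTAT" | classify_smtp_listeners
```

On a host like the one in the thread (only 127.0.0.1:25 listening), `netstat -tan | smtp_is_local_only` exits 0; the sample above exits 1 because of the 10.20.30.40:25 entry.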
