Rules Related To 'postfix'

Component overview

Relevant packages:

Relevant groups:

Changelog:

No changes recorded.

Relevant rules:

Rule details

The Postfix package is installed

package_postfix_installed

Description

A mail server is required for sending emails. The postfix package can be installed with the following command:

$ sudo yum install postfix

Rationale

Emails can be used to notify designated personnel about important system events such as failures or warnings.

Configure System to Forward All Mail For The Root Account

postfix_client_configure_mail_alias

Description

Make sure that mails delivered to root user are forwarded to a monitored email address. Make sure that the address $var_postfix_root_mail_alias is a valid email address reachable from the system in question. Use the following command to configure the alias:

$ echo "root: $var_postfix_root_mail_alias" | sudo tee -a /etc/aliases
$ sudo newaliases

Rationale

A number of system services utilize email messages sent to the root user to notify system administrators of active or impending issues. These messages must be forwarded to at least one monitored email address.

Configure System to Forward All Mail From Postmaster to The Root Account

postfix_client_configure_mail_alias_postmaster

Description

Verify the administrators are notified in the event of an audit processing failure. Check that the "/etc/aliases" file maps the "postmaster" alias to "root":

$ sudo grep "postmaster:\s*root$" /etc/aliases

postmaster: root

Rationale

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.

Configure System to Forward All Mail through a specific host

postfix_client_configure_relayhost

Description

Set up a relay host that will act as a gateway for all outbound email. Edit the file /etc/postfix/main.cf to ensure that only the following relayhost line appears:

relayhost = $var_postfix_relayhost

Rationale

A central outbound email location ensures messages sent from any network host can be audited for potential unexpected content. Tooling on the central server may help prevent spam or viruses from being delivered.

Disable Postfix Network Listening

postfix_network_listening_disabled

Description

Edit the file /etc/postfix/main.cf to ensure that only the following inet_interfaces line appears:

inet_interfaces = $var_postfix_inet_interfaces

Rationale

This ensures postfix accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack.

Prevent Unrestricted Mail Relaying

postfix_prevent_unrestricted_relay

Description

Modify the /etc/postfix/main.cf file to restrict client connections to the local network with the following command:

$ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'

Rationale

If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.

Configure SMTP Greeting Banner

postfix_server_banner

Description

Edit /etc/postfix/main.cf, and add or correct the following line, substituting some other wording for the banner information if you prefer:

smtpd_banner = $myhostname ESMTP

Rationale

The default greeting banner discloses that the listening mail process is Postfix. When remote mail senders connect to the MTA on port 25, they are greeted by an initial banner as part of the SMTP dialogue. This banner is necessary, but it frequently gives away too much information, including the MTA software which is in use, and sometimes also its version number. Remote mail senders do not need this information in order to send mail, so the banner should be changed to reveal only the hostname (which is already known and may be useful) and the word ESMTP, to indicate that the modern SMTP protocol variant is supported.

Enable Postfix Service

service_postfix_enabled

Description

The Postfix mail transfer agent is used for local mail delivery within the system. The default configuration only listens for connections to the default SMTP port (port 25) on the loopback interface (127.0.0.1). It is recommended to leave this service enabled for local mail delivery. The postfix service can be enabled with the following command:

$ sudo systemctl enable postfix.service

Rationale

Local mail delivery is essential to some system maintenance and notification tasks.
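The following is an added example, not part of the rule content above and not code from the ComplianceAsCode project: an offline checker that parses main.cf and /etc/aliases style text and reports which of the six configuration rules listed on this page a given configuration fails. The sample configuration, the alias file and the values assumed for the $var_postfix_* variables are constructed for the demonstration.

```python
import re

# Constructed sample of /etc/postfix/main.cf: two settings are deliberately weak.
SAMPLE_MAIN_CF = """\
# main.cf (constructed sample)
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
inet_interfaces = all
relayhost = [smtp.example.internal]:587
smtpd_client_restrictions = permit_mynetworks,
    reject
"""
# Constructed sample of /etc/aliases.
SAMPLE_ALIASES = "postmaster: root\nroot: secops@example.com\n"
# Assumed values an operator would choose for the page's $var_postfix_* variables.
EXPECTED = {"root_mail_alias": "secops@example.com",
            "relayhost": "[smtp.example.internal]:587",
            "inet_interfaces": "loopback-only"}

def parse_main_cf(text):
    """Parse 'key = value' lines; a line starting with whitespace continues the previous value."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and key:
            params[key] += " " + line.strip()
            continue
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if m:
            key = m.group(1)
            params[key] = m.group(2).strip()
    return params

def parse_aliases(text):
    """Map alias name -> target from /etc/aliases style 'name: target' lines."""
    pairs = (l.split(":", 1) for l in text.splitlines() if ":" in l and not l.startswith("#"))
    return {n.strip(): t.strip() for n, t in pairs}

def audit(main_cf_text, aliases_text, expected):
    """Return the ids of the rules on this page that the given configuration fails, in page order."""
    p, a = parse_main_cf(main_cf_text), parse_aliases(aliases_text)
    restrictions = [t for t in re.split(r"[,\s]+", p.get("smtpd_client_restrictions", "")) if t]
    checks = [
        ("postfix_client_configure_mail_alias", a.get("root") == expected["root_mail_alias"]),
        ("postfix_client_configure_mail_alias_postmaster", a.get("postmaster") == "root"),
        ("postfix_client_configure_relayhost", p.get("relayhost") == expected["relayhost"]),
        ("postfix_network_listening_disabled", p.get("inet_interfaces") == expected["inet_interfaces"]),
        ("postfix_prevent_unrestricted_relay", restrictions == ["permit_mynetworks", "reject"]),
        ("postfix_server_banner", p.get("smtpd_banner") == "$myhostname ESMTP"),
    ]
    return [rule for rule, ok in checks if not ok]

if __name__ == "__main__":
    for rule in audit(SAMPLE_MAIN_CF, SAMPLE_ALIASES, EXPECTED):
        print("FAIL", rule)
```

Run against the constructed sample it reports the network-listening and banner rules as failing; on a real host the same functions can be fed the output of `postconf -n` and the contents of /etc/aliases.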