Mail relaying must be restricted.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-23952	GEN004710	SV-45875r1_rule		Medium

Description
If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending SPAM or other unauthorized activity.

STIG	Date
SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide	2018-09-19

Details

Check Text ( C-43192r1_chk )
If the system uses sendmail, locate the sendmail.cf file. Procedure: # find / -name sendmail.cf Determine if sendmail only binds to loopback addresses by examining the “DaemonPortOptions” configuration options. Procedure: # grep -i “O DaemonPortOptions” If there are uncommented DaemonPortOptions lines, and all such lines specify system loopback addresses, this is not a finding. Otherwise, determine if sendmail is configured to allow open relay operation. Procedure: # find / -name sendmail.mc # grep -i promiscuous_relay If the promiscuous relay feature is enabled, this is a finding. If the system uses Postfix, locate the main.cf file. Procedure: # find / -name main.cf Determine if Postfix only binds to loopback addresses by examining the “inet_interfaces” line. Procedure: # grep inet_interfaces If “inet_interfaces” is set to “loopback-only” or contains only loopback addresses such as 127.0.0.1 and [::1], Postfix is not listening on external network interfaces, and this is not a finding. Otherwise, determine if Postfix is configured to restrict clients permitted to relay mail by examining the “smtpd_client_restrictions” line. Procedure: # grep smtpd_client_restrictions If the “smtpd_client_restrictions” line is missing, or does not contain “reject”, this is a finding. If the line contains “permit” before “reject”, this is a finding. If the system is using other SMTP software, consult the software’s documentation for procedures to verify mail relaying is restricted.

Check Text ( C-43192r1_chk )

If the system uses sendmail, locate the sendmail.cf file.
Procedure:
# find / -name sendmail.cf

Determine if sendmail only binds to loopback addresses by examining the “DaemonPortOptions” configuration options.
Procedure:
# grep -i “O DaemonPortOptions”

If there are uncommented DaemonPortOptions lines, and all such lines specify system loopback addresses, this is not a finding.

Otherwise, determine if sendmail is configured to allow open relay operation.
Procedure:
# find / -name sendmail.mc
# grep -i promiscuous_relay

If the promiscuous relay feature is enabled, this is a finding.

If the system uses Postfix, locate the main.cf file.
Procedure:
# find / -name main.cf

Determine if Postfix only binds to loopback addresses by examining the “inet_interfaces” line.
Procedure:
# grep inet_interfaces

If “inet_interfaces” is set to “loopback-only” or contains only loopback addresses such as 127.0.0.1 and [::1], Postfix is not listening on external network interfaces, and this is not a finding.

Otherwise, determine if Postfix is configured to restrict clients permitted to relay mail by examining the “smtpd_client_restrictions” line.
Procedure:
# grep smtpd_client_restrictions

If the “smtpd_client_restrictions” line is missing, or does not contain “reject”, this is a finding. If the line contains “permit” before “reject”, this is a finding.

If the system is using other SMTP software, consult the software’s documentation for procedures to verify mail relaying is restricted.

Fix Text (F-39253r1_fix)
If the system uses sendmail, edit the sendmail.mc file and remove the "promiscuous_relay" configuration. Rebuild the sendmail.cf file from the modified sendmail.mc and restart the service. If the system does not need to receive mail from external hosts, add one or more DaemonPortOptions lines referencing system loopback addresses (such as "O DaemonPortOptions=Addr=127.0.0.1,Port=smtp,Name=MTA") and remove lines containing non-loopback addresses. Restart the service. If the system uses Postfix, edit the main.cf file and add or edit the "smtpd_client_restrictions" line to have contents "permit mynetworks, reject" or a similarly restrictive rule. If the system does not need to receive mail from external hosts, add or edit the "inet_interfaces" line to have contents "loopback-only" or a set of loopback addresses for the system. Restart the service. If the system is using other SMTP software, consult the software's documentation for procedures to restrict mail relaying.

Fix Text (F-39253r1_fix)

If the system uses sendmail, edit the sendmail.mc file and remove the "promiscuous_relay" configuration. Rebuild the sendmail.cf file from the modified sendmail.mc and restart the service. If the system does not need to receive mail from external hosts, add one or more DaemonPortOptions lines referencing system loopback addresses (such as "O DaemonPortOptions=Addr=127.0.0.1,Port=smtp,Name=MTA") and remove lines containing non-loopback addresses. Restart the service.

If the system uses Postfix, edit the main.cf file and add or edit the "smtpd_client_restrictions" line to have contents "permit mynetworks, reject" or a similarly restrictive rule. If the system does not need to receive mail from external hosts, add or edit the "inet_interfaces" line to have contents "loopback-only" or a set of loopback addresses for the system. Restart the service.

If the system is using other SMTP software, consult the software's documentation for procedures to restrict mail relaying.