postfix: Mail for root at localhost forwarded to root at isp

Håvard Dahle havard at aerosat.co.za
Thu Nov 10 09:13:06 UTC 2005


Package: postfix
Version: 2.2.4-1ubuntu2
Severity: grave
Justification: user security hole


I have tagged the report Severity: grave because of the possibility of
sensitive information leak. 

PROBLEM:
After installation setup, mail for root was delivered locally without problems.
However, after I reconfigured postfix (using dpkg-reconfigure, of course)
as an "Internet with smarthost" system, all root mail thereafter was
forwarded to root at isp.

Not only is this embarrassing, but also a big security hole. I do not
normally trust my ISP to read through my sysadmin notices, nor would I
like to begin now. Who knows what people work there?

Note that I have never manually edited postfix config files (before
this).


WORKAROUND:
Looking at the Postfix FAQ, it was suggested[1] that I set up a virtual
lookup table.

I did so, replacing the value of $virtual_alias_maps with
"hash:/etc/aliases.virtual" (its original value was "$virtual_maps", a
non-existing key!) and entered local addresses into that file.

Rebuilt with `postmap /etc/aliases.virtual` and reloaded postfix:
`postfix reload`. Now root at localhost messages are delivered locally like
they should.

[1]: http://www.postfix.org/faq.html#some_local

WHAT UBUNTU SHOULD HAVE DONE:
If the above-mentioned procedure is indeed the (best) solution, the
dpkg-reconfigure process should set up $virtual_alias_maps so that email
for root at localhost and postmaster at localhost is always delivered locally
by default.


Thanks for your time,

Håvard
-- System Information:
Debian Release: testing/unstable
  APT prefers breezy-updates
  APT policy: (500, 'breezy-updates'), (500, 'breezy-security'), (500, 'breezy')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-9-k7
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages postfix depends on:
ii  adduser                3.64ubuntu1       Add and remove users and groups
ii  debconf [debconf-2.0]  1.4.56ubuntu2     Debian configuration management sy
ii  dpkg                   1.13.10ubuntu4    Package maintenance system for Deb
ii  libc6                  2.3.5-1ubuntu12   GNU C Library: Shared libraries an
ii  libdb4.2               4.2.52-19ubuntu4  Berkeley v4.2 Database Libraries [
ii  libsasl2               2.1.19-1.5ubuntu4 Authentication abstraction library
ii  libssl0.9.7            0.9.7g-1ubuntu1.1 SSL shared libraries
ii  lsb-base               3.0-1ubuntu8      Linux Standard Base 2.0 init scrip
ii  netbase                4.21ubuntu3       Basic TCP/IP networking system

Versions of packages postfix recommends:
ii  evolution 2.4.1-0ubuntu7                 The groupware suite
ii  mailx [ma 1:8.1.2-0.20040524cvs-4ubuntu1 A simple mail user agent
ii  mozilla-t 1.0.7-0ubuntu05.10             Mozilla Thunderbird standalone mai
ii  mutt [mai 1.5.9-2ubuntu1                 Text-based mailreader supporting M
pn  resolvcon <none>                         (no description available)

-- debconf information:
  postfix/master_upgrade_warning:
  postfix/db_upgrade_warning: true
* postfix/mailname: aerosat.co.za
  postfix/tlsmgr_upgrade_warning:
  postfix/dynamicmaps_upgrade_warning:
* postfix/recipient_delim: +
* postfix/main_mailer_type: Internet with smarthost
  postfix/transport_map_warning:
* postfix/relayhost: smtp.aerosat.co.za
* postfix/procmail: false
  postfix/bad_recipient_delimiter:
* postfix/chattr: false
* postfix/root_address: havard
  postfix/rfc1035_violation: false
* postfix/mynetworks: 127.0.0.0/8
* postfix/destinations: localhost.localdomain, localhost, rasha
  postfix/nqmgr_upgrade_warning:
  postfix/not_configured:
* postfix/mailbox_limit: 0
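
An added example, not part of the original post: a simplified Python model of the routing decision behind this report, run with the values from the debconf section above. It assumes Postfix's default of appending @$myorigin to an unqualified recipient such as root, and that myorigin follows postfix/mailname; the virtual table entries are constructed because the post does not show the file's contents, and `route`, `parse_virtual` and `split_list` are hypothetical names.

```python
import re

def split_list(value):
    """Split a main.cf list value on commas and whitespace."""
    return [v.lower() for v in re.split(r"[,\s]+", value.strip()) if v]

def parse_virtual(text):
    """Parse 'pattern address' lines (one target per line, simplified)."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, target = line.split(None, 1)
            table[key.lower()] = target.strip().lower()
    return table

def route(recipient, myorigin, mydestination, relayhost, virtual=None):
    """Return (final_address, 'local' or 'relay:<relayhost>')."""
    myorigin, local = myorigin.lower(), split_list(mydestination)

    def qualify(a):
        # Assumption: append_at_myorigin is at its default (yes).
        return a if "@" in a else f"{a}@{myorigin}"

    addr = qualify(recipient.lower())
    user, domain = addr.rsplit("@", 1)
    # Lookup order modelled on virtual(5): full address, bare user (only for
    # $myorigin or $mydestination domains), then the @domain catch-all.
    keys = [addr] + ([user] if domain == myorigin or domain in local else [])
    keys.append("@" + domain)
    for key in keys:
        if virtual and key in virtual:
            addr = qualify(virtual[key])     # single rewrite pass only
            break
    domain = addr.rsplit("@", 1)[1]
    return addr, "local" if domain in local else f"relay:{relayhost}"

# Values from the debconf section of the report.
MYORIGIN = "aerosat.co.za"
MYDESTINATION = "localhost.localdomain, localhost, rasha"
RELAYHOST = "smtp.aerosat.co.za"
# Constructed sample table; the report does not show /etc/aliases.virtual.
VIRTUAL = parse_virtual("root root@localhost\npostmaster postmaster@localhost\n")

if __name__ == "__main__":
    for table in (None, VIRTUAL):
        for rcpt in ("root", "postmaster"):
            print(rcpt, "->", route(rcpt, MYORIGIN, MYDESTINATION, RELAYHOST, table))
```

The model does not cover /etc/aliases expansion on local delivery or recursive virtual rewriting; on a live system, `postconf myorigin mydestination relayhost virtual_alias_maps` shows the effective values to feed in.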



