Prevent Unrestricted Mail Relaying

An XCCDF Rule

Description

Modify the

/etc/postfix/main.cf

file to restrict client connections to the local network with the following command:

$ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'

Rationale

If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.

ID: xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay
Severity: Medium
References: CCI-000366

SRG-OS-000480-GPOS-00227

SV-204619r603261_rule
Updated: about 1 year ago

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q postfix; then

if ! grep -q ^smtpd_client_restrictions /etc/postfix/main.cf; then
	echo "smtpd_client_restrictions = permit_mynetworks,reject" >> /etc/postfix/main.cf
else	sed -i "s/^smtpd_client_restrictions.*/smtpd_client_restrictions = permit_mynetworks,reject/g" /etc/postfix/main.cf
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-RHEL-07-040680
  - low_complexity  - low_disruption
  - medium_severity
  - no_reboot_needed
  - postfix_prevent_unrestricted_relay
  - restrict_strategy

- name: Prevent Unrestricted Mail Relaying
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/postfix/main.cf
      create: true
      regexp: ^[ \t]*smtpd_client_restrictions\s*=\s*
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/postfix/main.cf
    lineinfile:
      path: /etc/postfix/main.cf
      create: true
      regexp: ^[ \t]*smtpd_client_restrictions\s*=\s*
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/postfix/main.cf
    lineinfile:
      path: /etc/postfix/main.cf
      create: true
      regexp: ^[ \t]*smtpd_client_restrictions\s*=\s*
      line: smtpd_client_restrictions = permit_mynetworks,reject
      state: present
  when:
  - '"postfix" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-RHEL-07-040680
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - postfix_prevent_unrestricted_relay
  - restrict_strategy

Prevent Unrestricted Mail Relaying

Description

Rationale

Remediation - Shell Script

Remediation - Ansible