Profile Applicability:
• Level 1
Description:
Mail Transfer Agents (MTAs) like Postfix or Sendmail manage the sending and receiving of email. Configuring MTAs for local-only mode restricts mail transmission and reception to the local system, preventing the server from acting as an open relay and reducing exposure to external threats.
Rationale:
Limiting MTAs to local-only mode prevents unauthorized relay of mail through the system, reducing spam abuse and mitigating potential email-based attacks.
Impact:
Pros:
Prevents misuse of the server as an open mail relay.
Limits attack surface related to mail services.
Cons:
Restricts legitimate mail sending and receiving to local processes only.
Default Value:
MTAs may be configured to accept external mail by default; verification and adjustment are necessary.
Pre-requisites:
Root or sudo privileges to configure mail server settings.
Remediation:
Test Plan:
Using Linux command line:
1. Check MTA listening interfaces:
netstat -plnt | grep postfix
postfix status
2. Verify MTA configuration files restrict listening to localhost or 127.0.0.1:
grep '^inet_interfaces' /etc/postfix/main.cf
3. Confirm the value is localhost or 127.0.0.1 (loopback only).
Implementation Plan:
Using Linux command line:
1. Edit the MTA configuration (/etc/postfix/main.cf for Postfix) so that it listens on localhost only:
inet_interfaces = localhost
2. Restart the MTA service:
systemctl restart postfix
3. Verify the service listens only on localhost:
netstat -plnt | grep postfix
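The Test Plan and Implementation Plan above both end with a manual check of the configuration and the listening sockets; the script below is an added audit helper (not part of the benchmark text) that automates both checks against saved copies of main.cf and of netstat/ss output, so it runs offline. It assumes the Postfix main.cf syntax and the column layout of netstat -plnt / ss -tlnp; on a live host you would point it at /etc/postfix/main.cf and captured socket output.

```shell
#!/bin/sh
# Added audit helper, not part of the benchmark text. Checks (1) that the last
# inet_interfaces setting in a Postfix main.cf names only loopback interfaces and
# (2) that every port-25 listener in a netstat -plnt / ss -tlnp listing is bound
# to loopback. Both read from files so the script runs without a live MTA.

# Return 0 if the LAST inet_interfaces line in $1 lists only loopback values.
# Postfix applies the last occurrence of a parameter, so a later "all" would
# silently override an earlier "localhost"; an unset parameter means "all".
check_inet_interfaces() {
    value=$(sed -n 's/^[[:space:]]*inet_interfaces[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    [ -n "$value" ] || return 1
    for item in $(printf '%s' "$value" | tr ',' ' '); do   # split on commas/blanks
        case "$item" in
            localhost|127.0.0.1|::1|"[::1]"|loopback-only) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Return 0 if every port-25 listener in $1 is on 127.0.0.1 or ::1. The local
# address is column 4 in both netstat -plnt and ss -tlnp output; ss prints the
# IPv6 loopback as [::1]:25, netstat as ::1:25.
check_smtp_listeners() {
    awk 'BEGIN { bad = 0 }
         $4 ~ /:25$/ { addr = $4; sub(/:25$/, "", addr)
                       if (addr != "127.0.0.1" && addr != "::1" && addr != "[::1]") bad++ }
         END { exit (bad > 0) }' "$1"
}

# Constructed sample inputs (not captured from a real host). Postfix's listening
# socket belongs to its "master" daemon, which is what -p output shows.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf 'inet_interfaces = all\ninet_interfaces = localhost\n' > "$tmp/main.cf.good"
printf 'inet_interfaces = localhost, 192.0.2.10\n' > "$tmp/main.cf.bad"
cat > "$tmp/ss.good" <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      100    127.0.0.1:25       0.0.0.0:*         users:(("master",pid=1234,fd=13))
LISTEN 0      100    [::1]:25           [::]:*            users:(("master",pid=1234,fd=14))
EOF
cat > "$tmp/ss.bad" <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      100    0.0.0.0:25         0.0.0.0:*         users:(("master",pid=1234,fd=13))
EOF

for f in main.cf.good main.cf.bad; do
    check_inet_interfaces "$tmp/$f" && echo "PASS $f" || echo "FAIL $f"
done
for f in ss.good ss.bad; do
    check_smtp_listeners "$tmp/$f" && echo "PASS $f" || echo "FAIL $f"
done
```

A host passes the control only when both checks pass: a loopback-only main.cf with a socket still bound to 0.0.0.0:25 means the service was not restarted after the change.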
Backout Plan:
Using Linux command line:
Revert inet_interfaces in /etc/postfix/main.cf to its previous value if needed (e.g., all or specific IP addresses).
Restart the MTA service and verify mail functionality.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
Postfix Configuration