Open cfm opened 3 years ago
There is the (poorly documented) ossec_from_address (https://docs.securedrop.org/en/stable/ossec_alerts.html#not-receiving-emails), which is supposed to address this case - this error is coming from mail.riseup.net in the case above, as mon-prod isn't a valid domain. In cases where the remote SMTP server needs a valid domain (and/or one that it will relay for), you can set this variable in site_specific to override the default choice of the local hostname.
Yes, absolutely, @zenmonkeykstop. But it looks like ossec_from_address (or at least its documentation) predates #5924's work to support Focal's use of ossec@${hostname} rather than ossec@ossec.server, and it's that hostname-based rewriting that I mean to flag here as fragile in this case. But I concede that this may be less of a bug and more just new evidence in support of #3603, and I'll downgrade the tags accordingly. :-)
Let me know, of course, if I'm missing something else in my interpretation here....
Description
If the monitor_hostname value configured in site-specific does not match the Monitor Server's actual hostname, the configured Postfix mapping will not apply, and outbound OSSEC alerts will not be delivered via an SMTP relay that authenticates the From header.
Steps to Reproduce
As encountered during https://github.com/freedomofpress/securedrop/issues/6103#issuecomment-938341940:
1. molecule create -s libvirt-prod-focal, yielding VMs with the following hostnames:
   app-prod
   mon-prod
2. ./securedrop sdconfig, including an authenticated SMTP relay, leaving the following settings lazily at their defaults:
   app_hostname: app
   monitor_hostname: mon
3. ./securedrop-admin install
4. /admin/config, under Alerts, select Send a Test Alert.
Expected Behavior
If step (3) did not error, step (4) should deliver an OSSEC alert to the configured SMTP relay.
Actual Behavior
Observe Postfix delivery failure indicating that no mapping was performed against the Monitor Server's actual hostname:
Comments
More work: #3603. In other words, #5924 uses the configured or given, not the actual, hostnames.
Less work: In Ansible role prepare-servers, error if configured {app,monitor}_hostname values do not match actual hostnames.
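The "Less work" option above, sketched as an added example; it is not part of the original issue or of the SecureDrop code base, and it is written in Python rather than as an Ansible task. The function names are hypothetical, and the actual hostnames are assumed to have been collected from each server beforehand.

```python
"""Fail-fast check: configured hostnames vs. what each server reports."""

KEYS = ("app_hostname", "monitor_hostname")


def normalize(hostname):
    # Hostnames are case-insensitive; anything else must match exactly,
    # because the sender rewrite is keyed on the configured value.
    return hostname.strip().lower()


def hostname_mismatches(configured, actual):
    """Return one message per key whose configured value differs from the
    hostname the server actually reports (empty list means all match)."""
    problems = []
    for key in KEYS:
        want = configured.get(key)
        have = actual.get(key)
        if not want or not have:
            problems.append(
                f"{key}: missing value (configured={want!r}, actual={have!r})"
            )
        elif normalize(want) != normalize(have):
            problems.append(
                f"{key}: configured {want!r} but server reports {have!r}"
            )
    return problems


def preflight(configured, actual):
    """Abort before installation instead of failing later at mail delivery."""
    problems = hostname_mismatches(configured, actual)
    if problems:
        raise SystemExit("hostname check failed:\n  " + "\n  ".join(problems))


# Constructed sample values, taken from the reproduction steps above.
CONFIGURED = {"app_hostname": "app", "monitor_hostname": "mon"}
ACTUAL = {"app_hostname": "app-prod", "monitor_hostname": "mon-prod"}

if __name__ == "__main__":
    preflight(CONFIGURED, ACTUAL)  # exits non-zero and lists both mismatches
```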