zulip / zulip

Zulip server and web application. Open-source team chat that helps teams stay productive and focused.
https://zulip.com
Apache License 2.0

`zulip::postfix_localmail` should not include `permit_mynetworks` in ACLs by default #18600

Open alexmv opened 3 years ago

alexmv commented 3 years ago

On hosts which include `zulip::postfix_localmail`, a local postfix service is installed, to allow incoming mail to be fed into Zulip. In service of this, `puppet/zulip/templates/postfix/main.cf.erb` gets written out as `/etc/postfix/main.cf`.

In `main.cf`, the `smtpd_relay_restrictions` and `smtpd_recipient_restrictions` lines control what connections are allowed to deliver email to where. Postfix's configuration is complicated by the fact that it is designed to deal with accepting incoming mail, as well as sending outgoing email -- a connection from localhost is "outgoing mail" and should support any destination, and a connection from anywhere else is "incoming mail" and should only be accepted if Zulip itself is the destination.

The current configuration in `puppet/zulip/templates/postfix/main.cf.erb` is meant for a server that can function in both those use cases -- `permit_mynetworks` in both `smtpd_relay_restrictions` and `smtpd_recipient_restrictions` allows connections from localhost to try to deliver to anywhere. This is more permissive than is strictly necessary -- it means that the configuration supports `EMAIL_HOST = 'localhost'`, but also means that misconfigurations which expose `127.0.0.1:25` to an external IP address create an open relay. Not allowing outgoing mail from localhost is also in line with ensuring that Zulip does not offer any unprotected IP-ACL'd services by default.

We should:

  1. Add another config option in `/etc/zulip/zulip.conf` (e.g. `postfix.outgoing_enabled`) which defaults to false
  2. If that configuration is true, include `permit_mynetworks` in `smtpd_relay_restrictions` and `permit_mynetworks`
  3. Remove `permit_sasl_authenticated` from `smtpd_relay_restrictions` -- we don't do any SASL authentication, so it's meaningless to include it
  4. Document in https://zulip.readthedocs.io/en/latest/production/email.html#using-system-email that using localhost with `zulip::postfix_localmail` is supported if `postfix.outgoing_enabled` is set in `/etc/zulip/zulip.conf`
  5. Add a changelog entry to highlight that the default `zulip::postfix_localmail` configuration no longer allows outgoing mail, and how to adjust `zulip.conf` to re-enable it.
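
As an added example (not code from the Zulip repository or from the issue author), a small audit that parses a Postfix `main.cf` fragment and flags the two things the list above targets: `permit_mynetworks` in the relay/recipient restrictions, and the dead `permit_sasl_authenticated` entry. The two `main.cf` fragments are constructed for the example and are not copied from `main.cf.erb`.

```python
import re
from typing import Dict, List

# Constructed main.cf fragments (not taken from Zulip's template): the
# permissive default the issue describes, and the proposed hardened form.
WEAK_MAIN_CF = """\
# localhost may relay anywhere; SASL is listed but never configured
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    defer_unauth_destination
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
"""
HARDENED_MAIN_CF = """\
# only mail addressed to this host's own domains is accepted, from anyone
smtpd_relay_restrictions = defer_unauth_destination
smtpd_recipient_restrictions = reject_unauth_destination
"""

def parse_main_cf(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; '#' comments are skipped and lines that
    start with whitespace continue the previous value (Postfix syntax)."""
    params: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        current = key.strip()
        params[current] = value.strip()
    return params

def restriction_tokens(params: Dict[str, str], name: str) -> List[str]:
    """Split a restriction list on commas and/or whitespace."""
    return [t for t in re.split(r"[,\s]+", params.get(name, "")) if t]

def audit_relay(text: str) -> List[str]:
    """Return one finding per relay-related weakness; empty list if none."""
    params = parse_main_cf(text)
    findings: List[str] = []
    for name in ("smtpd_relay_restrictions", "smtpd_recipient_restrictions"):
        tokens = restriction_tokens(params, name)
        if "permit_mynetworks" in tokens:
            findings.append(f"{name}: permit_mynetworks lets any connection whose "
                            "source is in mynetworks (e.g. via a port-forward to "
                            "127.0.0.1:25) relay to arbitrary destinations")
        if "permit_sasl_authenticated" in tokens:
            findings.append(f"{name}: permit_sasl_authenticated listed but no "
                            "SASL is configured; remove the dead entry")
    return findings
```

Running `audit_relay` over the real `/etc/postfix/main.cf` on a host is enough to confirm which of the two behaviours is actually deployed.
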

andersk commented 3 years ago

If we add an outgoing_enabled setting, I think we should mark it as clearly deprecated and plan to remove it in a future release. Writing a reasonable outgoing Postfix configuration for the modern internet has become a freakishly complicated endeavor with SPF, DKIM, DMARC, DANE, TLSA, MTA-STS, TLS-RPT…and this has nothing to do with our core product.