Bug 97170

Summary: w. config as shipped, normal spam loads lead to denial of service
Product: [Retired] Red Hat Linux Reporter: Karl O. Pinc <kop>
Component: postfixAssignee: John Dennis <jdennis>
Status: CLOSED WONTFIX QA Contact:
Severity: high Docs Contact:
Priority: medium    
Version: 7.3   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2003-06-12 14:40:02 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Karl O. Pinc 2003-06-11 05:44:20 UTC 
Description of problem:

The amount of spam has increased to the point where the mail logs
fill up the disk.  Here's why:

Spam comes into the box and postfix discovers
that there's no local mailbox, so it generates a bounce message.
The spammer is not receiving mail at the return address, but
does not issue a 5xx error.  Or perhaps the mx doesn't exist,
or whatever.  So the bounce sits in the outbound queue and postfix
periodically tries to deliver it until eventually it times out.
Meanwhile, each delivery attempt generates log messages.  The
maillog gets really big, and can easily fill the partition.
At which point mail, logging, and other things are not likely to
work.

The solution is to ship /etc/postfix/main.cf with the
local_recipient_maps line uncommented.  This causes postfix
to reject incoming mail for which there is no local recipient
with a 5xx SMTP message, and the bounce then becomes the sender's
problem.

This also means that /etc/postfix/master.cf must be shipped with
the smtpd deamon _not_ chrooted.  While this opens up other
potential security holes, it closes an actual denial of service
that is likely, if not inevitable given the incrasing amount of
spam.  (I had this problem on a box supporting 6 users, with
a 4GB /var partition and 3 times the number of old maillogs
than are kept on a stock system.)  The smtpd deamon could go
back to being chrooted if, for example, authentication related
to the mail system was kept in a LDAP database.  But that's
a major change.

I forget whether old maillogs are compressed on a stock redhat
install.  Compressing the logs will help, but will really only
delay the inevitable.  Not to mention, lots of bounces plogging
up the outbound mail queue and generating lots of log entries
makes administering a mail system grody.

You may wish to consider reclassifying the severity of this
problem to "security" as large parts of the system break under
conditions controlled by outside entities.
Comment 1 John Dennis 2003-06-12 14:40:02 UTC 
Red Hat is now shipping version 2 of postfix.

From the LOCAL_RECIPIENT_README in version 2:

"As of Postfix version 2.0, the Postfix SMTP server now rejects mail
for recipients in $mydestination domains that it does not know about.
This feature was optional with previous Postfix versions.
The benefit is that this keeps undeliverable mail out of your queue."

Given that changing a default configuration parameter prior to V2 would require
every installation to be aware of the change and its impact, that it is easy for
a local installation to modify its configuration based on its own needs, and
that the currently shipping version addresses the issue I'm not sure I can
justify this change in a obsolete package.