Postfix myhostname 4.2

Dear Community,

I want to set up a mail server with a public DNS record. There are already some threads here in the forum, but the most relevant I could find is five years old (Postfix myhostname) and the bug report is closed (https://forge.univention.org/bugzilla/show_bug.cgi?id=30350).

My server admin book is telling me that it is very important that postconf myhostname will prompt the DNS registered FQDN. In UCS it is the local DNS FQDN - having the internal domain name in it (can be resolved also from public DNS).

The solution can of course go in different directions:

  • don’t care to change local DNS name in the public sphere
  • changing the myhostname setting in main.cf

The question is: what is - for security reasons as well as for system stability - the way I should go? As changing myhostname is not possible through a ucr registry entry. Perhaps telling the world the internal domain-name isn’t a big problem too?

Any thoughts on this are appreciated, kind regards
Bernd

Hey,

Postfix’s myhostname variable isn’t that important in this context. What actually is important, is the name Postfix sends as part of the HELO…/EHLO… SMTP command. That host name must be resolvable to an IP address.

Luckily Postfix has a separate variable for that: smtp_helo_name. And there is a UCR variable for that: mail/smtp/helo/name. It defaults to the server’s (most likely internal) FQDN, but can be changed to a name that is publicly resolvable.

Don’t touch myhostname. There’s no need for it. But do make sure that smtp_helo_name is publicly resolvable.

Kind regards,
mosu

Hey mosu,

thank you for taking your time again to answer - you are very helpful for this community!
I will read more into this - but on a functional level you are absolutely right - everything is working fine. Still, the server will write its myhostname to email headers.

Kind regards,
Bernd

Hey,

you mean e.g. Received-From? That’s normal, intentional, and nothing to worry about. The host names in those headers don’t have to be resolvable from outside of their respective networks.

Kind regards,
mosu

Hey mosu,

yes, I know, there is even information about the mail client and client computer if used…
I wondered if disclosing the internal domain name is of any relevance for computer/network security. But I just write this issue at the very end of my security-concern-list :)
(and of course the domainmaster server isn’t listed in any public DNS)

Thanks again,
Bernd

There are some people who are indeed concerned about disclosing internal hostnames and IP addresses.
In case you want to strip them off for your outgoing messages you can read for example https://falkhusemann.de/blog/2012/08/postfix-header-anonymisieren/ or simply use the search engine of your choice with the query “postfix remove header”.

hth,
Dirk

Hi!

Just a small side note:
Since UCS 4.2-3 erratum 288 it is possible to add custom postfix options to the file /etc/postfix/main.cf.local. They are automatically included in main.cf if ucr commit /etc/postfix/main.cf is called after each modification of main.cf.local.

So you can add the myhostname setting to main.cf.local, but please be aware that

  • postfix prints a warning during reload/restart if a config option is mentioned twice in the main.cf. Since the last option wins, this is only a cosmetic issue.
  • you have to comment out all options in your main.cf.local if you have any trouble with your postfix setup, to get back to a sane state.

Cheers

Sönke

If you really need/want to hide internal information a better solution is using a firewall which is capable of removing all internal “received from” headers and other possibly unwanted “X headers” like X-Mailer if not part of a DKIM signature. Or you may want to have a look at something like this:

https://major.io/2013/04/14/remove-sensitive-information-from-email-headers-with-postfix/
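
To see what an outgoing message actually discloses before deciding whether to strip anything, its headers can be audited for internal host names, private addresses and client software. This is an added example, not part of the thread; the sample message, the `.intranet.example` suffix and the function name `audit_headers` are assumptions constructed for illustration.

```python
import email
import ipaddress
import re

# Constructed sample of a message as an outside recipient sees it;
# every host name, domain and address here is made up.
SAMPLE = """\
Received: from mail.example.org (mail.example.org [203.0.113.25])
\tby mx.recipient.example with ESMTPS id 4Xabc; Tue, 5 Dec 2017 10:00:02 +0100
Received: from pc17.intranet.example (pc17.intranet.example [192.168.10.57])
\tby ucs-master.intranet.example (Postfix) with ESMTPSA id 9F2E1;
\tTue, 5 Dec 2017 10:00:01 +0100
X-Mailer: ExampleMail 1.0
From: alice@example.org
Subject: test

body
"""

# RFC 1918 ranges plus IPv6 unique-local. ipaddress.is_private is avoided on
# purpose: it also matches documentation ranges such as 203.0.113.0/24.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
HOST_RE = re.compile(r"\b(?:from|by)\s+([A-Za-z0-9.-]+)")
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def audit_headers(raw, internal_suffix):
    """List (header, kind, value) for each internal detail the headers disclose."""
    findings = []
    for name, value in email.message_from_string(raw).items():
        if name.lower() == "x-mailer":
            findings.append((name, "client-software", value.strip()))
        if name.lower() != "received":
            continue
        for host in HOST_RE.findall(value):
            if host.lower().rstrip(".").endswith(internal_suffix.lower()):
                findings.append((name, "internal-host", host))
        for text in IP_RE.findall(value):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:
                continue  # bracketed text that is not an IP address
            if any(addr in net for net in INTERNAL_NETS):
                findings.append((name, "private-ip", text))
    return findings

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE, ".intranet.example"):
        print(*finding)
```

Run it against a message received at an external mailbox, since that copy shows the headers as they look after leaving the mail server.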