Postfix myhostname 4.2

ucs-4-2
postfix

#1

Dear Community,

I want to set up a mail server with a public DNS record. There are already some threads here in the forum, but the most relevant I could find is five years old (Postfix myhostname) and the bug report is closed (https://forge.univention.org/bugzilla/show_bug.cgi?id=30350).

My server admin book is telling me that it is very important that postconf myhostname will prompt the DNS registered FQDN. In UCS it is the local DNS FQDN - having the internal domain name in it (can be resolved also from public DNS).

The solution can of course go in different directions:

  • don’t care to change local DNS name in the public sphere
  • changing the myhostname setting in main.cf

The question is: what is - for security reasons as well as for system stability - the way I should go? As changing myhostname is not possible through a ucr registry entry. Perhaps telling the world the internal domain name isn’t a big problem either?

Any thoughts on this are appreciated, kind regards
Bernd


#2

Hey,

Postfix’s myhostname variable isn’t that important in this context. What actually is important, is the name Postfix sends as part of the HELO…/EHLO… SMTP command. That host name must be resolvable to an IP address.

Luckily Postfix has a separate variable for that: smtp_helo_name. And there is a UCR variable for that: mail/smtp/helo/name. It defaults to the server’s (most likely internal) FQDN, but can be changed to a name that is publicly resolvable.

Don’t touch myhostname. There’s no need for it. But do make sure that smtp_helo_name is publicly resolvable.

Kind regards,
mosu
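
A way to check a candidate value before setting mail/smtp/helo/name, as an added example that is not part of the original thread: it verifies that the name is an FQDN and resolves to at least one globally routable address. It goes slightly beyond the post by also flagging names that resolve only to private addresses; the function names and the sample zone are assumptions constructed for illustration.

```python
import ipaddress
import socket


def system_resolver(name):
    """Look up A/AAAA records with the local resolver; [] if none."""
    try:
        infos = socket.getaddrinfo(name, 25, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    # Drop any IPv6 zone suffix ("%eth0") so ipaddress can parse it.
    return sorted({info[4][0].split("%")[0] for info in infos})


def check_helo_name(name, resolve=system_resolver):
    """Classify a candidate smtp_helo_name; returns (verdict, addresses).

    not-fqdn      - no dot in the name, or a literal IP address
    unresolvable  - the resolver returned no address
    internal-only - every address is private, loopback or link-local
    ok            - at least one globally routable address
    """
    name = name.rstrip(".").lower()
    try:
        ipaddress.ip_address(name)
        return "not-fqdn", []
    except ValueError:
        pass  # not an IP literal, continue with the name checks
    if "." not in name:
        return "not-fqdn", []
    addrs = resolve(name)
    if not addrs:
        return "unresolvable", []
    public = [a for a in addrs if ipaddress.ip_address(a).is_global]
    return ("ok" if public else "internal-only"), addrs


# Constructed sample zone: hypothetical names, and an arbitrary
# public-range address standing in for the server's real public IP.
SAMPLE_ZONE = {
    "mail.example.org": ["93.184.216.34"],
    "ucs-master.intranet.example": ["10.0.0.5"],
}


def sample_resolver(name):
    """Offline resolver backed by SAMPLE_ZONE (constructed data)."""
    return SAMPLE_ZONE.get(name, [])


if __name__ == "__main__":
    for candidate in list(SAMPLE_ZONE) + ["ucs-master", "gone.example.org"]:
        print(candidate, check_helo_name(candidate, sample_resolver))
```

Run it from a host outside the internal network and call check_helo_name(name) without the second argument to use the real resolver, so that split-horizon DNS does not hide an internal-only result.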


#3

Hey mosu,

thank you for taking your time again to answer - you are very helpful for this community!
I will read more into this - but on a functional level you are absolutely right - everything is working fine. Still, the server will write its myhostname to email headers.

Kind regards,
Bernd


#4

Hey,

you mean e.g. Received-From? That’s normal, intentional, and nothing to worry about. The host names in those headers don’t have to be resolvable from outside of their respective networks.

Kind regards,
mosu


#5

Hey mosu,

yes, I know, there is even information about the mail client and client computer if used…
I wondered if disclosing the internal domain name is of any relevance for computer/network security. But I just write this issue at the very end of my security-concern-list :)
(and of course the domainmaster server isn’t listed in any public DNS)

Thanks again,
Bernd


#6

There are some people who are indeed concerned about disclosing internal hostnames and IP addresses.
In case you want to strip them off for your outgoing messages you can read for example https://falkhusemann.de/blog/2012/08/postfix-header-anonymisieren/ or simply use the search engine of your choice with the query “postfix remove header”.

hth,
Dirk


#7

Hi!

Just a small side note:
Since UCS 4.2-3 erratum 288 it is possible to add custom postfix options to the file /etc/postfix/main.cf.local. They are automatically included in main.cf if ucr commit /etc/postfix/main.cf is called after each modification of main.cf.local.

So you can add the myhostname setting to main.cf.local, but please be aware that

  • postfix prints a warning during reload/restart if a config option is mentioned twice in the main.cf. Since the last option wins, this is only a cosmetic issue.
  • you have to comment out all options in your main.cf.local if you have any trouble with your postfix setup, to get back to a sane state.

Cheers

Sönke


#8

If you really need/want to hide internal information, a better solution is using a firewall which is capable of removing all internal “received from” headers and other possibly unwanted “X headers” like X-Mailer if not part of a DKIM signature. Or you may want to have a look at something like this: