Major Hayden 4bcfe2e26c V-38622: Restricted mail relaying
This option is configurable and documented.

Implements: blueprint security-hardening

Change-Id: I315fb71dc9495c805cf1c799469418cbcb06136d
2015-10-14 12:54:39 -05:00

The STIG requires that Postfix listen only on localhost so that it cannot be abused as a mail relay. The Ansible task adjusts the inet_interfaces line in the Postfix configuration and restarts Postfix if the line changes.

Although it's not common, some deployers may need to configure hosts so they can receive email over the network. In that case, deployers would need to set the following Ansible variable:

postfix_inet_interfaces: all

Note that Postfix can still send email over the network when inet_interfaces is set to localhost. The inet_interfaces directive only controls where Postfix listens for incoming email.

For more information, review the Postfix documentation for inet_interfaces.
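
The following audit check is an added example, not code from this project: it reads main.cf text and reports whether the effective inet_interfaces value is restricted to loopback. The function names and sample configurations are constructed for illustration, and it assumes `localhost` resolves to a loopback address and that values using `$parameter` references should be treated as non-compliant.

```python
import ipaddress
import re

# Names Postfix accepts that select loopback interfaces (assumes localhost is loopback).
LOOPBACK_NAMES = {"localhost", "loopback-only"}

def effective_inet_interfaces(main_cf_text):
    """Return the inet_interfaces values in effect for the given main.cf text."""
    logical = []
    for raw in main_cf_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comment lines are ignored
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()  # leading whitespace continues a line
        else:
            logical.append(raw.strip())
    values = ["all"]  # Postfix default when the parameter is never set
    for line in logical:
        name, sep, value = line.partition("=")
        if sep and name.strip() == "inet_interfaces":
            # When a parameter is defined more than once, the last definition wins.
            values = [v for v in re.split(r"[,\s]+", value.strip()) if v]
    return values

def is_loopback_only(values):
    """True only if every listed interface is a loopback name or address."""
    if not values:
        return False  # empty setting: flag for manual review
    for v in values:
        if v.lower() in LOOPBACK_NAMES:
            continue
        try:
            if ipaddress.ip_address(v.strip("[]")).is_loopback:
                continue
        except ValueError:
            pass  # not an IP literal (e.g. "all", a hostname, a $reference)
        return False
    return True

# Constructed sample configurations, not taken from any real host.
SAMPLE_HARDENED = "# constructed\nmyhostname = mail.example.test\ninet_interfaces = localhost\n"
SAMPLE_OVERRIDDEN = "inet_interfaces = localhost\n# appended later\ninet_interfaces = all\n"
SAMPLE_CONTINUED = "inet_interfaces = 127.0.0.1,\n    [::1]\n"
SAMPLE_UNSET = "myhostname = mail.example.test\n"

if __name__ == "__main__":
    for label, text in [("hardened", SAMPLE_HARDENED), ("overridden", SAMPLE_OVERRIDDEN),
                        ("continued", SAMPLE_CONTINUED), ("unset", SAMPLE_UNSET)]:
        values = effective_inet_interfaces(text)
        print(label, values, "PASS" if is_loopback_only(values) else "FAIL")
```

On a live host, `postconf -h inet_interfaces` prints the value Postfix itself resolved, which can be passed to `is_loopback_only` after splitting on commas and whitespace.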