Restrict mail relaying [+Docs]
This patch adds tasks that check for postfix and set restrictions for mail relaying. Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I8c0ae38f2264fae20fe9055fde47e9abbb355767
parent 14fa6e5060
commit fc2c356bc4
|
@ -564,6 +564,8 @@ security_grub_password_hash: grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC71459D8210
|
||||||
security_rhel7_session_timeout: 600 # RHEL-07-040160
|
security_rhel7_session_timeout: 600 # RHEL-07-040160
|
||||||
# Enable chrony for NTP time synchronization.
|
# Enable chrony for NTP time synchronization.
|
||||||
security_rhel7_enable_chrony: yes # RHEL-07-040210
|
security_rhel7_enable_chrony: yes # RHEL-07-040210
|
||||||
|
# Restrict mail relaying.
|
||||||
|
security_rhel7_restrict_mail_relaying: yes # RHEL-07-040480
|
||||||
|
|
||||||
## Packages (packages)
|
## Packages (packages)
|
||||||
# Remove packages from the system as required by the STIG. Set any of these
|
# Remove packages from the system as required by the STIG. Set any of these
|
||||||
|
|
|
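Review bot: The comment above `security_rhel7_restrict_mail_relaying` says only "Restrict mail relaying." and does not tell a deployer what the toggle changes. Suggest naming the setting it controls, that is `smtpd_client_restrictions = permit_mynetworks, reject` in `/etc/postfix/main.cf`, and noting that it has an effect only on hosts where that file exists.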
@ -1,7 +1,14 @@
|
||||||
---
|
---
|
||||||
id: RHEL-07-040480
|
id: RHEL-07-040480
|
||||||
status: not implemented
|
status: implemented
|
||||||
tag: misc
|
tag: misc
|
||||||
---
|
---
|
||||||
|
|
||||||
This STIG requirement is not yet implemented.
|
The ``smtpd_client_restrictions`` configuration in postfix is set to
|
||||||
|
``permit_mynetworks, reject`` to meet the STIG's requirements.
|
||||||
|
|
||||||
|
Deployers can opt out of this change by setting the following Ansible variable:
|
||||||
|
|
||||||
|
.. code-block:: yaml
|
||||||
|
|
||||||
|
security_rhel7_restrict_mail_relaying: no
|
||||||
|
|
|
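Review bot: The new paragraph says `smtpd_client_restrictions` "is set to" `permit_mynetworks, reject` without qualification, but the task in this commit runs only when `/etc/postfix/main.cf` exists. Suggest stating that hosts without postfix are left unchanged, and that an existing `smtpd_client_restrictions` line is replaced, so deployers who maintain their own client restrictions know to set `security_rhel7_restrict_mail_relaying: no`.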
@ -265,3 +265,23 @@
|
||||||
- medium
|
- medium
|
||||||
- misc
|
- misc
|
||||||
- RHEL-07-040470
|
- RHEL-07-040470
|
||||||
|
|
||||||
|
- name: Check for postfix configuration file
|
||||||
|
stat:
|
||||||
|
path: /etc/postfix/main.cf
|
||||||
|
register: postfix_conf_check
|
||||||
|
tags:
|
||||||
|
- always
|
||||||
|
|
||||||
|
- name: RHEL-07-040480 - Prevent unrestricted mail relaying
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/postfix/main.cf
|
||||||
|
regexp: '^smtpd_client_restrictions'
|
||||||
|
line: 'smtpd_client_restrictions = permit_mynetworks, reject'
|
||||||
|
when:
|
||||||
|
- postfix_conf_check.stat.exists
|
||||||
|
- security_rhel7_restrict_mail_relaying | bool
|
||||||
|
tags:
|
||||||
|
- medium
|
||||||
|
- misc
|
||||||
|
- RHEL-07-040480
|
||||||
|
|
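Review bot: The `lineinfile` task for RHEL-07-040480 has no `notify`, so a running postfix keeps its previous `smtpd_client_restrictions` until something else reloads it. Suggest adding a handler that reloads postfix when the line changes. Also, `regexp: '^smtpd_client_restrictions'` matches a single line, so if an existing value is spread over indented continuation lines in `main.cf`, those lines are left in place after the new line. Worth handling, or at least noting in the documentation.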