From 035ab8d2191155dbbfc3395b93800371292eb1e5 Mon Sep 17 00:00:00 2001 From: andryyy Date: Wed, 6 May 2020 20:09:25 +0200 Subject: [PATCH] Add hint about trusted rfc1918, thanks to @Programmierus --- docs/firststeps-rfc-1918.md | 11 +++++++++++ mkdocs.yml | 1 + 2 files changed, 12 insertions(+) create mode 100644 docs/firststeps-rfc-1918.md diff --git a/docs/firststeps-rfc-1918.md b/docs/firststeps-rfc-1918.md new file mode 100644 index 000000000..d99fbb5c0 --- /dev/null +++ b/docs/firststeps-rfc-1918.md @@ -0,0 +1,11 @@ +Per default, mailcow considers all private RFC1918 networks (i.e. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) as trusted. Though it is reasonable in most cases, you may want to restrict this setting under certain circumstances. In particular, if you are using some kind of reverse proxy for SMTP TCP ports. If your reverse proxy host is located in a private net, mailcow will consider all traffic from it as trusted, which may result in an open relay. + +To change this behaviour override the default value of `mynetworks` parameter through the `data/conf/postfix/extra.cf` configuration file. + +**Important**: Do **not** remove the networks listed as `IPV4_NETWORK` and `IPV6_NETWORK` in your mailcow.conf. You should also keep local addresses. + +The default values for those variables - `172.22.1.0/24` and `fd4d:6169:6c63:6f77::/64` - would result in the following, minimal configuration: + +``` +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 +``` diff --git a/mkdocs.yml b/mkdocs.yml index 770791e05..d81ea0f0e 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -29,6 +29,7 @@ nav: - 'Update': 'i_u_m_update.md' - 'Migration': 'i_u_m_migration.md' - 'First Steps (optional)': + - 'Untrust RFC 1918': 'firststeps-rfc-1918.md' - 'Advanced SSL': 'firststeps-ssl.md' - 'Rspamd UI': 'firststeps-rspamd_ui.md' - 'Reverse Proxy': 'firststeps-rp.md'