[SOLVED] Security best-practices question
Hey people, I'm looking for opinions on the best practice for configuring my firewalls and/or Zimbra so I can get security notices from the firewalls.
My firewall is capable of sending out both notices of failed logins, intrusions, etc, and also backup files to an email address I specify. This feature uses a SMTP engine (Exim) built right into the firewall to kick the notices out, and they go out through the WAN IP of the box. If I send them to a nearly-unfiltered account I have elsewhere (not on Zimbra) the messages come thru, even with Fetchmail grabbing them down to a Zimbra account. However, if I direct these same messages to an account on my Zimbra box, they are rejected by Postfix:
I know WHY this is happening--I have the various MTA restrictions turned on, including:
Feb 26 11:23:35 mail postfix/smtpd: NOQUEUE: reject: RCPT from unknown[XXX.XXX.XXX.XXX]: 504 <firewall-hostname>: Helo command rejected: need fully-qualified hostname; fro
m=<firstname.lastname@example.org> to=<myaddress> proto=ESMTP helo=<firewall-hostname>
And guess what, it's following my instructions to the letter! :D I don't really want to turn these features off because they stop a lot of trash, but I DO want to get my firewall notices. I can see a couple less-than-desirable options:
Would appreciate any ideas you all might have.
- Add the WAN IP addresses of my "Allowed senders" relay list. My concern with this is that I don't much like to have a relay open to ANY public IPs
- Register my WAN IPs in a DNS I control. I don't much like putting the gateways to my networks in a phone book. . .seems kinda like inviting trouble.
- There ought to be a way to whitelist the addresses I create, but my first attempts at whitelisting didn't work--it seems Postfix is rejecting the message before SpamAssassin gets a chance to whitelist it.
I'm an idiot, forget I posted this!
I'm truly embarrassed by what I discovered is the problem. I've been putting an address formatted like an email (email@example.com) into the FQDN field of my firewall. Not surprisingly, Postfix sees that as an invalid domain and rejects the email. It had nothing to do with a reverse lookup, and everything to do with me overlooking the blindingly obvious.:p
Putting in a FQDN of my own invention that just looks right was good enough.