CCE-95500-5
Platform: cpe:/o:amazon:linux:2, cpe:/o:centos:centos:7, cpe:/o:oracle:linux:7, cpe:/o:oracle:linux:8, cpe:/o:redhat:enterprise_linux:7, cpe:/o:redhat:enterprise_linux:8, cpe:/o:redhat:enterprise_linux:9 | Date: (C)2021-03-05 (M)2023-07-04 |
Description:
Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming
mail and transfer the messages to the appropriate user or mail server. If the system is not
intended to be a mail server, it is recommended that the MTA be configured to only process
local mail.
Rationale:
The software for all Mail Transfer Agents is complex and most have a long history of
security issues. While it is important to ensure that the system can process local mail
messages, it is not necessary to have the MTAs daemon listening on a port unless the
server is intended to be a mail server that receives and processes mail from other systems.
Audit:
Run the following command to verify that the MTA is not listening on any non-loopback
address (127.0.0.1 or ::1). Nothing should be returned:
# ss -lntu | grep -E ':25\s' | grep -E -v '\s(127.0.0.1|::1):25\s'
Remediation:
Edit /etc/postfix/main.cf and add the following line to the RECEIVING MAIL section. If
the line already exists, change it to look like the line below:
inet_interfaces = loopback-only
Run the following command to restart postfix:
# systemctl restart postfix
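An offline version of the audit and of the remediation check, as an added example that is not part of the original benchmark text. The function names and the sample `ss` and `main.cf` text are constructed for illustration; it goes slightly beyond the one-line audit by also accepting the bracketed `[::1]:25` form that newer `ss` releases print.

```shell
#!/bin/sh
# Added example; all sample data below is constructed.

# Reads `ss -lntu` output on stdin and prints each local address bound to
# port 25 that is not 127.0.0.1 or ::1. Accepts "[::1]:25" and "::1:25".
mta_nonloopback_listeners() {
    awk '$2 == "LISTEN" || $2 == "UNCONN" {
        laddr = $5
        n = match(laddr, /:[^:]*$/)          # last colon splits addr:port
        if (n == 0) next
        port = substr(laddr, n + 1)
        addr = substr(laddr, 1, n - 1)
        gsub(/\[|\]/, "", addr)              # "[::1]" -> "::1"
        if (port == "25" && addr != "127.0.0.1" && addr != "::1") print laddr
    }'
}

# Reads main.cf text on stdin and prints the inet_interfaces value in effect:
# the last uncommented assignment wins; Postfix defaults to "all" if unset.
postfix_inet_interfaces() {
    awk -F= '
        /^[ \t]*#/ { next }
        $1 ~ /^inet_interfaces[ \t]*$/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
        }
        END { print (v == "" ? "all" : v) }'
}

SS_COMPLIANT='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128      0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0      100    127.0.0.1:25      0.0.0.0:*
tcp   LISTEN 0      100        [::1]:25         [::]:*'

SS_EXPOSED='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      100    127.0.0.1:2525    0.0.0.0:*
tcp   LISTEN 0      100      0.0.0.0:25      0.0.0.0:*
tcp   LISTEN 0      100         [::]:25         [::]:*'

CF_FIXED='#inet_interfaces = all
inet_interfaces = localhost
inet_interfaces = loopback-only'
CF_UNSET='#inet_interfaces = all
myhostname = host.example.test'

printf '%s\n' "$SS_EXPOSED" | mta_nonloopback_listeners
printf '%s\n' "$CF_FIXED" | postfix_inet_interfaces
```

On a live host, pipe `ss -lntu` into `mta_nonloopback_listeners` and the contents of /etc/postfix/main.cf into `postfix_inet_interfaces`; empty output from the first is the compliant result.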
Parameter:
[yes/no]
Technical Mechanism:
Edit /etc/postfix/main.cf and add the following line to the RECEIVING MAIL section. If
the line already exists, change it to look like the line below:
inet_interfaces = loopback-only
Run the following command to restart postfix:
# systemctl restart postfix
CCSS Severity:
CCSS Score: 8.8
Exploit Score: 2.8
Impact Score: 5.9
Severity: HIGH
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CCSS Metrics:
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH
References:
Resource Id | Reference |
---|---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:68651 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:73051 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:72022 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:72840 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:84262 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:72388 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:72946 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:72737 |