I am looking for some clarification on why ISPConfig creates the following lines in /etc/amavis/conf.d/50-user:

    # IP-Addresses for internal networks => load policy MYNETS
    # - requires -o smtp_send_xforward_command=yes in postfix master.cf
    @mynetworks = qw(0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 [::1] [FE80::]/10 [FEC0::]/10);

    # Allow SMTP access from IPs in @inet_acl to amvisd SMTP Port
    @inet_acl = qw( 127.0.0.1 [::1] 192.168.0.0/16 );

Specifically the IP address 0.0.0.0/8. I understood this to be open to exploitation by someone spoofing IP addresses. I do not believe that the developers would take that risk. I am sure I am missing something. Can anyone clarify? Longtime ISPConfig users.

Thank you
Barbara
RFC 5735 (“Special-Use IPv4 Addresses”) calls 0.0.0.0/8 “this network”; it is a placeholder block. Placing 0.0.0.0/8 in @mynetworks tells amavisd “treat these IPs as internal”. That way a message that was produced on the host itself is recognised as MYNETS / originating and can:

- receive DKIM signatures or disclaimers meant only for mail you originate,
- be exempted from spam/virus checks you reserve for external mail,
- trigger any other “internal-mail” policy bank settings you use.

- Keep it if you routinely generate mail on the server (cron jobs, PHP, etc.) and rely on MYNETS rules (signing, relaxed spam checks, etc.).
- Remove it (or leave it out) if you are not using those MYNETS-specific features, or if you are unsure that every external SMTP connection will arrive with a real IP address—otherwise you might unintentionally trust and underscan some mail.
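
To check which client addresses the quoted @mynetworks list would place in the MYNETS policy bank, and whether any entry covers routable address space, here is an added example (not part of either post and not ISPConfig or amavisd code). The function names and the `SPECIAL` table are assumptions made for illustration; the sample config is the pair of lists from the question.

```python
import ipaddress
import re

# Sample input: the two lists quoted in the question, embedded so this runs offline.
SAMPLE_CONF = """\
@mynetworks = qw(0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
                 [::1] [FE80::]/10 [FEC0::]/10);
@inet_acl = qw( 127.0.0.1 [::1] 192.168.0.0/16 );
"""

# Non-routable blocks an "internal" list is expected to contain (assumed table).
SPECIAL = {
    "0.0.0.0/8": "this network", "127.0.0.0/8": "loopback",
    "10.0.0.0/8": "private", "172.16.0.0/12": "private",
    "192.168.0.0/16": "private", "::1/128": "loopback",
    "fe80::/10": "link-local", "fec0::/10": "site-local",
}

def parse_list(conf, name):
    """Return the entries of an uncommented `@name = qw(...)` as networks."""
    m = re.search(r"^\s*@" + re.escape(name) + r"\s*=\s*qw\(([^)]*)\)", conf, re.M)
    nets = []
    for token in (m.group(1).split() if m else []):
        # The file writes IPv6 as [addr] or [addr]/len; drop the brackets.
        bare = token.replace("[", "").replace("]", "")
        nets.append(ipaddress.ip_network(bare, strict=False))
    return nets

def matching_entry(nets, client_ip):
    """Most specific list entry containing client_ip, or None (treated as external)."""
    ip = ipaddress.ip_address(client_ip)
    hits = [n for n in nets if n.version == ip.version and ip in n]
    return max(hits, key=lambda n: n.prefixlen, default=None)

def audit(nets):
    """Label each entry; anything outside SPECIAL is 'routable' and needs review."""
    labels = {}
    for n in nets:
        labels[str(n)] = "routable"
        for block, label in SPECIAL.items():
            b = ipaddress.ip_network(block)
            if b.version == n.version and n.subnet_of(b):
                labels[str(n)] = label
    return labels

if __name__ == "__main__":
    nets = parse_list(SAMPLE_CONF, "mynetworks")
    for entry, label in audit(nets).items():
        print(f"{entry:18} {label}")
    for ip in ("0.0.0.0", "192.168.1.20", "203.0.113.5", "fe80::1"):
        print(ip, "->", matching_entry(nets, ip))
```

Point `parse_list` at the contents of your own 50-user file to audit the live list; any entry labelled `routable` is one where external senders would be treated as internal.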