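#!/usr/bin/env bash
#
# Audit: ensure the mail transfer agent (MTA) accepts connections on the
# loopback interface only.
#
# Two independent checks feed the verdict:
#   1. Live sockets: for each SMTP-related port, any listening socket whose
#      local address is not 127.0.0.1 / ::1 is a failure.
#   2. MTA configuration: whichever of postfix / exim / sendmail is installed
#      is asked for its interface binding, which must be loopback-only.
#
# Output: a PASS/FAIL report on stdout. On FAIL the reasons are listed first,
# followed by whichever checks were correctly set.
#
# The body is wrapped in { } so it can be pasted into a shell as one unit;
# no `set -e`/`pipefail` is enabled on purpose, so pasting does not alter the
# caller's shell options.
{
  a_output=()                     # findings that satisfy the control
  a_output2=()                    # findings that fail the control
  a_port_list=("25" "465" "587")  # smtp, smtps, submission
  l_interfaces=""                 # explicit init: "not detected" if no MTA query runs

  # --- 1. socket check ---------------------------------------------------
  # ss (iproute2) lists listening tcp/udp sockets. The first grep keeps only
  # lines for this port; the second (-v) selects those whose local address is
  # NOT 127.0.0.1 or [::1]; -q makes it exit 0 as soon as one such line exists.
  for l_port_number in "${a_port_list[@]}"; do
    if ss -plntu | grep -P -- ':'"$l_port_number"'\b' \
        | grep -Pvq -- '\h+(127\.0\.0\.1|\[?::1\]?):'"$l_port_number"'\b'; then
      a_output2+=(" - Port \"$l_port_number\" is listening on a non-loopback network interface")
    else
      a_output+=(" - Port \"$l_port_number\" is not listening on a non-loopback network interface")
    fi
  done

  # --- 2. configuration check --------------------------------------------
  # Prefer asking the MTA for its effective setting over parsing its config.
  if command -v postconf &> /dev/null; then
    l_interfaces="$(postconf -n inet_interfaces)"
  elif command -v exim &> /dev/null; then
    l_interfaces="$(exim -bP local_interfaces)"
  elif command -v sendmail &> /dev/null; then
    # sendmail has no query tool for this; read the compiled sendmail.cf.
    # Option lines in sendmail.cf start with the letter O; the digit 0 is kept
    # in the class so the previous literal still matches as well.
    # NOTE(review): the source listed /etc/mail/sendmail.cr; sendmail's
    # configuration file is /etc/mail/sendmail.cf.
    l_interfaces="$(grep -i "[O0] DaemonPortOptions=" /etc/mail/sendmail.cf \
      | grep -oP '(?<=Addr=)[^,+]+')"
  fi

  if [ -n "$l_interfaces" ]; then
    if grep -Pqi '\ball\b' <<< "$l_interfaces"; then
      a_output2+=(" - MTA is bound to all network interfaces")
    # Loopback means 127.0.0.1, ::1 or the postfix keyword. 0.0.0.0 is the
    # wildcard address (exim's default local_interfaces is "<; ::0 ; 0.0.0.0")
    # and must not be accepted here, or an MTA listening on every IPv4
    # interface would pass the audit.
    # Known gap: a mixed list such as 127.0.0.1 plus a routable address still
    # matches; tightening that needs per-MTA list parsing.
    elif ! grep -Pqi '(inet_interfaces\h*=\h*)?(127\.0\.0\.1|::1|loopback-only)' <<< "$l_interfaces"; then
      a_output2+=(" - MTA is bound to a network interface" "\"$l_interfaces\"")
    else
      a_output+=(" - MTA is not bound to a non loopback network interface" "\"$l_interfaces\"")
    fi
  else
    a_output+=(" - MTA not detected or in use")
  fi

  # --- 3. report ---------------------------------------------------------
  if [ "${#a_output2[@]}" -le 0 ]; then
    printf '%s\n' "" "- Audit Result:" " ** PASS **" "${a_output[@]}"
  else
    printf '%s\n' "" "- Audit Result:" " ** FAIL **" " * Reasons for audit failure *" "${a_output2[@]}" ""
    # 'if' rather than '&&' so an empty a_output does not leave a non-zero
    # status as the last thing the group did.
    if [ "${#a_output[@]}" -gt 0 ]; then
      printf '%s\n' "- Correctly set:" "${a_output[@]}"
    fi
  fi
}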
Edit /etc/postfix/main.cf and add the following line to the RECEIVING MAIL section. If the line already exists, change it to look like the line below:
inet_interfaces=loopback-only
Run the following command to restart postfix:
# systemctl restart postfix
Note:
- This recommendation is designed around the postfix mail server.
- Depending on your environment you may have an alternative MTA installed such as exim4. If this is the case consult the documentation for your installed MTA to configure the recommended state.