postfix : how to prevent open relay?

Postfix by default installation allows emails can be sent without authentication. So anyone can send email with any email address using postfix server with default settings. This will allow spammers to use your servers to send emails and even malware /virus. Receiver will see your server as the MTA and will result ip in spam list.

There are three main curtial settings in /etc/postfix/main.cf:

smtpd_sender_restrictions: Restrict sender for sending email only if given criteria matched. Best two options are reject_unknown_sender_domain and permit_sasl_autheticated. Which only allows domains in your servers are allowed to send emails and authentication is required to send email. You can also add more options as below:

smtpd_sender_restrictions =
        reject_sender_login_mismatch,
        reject_non_fqdn_sender,
        reject_unlisted_sender,
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_invalid_hostname,
        reject_unknown_sender_domain,
    reject_unauth_pipelining

smtpd_recipient_restrictions: This options allow to filter incoming emails based on criteria which will help to minimize spam emails: Some of the important options are: reject_non_fqdn_recipient, reject_unlisted_reciepient, permit_sasl_authenticated and reject_invalid_hostname. More options can be added as follows.

smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
reject_unlisted_recipient
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_invalid_hostname,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unauth_pipelining

smtpd_relay_restrictions: Prevent others to use your server to send emails. Most important setting is permit_sasl_authenticated. More options can be added as follows:

 smtpd_relay_restrictions = permit_mynetworks, 
        permit_sasl_authenticated,
        reject_unauth_destination

You can also force authentication by uncometing following option in /etc/postfix/master.cf

-o smtpd_relay_restrictions=permit_sasl_authenticated,reject

For more information visit: http://www.postfix.org/SMTPD_ACCESS_README.html

Elasticsearch: FORBIDDEN/12/index read-only / allow delete (api) error

Elasticsearch considers available disk space to calculate and allocate shard on that node. if there is less space left on disk, Elasticsearch put itself into read-only mode.
By default these setting are enabled in Elasticsearch.

cluster.routing.allocation.disk.threshold_enabled: By default its true and will enable following settings.

cluster.routing.allocation.disk.watermark.low: Default to 85%, which means, elastic search will not create more shards on the node with more than 85% disk space used.

cluster.routing.allocation.disk.watermark.high: Default to 90%, which means, Elasticsearch will try to move shard from node with 90% or more disk spaced used.

cluster.routing.allocation.disk.watermark.flood_stage: Default to 95%, which means, Elasticsearch will enforce read-only mode to all the index that has one or more shard on any of the node with 95% disk space used.

Solution:

Free up some disk space: If possible, free up disk spaced so that free space be more than 5%. After disk is freed up need to unlock read only access.

PUT /twitter/_settings
{
“index.blocks.read_only_allow_delete”: null
}

Disable or change settings: We can change watermark setting to low value, example of settings are as below.

PUT _cluster/settings

{

“transient”: {

“cluster.routing.allocation.disk.watermark.low”: “100gb”,

“cluster.routing.allocation.disk.watermark.high”: “50gb”,

“cluster.routing.allocation.disk.watermark.flood_stage”: “10gb”,

“cluster.info.update.interval”: “1m”

}

more information on this issue can be found here: https://www.elastic.co/guide/en/elasticsearch/reference/6.2/disk-allocator.html