{"description": "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to\nlisten for incoming mail and transfer the messages to the appropriate\nuser or mail server. If the system is not intended to be a mail server,\nit is recommended that the MTA be configured to only process local mail.", "rationale": "The software for all Mail Transfer Agents is complex and most have a\nlong history of security issues. While it is important to ensure that\nthe system can process local mail messages, it is not necessary to have\nthe MTA's daemon listening on a port unless the server is intended to\nbe a mail server that receives and processes mail from other systems.", "severity": "medium", "references": {"cis": ["2.1.21"]}, "control_references": {"cis": ["2.1.21"]}, "components": [], "identifiers": {}, "ocil_clause": "MTA is listening on any non-loopback address", "ocil": "Run the following command to verify that the MTA is not listening on\nany address other than loopback (127.0.0.1 or ::1).\n<pre># ss -lntu | grep -E ':25\\s' | grep -E -v '\\s(127\\.0\\.0\\.1|\\[?::1\\]?):25\\s'</pre>\nNothing should be returned.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure Mail Transfer Agent is not Listening on any non-loopback Address", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/mail/has_nonlocal_mta/rule.yml", "template": null}