[Mimedefang] Inappropriate packet filtering on lists.roaringpenguin.com
Nicholas Brealey
nick at brealey.org
Sun Jan 13 02:56:04 EST 2002
Hello David
This is not a complaint. I just thought people might
find it interesting:
I just noticed that it appears that your mail server
lists.roaringpenguin.com will not accept connections to
the smtp port from source ports < 1024.
I noticed this because I had
define(`SMTP_MAILER_FLAGS', `R')
in my sendmail config file so that sendmail would
send mail from a privileged source port. Combining this
with an egress packet filter which only allowed outgoing
smtp connections if the source port was < 1024 stopped
user processes from sending e-mail messages except
via sendmail (where MIMEdefang could scan them) and closed
the hole in the firewall at port 25 as far as non root users
are concerned.
Surprisingly, lots of mail servers block connections from
privileged source ports while allowing connections from
unprivileged ports and this idea is not usually practical.
The usual solution is to have a dedicated mail relay machine
with no user logins permitted. Alternatively I could use my
ISP's relay as a smart host or add mailertable entries to use
my ISP's relay for problem addresses.
Regards
Nick
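The control described in the post rests on one operating-system property: only root (on Linux, a process with CAP_NET_BIND_SERVICE) can bind a socket to a source port below 1024, so an egress rule that only lets port-25 connections out from such ports effectively restricts outbound SMTP to the MTA. The following Python script is an added example and is not code from the post or from the MIMEDefang project; it probes that property on the local host and models the egress decision the firewall makes. Host, port range and the policy function are assumptions made for the illustration.

```python
import errno
import os
import socket


def try_bind_source_port(port, host="127.0.0.1"):
    """Try to bind a TCP client socket to a specific source port.

    Returns None on success, otherwise the errno of the failure
    (EACCES for a privileged port without root/CAP_NET_BIND_SERVICE,
    EADDRINUSE if something already holds the port).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind((host, port))
        return None
    except OSError as exc:
        return exc.errno
    finally:
        sock.close()


def privileged_source_port_available():
    """Report whether this process can obtain any privileged source port.

    Walks downward from 1023 (assumed range for the illustration); a port
    that is merely busy is skipped, a permission failure ends the search.
    """
    for port in range(1023, 900, -1):
        rc = try_bind_source_port(port)
        if rc is None:
            return True
        if rc == errno.EADDRINUSE:
            continue
        return False
    return False


def egress_smtp_permitted(sport, dport):
    """Model of the egress packet filter from the post (assumed policy):
    outbound TCP to port 25 is allowed only from a source port below 1024,
    any other destination port is left alone."""
    if dport != 25:
        return True
    return 0 < sport < 1024


def main():
    # sendmail with mailer flag R binds to a privileged source port;
    # an ordinary user process gets an ephemeral one (constructed values).
    for who, sport in (("sendmail (flag R)", 1023), ("user process", 49152)):
        verdict = "allowed" if egress_smtp_permitted(sport, 25) else "dropped"
        print(f"{who:18s} sport={sport:5d} -> port 25: {verdict}")
    can = privileged_source_port_available()
    print(f"uid {os.geteuid()} can bind a privileged source port: {can}")


if __name__ == "__main__":
    main()
```

Run as an unprivileged user the probe reports False, as root it reports True, which is exactly the split the egress rule relies on. Two things weaken the control on current Linux systems and are worth checking before depending on it: the sysctl net.ipv4.ip_unprivileged_port_start can be lowered so that ordinary users may bind ports below 1024, and CAP_NET_BIND_SERVICE can be granted to a binary or container, in either case the "privileged source port" signal no longer means "sent by the MTA".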