Log with iptalbes which user is delivering email to port 25
Posted
by
Maus
on Server Fault
See other posts from Server Fault
or by Maus
Published on 2012-11-11T12:31:20Z
Indexed on
2012/11/11
23:02 UTC
Read the original article
Hit count: 204
Because we got blacklisted on CBL I set up the following firewall rules with iptables:
#!/bin/bash
iptables -A OUTPUT -d 127.0.0.1 -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 25 -m owner --gid-owner mail -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 25 -m owner --uid-owner root -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 25 -m owner --uid-owner Debian-exim -j ACCEPT
iptables -A OUTPUT -p tcp -m limit --limit 15/minute -m tcp --dport 25 -j LOG --log-prefix "LOCAL_DROPPED_SPAM"
iptables -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
I'm not able to connect to port 25 from localhost with another user than root or a mail group member -> So it seems to work.
Still some questions remain:
- How effective do you rate this rule-set to prevent spam coming from bad PHP-Scripts hosted on the server?
- Is there a way to block port 25 and 587 within the same statement?
- Is the usage of
/usr/sbin/sendmail
also limited or blocked by this rule-set? - Is there a way to log the username of all other attempts which try to deliver stuff to port 25?
© Server Fault or respective owner