Dear all, I'm looking for a way to permit the connection to the SMTP daemon (from localhost to localhost) only for certain users. This is because, with the perfect-server configuration, the localhost relay is without auth, so basically, if I (or a spammer) write a simple script (on a defaced website) that opens a socket to port 25, it can send email without any kind of limitation. An example of such a script could be:

PHP:
<?php
// Server address
$SmtpServer = "127.0.0.1";
$SmtpPort   = "25";       // default
$SmtpUser   = "username"; // no need to specify them
$SmtpPass   = "password"; // no need to specify them

class SMTPClient
{
    public $SmtpServer, $SmtpUser, $SmtpPass, $from, $to, $subject, $body, $PortSMTP;

    function __construct($SmtpServer, $SmtpPort, $SmtpUser, $SmtpPass, $from, $to, $subject, $body)
    {
        $this->SmtpServer = $SmtpServer;
        $this->SmtpUser   = base64_encode($SmtpUser);
        $this->SmtpPass   = base64_encode($SmtpPass);
        $this->from       = $from;
        $this->to         = $to;
        $this->subject    = $subject;
        $this->body       = $body;
        $this->PortSMTP   = ($SmtpPort == "") ? 25 : (int) $SmtpPort;
    }

    function SendMail()
    {
        $talk = array();
        if ($SMTPIN = fsockopen($this->SmtpServer, $this->PortSMTP)) {
            // Every reply is read into $talk but never checked, so a rejected
            // AUTH on an unauthenticated localhost relay does not stop the script.
            $talk["banner"] = fgets($SMTPIN, 1024);          // 220 greeting
            fputs($SMTPIN, "EHLO " . $_SERVER['HTTP_HOST'] . "\r\n");
            $talk["hello"] = fgets($SMTPIN, 1024);
            fputs($SMTPIN, "auth login\r\n");
            $talk["res"] = fgets($SMTPIN, 1024);
            fputs($SMTPIN, $this->SmtpUser . "\r\n");
            $talk["user"] = fgets($SMTPIN, 1024);
            fputs($SMTPIN, $this->SmtpPass . "\r\n");
            $talk["pass"] = fgets($SMTPIN, 256);
            fputs($SMTPIN, "MAIL FROM: <" . $this->from . ">\r\n");
            $talk["From"] = fgets($SMTPIN, 1024);
            fputs($SMTPIN, "RCPT TO: <" . $this->to . ">\r\n");
            $talk["To"] = fgets($SMTPIN, 1024);
            fputs($SMTPIN, "DATA\r\n");                      // sent once; a second DATA would become the first body line
            $talk["data"] = fgets($SMTPIN, 1024);
            fputs($SMTPIN, "To: <" . $this->to . ">\r\nFrom: <" . $this->from . ">\r\nSubject:" . $this->subject . "\r\n\r\n\r\n" . $this->body . "\r\n.\r\n");
            $talk["send"] = fgets($SMTPIN, 256);
            // CLOSE CONNECTION AND EXIT ...
            fputs($SMTPIN, "QUIT\r\n");
            fclose($SMTPIN);
        }
        return $talk;
    }
}

// Send
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $to      = $_POST['to'];
    $from    = $_POST['from'];
    $subject = $_POST['sub'];
    $body    = $_POST['message'];
    $SMTPMail = new SMTPClient($SmtpServer, $SmtpPort, $SmtpUser, $SmtpPass, $from, $to, $subject, $body);
    $SMTPChat = $SMTPMail->SendMail();
}
?>
<form method="post" action="">
To: <input type="text" name="to" /> <br>
From: <input type='text' name="from" /> <br>
Subject: <input type='text' name="sub" /> <br>
Message :<textarea name="message"></textarea> <br>
<input type="submit" value=" Send " /> <br>
</form>

So in order to limit this, I would like to limit connections to port 25 to certain users only (e.g. mail, vmail, mailman, root, postfix), so that the web user could not open the socket. In order to achieve that, I have customized the Bastille firewall with pre-chain-split.sh (/etc/Bastille/firewall.d/pre-chain-split.sh) with the following rules:

Code:
#/sbin/iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -p tcp -m tcp --dport 25 -m owner --uid-owner mail -j ACCEPT
#/sbin/iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -p tcp -m tcp --dport 25 -m owner --uid-owner vmail -j ACCEPT
#/sbin/iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -p tcp -m tcp --dport 25 -m owner --uid-owner mailman -j ACCEPT
#/sbin/iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -p tcp -m tcp --dport 25 -m owner --uid-owner root -j ACCEPT
#/sbin/iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -p tcp -m tcp --dport 25 -m owner --uid-owner postfix -j ACCEPT
#/sbin/iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -p tcp -m tcp --dport 25 -j DROP
#/sbin/iptables -A PUB_IN -s 127.0.0.1 -d 127.0.0.1 -p tcp -m tcp --dport 25 -j DROP
#/sbin/iptables -A PUB_OUT -s 127.0.0.1 -d 127.0.0.1 -p tcp -m tcp --dport 25 -j DROP
#/sbin/iptables -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable

But this doesn't seem to work well (I can run the script successfully in any case).
I can't figure out what I'm doing wrong there. Any help? ty
No, it was a copy&paste mistake. The iptables lines are loaded correctly (checked, as always, with iptables -L)... but it doesn't work :-(