I have a rule that I add to my mail gateway to cut down on spambots bombarding the server by preventing them attempting to login on unencrypted SMTP.
This is the rule I run at the prompt:
iptables -A INPUT -p tcp --dport 25 -m string --string="AUTH LOGIN" --algo bm -j REJECT
The Custom Firewall rule look like:
$IPTABLES -A INPUT -p tcp --dport 25 -m string --string="AUTH LOGIN" --algo bm -j REJECT
It returns: Firewall rule is invalid.
when trying to save and activate the rule.
I can run it at the prompt and it works fine.
I know there are other ways to run this at startup, and I also know that there are SMTP server side options that will work too.
I just thought the custom firewall app should accept almost any valid IPTABLES rule.
This is the rule I run at the prompt:
iptables -A INPUT -p tcp --dport 25 -m string --string="AUTH LOGIN" --algo bm -j REJECT
The Custom Firewall rule look like:
$IPTABLES -A INPUT -p tcp --dport 25 -m string --string="AUTH LOGIN" --algo bm -j REJECT
It returns: Firewall rule is invalid.
when trying to save and activate the rule.
I can run it at the prompt and it works fine.
I know there are other ways to run this at startup, and I also know that there are SMTP server side options that will work too.
I just thought the custom firewall app should accept almost any valid IPTABLES rule.
Share this post:
Responses (8)
-
Accepted Answer
-
Accepted Answer
-
Accepted Answer
I have filed a bug - https://gitlab.com/clearos/clearfoundation/app-firewall-custom/-/issues/4.
I know you said it could be handled elsewhere, but you rule is operating on both the LAN and WAN. It is easier just to turn off SMTP authentication in the SMTP server. It is a webconfig option. -
Accepted Answer
I do allow authenticated users to use the submission port (587) to send email through the server. I wasn't sure that turning off SMTP authentication would also turn off submission authentication. In any case. I still like using a firewall if it can be done. Keeps the logs from getting cluttered.
I'll turn off the SMTP auth as well, just to see what it does. -
Accepted Answer
-
Accepted Answer
Yeah. I looked at it. I typically block smtps as well. I know some sites allow it, but it was never really official.
On a side question. Do ClearOS updates ever rewrite the configuration files if they're manually edited? I know I had 5.2 do that to me, I just can't remember what package it was, but I know it was my certificate setup. It's been a while. -
Accepted Answer
ClearOS certainly can rewrite configuration files, but it tries to do it in a safe way. For example there is an update to app-smtp in updates-testing at the moment . One thing it will try to do in /etc/postfix/main.cf is remove reject_unauth_destination from the smtpd_recipient_restrictions and add a new parameter, smtpd_relay_restrictions instead.
I am editing my earlier post as well. Submission and SMTPS are configured in master.cf and not main.cf as I originally stated. -
Accepted Answer
I think submission is handled by the submission section in master.cf. SMTPS is the unofficial, port 465 hack to SMTP that was never accepted as a standard but supported by Postfix.
submission inet n - n - - smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_tls_security_level=may -o smtpd_client_restrictions=permit_sasl_authenticated,reject
In any case, turning off SMTP authentication doesn't affect submission. Thanks for the tip.
Please login to post a reply
You will need to be logged in to be able to post a reply. Login using the form on the right or register an account if you are new here.
Register Here »