To clarify the .sig, I generally read list mail. The Subject header
concerns offlist mail only. I often don't even collect mail at this
address, and in fact it has been more than a week since I did. I read
list mail from a different subscribed address in my own domain.

On Tuesday 2005-August-23 04:38, darren@xxxxxxxxxxx wrote:
> I want to allow the qmail to send mail out from the box and allow php
> scripts to use the MX functions to identify bad domains. The problem
> is that this means I need to have all ports open for outgoing. Is

I generally do not recommend restricting OUTPUT. You can, if you know
all source ports or destination ports or destination IPs you need, but
the gain in security is far less than the loss of functionality. Thus
I'd say, don't worry, leave OUTPUT open.

> there a way to set up for outgoing mail and mx record checks to be
> done without opening all ports.

As described above. Outgoing mail will always have destination port
25/tcp. Outgoing DNS queries will always go to the nameservers listed
in your resolv.conf, and to 53/tcp and 53/udp. Experiment with LOG
rules to see what other external connections are being initiated.
Perhaps you will find that your PHP has already been 0wn3d. ;)

More on the security of OUTPUT filtering: if an intruder has a
functional shell on your system, chances are high that a privilege
escalation will occur. At that time whatever ports are wanted can be
opened by and for the intruder's use. Furthermore in the few
compromised systems I have seen, a common use of it is to send phish
spams. You'll be allowing that anyway.

-- 
mail to this address is discarded unless "/dev/rob0" or "not-spam"
is in Subject: header
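The reply above names exactly what an outbound policy for this box would have to allow (25/tcp for mail, 53/tcp and 53/udp to the nameservers in resolv.conf) and suggests LOG rules to discover everything else. The script below is an added example, not code from the reply or from any project: the function `outbound_rules` reads nameserver lines from a resolv.conf path and prints an iptables-restore ruleset that permits only those flows, logs any other outbound packet with a fixed prefix, and drops it; `summarize_log` then tallies the logged destinations (protocol, address, port) from kernel LOG lines so unexpected connections stand out. Both function names, the `OUTPUT-unexpected:` prefix, the sample resolv.conf and the sample log lines (documentation-range addresses) are constructed for the example. The rules are printed, not applied; review them before loading anything on a real host.

```shell
#!/bin/sh
# Added example (not from the original post). Everything here is
# hypothetical: function names, log prefix, and sample data.

# outbound_rules RESOLV_CONF_PATH
# Prints an OUTPUT policy in iptables-restore syntax that allows only
# outgoing SMTP and DNS to the configured nameservers; the rest is
# logged and dropped.
outbound_rules() {
    resolv=$1
    echo '*filter'
    echo ':OUTPUT DROP [0:0]'
    # Loopback and replies belonging to connections already accepted.
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Outgoing mail: the destination port is always 25/tcp.
    echo '-A OUTPUT -p tcp --dport 25 -j ACCEPT'
    # DNS: one udp and one tcp rule per nameserver listed in resolv.conf.
    awk '$1 == "nameserver" { print $2 }' "$resolv" | while read -r ns; do
        echo "-A OUTPUT -p udp -d $ns --dport 53 -j ACCEPT"
        echo "-A OUTPUT -p tcp -d $ns --dport 53 -j ACCEPT"
    done
    # Anything else: log it (rate-limited) so it appears in the kernel
    # log with a recognisable prefix, then drop it.
    echo '-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-unexpected: "'
    echo '-A OUTPUT -j DROP'
    echo 'COMMIT'
}

# summarize_log LOGFILE
# Reads syslog/dmesg lines produced by the LOG rule above and prints
# "COUNT PROTO DST DPT", most frequent first, so the connections the box
# is trying to initiate on its own are easy to spot.
summarize_log() {
    awk '/OUTPUT-unexpected:/ {
        dst = ""; proto = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=");
            if (kv[1] == "DST") dst = kv[2];
            else if (kv[1] == "PROTO") proto = kv[2];
            else if (kv[1] == "DPT") dpt = kv[2];
        }
        count[proto " " dst " " dpt]++
    }
    END { for (k in count) print count[k], k }' "$1" |
    LC_ALL=C sort -k1,1nr -k2,2 -k3,3
}

# Constructed sample input: a resolv.conf with two nameservers and a few
# kernel LOG lines in the format the netfilter LOG target emits.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
SAMPLE_RESOLV=$workdir/resolv.conf
SAMPLE_LOG=$workdir/kern.log
cat > "$SAMPLE_RESOLV" <<'EOF'
search example.net
nameserver 192.0.2.53
nameserver 192.0.2.54
EOF
cat > "$SAMPLE_LOG" <<'EOF'
Aug 23 04:40:12 mx kernel: OUTPUT-unexpected: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1001 DF PROTO=TCP SPT=40001 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 23 04:40:13 mx kernel: OUTPUT-unexpected: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1002 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 23 04:40:15 mx kernel: OUTPUT-unexpected: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1003 DF PROTO=TCP SPT=40003 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 23 04:40:20 mx kernel: OUTPUT-unexpected: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=1004 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Aug 23 04:41:00 mx kernel: INPUT-drop: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=4444 DPT=22 SYN
EOF

# Stand-alone run: show the generated ruleset and the log summary.
outbound_rules "$SAMPLE_RESOLV"
echo '---'
summarize_log "$SAMPLE_LOG"
```

Running the script prints the ruleset followed by a summary in which the repeated 6667/tcp destination sorts to the top; that is the kind of line the reply says to look for before deciding whether OUTPUT filtering is worth the lost functionality. The DNS rules are tied to the nameserver addresses, so a change to resolv.conf means regenerating the ruleset.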