I'm well aware that sendmail operates on the incoming ports 25 and
587. However, I'm wondering about from what ports sendmail send
outgoing mail from.. does it use 25 still? or does it just use a
random high port? I'm trying create a firewall rule, that would limit
any mail leaving the server unless it was sent through sendmail. (as
opposed to a local user setting up their own smtp server in their pine
or something)

I'm hoping it does use 25 to send outgoing as well, then i could
create a rule to only allow outgoing packets to port 25 IF it is
coming FROM the local port 25..

Any answer here, or any alternative would be great.. just try to limit
outgoing mail..

Thanks
alex

alex49201 wrote:
> I'm well aware that sendmail operates on the incoming ports 25 and 587.
> However, I'm wondering about from what ports sendmail send outgoing mail
> from.. does it use 25 still? or does it just use a random high port?
> I'm trying create a firewall rule, that would limit any mail leaving the
> server unless it was sent through sendmail. (as opposed to a local user
> setting up their own smtp server in their pine or something)
>
> I'm hoping it does use 25 to send outgoing as well, then i could create
> a rule to only allow outgoing packets to port 25 IF it is coming FROM
> the local port 25..
>
> Any answer here, or any alternative would be great.. just try to limit
> outgoing mail..

Sendmail will use for outgoing connections unique (not random) high
local port numbers.

What prevents you to only allow your mail server(s) to setup a TCP
connections to a remote port 25? You only have to filter on local
IP number and remote port 25.
Filtering on local port 25 would be useless anyway. It doesn't
distinguish between your mail servers and other systems that are
running some kind of a MTA.

Regards,

Kees.

--
Kees Theunissen.

Kees Theunissen wrote:
> alex49201 wrote:
>> random high port? I'm trying create a firewall rule, that would limit
>> any mail leaving the server unless it was sent through sendmail. (as
>> opposed to a local user setting up their own smtp server in their pine
>> or something)
[ ...]
> What prevents you to only allow your mail server(s) to setup a TCP
> connections to a remote port 25? You only have to filter on local
> IP number and remote port 25.
> Filtering on local port 25 would be useless anyway. It doesn't
> distinguish between your mail servers and other systems that are
> running some kind of a MTA.

Sorry about this answer.
I didn't read your question with enough care, and supposed you were
configuring an external firewall.

Regards,

Kees.

--
Kees Theunissen.

"alex49201" <alex@aeshells.org> ha scritto nel messaggio
news:%7cjh.11425$hI.3632@newssvr11.news.prodigy.ne t...

> I'm hoping it does use 25 to send outgoing as well, then i could
> create a rule to only allow outgoing packets to port 25 IF it is
> coming FROM the local port 25..
>
> Any answer here, or any alternative would be great.. just try to limit
> outgoing mail..

Just limit, on your firewall, the port 25 for incoming mail (permit in
port25) and port 25 for outgoing mail (permit out port 25). For next time,
just think what service, or protocol, you want to use on remote side (or
better: server side). The port opened on local side (or better: client side)
is randomly selected by stack TCP/IP where the number is high of 1024.

For example: WWW server is listening on port 25, the SMTP server is
listening on port 25 (the IANA assigned port). And you are client (WWW) and
recipient mail (or incoming). Your connection to www server is on "remote
side=80,client side=1025", connection from SMTP server to you is on "remote
site=25, client side=1026" and so on.

If you want to configure a firewall stateful, just rememeber it to keep
track the state of the connection (on IPFilter, for example, the "keep
state" keyword) and you will safe on both direction.

Hope this help.

Cesare

alex49201 wrote:
> I'm well aware that sendmail operates on the incoming ports 25 and 587.
> However, I'm wondering about from what ports sendmail send outgoing mail
> from.. does it use 25 still? or does it just use a random high port?
> I'm trying create a firewall rule, that would limit any mail leaving the
> server unless it was sent through sendmail. (as opposed to a local user
> setting up their own smtp server in their pine or something)
>
> I'm hoping it does use 25 to send outgoing as well, then i could create
> a rule to only allow outgoing packets to port 25 IF it is coming FROM
> the local port 25..
>
> Any answer here, or any alternative would be great.. just try to limit
> outgoing mail..
>
> Thanks
> alex

I'm gonna try to clarify this a little bit, perhaps that will help
everyone. I'm running just a simple web/mail server for various
clients. I design most of the websites on the server, but not all of
them. Some of the ones I've not designed are operating very
insecuring, such as they are vulnerable to including remote pages.

So the result of this, is these insecure php pages are being attacked
and are sending spam directly from the php scripts to other mail
servers. The mails are not being sent from the local sendmail.
Basically, the php scripts are acting as a client, sending to a remote
smtp server. I could of course block connects to any outgoing port
25, but that would also block mail being sent from sendmail.

How can I create a rule that allows only sendmail to establish a
connection to a remote port 25?

I want to block ALL outgoing mail from the server, unless it comes
from sendmail. How can i do that?

Thanks again,
alex

alex49201 wrote:
> I'm gonna try to clarify this a little bit, perhaps that will help
> everyone. I'm running just a simple web/mail server for various
> clients. I design most of the websites on the server, but not all of
> them. Some of the ones I've not designed are operating very insecuring,
> such as they are vulnerable to including remote pages.

If an attacker is able to include remote scripts in dynamic pages
on your server, then your problem is _a lot_ bigger than just spam
relaying.
>
> So the result of this, is these insecure php pages are being attacked
> and are sending spam directly from the php scripts to other mail

And probably the attackers are
-- installing back doors and zombie clients,
-- inspecting every document on the server that will be readable
with the access rights of your http daemon,
-- using your server to attack other systems,
-- doing everything you can imagine, or even more.
_Their_ imagination is the limit.

> servers. The mails are not being sent from the local sendmail.
> Basically, the php scripts are acting as a client, sending to a remote
> smtp server. I could of course block connects to any outgoing port 25,
> but that would also block mail being sent from sendmail.
>
> How can I create a rule that allows only sendmail to establish a
> connection to a remote port 25?

Packet filters act only on IP numbers and port numbers. So you
cannot do this with a simple packet filter.

>
> I want to block ALL outgoing mail from the server, unless it comes from
> sendmail. How can i do that?

You can't.
And your problem is not outgoing mail. Your problem is third parties
being able to run any software they choose on your system. If there
is any "suid root" executable on your system with a local exploitable
bug they might even gain root privilege.

The first thing to do is shut down at least those web pages that are
proved vulnerable.
You should at least inspect your system thoroughly for further damage,
but it might be safer and less work to do a complete reinstall from
known good media/backups.

Regards,

Kees.

--
Kees Theunissen.