0

Is there a way to block port 25 for everything but mail communication? Had no luck finding an answer to this yet. Maybe it's possible to block every application but those related to above usage?

I am using qmail, if that is important.

user3094719
  • 65
  • 1
  • 6
  • No, iptables does not block applications, so you cannot limit port 80 to firefox with iptables. You would have to look into alternate tools such as selinux or apparmor (or similar) (depending on your distro). – Panther Jan 03 '14 at 23:57
  • You could possibly use string matching in iptables to determine whether traffic on port 25 conforms to SMTP but it would be very difficult. The best bet is to let iptables pass port 25 traffic through to the email server only and let the email server decide whether it is valid email, and discard it if not. – Paul Jan 04 '14 at 00:05
  • @Paul letting iptables pass port 25 traffic through to the email server only seems almost exactly like what I've been looking for! What would that look like approx.? – user3094719 Jan 04 '14 at 01:17
  • 1
    What exactly is the problem? Are you trying to limit outgoing traffic on port 25 or incoming traffic? Incoming traffic should already be limited to mail because you would only forward port 25 to the server (unless this is a server in a dmz/exposed to the internet) and only qmail can be listening on port 25. Are you experiencing problems with users using port 25 for other things? – Rik Jan 04 '14 at 13:20

2 Answers

1

Assuming no malicious software is running on your host, no specific port mapping and no specific routing, then most probably your mail application is using port 25 as its socket, and no other apps are using this port.

If it happens that any other app sends traffic to port 25 on your host, your mail app will read it, find it's not mail, and discard it.

aseaudi
  • 476
  • 2
  • 3
0

I think you may be mixing different issues. If you have qmail running in standard configuration, it will be listening on port 25. You can check that with the command:

   sudo ss -lntp | grep 25

This command will show you the process (the -p option) listening on port 25.

Now let us imagine that a different application from another PC sends packets to your port 25: what is going to happen? Nothing, unless that application is asking exactly for qmail. So there is no need (and no possibility either) to bar applications on any given port. If some PC sends packets destined for an application X to a port where Y is listening, nothing will happen. So there is no need (and no possibility) to use iptables to bar applications.

If you do not believe me, just try to load a Web page from port 25, or to establish an ssh connection to it, and see what happens.

MariusMatutiae
  • 46,990
  • 12
  • 80
  • 129
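As an added example (not part of either answer above), here is a small POSIX shell script that performs the check MariusMatutiae describes, but matches the port exactly instead of using `grep 25`, which would also match sockets on ports such as 250 or 2525. The `ss -lntp` output embedded in it is constructed for the demonstration, and `tcpserver` is only an assumed name for qmail's listening process; on a real host you would pipe live `sudo ss -lntp` output into the same function.

```shell
#!/bin/sh
# Added example: identify exactly which process is bound to TCP port 25
# from `ss -lntp` output, and confirm it is the one you expect.

# Constructed sample of `ss -lntp` output. The lines on 2525 and 250 are
# decoys: a plain `grep 25` matches them as well as the real port 25 line.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      20     0.0.0.0:25         0.0.0.0:*         users:(("tcpserver",pid=1340,fd=3))
LISTEN 0      128    0.0.0.0:2525       0.0.0.0:*         users:(("python3",pid=2210,fd=5))
LISTEN 0      128    [::]:250           [::]:*            users:(("nc",pid=2301,fd=3))'

# listeners_on_port PORT
#   Reads `ss -lntp` output on stdin and prints "process pid" for every
#   socket bound to exactly PORT (IPv4 or IPv6), one per line.
listeners_on_port() {
    port="$1"
    awk -v port="$port" '
        $1 == "LISTEN" {
            # Column 4 is Local Address:Port; the port follows the last colon,
            # which also handles IPv6 forms such as [::]:25.
            n = split($4, parts, ":")
            if (parts[n] != port) next
            # The Process column looks like users:(("name",pid=1234,fd=3)).
            if (match($0, /\(\("[^"]*",pid=[0-9]+/)) {
                s = substr($0, RSTART + 3, RLENGTH - 3)   # name",pid=1234
                sub(/",pid=/, " ", s)                     # name 1234
                print s
            }
        }'
}

# check_only_expected PORT EXPECTED_NAME
#   Returns 0 when exactly one listener is bound to PORT and its process
#   name is EXPECTED_NAME (e.g. qmail's tcpserver); returns 1 otherwise.
#   A second listener or an unexpected name is what you would investigate.
check_only_expected() {
    port="$1"
    expected="$2"
    found=$(listeners_on_port "$port")
    [ "$(printf '%s\n' "$found" | grep -c .)" -eq 1 ] || return 1
    [ "${found%% *}" = "$expected" ]
}

# Offline demonstration on the constructed sample.
# Live use on the mail host (root is needed for the -p process details):
#   sudo ss -lntp | listeners_on_port 25
printf '%s\n' "$SAMPLE_SS_OUTPUT" | listeners_on_port 25   # prints: tcpserver 1340
```

The exact-port match is the point: the decoy lines on 2525 and 250 are ignored, so a single result confirms that only the expected mail listener owns port 25, and anything else on that port shows up by name and PID rather than being lost in loose `grep` output.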