Firewall rule to only allow Postfix to send email through SMTP on port 25

user5858 asked:

As suggested in How do you detect a spambot on your network?, how can I set up a firewall rule to allow only Postfix to send emails using SMTP on port 25 and disallow all other applications from sending on port 25?

Mine is on an Ubuntu VPS.

Something related is being talked about here, but I'm not sure of the iptables rules.

My answer:

Do two things:

  1. Run Postfix under its own user account. It should already be doing so, on any sane system.

  2. Set an iptables rule with a uid match for that account, which blocks outgoing traffic to destination port 25 not from that user.

    For example: Here we assume the username is postfix, though it may be something different on your system.

    iptables -I OUTPUT -m owner ! --uid-owner postfix -m tcp -p tcp --dport 25 -j REJECT --reject-with icmp-admin-prohibited
    ip6tables -I OUTPUT -m owner ! --uid-owner postfix -m tcp -p tcp --dport 25 -j REJECT --reject-with icmp6-adm-prohibited

    Note that when you save the rule, the user name will be converted to a numeric uid.
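As an added example (not part of the Server Fault answer above), the following POSIX shell script applies the two rules idempotently, resolves the account name to the numeric uid that iptables-save will write, and audits a saved ruleset for the control. The account name `postfix`, the uid `106` in the constructed sample, the `MAIL_USER` variable and the `nc`-based probe are all assumptions of this example.

```shell
#!/bin/sh
# Added example: enforce "only the Postfix account may talk to port 25"
# with an iptables owner match, and audit that the rule is really in place.
# Assumption: the Postfix account is called "postfix" (override via MAIL_USER).

MAIL_USER="${MAIL_USER:-postfix}"

# iptables-save stores the uid, not the name, so an audit has to compare
# against the number. $2 is a fallback used only when the account does not
# exist on the machine running this (e.g. a test host without Postfix).
resolve_uid() {
    _u=$(getent passwd "$1" 2>/dev/null | cut -d: -f3)
    printf '%s\n' "${_u:-$2}"
}

# One place for the rule body so -C (check) and -I (insert) cannot drift apart.
# Rejects outgoing TCP/25 unless the socket owner is the given uid.
rule_args() {
    printf '%s\n' "OUTPUT -p tcp -m tcp --dport 25 -m owner ! --uid-owner $1 -j REJECT"
}

# Insert the IPv4 and IPv6 rules at the top of OUTPUT, only if missing.
apply_rules() {
    uid=$(resolve_uid "$MAIL_USER" "")
    [ -n "$uid" ] || { echo "no such user: $MAIL_USER" >&2; return 1; }
    iptables  -C $(rule_args "$uid") --reject-with icmp-admin-prohibited 2>/dev/null \
      || iptables  -I $(rule_args "$uid") --reject-with icmp-admin-prohibited
    ip6tables -C $(rule_args "$uid") --reject-with icmp6-adm-prohibited 2>/dev/null \
      || ip6tables -I $(rule_args "$uid") --reject-with icmp6-adm-prohibited
}

# Audit: read iptables-save (or iptables -S) output on stdin and succeed only
# if some OUTPUT rule rejects/drops TCP/25 traffic not owned by uid $1.
# Match order is irrelevant because iptables-save emits modules in the order
# they were given on the command line.
has_owner_rule() {
    awk -v uid="$1" '
        /^-A OUTPUT / && /-p tcp/ && /--dport 25( |$)/ &&
        $0 ~ ("! --uid-owner " uid "( |$)") && /-j (REJECT|DROP)/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of what iptables-save prints after the answer's rule
# has been loaded; 106 stands in for whatever uid "postfix" has locally.
SAMPLE_RULES='# Generated by iptables-save (constructed sample)
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m owner ! --uid-owner 106 -m tcp --dport 25 -j REJECT --reject-with icmp-admin-prohibited
COMMIT'

# Functional check from an unprivileged account: a connect attempt to port 25
# as e.g. "nobody" should fail with "admin prohibited", not time out or succeed.
# Assumes nc(1) is installed; $1 = user, $2 = host to probe.
probe_as_user() {
    su -s /bin/sh -c "nc -vz -w 3 '$2' 25" "$1"
}

# Run the audit against the constructed sample when executed directly.
if [ "${1:-}" = "demo" ]; then
    if printf '%s\n' "$SAMPLE_RULES" | has_owner_rule 106; then
        echo "owner rule for uid 106 present"
    else
        echo "owner rule missing"
    fi
fi
```

Run `sh script.sh demo` to audit the embedded sample; on a live host, `iptables-save | { . ./script.sh; has_owner_rule "$(resolve_uid postfix)"; }` checks the real ruleset, and `apply_rules` (as root) installs the rules without duplicating them on repeated runs.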

View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.