Question about SMTP Tweak

[Rogerio]

Hello,

when I use "SMTP Restrictions" tweak, it creates 4 rules on my Iptables, like:

-A OUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --gid-owner 994 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --gid-owner 12 -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner 202 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner 0 -j ACCEPT

Searching for this on Google, someone commented "this is not enough, you have to create a REJECT rule after these four rules" and posted:

-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable

Makes sense, because INPUT and FORWARD has similar rules.

Please, can you confirm if this is true or not necessary?

Another point: I had to create manually the rules on my ip6tables file. My server has a IPv6 but it's not active. This is expected or cPanel does not create these rules on IPv6 Iptables file?

Thanks,
Rogerio

 

[cPanelMichael]

Hello @Rogerio,

Searching for this on Google, someone commented "this is not enough, you have to create a REJECT rule after these four rules" and posted:

I've been unable to reproduce any problems with the functionality of this feature in terms of it producing the desired affect of blocking local users from making SMTP connections to remote SMTP Servers.

Another point: I had to create manually the rules on my ip6tables file. My server has a IPv6 but it's not active. This is expected or cPanel does not create these rules on IPv6 Iptables file?

The SMTP Restrictions feature is not currently designed to work with IPv6. We do have an internal case open to request support for IPv6 with this feature, but there's currently no time to offer on it's implementation. The case number is CPANEL-21141, and I'll update this thread with more information on it's status as it becomes available.

Thank you.