The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

SMTP Tweak

Discussion in 'E-mail Discussions' started by protocol, Oct 6, 2005.

  1. protocol

    protocol Well-Known Member
    PartnerNOC

    Joined:
    Apr 13, 2004
    Messages:
    90
    Likes Received:
    0
    Trophy Points:
    6
    Can someone explain to me the exact workings of SMTP Tweak. I understand it stops people bypassing mail function in php etc and connecting directly to port 25. However the options are:

    1. Disabled
    2. Enabled
    3. Enabled + allow users to connect to port 25 on localhost

    I am not completely clear on the differences in 2 and 3 and the documentation is not clear?

    Also how does this work - is it with iptables or changes in the exim.conf?

    Thanks in advance.
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    It uses iptables mostly.

    1. Disabled - anyone that authenticates (via SMTP AUTH or POP before SMTP), or is a script on the local server, can relay email through the mail server either by running the mail binary (exim directly or /usr/sbin/sendmail which is a wrapper binary)

    2. Enabled - no one apart from root and the mailnull account can relay email by connecting to port 25 on the server itself or remotely. Only scripts on the server running the exim binary or sendmail wrapper can relay

    3. Enabled+ allow users to connect to port 25 on localhost. Same as 2. except scripts can relay email on the local server by connecting to port 25 as well as the binaries

    It's basically a crude method to block all SMTP relaying at different levels. I've never seen much point in it unless you basically want to prevent users from using their email clients to connect to your server and send out emails (i.e. force them to use their local ISP's SMTP servers instead).
     
  3. protocol

    protocol Well-Known Member
    PartnerNOC

    Joined:
    Apr 13, 2004
    Messages:
    90
    Likes Received:
    0
    Trophy Points:
    6
    Thanks Chirpy

    So you are saying if it is enabled no customer can send mail with their mail client (SMTP AUTH or POP before SMTP).

    The reason I question this is i noticed it was set differently on several servers we have I have not seen any problems with clients sending mail. All our customers are encouraged to use SMTP AUTH.
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Are you using an iptables script such as APF? If so, then APF removes the iptables rules that cPanel adds depending on when you restart apf or when you restart cPanel, i.e. they override each other ;)
     
  5. protocol

    protocol Well-Known Member
    PartnerNOC

    Joined:
    Apr 13, 2004
    Messages:
    90
    Likes Received:
    0
    Trophy Points:
    6
    That makes sence but we don't use that - we have a hardware firewall.
     
  6. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Well, that just ruined the theory :p OK, with the tweak enabled, check iptables with:

    iptables -L -n

    it should look like:

    Code:
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     tcp  --  0.0.0.0/0            127.0.0.1          tcp dpt:25 
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:25 OWNER GID match 12 
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:25 OWNER GID match 503 
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:25 OWNER UID match 0 
    REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:25 reject-with icmp-port-unreachable 
    
     
  7. protocol

    protocol Well-Known Member
    PartnerNOC

    Joined:
    Apr 13, 2004
    Messages:
    90
    Likes Received:
    0
    Trophy Points:
    6
    Yes I can see those changes okay. At least we can see it is doing something.
     
  8. TheKog

    TheKog Active Member

    Joined:
    Dec 23, 2004
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    6
    Is a reboot required for this to take effect? I want all users to use their ISPs SMTP server.

    The only things I want to allow to use our SMTP is our local phpBB board.

    It seems to have no effect whatsoever. I want someone who attempts to use smtp.ourserver.com as a SMTP server to fail, however even with the tweak enabled it seems anyone can send email using our SMTP.

    How can I shut this down?
     
    #8 TheKog, Nov 23, 2005
    Last edited: Nov 23, 2005
  9. lagoth

    lagoth Member

    Joined:
    Apr 5, 2003
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    1
    Sorry to Wake an 10 month Old thread, but It's topic is perfect and has full description of the SMTP Tweak.

    Basically from what i understand is users doing POP before SMTP can actually then SPAM like mad for 30 minutes ??!?? since they are allowed to relay? and it wont count against there domain limit? Theres gotta be a better way to limit people sending emails!

    Chirpy? You seem to be the expert on this :)

    Right now FREEBSD does not have that tweak block thingee but it has IPFW which can do the same..
     
Loading...

Share This Page