Builtin block port 25 (SMTP)

Yesterday I was chatting with @filippo_carletti about the builtin block policy on port 25, developed here as a SME-server legacy rule

Enhancement #2894: Mail filter: block port 25 from LAN to external network - NethServer 6 - NethServer.org

It’s a builtin firewall rule enforced by gateways if the mail-filter package is installed.

Our proposal is to not enforce the builtin rule on new mail2 installations, based on the rspamd software.

For existing installations based on amavisd, the mail2-upgrade procedure can migrate the firewall rule to a “visible” state, under Firewall rules page, like any other firewall rule.

See also /cc @rasi @transocean @pike @planet_jeroen

1 Like

I disagree, 'cause this will permit to an infected client to spread emails on the WAN side

I can’t see no valid reasons to not enforce such a rule

I’d remove the rule and document the changed behavior in for the mail2 package.
There is no needs to create complex migration code :slight_smile:

I understand the rationale behind the original policy, and I agree with you: it’s a safe default

However we must make the rule more visible. It seems documenting it is not enough.

Existing systems must not change their behavior suddenly.

This is a possible solution. However I’d prefer to enforce the rule by default also in mail2, avoiding policy changes. And make it visible from Firewall rules.

About migration code: it’s not very complex.

ok… a better documentation and a bigger visibility are the way :wink:

FWIW, i agree with this option.