Builtin block port 25 (SMTP)


(Davide Principi) #1

Yesterday I was chatting with @filippo_carletti about the builtin block policy on port 25, developed here as a SME-server legacy rule

http://dev.nethserver.org/issues/2894

It’s a builtin firewall rule enforced by gateways if the mail-filter package is installed.

Our proposal is to not enforce the builtin rule on new mail2 installations, based on the rspamd software.

For existing installations based on amavisd, the mail2-upgrade procedure can migrate the firewall rule to a “visible” state, under Firewall rules page, like any other firewall rule.


See also /cc @rasi @transocean @pike @planet_jeroen


(Stefano Zamboni) #2

I disagree, 'cause this will permit an infected client to spread emails on the WAN side.

I can’t see any valid reason not to enforce such a rule.


(Giacomo Sanchietti) #3

I’d remove the rule and document the changed behavior for the mail2 package.
There is no need to create complex migration code :slight_smile:


(Davide Principi) #4

I understand the rationale behind the original policy, and I agree with you: it’s a safe default

However we must make the rule more visible. It seems documenting it is not enough.

Existing systems must not change their behavior suddenly.

This is a possible solution. However I’d prefer to enforce the rule by default also in mail2, avoiding policy changes. And make it visible from Firewall rules.

About migration code: it’s not very complex.


(Stefano Zamboni) #5

OK… better documentation and greater visibility are the way :wink:


(Michael Kicks) #6

FWIW, I agree with this option.