Firewall rule to only allow Postfix to send email through SMTP on port 25

user5858 asked:

As suggested in How do you detect a spambot on your network?, how can I set up a firewall rule to allow only Postfix to send emails using SMTP on port 25 and disallow all other applications from sending on port 25?

I want to control the email server of a single machine.

Something related is being talked about here, but I'm not sure of the iptables rules.

My answer:

Do two things:

  1. Run Postfix under its own user account. It should already be doing so, on any sane system.

  2. Set an iptables rule with a uid match for that account, which blocks outgoing traffic to destination port 25 not from that user.

    For example (here we assume the username is postfix, though it may be different on your system):

    iptables -I OUTPUT -m owner ! --uid-owner postfix -m tcp -p tcp --dport 25 -j REJECT --reject-with icmp-admin-prohibited
    ip6tables -I OUTPUT -m owner ! --uid-owner postfix -m tcp -p tcp --dport 25 -j REJECT --reject-with icmp6-adm-prohibited

    Note that when you save the rule, the user name will be converted to a numeric uid.
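An added example, not code from the original answer: a small script that applies the two rules above idempotently and checks a saved ruleset for them, using the numeric uid as iptables-save stores it. It assumes the MTA account is named postfix and that applying is done as root with iptables and ip6tables on PATH.

```shell
#!/bin/sh
# Added example (not code from the original answer). Applies the two owner-match
# rules idempotently and checks a saved ruleset for them. Assumptions: the MTA
# runs as the account "postfix", and iptables/ip6tables are on PATH when applying.

# Rule specification for one address family ("4" or "6"), with the uid already
# numeric; iptables-save stores the uid that way too.
rule_args() {
    uid="$1"; family="$2"
    if [ "$family" = "6" ]; then reject="icmp6-adm-prohibited"; else reject="icmp-admin-prohibited"; fi
    printf '%s' "OUTPUT -m owner ! --uid-owner $uid -p tcp -m tcp --dport 25 -j REJECT --reject-with $reject"
}

# Insert each rule only if an identical one is not already present (-C returns
# 0 when it exists), so re-running the script does not stack duplicates.
apply_rules() {
    user="${1:-postfix}"
    uid=$(id -u "$user") || return 1
    for fam in 4 6; do
        if [ "$fam" = "6" ]; then cmd=ip6tables; else cmd=iptables; fi
        # shellcheck disable=SC2046  # word splitting of the rule spec is intended
        $cmd -C $(rule_args "$uid" "$fam") 2>/dev/null || $cmd -I $(rule_args "$uid" "$fam")
    done
}

# Check iptables-save output (on stdin) for the rule, keyed on the numeric uid,
# the destination port and the REJECT target. Exit status 0 means present.
rule_saved() {
    grep -E -- "^-A OUTPUT .*! --uid-owner $1 .*--dport 25 .*-j REJECT" >/dev/null
}

# Constructed sample of iptables-save output; 106 stands in for postfix's uid.
SAMPLE_SAVE='*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m owner ! --uid-owner 106 -m tcp --dport 25 -j REJECT --reject-with icmp-admin-prohibited
COMMIT'

# Usage: sh smtp-owner-rule.sh apply   (as root); with no argument, self-check the sample.
if [ "${1:-}" = "apply" ]; then
    apply_rules postfix
else
    printf '%s\n' "$SAMPLE_SAVE" | rule_saved 106 && echo "sample ruleset contains the uid 106 rule"
fi
```

To verify on a live system, pipe `iptables-save` into `rule_saved "$(id -u postfix)"`; a non-zero exit means the rule is missing or was saved under a different uid.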

View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.