On Wed, Oct 26, 2005 at 02:05:56PM -0400, trainier@kalsec.com wrote:
> > SMTP is allowed through your squid program itself, not the squid server.
> This is not correct. Although it might be possible to pass email through
> squid, squid does not natively allow smtp proxying. Squid proxies and
> caches http traffic and nothing
If it allows traffic to port 25 on another host, then it's possible to
spam.
>
> > Disable squid from allowing itself to connect to foreign hosts on port 25,
> > or else you will continually be tracking people down rather than just
> > preventing the problem from happening in the first place.
>
> I'm curious to know your recommendation on this one. It's not like
> there's an acl or config notation that states: allow_smtp <yes|no>
>
> How would you suggest doing this?
We only use SSL on 443 and we only allow Squid to connect to TCP ports
80/443/21, so I have squid set up the following way:

# the only port that may be tunnelled with CONNECT
acl SSL_ports port 443
acl CONNECT method CONNECT
# refuse CONNECT tunnels to any port not listed in SSL_ports
http_access deny CONNECT !SSL_ports
# destination ports that plain proxied requests may use
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Safe_ports port 21 # ftp
# refuse every request whose destination port is not in Safe_ports
http_access deny !Safe_ports
With this setup, any attempt to connect to a host on a port other than
80/443/21 will be denied.
--
Chris Covington
IT Plus One Health Management
75 Maiden Lane Suite 801
NY, NY 10038
646-312-6269
http://www.plusoneactive.com

Received on Wed Oct 26 2005 - 12:30:44 MDT
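The ACL fragment above only does its job if both deny lines are evaluated before any http_access allow line, because Squid takes the first matching http_access line and, when no line matches, applies the opposite of the last line's action. The script below is an added example (not code from the post or from Squid) that parses that fragment offline and reports what Squid would decide for a handful of constructed requests, including a CONNECT to port 25, a plain GET to port 25, and a CONNECT to port 80 (denied, since only 443 is in SSL_ports). It models only port and method ACLs with plain port numbers, not ranges, src ACLs or the other ACL types, and the same parser is run against a misordered variant with an allow line first to show the policy silently falling open.

```python
"""Offline evaluator for the destination-port part of a Squid http_access
policy. Added example, not code from the post or from Squid. It assumes
Squid's documented rule semantics: 'acl NAME port ...' and
'acl NAME method ...' lines accumulate values under one name, http_access
lines are tested top-down and the first line whose ACLs all match decides,
and a request matching no line gets the opposite of the last line's action.
"""

# Constructed squid.conf fragment: the rules from the post, verbatim.
SQUID_CONF = """\
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Safe_ports port 21 # ftp
http_access deny !Safe_ports
"""

# Constructed variant with an allow line ahead of the deny lines.
# First match wins, so the deny lines below it never fire for CONNECT.
MISORDERED_CONF = """\
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow CONNECT
http_access deny CONNECT !SSL_ports
"""


def parse_policy(conf):
    """Return (acls, rules).

    acls: name -> (acl type, set of values as strings)
    rules: list of (action, [(negated, acl name), ...]) in file order
    """
    acls = {}
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            typ, vals = acls.setdefault(name, (kind, set()))
            if typ != kind:
                raise ValueError(f"acl {name} used with types {typ} and {kind}")
            vals.update(values)
        elif parts[0] == "http_access":
            action = parts[1]
            if action not in ("allow", "deny"):
                raise ValueError(f"bad http_access action {action!r}")
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            for _, name in terms:
                if name not in acls:
                    raise ValueError(f"http_access references undefined acl {name}")
            rules.append((action, terms))
    return acls, rules


def acl_matches(acls, name, method, port):
    """True when the named ACL matches a request with this method/port."""
    kind, values = acls[name]
    if kind == "port":
        return str(port) in values
    if kind == "method":
        return method.upper() in {v.upper() for v in values}
    raise ValueError(f"acl type {kind!r} not modelled here")


def decide(acls, rules, method, port):
    """Return 'allow' or 'deny' for a proxied request to the given port."""
    for action, terms in rules:
        # Every term must match; a '!' term matches when its ACL does not.
        if all(acl_matches(acls, name, method, port) != neg
               for neg, name in terms):
            return action
    if not rules:
        return "deny"  # Squid denies everything when no http_access exists
    last_action = rules[-1][0]
    return "allow" if last_action == "deny" else "deny"


def audit(conf, requests):
    """Evaluate (method, port) pairs; returns {(method, port): action}."""
    acls, rules = parse_policy(conf)
    return {(m, p): decide(acls, rules, m, p) for m, p in requests}


if __name__ == "__main__":
    probes = [("CONNECT", 25), ("GET", 25), ("CONNECT", 443),
              ("CONNECT", 80), ("GET", 80), ("GET", 21), ("GET", 8080)]
    for label, conf in (("posted", SQUID_CONF), ("misordered", MISORDERED_CONF)):
        print(f"--- {label} policy")
        for (method, port), verdict in audit(conf, probes).items():
            print(f"{method:8} port {port:<5} -> {verdict}")
```

Running the script prints a verdict per probe for each fragment. With the posted ordering every non-80/443/21 destination is denied and CONNECT is confined to 443; with the allow line moved ahead, CONNECT to 25 comes back as allow even though the deny line is still present, which is the check worth repeating against a full squid.conf before trusting it to stop relay abuse.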