(I've removed Doug from the CCs, as I reckon he isn't interested in
Squid conversations--and if he is, he probably hangs out here too.)
An open proxy can be exploited in a number of ways to allow connections
to a mail server. It may be possible to use CONNECT through the proxy
to actually send email, but that isn't the only risk of operating an
open proxy (and by default Squid won't allow a CONNECT to port
25--unless your "http_access allow all" is /really/ making trouble and
comes before all of the important bits that keep Squid from being a
menace to internet society).
I'm not sure I understand the question, "can this be fixed in
squid"...If I understood the previous messages on the Postfix list, the
problem your site has been blacklisted for /is/ the open Squid proxy.
If you stop running an open proxy, you stop having a problem (unless, of
course, you're also running an open mail relay, which Squid has nothing
to do with and since you're running Postfix would also require some
misconfiguration on the administrators part, since it is not an open
relay by default).
So, delete the "http_access allow all" line, and replace it with
"http_access deny all". Just above that line (and below all of the
other access control lines that restrict CONNECTs, Safe_ports, etc.) add
a line the allows access to /only/ your local network clients. As I
mentioned in my previous message, this is well documented in the FAQ.
squid.conf has pretty good 'acl' and 'http_access' documentation, as
well. Give those a read, and let us know if you have problems with
creating appropriate rules for your network.
Peņa, Botp wrote:
> Hi Joe,
>
> can this be fixed in squid. I mean what has port 80 got to do w email port
> 25?
> Sorry for the newbie question.
>
> thanks in advance,
> -botp
-- Joe Cooper <joe@swelltech.com> Web caching appliances and support. http://www.swelltech.comReceived on Sun Jul 28 2002 - 22:13:32 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:09:23 MST