Re: UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall]
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Thu, 21 Feb 2002 13:26:51 +1300
On Tue, Feb 19, 2002 at 02:19:50PM -0800, Steve VanDevender wrote:
> It's not just Checkpoint Firewall that has a problem with HTTP CONNECT.
> From what I can tell default installations of the CacheFlow web proxy
> software, some Squid installations, some Apache installations with
> proxying enabled, and some other web proxy installations I haven't
> identified allow anyone to use the HTTP CONNECT method. This is being
> used more and more often to relay spam. This is a boon for spammers
The authors of Squid sorted that problem out YEARS ago. The default ACLs
within Squid state:
acl SSL_ports port 443 563
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
i.e. you can only use the CONNECT proxy option for ports 443 and 563.
I'm amazed this isn't the default in other products...
This is a really old problem...
Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
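To make the effect of those two Squid lines concrete, here is a small Python model of how Squid walks its acl / http_access rules for a CONNECT request. It is an added example, not code from the thread or from the Squid project: it implements only the subset of the config grammar the post uses (port and method ACLs, the built-in "all", "!" negation, and Squid's rule that an unmatched request gets the opposite of the last http_access line). The `acl CONNECT method CONNECT` line is assumed to be present as in a stock squid.conf; the "open" config below is constructed to stand in for a proxy with no CONNECT restriction at all.

```python
"""Toy evaluator for Squid-style `acl` and `http_access` lines (CONNECT subset).

This is an illustration of the policy semantics, not Squid's parser.
"""
from dataclasses import dataclass


@dataclass
class Request:
    method: str  # e.g. "CONNECT" or "GET"
    port: int    # destination port of the request


def parse_config(text):
    """Return (acls, rules).

    acls:  name -> (kind, set of values); kind is "port" or "method".
    rules: list of (action, [(negated, acl_name), ...]) in file order.
    """
    acls = {}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            vals = {int(v) for v in values} if kind == "port" else set(values)
            existing_kind, existing_vals = acls.get(name, (kind, set()))
            if existing_kind != kind:
                raise ValueError(f"acl {name} redefined with a different type")
            acls[name] = (kind, existing_vals | vals)
        elif parts[0] == "http_access":
            action = parts[1]
            if action not in ("allow", "deny"):
                raise ValueError(f"unknown http_access action {action!r}")
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((action, terms))
        # any other directive is ignored by this toy model
    return acls, rules


def acl_matches(acls, name, req):
    """True if the named ACL matches the request ("all" is built in)."""
    if name == "all":
        return True
    kind, vals = acls[name]
    if kind == "port":
        return req.port in vals
    if kind == "method":
        return req.method in vals
    raise ValueError(f"unsupported acl type {kind!r}")


def evaluate(acls, rules, req):
    """Squid semantics: first http_access line whose ACLs ALL match wins.

    If no line matches, the result is the opposite of the last line's action.
    With no http_access lines at all, deny.
    """
    for action, terms in rules:
        if all(acl_matches(acls, name, req) != negated for negated, name in terms):
            return action == "allow"
    if not rules:
        return False
    return rules[-1][0] != "allow"


def connect_allowed(config_text, port):
    """Would this config let a client CONNECT to the given port?"""
    acls, rules = parse_config(config_text)
    return evaluate(acls, rules, Request("CONNECT", port))


# Constructed: a proxy with no CONNECT restriction, as the thread describes
# for some products' defaults. Anything, including port 25, goes through.
OPEN_CONFIG = """
http_access allow all
"""

# The Squid defaults quoted in the post, plus the stock `acl CONNECT` line.
RESTRICTED_CONFIG = """
acl SSL_ports port 443 563
acl CONNECT method CONNECT
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
http_access allow all
"""

if __name__ == "__main__":
    for port in (25, 443, 563, 8080):
        print(f"port {port:5}: open={connect_allowed(OPEN_CONFIG, port)} "
              f"restricted={connect_allowed(RESTRICTED_CONFIG, port)}")
```

Running it shows the point of the post: with the open config, CONNECT to 25 is allowed, so the proxy is a usable SMTP relay; with the Squid defaults, only 443 and 563 get through. It also shows why the closing `http_access allow all` matters: a config whose last line is the deny would let any unmatched request through, since Squid falls back to the opposite of the final rule.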