[spambayes-bugs] [ spambayes-Patches-797579 ] Disable connections to POP3 and SMTP from remote hosts

SourceForge.net noreply at sourceforge.net
Mon Sep 1 19:21:21 EDT 2003


Patches item #797579, was opened at 2003-08-29 18:43
Message generated for change (Comment added) made by kgiordano
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=498105&aid=797579&group_id=61702

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Khouri Giordano (kgiordano)
Assigned to: Tony Meyer (anadelonbrin)
Summary: Disable connections to POP3 and SMTP from remote hosts

Initial Comment:
I wasn't comfortable having ports 25 and 110 open on my
machine at work. The mail servers that the proxy
redirects to are public, but that doesn't mean I want
the whole company able to poke at my machine.

On the config page, you can now allow or disallow
connections from remote machines. There are separate
settings for POP3 and SMTP.

Any connection from a remote machine, whether accepted
or rejected, will be logged to the console. This
applies to any POP3, SMTP or config (port 8880) connection.

As a bonus...

Three things annoyed me while reviewing messages:

1) Unless I made the browser window large enough to
accommodate every subject, every line took two lines
because "Show clues" would line break on the space.
That space is now non-breaking.

2) Since I get huge amounts of spam every day (200+),
the table is very tall. I kept forgetting which column
of radio buttons was which. So I labeled each Discard,
Defer, Ham and Spam radio button with X, O, H and S,
respectively.

3) The Discard, Defer, Ham and Spam radio buttons
didn't actually line up with the headers, so now they
have their own columns.

These three changes will be applied if you update
ui.html and ui_html.py.

The NoRemotes.zip file contains replacements for
several files. I made these changes based on v1.0a4.

Note:

I am a native C++ programmer and Python is very new to
me. There may be better ways to do what I did. In
reality, connections are always accepted. The
"rejected" ones are closed immediately. This means that
they DO show up on a port scan. I don't know if there
is a way to check the peer address without accepting the
connection.

TODO:

For ultimate flexibility, some remote connections
should be allowed. I'm thinking of the way that Samba
accepts a list of host/netmasks.

----------------------------------------------------------------------

>Comment By: Khouri Giordano (kgiordano)
Date: 2003-09-01 21:21

Message:
Logged In: YES 
user_id=855266

PITA = Pain In The Ass.

I agree that a proxy is not a blatant security exposure,
but, as I mentioned in my original comment, I don't want the
whole company (and any viruses they might have) able to
connect to ports on my machine.

----------------------------------------------------------------------

Comment By: Romain Guy (gfx)
Date: 2003-08-31 19:23

Message:
Logged In: YES 
user_id=6845

I agree HTTP auth and IP filtering must be kept together. I
was just saying that using different settings was not useful
if HTTP auth is here. Anyway I agree with you: proxies are
not very annoying when opened. By the way, what does "PITA"
mean? :)

----------------------------------------------------------------------

Comment By: Tony Meyer (anadelonbrin)
Date: 2003-08-31 19:16

Message:
Logged In: YES 
user_id=552329

Restricting pop3/smtp access should be a different setting to 
restricting http access.  Realistically, there's no reason why 
you should want to restrict pop3/smtp access, since the 
proxy is only a proxy (no access to the machine or your mail 
is provided) - and a firewall is a better way of restricting this 
if you do want to do it for some reason.

Restricting http access, OTOH, is something that you would 
want to do.  I think even if http auth is added, the permitted 
ip code should stay, so that you can set ips that don't have 
to jump through the auth stuff (which is a PITA, IMO).

----------------------------------------------------------------------

Comment By: Romain Guy (gfx)
Date: 2003-08-30 10:18

Message:
Logged In: YES 
user_id=6845

I volunteer to adapt the web interface remote connections
management to pop3 and smtp proxies (but if kgiordano wants
to do it) code. I was only wondering whether there should be
only one setting for the three servers (web, pop3 and smtp)
or there should be one setting per server (thus allowing an
IP to fetch mails but not to change the administration
options). Note that this question becomes quite irrelevant
if HTTP authentication is added to the web interface. In
this case, only one setting should be enough (and I guess it
would suit most users' needs).

----------------------------------------------------------------------

Comment By: Romain Guy (gfx)
Date: 2003-08-30 10:01

Message:
Logged In: YES 
user_id=6845

Concerning the TODO: check my patch #790615 (state:
closed) which handles the remote connections problem for the
web interface. It allows to define allowed hosts as a list
of IPs, as ranges of IPs and so on. It is mainly regex
based. See onIncomingConnection() in UserInterface.py from
the CVS.

I guess you might use this code to achieve the same thing in
the proxies, thus having something more flexible than the
simple "remote hosts allowed/refused". The code itself is 6
or 8 lines long.

----------------------------------------------------------------------

Comment By: Richie Hindle (richiehindle)
Date: 2003-08-30 05:07

Message:
Logged In: YES 
user_id=85414

Thanks for the patch, Khouri!  A couple of notes:

 o The "Show clues" line-split is already fixed in CVS.
 o We now have a more sophisticated connection-
   management system for the web interface, so that
   should probably be applied here in place of your fix
   (as you say in your TODO section).
 o The reason the radio buttons are not in their own
   columns is so that they are a consistent width apart.
   Call me trivial, but I think that's important, partly for
   the look of the thing and partly because it makes it
   ergonomically easier to click them with the mouse.
   The radio buttons should line up fairly well under their
   headings already - if they're out by a large margin for
   you, could you tell us the OS and browser you're using,
   and attach a screenshot?


----------------------------------------------------------------------
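
The Samba-style host/netmask list from the TODO and the per-service settings discussed in the comments, as an added example that is not part of the thread and is not code from SpamBayes or from either patch. It matches peers with Python's ipaddress module rather than the regex approach mentioned for patch #790615; HOSTS_ALLOW, its sample entries and all function names are hypothetical.

```python
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Constructed per-service policy; keys and values are illustrative only,
# not SpamBayes option names.
HOSTS_ALLOW = {
    "pop3": ["127.0.0.1"],
    "smtp": ["127.0.0.1"],
    "web": ["127.0.0.1", "192.168.10.0/255.255.255.0", "10.1.2.3"],
}

def parse_allow_list(entries):
    """Parse 'host', 'net/prefix' or 'net/netmask' entries into networks."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def is_allowed(peer_ip, networks):
    """True if the peer address falls inside any allowed network."""
    addr = ipaddress.ip_address(peer_ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # treat ::ffff:a.b.c.d as plain IPv4
    return any(addr in net for net in networks)

def bind_address(networks):
    """Loopback-only (or empty) policy: listen on 127.0.0.1, so the port is
    never reachable, or visible to a port scan, from other machines."""
    if all(n.version == 4 and n.subnet_of(LOOPBACK) for n in networks):
        return "127.0.0.1"
    return "0.0.0.0"

def screen_connection(listener, service, networks, log=print):
    """Accept one connection and close it at once if the peer is not allowed.
    Remote peers are logged whether they are accepted or rejected."""
    conn, peer = listener.accept()
    peer_ip = peer[0]
    allowed = is_allowed(peer_ip, networks)
    if not ipaddress.ip_address(peer_ip).is_loopback:
        log("%s: remote connection from %s %s"
            % (service, peer_ip, "accepted" if allowed else "rejected"))
    if not allowed:
        conn.close()
        return None
    return conn
```

With a loopback-only list the listener is bound to 127.0.0.1 and the accept-then-close path is never reached by remote hosts; for wider lists the port stays visible and filtering happens after accept().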
