Block outgoing SMTP traffic for non-postfix users

I still administer a LAMP webhosting server and I had an issue with outgoing spam. The problem was that the Postfix logs gave no information about the spam being sent: it was not sent through the local MTA, but PHP connected to remote MTAs directly. This could be disabled with something in PHP or, better (since there is also CGI), at the system level with iptables.

Postfix has its own system user, which means that legitimate SMTP traffic is only initiated by the postfix user. Blocking outgoing SMTP traffic that does not come from the postfix user can be done with iptables using the -m owner match with the --uid-owner or --gid-owner flags (note that the owner match only works in the OUTPUT chain, where the sending process is known). Example:

# iptables -A OUTPUT -d 127.0.0.1 -p tcp -m tcp --dport 25 -j ACCEPT
# iptables -A OUTPUT -p tcp -m tcp --dport 25 -m owner --gid-owner postfix -j ACCEPT
# iptables -A OUTPUT -p tcp -m tcp --dport 25 -m owner --uid-owner root -j ACCEPT
# iptables -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
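The same rule set as an added example script (this is not the post's own code): it generates the rules in the order they must be applied, extends them to the submission ports 465 and 587 (my addition; the post covers only port 25), and inserts a rate-limited LOG rule before the REJECT so blocked attempts are visible in the kernel log, which is what the post found missing in the Postfix logs. The group name postfix, the ports, and the log prefix SMTP_BLOCK: are assumptions; applying the rules requires root and is only done when the script is invoked with the argument "apply".

```shell
#!/bin/sh
# Added example, not the original post's script. Builds UID/GID-based
# outgoing-SMTP rules in the order of the post (ACCEPT loopback, ACCEPT the
# MTA group, ACCEPT root, then REJECT) and adds a LOG rule before the REJECT.
# Assumed values: MTA group "postfix", ports 25/465/587, log prefix "SMTP_BLOCK:".

SMTP_PORTS="25 465 587"
MTA_GROUP="postfix"
LOG_PREFIX="SMTP_BLOCK:"

# Print the rule arguments, one rule per line, in application order.
# Printing instead of applying lets the list be reviewed before it is loaded.
smtp_rules() {
    for port in $SMTP_PORTS; do
        # local delivery to the MTA on loopback stays open
        echo "OUTPUT -d 127.0.0.1 -p tcp --dport $port -j ACCEPT"
        # processes running with the MTA's group may reach remote SMTP servers
        echo "OUTPUT -p tcp --dport $port -m owner --gid-owner $MTA_GROUP -j ACCEPT"
        # root is allowed, as in the post; remove this line for a stricter policy
        echo "OUTPUT -p tcp --dport $port -m owner --uid-owner root -j ACCEPT"
        # anything else is logged (rate limited, 6 lines per minute) ...
        echo "OUTPUT -p tcp --dport $port -m limit --limit 6/min -j LOG --log-prefix $LOG_PREFIX"
        # ... and then rejected, so the sender fails fast instead of timing out
        echo "OUTPUT -p tcp --dport $port -j REJECT --reject-with icmp-port-unreachable"
    done
}

# Number of generated rules; used to sanity-check the list before applying.
smtp_rule_count() {
    smtp_rules | grep -c .
}

# Append one rule only if an identical rule is not already present (-C),
# so the script can be re-run without duplicating rules.
apply_rule() {
    # shellcheck disable=SC2086  # word splitting of the rule is intended
    if ! iptables -C $1 2>/dev/null; then
        iptables -A $1
    fi
}

# Load all rules; requires root. Returns 1 without touching anything otherwise.
apply_smtp_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_smtp_rules: must run as root" >&2
        return 1
    fi
    smtp_rules | while read -r rule; do
        apply_rule "$rule"
    done
}

# Default action is to print the rules; "apply" loads them.
if [ "${1:-print}" = "apply" ]; then
    apply_smtp_rules
else
    smtp_rules
fi
```

After applying, blocked connection attempts appear in the kernel log (for example via dmesg or journalctl -k) with the SMTP_BLOCK: prefix, including the UID and GID of the sending process, which points directly at the account running the spamming script. The owner match identifies the process that created the socket, so it is only meaningful in the OUTPUT chain; for IPv6 the same rules have to be loaded with ip6tables (with ::1 instead of 127.0.0.1).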

This approach can be used for other raw network communication restrictions based on UID/GID. Thanks to the great tool iptables :-)

#cli #linux