Re: mail client using squid

On Tue, 2006-01-03 at 10:43 +0100, Császár Péter wrote:
> acl SSL_ports port 443 563
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443 563     # https, snews
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http

As expected, there's no POP3 (110), IMAP (143), nor SMTP (25) ports in
that list.  There are even warnings about blocking SMTP port 25 from the
server to prevent problems:

"25.2 Mail relaying
"SMTP and HTTP are rather similar in design. This, unfortunately, may
allow someone to relay an email message through your HTTP proxy. To
prevent this, you must make sure that your proxy denies HTTP requests to
port 25, the SMTP port.

"Squid is configured this way by default. The default squid.conf file
lists a small number of trusted ports. See the Safe_ports ACL in
squid.conf. Your configuration file should always deny unsafe ports
early in the http_access lists:

"http_access deny !Safe_ports
(additional http_access lines ...)

"Do NOT add port 25 to Safe_ports (unless your goal is to end up in the
RBL). You may want to make a cron job that regularly verifies that your
proxy blocks access to port 25.

"$Id: FAQ.sgml,v 1.156 2002/12/21 21:14:06 hno Exp $"

Local documentation, if you installed it with Squid:
<file:///usr/share/doc/squid-2.5.STABLE11/FAQ-25.html#ss25.2>

-- 
Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
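
The FAQ passage quoted above suggests a cron job that regularly verifies the proxy refuses port 25. One way to do the configuration side of that check, as an added example that is not part of the original message or of Squid itself. It assumes a single squid.conf with plain `acl <name> port ...` lines and no included files, and the function names are hypothetical.

```python
import re

# Constructed sample: ACL lines as quoted in this thread plus the FAQ's deny rule.
SAMPLE_CONF = """\
acl Safe_ports port 80          # http
acl Safe_ports port 1025-65535  # unregistered ports
http_access deny !Safe_ports
http_access allow all
"""

def directives(conf_text):
    """Yield each squid.conf directive as a list of tokens, comments stripped."""
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if tokens:
            yield tokens

def acl_covers_port(conf_text, acl_name, port):
    """True if an 'acl <acl_name> port ...' entry lists the port, singly or in a range."""
    for tokens in directives(conf_text):
        if len(tokens) >= 4 and tokens[:3] == ["acl", acl_name, "port"]:
            for spec in tokens[3:]:
                m = re.fullmatch(r"(\d+)(?:-(\d+))?", spec)
                if m and int(m.group(1)) <= port <= int(m.group(2) or m.group(1)):
                    return True
    return False

def deny_unsafe_comes_first(conf_text, acl_name="Safe_ports"):
    """True if 'http_access deny !<acl_name>' appears before any 'http_access allow'."""
    for tokens in directives(conf_text):
        if tokens[0] == "http_access" and len(tokens) >= 3:
            if tokens[1] == "deny" and tokens[2:] == ["!" + acl_name]:
                return True
            if tokens[1] == "allow":
                return False
    return False

def audit(conf_text, port=25):
    """Return a list of findings; an empty list means the config refuses the port."""
    findings = []
    if acl_covers_port(conf_text, "Safe_ports", port):
        findings.append("Safe_ports includes port %d" % port)
    if not deny_unsafe_comes_first(conf_text):
        findings.append("no 'http_access deny !Safe_ports' before the first allow")
    return findings

if __name__ == "__main__":
    import sys
    # Exit 0 when clean; otherwise print the findings to stderr and exit 1.
    sys.exit("\n".join(audit(open(sys.argv[1]).read())) or 0)
```

Run from cron with the path to squid.conf as the only argument; a non-zero exit means port 25 would be reachable through the proxy. This is a static check of the file and does not replace testing the running proxy.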

