On Wed, 23 Jul 2003, William A. Rowe, Jr. wrote:

> At 04:20 PM 7/23/2003, Joshua Slive wrote:
> >Another thought on this issue:
> >
> >Should we include
> >ProxyBlock :25
> >in our recommended configuration?
> >
> >I haven't tested this, but it seems like it should be effective at
> >stopping the http->smtp gateway. And really, this type of gateway is a
> >bad idea, even on properly secured proxies.
>
> If you look at how restrictive the default AllowConnect directive is, then
> it isn't unreasonable to consider the reporter's original suggestion for some
> AllowProxy directive as well. Your suggestion would eliminate port 25,
> if it behaves as we expect, but that doesn't solve the problem for other ports.

I thought about this, and the idea of an Allow(Forward)Proxy directive isn't bad, but I don't think I would want it in the default config. We would be encouraging a policy where a proxy administrator would say "http is only allowed on ports 80 and 8080". And I think most of us agree that is silly and doesn't do much to help security.

Joshua.
