[CentOS] preventing apache from being a mail relay

Sun Mar 3 22:12:52 UTC 2013
Robert Moskowitz <rgm at htt-consult.com>

On 03/03/2013 04:58 PM, zGreenfelder wrote:
> On Sun, Mar 3, 2013 at 4:37 PM, John R Pierce <pierce at hogranch.com> wrote:
>> On 3/3/2013 1:30 PM, Robert Moskowitz wrote:
>>> Seems I recall that last when I set up my apache server, the spammers
>>> were posting to it so it would send out the spam on port 25.  There was
>>> some conf that I did to block this, but I did not document it, and I
>>> can't find any reference to this.
>>
>> a webserver can't send email unless you've got email cgi or forms on/in
>> your webpages
>>
>>
> I have vague (and very distant ~98ish?) memories of apache deployments
> coming with a mail.cgi that was poorly secured and often exploited to
> send out emails, but I think that's long since gone the way of the
> dodo birds.   you have to go to some lengths to make webservers
> interact with email servers.  if you're really worried about it, you
> should also look into removing/blocking proxy connections:
>
> http://ihazem.wordpress.com/2010/12/08/apache-forward-proxy-relay-security-problem/

That may have been the attack vector way back when. Now the proxy
directives come commented out, so supposedly you are supposed to know the
risks of running a proxy.
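
As an added example (not part of this thread, and not code from Apache or any poster), here is a small Python audit that checks httpd configuration text for an active forward proxy of the kind discussed above. The sample configs and the names `active_lines` and `audit_proxy` are constructed for illustration; `ProxyRequests`, `AllowCONNECT` and `<Proxy>` are real mod_proxy directives.

```python
# Constructed sample configs (not taken from the thread).
STOCK = """\
#ProxyRequests On
#<Proxy *>
#    Order deny,allow
#    Deny from all
#</Proxy>
"""
OPEN_PROXY = """\
ProxyRequests On
AllowCONNECT 25 443
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
"""

def active_lines(conf):
    """Yield (lineno, text) for lines that are neither blank nor commented out."""
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield n, line

def audit_proxy(conf):
    """Return (lineno, finding) pairs; empty unless a forward proxy is enabled."""
    findings, forward, in_proxy = [], False, False
    for n, line in active_lines(conf):
        low = " ".join(line.lower().split())   # directives are case-insensitive
        if low.startswith("</proxy"):
            in_proxy = False
        elif low.startswith("<proxy"):         # <Proxy ...> or <ProxyMatch ...>
            in_proxy = True
        elif low == "proxyrequests on":
            forward = True
            findings.append((n, "forward proxy enabled"))
        elif low.startswith("allowconnect ") and "25" in low.split()[1:]:
            # Exact port match only; port ranges are not expanded here.
            findings.append((n, "CONNECT to SMTP port 25 allowed"))
        elif in_proxy and low in ("allow from all", "require all granted"):
            findings.append((n, "proxy open to all clients"))
    return findings if forward else []

if __name__ == "__main__":
    for name, conf in (("stock", STOCK), ("open proxy", OPEN_PROXY)):
        print(name, audit_proxy(conf))
```
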