File: //proc/self/root/scripts.20110531.215904.25158/smtpmailgidonly
#!/usr/bin/perl
# cpanel - smtpmailgidonly Copyright(c) 2010 cPanel, Inc.
# All rights Reserved.
# copyright@cpanel.net http://cpanel.net
# This code is subject to the cPanel license. Unauthorized copying is prohibited
BEGIN { unshift @INC, '/usr/local/cpanel'; }
use strict;
use Cpanel::FileUtils ();
use Cpanel::SafeRun ();
use Cpanel::Sys::OS ();
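# Script version, shown in the banner printed when the script refuses to run.
my $version = '1.9';

# Requested action: the first command-line argument that is exactly "on" or
# "off" (case-insensitive), lower-cased; 0 when no such argument was given.
my $action = lc( ( grep( /^o(?:n|ff)$/i, @ARGV ) )[0] ) || 0;

my $no_run_header = "$0 version $version - Copyright(C) 2010 cPanel, Inc.\nThis may be freely redistributed under the terms of the Artistic License.";

if ( Cpanel::Sys::OS::getos() eq 'freebsd' ) {
    print STDERR <<"EOM";
$no_run_header
This configuration setting is not applicable to FreeBSD.
EOM
    exit 1;
}
elsif ( !$action ) {
    print STDERR <<"EOM";
$no_run_header
usage: $0 <on|off>
EOM
    exit 1;
}

# Numeric ids used in the owner-match rules. These are file-scoped lexicals
# that smtpgidoff() also reads.
my $mailgid   = ( getgrnam('mail') )[2];
my $cpaneluid = ( getpwnam('cpanel') )[2];
my $mailmangid;
my $hasmailman = 0;
if ( $mailmangid = ( getgrnam('mailman') )[2] ) {
    $hasmailman = 1;
}

# Always delete the script's own rules first, so both "on" and "off" start
# from a chain that holds none of them.
smtpgidoff();

if ( $action eq 'on' ) {

    # Refuse to enable when the 'mail' group cannot be resolved: the REJECT
    # rule would still be installed, but the mail-gid exemption could not be
    # built, leaving only root (and mailman, if present) able to reach port 25.
    if ( !defined $mailgid ) {
        unlink '/var/cpanel/smtpgidonlytweak';
        print "SMTP Mail protection has been disabled. All users may make smtp connections.\n";
        print "The 'mail' group could not be resolved, so the gid exemption for outbound smtp cannot be created.\n";
        exit 1;
    }

    # Every rule is added with -I (insert at the head of OUTPUT), so rules
    # inserted later are evaluated first. The REJECT goes in first and ends up
    # below all of the ACCEPT exemptions that follow.
    # NOTE(review): only /sbin/iptables and destination port 25 are covered
    # here; confirm whether IPv6 (ip6tables) and other SMTP submission ports
    # are restricted elsewhere.
    Cpanel::SafeRun::saferunallerrors( '/sbin/iptables', '-I', 'OUTPUT', '--protocol', 'tcp', '--dport', '25', '-j', 'REJECT' );

    # The first owner-match rule doubles as the probe for a working
    # ipt_owner module: its output is the only one that is inspected.
    my $ipresult = Cpanel::SafeRun::saferunallerrors( '/sbin/iptables', '-I', 'OUTPUT', '--protocol', 'tcp', '--dport', '25', '-m', 'owner', '--uid-owner', '0', '-j', 'ACCEPT' );
    if ( $ipresult =~ m/(?:No\s+chain|target\s+problem|Unknown\s+error|cannot\s+open\s+shared\s+object\s+file)/i ) {

        # Roll back the rules just inserted.
        smtpgidoff();

        # Also drop the flag file a previous successful "on" run may have
        # left behind; otherwise the recorded state would still say "enabled"
        # while no REJECT rule is in place.
        unlink '/var/cpanel/smtpgidonlytweak';

        print "SMTP Mail protection has been disabled. All users may make smtp connections.\n";
        print "There was a problem setting up iptables. You either have an older kernel or a broken iptables install, or ipt_owner could not be loaded.\n";
        exit 1;
    }

    # Flag file recording that the restriction is enabled.
    Cpanel::FileUtils::touchfile('/var/cpanel/smtpgidonlytweak');

    # NOTE(review): the results of the remaining insertions are not checked;
    # if one of them fails the script still reports success.
    if ($hasmailman) {
        Cpanel::SafeRun::saferunallerrors( '/sbin/iptables', '-I', 'OUTPUT', '--protocol', 'tcp', '--dport', '25', '-m', 'owner', '--gid-owner', $mailmangid, '-j', 'ACCEPT' );
    }
    Cpanel::SafeRun::saferunallerrors( '/sbin/iptables', '-I', 'OUTPUT', '--protocol', 'tcp', '--dport', '25', '-m', 'owner', '--gid-owner', $mailgid, '-j', 'ACCEPT' );

    # Connections to 127.0.0.1:25 are accepted for every local user; the
    # cpanel-uid rule after it matches a subset of the same traffic.
    Cpanel::SafeRun::saferunallerrors( '/sbin/iptables', '-I', 'OUTPUT', '--protocol', 'tcp', '-d', '127.0.0.1', '--dport', '25', '-j', 'ACCEPT' );
    Cpanel::SafeRun::saferunallerrors( '/sbin/iptables', '-I', 'OUTPUT', '--protocol', 'tcp', '-d', '127.0.0.1', '--dport', '25', '-m', 'owner', '--uid-owner', $cpaneluid, '-j', 'ACCEPT' );

    print "SMTP Mail protection has been enabled. Only users with the gid mail or mailman may make smtp connections.\n";
}
else {
    unlink '/var/cpanel/smtpgidonlytweak';    # For WHM
    print "SMTP Mail protection has been disabled. All users may make smtp connections.\n";
}
exit;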
# Remove this script's port-25 rules from the OUTPUT chain.
#
# Issues one "iptables -D" per rule: the ACCEPT exemptions first, the
# catch-all REJECT last. Reads the file-scoped $cpaneluid, $mailgid,
# $hasmailman and $mailmangid. The output of the iptables calls is not
# inspected here, so a rule that is absent (or a failing delete) goes unnoticed.
sub smtpgidoff {

    # Match prefixes shared by the rules below.
    my @to_localhost = ( '--protocol', 'tcp', '-d', '127.0.0.1', '--dport', '25' );
    my @to_anywhere  = ( '--protocol', 'tcp', '--dport', '25' );

    # ACCEPT exemptions, in the order they are deleted.
    my @exemptions = (
        [ @to_localhost, '-m', 'owner', '--uid-owner', $cpaneluid, '-j', 'ACCEPT' ],
        [ @to_localhost, '-j', 'ACCEPT' ],
        [ @to_anywhere, '-m', 'owner', '--uid-owner', '0', '-j', 'ACCEPT' ],
        [ @to_anywhere, '-m', 'owner', '--gid-owner', $mailgid, '-j', 'ACCEPT' ],
    );

    # The mailman exemption exists only when the mailman group was found.
    if ($hasmailman) {
        push @exemptions, [ @to_anywhere, '-m', 'owner', '--gid-owner', $mailmangid, '-j', 'ACCEPT' ];
    }

    for my $rule_spec (@exemptions) {
        Cpanel::SafeRun::saferunallerrors( '/sbin/iptables', '-D', 'OUTPUT', @{$rule_spec} );
    }

    # Finally drop the REJECT that blocks everyone else.
    Cpanel::SafeRun::saferunallerrors( '/sbin/iptables', '-D', 'OUTPUT', @to_anywhere, '-j', 'REJECT' );
}