= phenomenon =
New (trivial) functionality has been identified for system-config-firewall (adding 2 new common inbound services, "ntp" and "msa" [mail submission]) to the list of well-known ports that are selectable by name (rather than requiring the user to know the protocol and port #).
A fix in the form of a patch has been provided, and it's been locally tested here.
Several updates to system-config-firewall have gone out, yet none of them have included this fix.
No review of this fix has indicated it being unsuitable in any way.
= background analysis =
Many site administrators still configure their sites to have clients submitting email to their outgoing MTA via SMTP. This creates a vulnerability to spoofing (and thereby spamming).
Correct use of the MSA port (587/tcp) for the sending client to submit to the local MTA provides a mechanism to separate outgoing, locally originated email from inbound relayed email, and to apply separate policy controls to both (for instance, applying SPF and HELO delays on port 25, and requiring authentication on port 587).
Such measures will go a long way to providing means to combat spam and phishing on the Internet, even with stock installations of sendmail/postfix or with minimal trivial hardening.
Also included in this fix is adding NTP (Network Time Protocol), which is useful for synchronizing clocks and protecting against attacks on time-sensitive credentials (SSL, X.509 certs, Kerberos, etc.) using maliciously slewed clocks.
= implementation recommendation =
Integrate the patch with minimal further delay.
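As an added illustration of the per-port separation described in the background analysis (this is example configuration, not part of the ticket or of the system-config-firewall patch): once the firewall admits 25/tcp and 587/tcp, the MTA applies a different policy to each. It assumes Postfix with SASL already set up, and the `unix:private/policy-spf` socket name of an SPF policy daemon is an assumption.

```conf
# --- main.cf: defaults, i.e. the policy for port 25 (inbound, relayed mail) ---
# MTA-to-MTA traffic is never authenticated; instead the sender must pass
# HELO sanity checks and an SPF policy lookup, and may only deliver locally.
smtpd_sasl_auth_enable = no
smtpd_helo_required = yes
# Socket name of the SPF policy daemon is assumed; adjust to the local setup.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,
    check_policy_service unix:private/policy-spf

# --- master.cf: the submission (MSA) service on 587/tcp for locally originated mail ---
# The "-o" overrides replace the main.cf defaults for this listener only, so
# submission requires TLS plus SASL authentication and never accepts anonymous relay.
# service  type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

With this split, an unauthenticated client that reaches port 587 is rejected outright, while port 25 still accepts mail for local domains after the HELO and SPF checks.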
I am working on a new system-config-firewall version. It should be finished soon.
Cool. Closing ticket. Feel free to reopen if the problem doesn't get solved.