On 10/19/2014 01:24 PM, Kees Goossens wrote:
> Lesson (for me at least): since HTTP was used, even a very reduced exit policy does not make one immune to abuse problems. At this point I reverted back to being a non-exit relay, as I have no interest in having to deal with this.

Well, no need to give up - I had similar experiences with the reduced exit policy. Even then my provider's inbox was hammered with DMCA mails. But what worked (for me) is a further reduced policy containing ports below 1024 + a few above. That said, this works for me till now:

# un-comment the next line to disallow exits
#
#ExitPolicy reject *:*

# abuse mails
#
ExitPolicy reject 217.112.0.0/16:* # AbuseID:11F39E:22 7th October 2014

# allowed exits
#
ExitPolicy accept *:43 # whois
ExitPolicy accept *:53 # dns
ExitPolicy accept *:80 # http
ExitPolicy accept *:88 # kerberos
ExitPolicy accept *:110 # pop3
ExitPolicy accept *:143 # imap
ExitPolicy accept *:194 # irc
ExitPolicy accept *:220 # imap3
ExitPolicy accept *:389 # ldap
ExitPolicy accept *:443 # http ssl
ExitPolicy accept *:464 # kpasswd
ExitPolicy accept *:543-544 # kerberos
ExitPolicy accept *:531 # irc/aim
ExitPolicy accept *:563 # nntp ssl
ExitPolicy accept *:636 # ldap ssl
ExitPolicy accept *:749 # kerberos
ExitPolicy accept *:873 # rsync
ExitPolicy accept *:993 # imap ssl
ExitPolicy accept *:994 # irc ssl
ExitPolicy accept *:995 # pop3 ssl
ExitPolicy accept *:6660-6669 # irc
ExitPolicy accept *:6679 # irc ssl
ExitPolicy accept *:6697 # irc ssl
ExitPolicy accept *:11371 # OpenPGP hkp

# reject everything else
#
ExitPolicy reject *:*
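
Why the order of the lines in a policy like the one in the post above matters, as an added example that is not part of the original post: Tor applies the first ExitPolicy rule that matches, so the per-network reject has to come before the accept lines. The function names, the shortened rule list and the test addresses are constructed for illustration, and the parser handles IPv4 rules only.

```python
import ipaddress
import re

# Constructed excerpt of the policy from the post above (not the full list).
TORRC = """
ExitPolicy reject 217.112.0.0/16:*   # abuse mails
ExitPolicy accept *:53               # dns
ExitPolicy accept *:80               # http
ExitPolicy accept *:443              # http ssl
ExitPolicy accept *:543-544          # kerberos
ExitPolicy accept *:6660-6669        # irc
ExitPolicy reject *:*                # reject everything else
"""

RULE = re.compile(r"^ExitPolicy\s+(accept|reject)\s+(\S+):(\*|\d+(?:-\d+)?)$")

def parse_policy(text):
    """Return [(action, network_or_None, low_port, high_port)] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments and commented-out rules
        if not line:
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unsupported line: {raw!r}")
        action, addr, ports = m.groups()
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if ports == "*":
            low, high = 1, 65535
        else:
            low, _, high = ports.partition("-")
            low, high = int(low), int(high or low)
        rules.append((action, net, low, high))
    return rules

def decide(rules, ip, port):
    """Walk the rules top to bottom; the first match decides."""
    addr = ipaddress.ip_address(ip)
    for action, net, low, high in rules:
        if (net is None or addr in net) and low <= port <= high:
            return action
    # Fallback chosen for this sketch only; the policy above ends in reject *:*.
    return "reject"
```

Running decide() over a re-ordered rule list is a quick way to check that a newly added per-network reject is not shadowed by an earlier accept.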