Actually on my ISPconfig webservers I use to block each user but root from sending email both to the local MTA and to the rest of the world: Code: iptables -A OUTPUT -p tcp --dport 25 -m owner ! --uid-owner root -j REJECT Guest web/apps should comply to sending email through an smtp account and use SSL/TLS, or I won't host it. Of course this is quite an hard restriction, but nowadays I think it became a not so crazy one. I've found over years that it saves sleep hours! By the way, it would be nice to have a flag in ISPConfig vhost that does pretty much the same, but per vhost: Code: iptables -A OUTPUT -p tcp --dport 25 -m owner --uid-owner web14 -j REJECT This would turn useful for temporary purposes, if you have a compromised site sending out spam. And permanently too if you want a website to have such restriction because you already know its code will not be updated and its logs not reviewed. Obviously, a second flag could include an expection to allow the local MTA, and could be useful for those trusting their own local MTA's ability to filter outbound spam, but still willing to block outbound unauth email connections to world:25. Code: iptables -A OUTPUT ! -d localhost -p tcp --dport 25 -m owner --uid-owner web14 -j REJECT I tried to open this on git, but the link to submission form in the pinned post is broken.