[BlueOnyx:05236] Re: Forcing Incoming Mail Through Anti-SPAM Firewall

Chuck Tetlow chuck at tetlow.net
Tue Aug 17 10:53:04 -05 2010


We do exactly that with a Roaring Penguin filter for all our e-mail.  All MX records point to the filtering box, and it knows to send the mail to mail.domain.com to get the mail to each BX server.

We were still having a problem with the SPAMMERS using scripts to send their crud directly to IP addresses, instead of using the MX records.  So on the servers, we put in IPTables rules that only allowed TCP port 25 connections from the Roaring Penguin box.

Go into your /etc/sysconfig/iptables file and add this before all the allows per IP address:

-A acctin -m state --state NEW -p tcp -s 10.0.0.0/8 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s 172.16.0.0/12 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s 192.168.0.0/16 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s localnetwork.0/24 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp --dport 25 -j LOG --log-prefix "E-Mail Connect "
-A acctin -m state --state NEW -p tcp --dport 25 -j DROP

The first four lines allow in connections from any internal private networks and your own local network.  That way, your users can still send on port 25 (they'll never notice a difference).  For outside users, we force them onto the submission port 587. 

And this assumes your filtering appliance is on one of these networks.  If not, add another line to specifically add its address to the ACCEPT lines.

The fifth line logs connections.  I have a script that greps out those entries daily so I can keep track of those scumbags trying really hard and report them.

The last line just drops any other TCP port 25 connection.  Voilà!  No more connections to that server from anyone but your filtering appliance (assuming it's in one of those above networks).  This cut down the amount of SPAM at our servers to almost nil, and cut total e-mail load by 60% - 90%.  Save this in the IPTables configuration file and restart IPTables with "service iptables restart".

But to prevent the system from overwriting those configurations (and it WILL) - use the command "chattr +i /etc/sysconfig/iptables".  It will make the file unchangeable - even by root.  So if you want to modify it yourself, you first have to use "chattr -i /etc/sysconfig/iptables".  And you can see if that immutable bit is set with "lsattr /etc/sysconfig/".

Good luck.

Chuck

---------- Original Message -----------
From: Abdul Rashid Abdullah <webmaster at muntada.com> 
To: BlueOnyx <blueonyx at blueonyx.it> 
Sent: Tue, 17 Aug 2010 04:50:49 -0400 
Subject: [BlueOnyx:05231]  Forcing Incoming Mail Through Anti-SPAM Firewall

> What is the best way to ensure I force all incoming mail through my 
> anti-spam firewall? 
> 
> I have already done the following: 
> 
> 1.  MX Record Points to Anti-SPAM Firewall 
> 2.  Anti-SPAM Firewall points directly to mail server hostname (skipping MX 
> Record). 
> 
> I want to make sure no one can send mail directly to the mail server 
> hostname.  Are there specific configurations I should be making on the 
> server in the email server settings page? 
> 
> Regards, 
> 
> Rashid 
> 
> _______________________________________________ 
> Blueonyx mailing list 
> Blueonyx at blueonyx.it 
> http://www.blueonyx.it/mailman/listinfo/blueonyx 
------- End of Original Message -------
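Added example, not part of Chuck's post or the BlueOnyx project: a small shell pipeline that does what his daily grep script does, summarising the "E-Mail Connect " LOG entries written by the fifth rule by source address. It assumes the default iptables LOG line format (SRC=, DPT= fields in the kernel message) and runs on constructed sample log lines embedded below.

```shell
# Added example (not from the original post): count blocked direct-to-port-25
# connection attempts per source IP from the "E-Mail Connect " LOG entries.
# Assumes the default iptables LOG target format (kernel: ... SRC=a.b.c.d ... DPT=25 ...).
# The log lines below are constructed sample data, not real traffic.

SAMPLE_LOG='Aug 17 10:01:02 bx1 kernel: E-Mail Connect IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44321 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 17 10:01:05 bx1 kernel: E-Mail Connect IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44322 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 17 10:02:11 bx1 kernel: E-Mail Connect IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd SRC=198.51.100.77 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=51000 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 17 10:03:00 bx1 kernel: some other rule SRC=192.0.2.9 DST=198.51.100.5 PROTO=TCP SPT=40000 DPT=25'

# blocked_smtp_sources: reads syslog lines on stdin and prints "count ip",
# most frequent source first.  Only lines carrying the "E-Mail Connect "
# prefix (i.e. written by the LOG rule) and DPT=25 are counted, so hits
# from other LOG rules on the same box are ignored.
blocked_smtp_sources() {
    grep 'E-Mail Connect ' | grep 'DPT=25' \
    | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# blocked_smtp_count: number of blocked attempts from one IP in the sample
# log (empty output when the address never appears).
blocked_smtp_count() {
    printf '%s\n' "$SAMPLE_LOG" | blocked_smtp_sources \
    | awk -v ip="$1" '$2 == ip {print $1}'
}

# For daily use, feed the real log instead of the sample, for example:
#   blocked_smtp_sources < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | blocked_smtp_sources
```

The syslog path varies by distribution; the pipeline only depends on the "E-Mail Connect " prefix from the LOG rule and the SRC= field.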