[BlueOnyx:05238] Re: Forcing Incoming Mail Through Anti-SPAM Firewall

Abdul Rashid Abdullah webmaster at muntada.com
Tue Aug 17 21:36:26 -05 2010


Chuck,

I really appreciate the detailed explanation and assistance.

Regards,

Rashid


On 8/17/10 11:53 AM, "Chuck Tetlow" <chuck at tetlow.net> wrote:

> We do exactly that with a Roaring Penguin filter for all our e-mail.  All MX
> records point to the filtering box, and it knows to send the mail to
> mail.domain.com to get the mail to each BX server.
> 
> We were still having a problem with the SPAMMERS using scripts to send their
> crud directly to IP addresses, instead of using the MX records.  So on the
> servers, we put in IPTables rules that only allowed TCP Port 25 connections
> from the Roaring Penguin box. 
> 
> Go into your /etc/sysconfig/iptables file and add this before all the allows
> per IP address: 
> 
> -A acctin -m state --state NEW -p tcp -s 10.0.0.0/8 --dport 25 -j ACCEPT
> -A acctin -m state --state NEW -p tcp -s 172.16.32.0/16 --dport 25 -j ACCEPT
> -A acctin -m state --state NEW -p tcp -s 192.168.0.0/16 --dport 25 -j ACCEPT
> -A acctin -m state --state NEW -p tcp -s localnetwork.0/24 --dport 25 -j ACCEPT
> -A acctin -m state --state NEW -p tcp --dport 25 -j LOG --log-prefix "E-Mail Connect "
> -A acctin -m state --state NEW -p tcp --dport 25 -j DROP
> 
> The first four lines allow in connections from any internal private networks
> and your own local network.  That way, your users can still send on port 25
> (they'll never notice a difference).  For outside users, we force them onto
> the submission port 587. 
> 
> And this assumes your filtering appliance is on one of these networks.  If
> not, add another line to specifically add its address to the ACCEPT lines.
> 
> The fifth line logs connections.  I have a script that greps out those entries
> daily so I can keep track of those scumbags trying really hard and report
> them. 
> 
> The last line just drops any other TCP Port 25 connection.  Voilà!  No more
> connections to that server from anyone but your filtering appliance (assuming
> it's in one of those above networks).  This cut down the amount of SPAM at our
> servers to almost nil, and cut total e-mail load by 60% - 90%.  Save this in
> the IPTables configuration file and restart IPTables with "service iptables
> restart". 
> 
> But to prevent the system from overwriting those configurations (and it WILL)
> - use the command "chattr +i /etc/sysconfig/iptables".  It will make the file
> unchangeable - even by root.  So if you want to modify it yourself, you first
> have to use "chattr -i /etc/sysconfig/iptables".  And you can see if that
> immutable bit is set with "lsattr /etc/sysconfig/".
> 
> Good luck. 
> 
> 
> 
> Chuck 
> 
> 
> 
> 
> ---------- Original Message -----------
> From: Abdul Rashid Abdullah <webmaster at muntada.com>
> To: BlueOnyx <blueonyx at blueonyx.it>
> Sent: Tue, 17 Aug 2010 04:50:49 -0400
> Subject: [BlueOnyx:05231]  Forcing Incoming Mail Through Anti-SPAM Firewall
> 
>> > What is the best way to ensure I force all incoming mail through my
>> > anti-spam firewall?
>> > 
>> > I have already done the following:
>> > 
>> > 1.  MX Record Points to Anti-SPAM Firewall
>> > 2.  Anti-SPAM Firewall points directly to mail server hostname (skipping MX
>> > Record). 
>> > 
>> > I want to make sure no one can send mail directly to the mail server
>> > hostname.  Are there specific configurations I should be making on the
>> > server in the email server settings page?
>> > 
>> > Regards, 
>> > 
>> > Rashid 
>> > 
>> > _______________________________________________
>> > Blueonyx mailing list
>> > Blueonyx at blueonyx.it
>> > http://www.blueonyx.it/mailman/listinfo/blueonyx
> ------- End of Original Message -------
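
The quoted reply mentions a daily script that greps out the logged port 25 connections. The block below is an added example of that kind of summary, not part of the original thread and not Chuck's script. It assumes the "E-Mail Connect " log prefix from the quoted rules and the usual netfilter LOG fields (SRC=, DPT=); the function names are hypothetical and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not Chuck's script: count blocked direct-to-server SMTP
# attempts per source IP from the entries written by the LOG rule.
# Assumptions: the "E-Mail Connect " prefix from that rule and the usual
# netfilter LOG fields (SRC=, DPT=). Function names are hypothetical.

# Reads syslog lines on stdin; prints "<count> <source-ip>", busiest first.
smtp_block_summary() {
    awk '
        /E-Mail Connect / {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            # Count only well-formed port 25 entries.
            if (src != "" && dpt == "25") hits[src]++
        }
        END { for (s in hits) print hits[s], s }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample lines (documentation address ranges), not real traffic.
sample_log() {
    cat <<'EOF'
Aug 17 03:12:45 mail kernel: E-Mail Connect IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=41234 DPT=25 SYN
Aug 17 03:12:46 mail sendmail[2210]: o7H8CkXX002210: from=<user@example.com>, relay=filter.example.com
Aug 17 03:13:02 mail kernel: E-Mail Connect IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TTL=49 PROTO=TCP SPT=50211 DPT=25 SYN
Aug 17 03:13:09 mail kernel: E-Mail Connect IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=41240 DPT=25 SYN
Aug 17 03:14:30 mail kernel: SSH Probe IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=41300 DPT=22 SYN
Aug 17 03:15:11 mail kernel: E-Mail Connect IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 LEN=60 TTL=47 PROTO=TCP SPT=33012 DPT=25 SYN
Aug 17 03:15:40 mail kernel: E-Mail Connect IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TTL=49 PROTO=TCP SPT=50215 DPT=25 SYN
Aug 17 03:16:02 mail kernel: E-Mail Connect IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=41251 DPT=25 SYN
EOF
}

# Demo run on the constructed sample; on a server, feed the syslog file instead.
sample_log | smtp_block_summary
```
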

