[BlueOnyx:04768] Re: /tec/mail/access

David Booth david at goulburn.net.au
Fri Jun 18 02:22:23 -05 2010


From: Chuck Tetlow 
Sent: Thursday, June 17, 2010 1:10 PM
To: BlueOnyx General Mailing List 
Subject: [BlueOnyx:04765] Re: /tec/mail/access


We used a Linux based appliance from Roaring Penguin to filter all incoming e-mail for SPAM and viruses.  I lock our BX servers down to only accept TCP port 25 connections from our internal networks and that appliance by using the IP Tables firewall.

Put these rules in your IP Tables configuration file (/etc/sysconfig/iptables), right up at the top under the INPUT and OUTPUT rules: 

-A acctin -m state --state NEW -p tcp -s 216.x.x.x/24 --dport 25 -j ACCEPT 
-A acctin -m state --state NEW -p tcp -s 10.0.0.0/8 --dport 25 -j ACCEPT 
-A acctin -m state --state NEW -p tcp -s 172.16.32.0/16 --dport 25 -j ACCEPT 
-A acctin -m state --state NEW -p tcp -s 192.168.0.0/16 --dport 25 -j ACCEPT 
-A acctin -m state --state NEW -p tcp --dport 25 -j LOG --log-prefix "E-Mail Connect " 
-A acctin -m state --state NEW -p tcp --dport 25 -j DROP 

Obviously replace the first line with your own local network IPs or your filtering appliance IP.  The next three are for our internal network IPs, so client PCs can send through the server.  The second-to-last logs the connection (so I can get some stats on who's trying and how much).  And the last line prevents any SMTP connection from an IP not allowed above.  This stops all the scumbag SPAMMERS who use scripts to hit large numbers of IP addresses.

Reload the firewall rules with "service iptables restart" to activate the new rules.  And stop any changes to that file by locking it with "chattr +i /etc/sysconfig/iptables" (this sets the immutable bit and not even root can modify the file after that).  To edit the file later - don't forget to unlock it with "chattr -i /etc/sysconfig/iptables". 

My only problem - the BX watchdog scripts keep screwing it up and changing the firewall rules.  So I've got to reload every once in a while - to keep these and other custom rules effective.  Wish I could stop that....  Any ideas Michael?? 

Chuck 


---------- Original Message ----------- 
From: "David Booth" <david at goulburn.net.au> 
To: <blueonyx at blueonyx.it> 
Sent: Thu, 17 Jun 2010 12:42:36 +1000 
Subject: [BlueOnyx:04764]  /tec/mail/access 

> I RELAY from specific ip addresses and OK mail for local users from a specific source. 
> How can I best REJECT or DISCARD mail from ALL other sources? 
> 
> ___________________________ 
> David Booth 
> Goulburn Internet 
>   
> 1300 918804 
------- End of Original Message ------- 


Thanks Chuck. Excellent. That's just what I need to do.

I found putting To: DISCARD in /etc/mail/access doesn't work. I guess nothing matches nothing, not everything.
So iptables is it. Best anyway, but for the possible interference of watchdog.
I have Compassnetworks firewall - ports on or off. I will have to watch and do my own barking if my additions get overwritten.
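The "own barking" David mentions, as an added example that is not part of this thread: a POSIX shell script that generates the SMTP allow-list rules in the /etc/sysconfig/iptables syntax Chuck posted for the BlueOnyx "acctin" chain and checks whether a rule file still contains every one of them, so a cron job can raise an alarm (or re-apply the rules) after the watchdog rewrites the file. The appliance address 203.0.113.0/24, the three RFC 1918 ranges and the sample file contents are constructed placeholders; substitute your own appliance and network addresses.

```shell
#!/bin/sh
# Added example (not code from the thread): regenerate the SMTP allow-list
# rules for the BlueOnyx "acctin" chain and verify that a rule file still
# contains them.  Plain POSIX sh: no bash-only features, no "local".

# Allowed SMTP sources: the filtering appliance (203.0.113.0/24 is a
# placeholder from the documentation range) plus the RFC 1918 blocks.
SMTP_SOURCES="203.0.113.0/24 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Print the rule block in /etc/sysconfig/iptables syntax: one ACCEPT per
# allowed source, then a LOG rule for everything else, then the DROP.
smtp_rules() {
    for src in $SMTP_SOURCES; do
        printf '%s\n' "-A acctin -m state --state NEW -p tcp -s $src --dport 25 -j ACCEPT"
    done
    printf '%s\n' '-A acctin -m state --state NEW -p tcp --dport 25 -j LOG --log-prefix "E-Mail Connect "'
    printf '%s\n' '-A acctin -m state --state NEW -p tcp --dport 25 -j DROP'
}

# Read a rule file on stdin and report every expected rule that is absent.
# Returns 0 when all rules are present, 1 when at least one is missing.
# Matching is exact-line (grep -F -x), so feed it the config file, not
# "iptables-save" output, which reorders the match options.
rules_present() {
    listing=$(cat)
    rules=$(smtp_rules)
    missing=0
    old_ifs=$IFS
    IFS='
'
    set -f                      # no globbing while splitting on newlines
    for rule in $rules; do
        if ! printf '%s\n' "$listing" | grep -F -x -q -- "$rule"; then
            printf 'missing: %s\n' "$rule" >&2
            missing=1
        fi
    done
    set +f
    IFS=$old_ifs
    return $missing
}

# Constructed sample: the rule file right after the rules were added.
INTACT_CONFIG=$(printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':acctin - [0:0]'
                smtp_rules
                printf '%s\n' '-A acctin -j RETURN' 'COMMIT')

# Constructed sample: the same file after a watchdog rewrite that kept only
# a generic port 25 ACCEPT and threw the custom rules away.
REWRITTEN_CONFIG=$(printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':acctin - [0:0]' \
                   '-A acctin -p tcp --dport 25 -j ACCEPT' 'COMMIT')

# Usage from cron:  sh smtp_guard.sh /etc/sysconfig/iptables
# Exit status 0 means the rules are intact, 1 means they need re-applying.
if [ "$#" -ge 1 ]; then
    rules_present < "$1"
fi
```

Run it against /etc/sysconfig/iptables from cron and mail yourself the "missing:" lines; if you choose to re-apply automatically, remember that the file may be immutable (chattr +i) and that "service iptables restart" is still needed after editing it.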