[BlueOnyx:12457] Re: Allow Inbound Email From Only One IP or Host

Ken Marcus kenlists at precisionweb.net
Wed Mar 6 19:46:12 -05 2013


On 3/6/2013 4:05 PM, David Hahn wrote:
> On 3/6/2013 3:05 PM, Chuck Tetlow wrote:
>> > Hi all,
>> > I have a blue quartz 5100 still running the old
>> > nuonce/solarspeed av/spam package. It no longer
>> > updates sa and clam etc. With the garbage being
>> > sent it no longer has much of a chance protecting
>> > mail as well as the current av/spam package does.
>> > BTW, the current package works GREAT!
>> >
>> > Using 2 servers one the MX points to with the av/spam
>> > package on it (server 1 BO5601). It then scans the mail and
>> > sends it to the BQ5100 server 2.
>> >
>> > My question is, how do I stop mail from bypassing
>> > the MX records and going around server 1 directly
>> > to server 2?
>> >
>> > If I use iptables to block port 25 for all but
>> > one ip address, local mail (users, mail, admin, root etc.)
>> > quits sending on server 1.
>> >
>> > # iptables -A INPUT -s ! 1.2.3.4 -p tcp --dport 25 -j REJECT
>> > or
>> > # iptables -A acctin -s ! 1.2.3.4 -p tcp --dport 25 -j REJECT
>> >
>> > What other rule would I use to keep the localhost and domains
>> > and the internals happy on server 2 and only allow mail from
>> > server 1 and no where else or a more permanent better way to
>> > do so.
>> >
>> > TIA
>> > David
>>
>>
>> Hi David,
>>
>> We have a similar situation, with an external mail filtering server 
>> running Roaring Penguin CanIt.  And we also had a problem with the 
>> script-kiddies sending crap directly to the end-servers, because they 
>> didn't use the MX records for the domains - they just sent their crap 
>> to any machine that responds on TCP port 25.
>>
>> So I set up some IPTables filtering rules of my own.  I put these 
>> rules in the /etc/sysconfig/iptables file so they're loaded 
>> automatically.  While I know the file has a warning in it about 
>> manual changes being lost - I haven't had that happen to me.  And if 
>> it did start - I'd just lock the file with the immutable bit (chattr 
>> +i /etc/sysconfig/iptables).
>>
>> So the rules in each end-server to keep out everyone but my SPAM 
>> filtering server, and other local company servers.  These go up near 
>> the top of that /etc/sysconfig/iptables file, right under the line 
>> "-A OUTPUT -j acctout":
>>
>> #1 - Keep your server talking to itself:
>> -A acctin -d 127.0.0.1/32 -j ACCEPT
>> -A acctout -s 127.0.0.1/32 -j ACCEPT
>>
>> #2 - Allow in connections from any inside networks you have, or any 
>> Private Address Space you are using. Be sure your filtering server 
>> falls in here somewhere:
>> -A acctin -m state --state NEW -p tcp -s 1.2.3.4/24 --dport 25 -j ACCEPT
>> -A acctin -m state --state NEW -p tcp -s 4.3.2.1/24 --dport 25 -j ACCEPT
>> -A acctin -m state --state NEW -p tcp -s 10.0.0.0/8 --dport 25 -j ACCEPT
>> -A acctin -m state --state NEW -p tcp -s 172.16.0.0/14 --dport 25 -j ACCEPT
>> -A acctin -m state --state NEW -p tcp -s 192.168.0.0/16 --dport 25 -j ACCEPT
>>
>> #3 - Log the connection attempts (just so I can see who is trying hard 
>> to get in and can be blocked at the main router):
>> -A acctin -m state --state NEW -p tcp --dport 25 -j LOG --log-prefix E-Mail-Connect
>>
>> #4 - Now, drop the connection attempt.  (P.S. - These comment lines 
>> numbered 1-4 don't go in that file.  They're just explanation):
>> -A acctin -m state --state NEW -p tcp --dport 25 -j DROP
>>
>>
>> After putting those firewall rules into that file, restart the 
>> firewall with "service iptables restart".  You can check to see if 
>> they're in the active rules with "iptables -L -n| more".  Look for 
>> those rules up at the top of the chain labeled "acctin".
>>
>> And if you want to see how much they're blocking - use "iptables -L -n 
>> -v | more".  That will also give a packet count of what each line has 
>> allowed or blocked.  That way - you can see how many connection 
>> attempts the firewall rule has blocked.
>>
>> I've found that this completely locks out the script kiddies that 
>> connect via IP Address to send SPAM. And after a while - the attempts 
>> pretty much go away.  Once they find they can't connect to your server 
>> on TCP Port 25 any more - they quit trying.
>>
>> Good luck and shoot back a message if I haven't explained something 
>> well enough.
>>
>>
>>
>> Chuck
>>
>>
>>
> Fantastic. Will try that.
> Thank you Gerald and Chuck
> David
>
>

If you use a blacklist like zen.spamhaus.org that will also get rid of 
most of the direct to MX spam that comes from dynamic IP addresses.


Ken Marcus
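To check a rule set like Chuck's before loading it into /etc/sysconfig/iptables, here is an added example (my own script, not from this thread or from BlueOnyx) that walks a packet through the acctin chain the way the kernel does: first terminating target wins, LOG matches but keeps traversing, and anything unmatched returns to the calling chain. It assumes a constructed filtering-server network 1.2.3.0/24, a TEST-NET address for the end-server, and the standard RFC 1918 size for the 172.16 range.

```python
"""Walk a packet through the acctin rules to check who can reach TCP/25."""
import ipaddress

# The chain in the order the rules sit in /etc/sysconfig/iptables.
# FILTER_NET is a constructed sample for the AV/spam server's network; the
# private ranges use their RFC 1918 sizes (172.16.0.0/12 rather than /14).
FILTER_NET = "1.2.3.0/24"
ACCTIN = [
    {"dst": "127.0.0.1/32", "target": "ACCEPT"},
    {"src": FILTER_NET, "state": "NEW", "dport": 25, "target": "ACCEPT"},
    {"src": "10.0.0.0/8", "state": "NEW", "dport": 25, "target": "ACCEPT"},
    {"src": "172.16.0.0/12", "state": "NEW", "dport": 25, "target": "ACCEPT"},
    {"src": "192.168.0.0/16", "state": "NEW", "dport": 25, "target": "ACCEPT"},
    {"state": "NEW", "dport": 25, "target": "LOG", "prefix": "E-Mail-Connect"},
    {"state": "NEW", "dport": 25, "target": "DROP"},
]

def rule_matches(rule, pkt):
    """True when every match criterion present on the rule fits the packet."""
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    if "dst" in rule and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule["dst"]):
        return False
    if "state" in rule and rule["state"] != pkt["state"]:
        return False
    if "dport" in rule and rule["dport"] != pkt["dport"]:
        return False
    return True

def evaluate(chain, pkt):
    """Return (verdict, log prefixes hit). The first terminating target wins;
    LOG is non-terminating; no match means RETURN to the calling chain."""
    logged = []
    for rule in chain:
        if not rule_matches(rule, pkt):
            continue
        if rule["target"] == "LOG":
            logged.append(rule["prefix"])
            continue
        return rule["target"], logged
    return "RETURN", logged

def smtp(src, dst="203.0.113.10", state="NEW"):
    """Constructed inbound TCP/25 packet toward the end-server (TEST-NET address)."""
    return {"src": src, "dst": dst, "dport": 25, "state": state}

if __name__ == "__main__":
    print(evaluate(ACCTIN, smtp("1.2.3.4")))       # filtering server: ('ACCEPT', [])
    print(evaluate(ACCTIN, smtp("198.51.100.7")))  # stranger: ('DROP', ['E-Mail-Connect'])
```

Because the rules match only `--state NEW`, packets of connections already tracked (including the server's own outbound SMTP) fall through untouched, which is why localhost and internal mail keep working.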


