[BlueOnyx:12458] Re: Allow Inbound Email From Only One IP or Host

David Hahn ml at sb9.com
Wed Mar 6 20:21:26 -05 2013 

On 3/6/2013 4:46 PM, Ken Marcus wrote:
> On 3/6/2013 4:05 PM, David Hahn wrote:
>> On 3/6/2013 3:05 PM, Chuck Tetlow wrote:
>>> > Hi all,
>>> > I have a blue quartz 5100 still running the old
>>> > nuonce/solarspeed av/spam package. It no longer
>>> > updates sa and clam ect... With the garbage being
>>> > sent it no longer has much of a chance protecting
>>> > mail as good as the current av/spam package does.
>>> > BTW, the current package works GREAT!
>>> >
>>> > Using 2 servers one the MX points to with the av/spam
>>> > package on it (server 1 BO5601). It then scans the mail and
>>> > sends it to the BQ5100 server 2.
>>> >
>>> > My question is, how do I stop mail from by-passing
>>> > the MX records and go around server 1 and directly
>>> > to server 2?
>>> >
>>> > If i use iptables to block port 25 for all but
>>> > one ip address local mail, users mail admin root ect..
>>> > quits sending on server 1.
>>> >
>>> > # iptables -A INPUT -s ! 1.2.3.4 -p tcp --dport 25 -j REJECT
>>> > or
>>> > # iptables -A acctin -s ! 1.2.3.4 -p tcp --dport 25 -j REJECT
>>> >
>>> > What other rule would I use to keep the localhost and domains
>>> > and the internals happy on server 2 and only allow mail from
>>> > server 1 and no where else or a more permanent better way to
>>> > do so.
>>> >
>>> > TIA
>>> > David
>>>
>>>
>>> Hi David,
>>>
>>> We have a similar situation, with a external mail filtering server 
>>> running Roaring Penguin CanIt.  And we also had a problem with the 
>>> script-kiddies sending crap directly to the end-servers, because 
>>> they didn't use the MX records for the domains - they just send 
>>> their crap to any machine that responds on TCP port 25.
>>>
>>> So I set up some IPTables filtering rules of my own.  I put these 
>>> rules in the /etc/sysconfig/iptables file so they're loaded 
>>> automatically.  While I know the file has a warning in it about 
>>> manual changes being lost - I haven't had that happen to me.  And if 
>>> it did start - I'd just lock the file with the immutable bit (chattr 
>>> +i /etc/sysconfig/iptables).
>>>
>>> So the rules in each end-server to keep out everyone but my SPAM 
>>> filtering server, and other local company servers.  These go up near 
>>> the top of that /etc/sysconfig/iptables file, right under the line 
>>> "-A OUTPUT - j acctout":
>>>
>>> #1 - Keep your server talking to itself:
>>> -A acctin -d 127.0.0.1/32 -j ACCEPT
>>> -A acctout -s 127.0.0.1/32 -j ACCEPT
>>>
>>> #2 - Allow in connections from any inside networks you have, or any 
>>> Private Address Space you are using. Be sure your filtering server 
>>> falls in here somewhere:
>>> -A acctin -m state --state NEW -p tcp -s 1.2.3.4/24 --dport 25 -j 
>>> ACCEPT
>>> -A acctin -m state --state NEW -p tcp -s 4.3.2.1/24 --dport 25 -j 
>>> ACCEPT
>>> -A acctin -m state --state NEW -p tcp -s 10.0.0.0/8 --dport 25 -j 
>>> ACCEPT
>>> -A acctin -m state --state NEW -p tcp -s 172.16.0.0/14 --dport 25 -j 
>>> ACCEPT
>>> -A acctin -m state --state NEW -p tcp -s 192.168.0.0/16 --dport 25 
>>> -j ACCEPT
>>>
>>> #3 - Log the connection attempts (just so I can see who is 
>>> tryinghard to get in and can be blocked at the main router):
>>> -A acctin -m state --state NEW -p tcp --dport 25 -j LOG --log-prefix 
>>> E-Mail-Connect
>>>
>>> #4 - Now, drop the connection attempt.  (P.S. - These comment lines 
>>> numbered 1-4 don't go in that file.  They're just explanation):
>>> -A acctin -m state --state NEW -p tcp --dport 25 -j DROP
>>>
>>>
>>> After putting those firewall rules into that file, restart the 
>>> firewall with "service iptables restart". You can check to see if 
>>> they're in the active rules with "iptables -L -n| more".  Look for 
>>> those rules upat the top of the chain labeled "acctin".
>>>
>>> And if you want to seehow much they're blocking - use "iptables -L 
>>> -n -v | more".  That will also give a packet count of what each line 
>>> has allowed or blocked.  That way - you can see how many connection 
>>> attempts the firewall rule has blocked.
>>>
>>> I've found that this completely locks out the script kiddies that 
>>> connect via IP Address to send SPAM. And after a while - the 
>>> attempts pretty much go away.  Once they find they can't connect 
>>> toyour server on TCP Port 25 any more - they quit trying.
>>>
>>> Good luck and shoot back a message if I haven't explained something 
>>> well enough.
>>>
>>>
>>>
>>> Chuck
>>>
>>>
>>>
>> Fantastic. Will try that.
>> Thank you Gerald and Chuck
>> David
>>
>>
>
> If you use a blacklist like zen.spamhaus.com that will also get rid of 
> most of the direct to MX spam that comes from dynamic IP addresses.
>
>
> Ken Marcus
>
>
>
>
Ken,
I have a hand full configured in the blue onyx CP.
But I'm Not exactly sure what happens after the av/spam
package is added. It uses RBL's in the scoring but does
not reject directly as it did before the package.
The package does quite a nice job cutting the
garbage down to a trickle hands free.
The poor old 5100 don't have a chance without something
helping it. The firewall rules posted tighten up the mail like a champ
on server 2 so the filter server can do its job.
David

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.blueonyx.it/pipermail/blueonyx/attachments/20130306/0645665b/attachment.html>

More information about the Blueonyx mailing list