[BlueOnyx:12459] Re: Allow Inbound Email From Only One IP or Host

Ken Marcus kenlists at precisionweb.net
Wed Mar 6 20:55:47 -05 2013


On 3/6/2013 5:21 PM, David Hahn wrote:
> On 3/6/2013 4:46 PM, Ken Marcus wrote:
>> On 3/6/2013 4:05 PM, David Hahn wrote:
>>> On 3/6/2013 3:05 PM, Chuck Tetlow wrote:
>>>> > Hi all,
>>>> > I have a blue quartz 5100 still running the old
>>>> > nuonce/solarspeed av/spam package. It no longer
>>>> > updates sa and clam etc... With the garbage being
>>>> > sent it no longer has much of a chance protecting
>>>> > mail as good as the current av/spam package does.
>>>> > BTW, the current package works GREAT!
>>>> >
>>>> > Using 2 servers one the MX points to with the av/spam
>>>> > package on it (server 1 BO5601). It then scans the mail and
>>>> > sends it to the BQ5100 server 2.
>>>> >
>>>> > My question is, how do I stop mail from by-passing
>>>> > the MX records and go around server 1 and directly
>>>> > to server 2?
>>>> >
>>>> > If i use iptables to block port 25 for all but
>>>> > one ip address local mail, users mail admin root etc..
>>>> > quits sending on server 1.
>>>> >
>>>> > # iptables -A INPUT -s ! 1.2.3.4 -p tcp --dport 25 -j REJECT
>>>> > or
>>>> > # iptables -A acctin -s ! 1.2.3.4 -p tcp --dport 25 -j REJECT
>>>> >
>>>> > What other rule would I use to keep the localhost and domains
>>>> > and the internals happy on server 2 and only allow mail from
>>>> > server 1 and nowhere else or a more permanent better way to
>>>> > do so.
>>>> >
>>>> > TIA
>>>> > David
>>>>
>>>>
>>>> Hi David,
>>>>
>>>> We have a similar situation, with an external mail filtering server 
>>>> running Roaring Penguin CanIt.  And we also had a problem with the 
>>>> script-kiddies sending crap directly to the end-servers, because 
>>>> they didn't use the MX records for the domains - they just send 
>>>> their crap to any machine that responds on TCP port 25.
>>>>
>>>> So I set up some IPTables filtering rules of my own.  I put these 
>>>> rules in the /etc/sysconfig/iptables file so they're loaded 
>>>> automatically.  While I know the file has a warning in it about 
>>>> manual changes being lost - I haven't had that happen to me.  And 
>>>> if it did start - I'd just lock the file with the immutable bit 
>>>> (chattr +i /etc/sysconfig/iptables).
>>>>
>>>> So the rules in each end-server to keep out everyone but my SPAM 
>>>> filtering server, and other local company servers. These go up near 
>>>> the top of that /etc/sysconfig/iptables file, right under the line 
>>>> "-A OUTPUT -j acctout":
>>>>
>>>> #1 - Keep your server talking to itself:
>>>> -A acctin -d 127.0.0.1/32 -j ACCEPT
>>>> -A acctout -s 127.0.0.1/32 -j ACCEPT
>>>>
>>>> #2 - Allow in connections from any inside networks you have, or any 
>>>> Private Address Space you are using.  Be sure your filtering server 
>>>> falls in here somewhere:
>>>> -A acctin -m state --state NEW -p tcp -s 1.2.3.4/24 --dport 25 -j ACCEPT
>>>> -A acctin -m state --state NEW -p tcp -s 4.3.2.1/24 --dport 25 -j ACCEPT
>>>> -A acctin -m state --state NEW -p tcp -s 10.0.0.0/8 --dport 25 -j ACCEPT
>>>> -A acctin -m state --state NEW -p tcp -s 172.16.0.0/14 --dport 25 -j ACCEPT
>>>> -A acctin -m state --state NEW -p tcp -s 192.168.0.0/16 --dport 25 -j ACCEPT
>>>>
>>>> #3 - Log the connection attempts (just so I can see who is 
>>>> trying hard to get in and can be blocked at the main router):
>>>> -A acctin -m state --state NEW -p tcp --dport 25 -j LOG --log-prefix E-Mail-Connect
>>>>
>>>> #4 - Now, drop the connection attempt. (P.S. - These comment lines 
>>>> numbered 1-4 don't go in that file. They're just explanation):
>>>> -A acctin -m state --state NEW -p tcp --dport 25 -j DROP
>>>>
>>>>
>>>> After putting those firewall rules into that file, restart the 
>>>> firewall with "service iptables restart".  You can check to see if 
>>>> they're in the active rules with "iptables -L -n| more".  Look for 
>>>> those rules up at the top of the chain labeled "acctin".
>>>>
>>>> And if you want to see how much they're blocking - use "iptables -L 
>>>> -n -v | more". That will also give a packet count of what each line 
>>>> has allowed or blocked.  That way - you can see how many connection 
>>>> attempts the firewall rule has blocked.
>>>>
>>>> I've found that this completely locks out the script kiddies that 
>>>> connect via IP Address to send SPAM. And after a while - the 
>>>> attempts pretty much go away.  Once they find they can't connect 
>>>> to your server on TCP Port 25 any more - they quit trying.
>>>>
>>>> Good luck and shoot back a message if I haven't explained something 
>>>> well enough.
>>>>
>>>>
>>>>
>>>> Chuck
>>>>
>>>>
>>>>
>>> Fantastic. Will try that.
>>> Thank you Gerald and Chuck
>>> David
>>>
>>>
>>
>> If you use a blacklist like zen.spamhaus.com that will also get rid 
>> of most of the direct to MX spam that comes from dynamic IP addresses.
>>
>>
>> Ken Marcus
>>
>>
>>
>>
> Ken,
> I have a handful configured in the blue onyx CP.
> But I'm Not exactly sure what happens after the av/spam
> package is added. It uses RBL's in the scoring but does
> not reject directly as it did before the package.
> The package does quite a nice job cutting the
> garbage down to a trickle hands free.
> The poor old 5100 don't have a chance without something
> helping it. The firewall rules posted tighten up the mail like a champ
> on server 2 so the filter server can do its job.
> David
>
>
>



I think the RBLs are checked before SpamAssassin is called. (I know
SpamAssassin also has a separate RBL check that it uses for scoring.)



Ken
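An added example (mine, not from Chuck's or David's posts) that replays a constructed copy of the posted acctin chain against a few sample source addresses, and shows why David's single negated rule also cut off the host's own local mail. It assumes every probe is a new TCP connection, uses 203.0.113.10 as a placeholder for the server's own public address, and keeps the post's 1.2.3.4/24 placeholder for the filtering server's network.

```python
import ipaddress
# Constructed copy of the posted acctin rules; 1.2.3.4/24 is the filter server's net.
ACCTIN_RULES = """
-A acctin -d 127.0.0.1/32 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s 1.2.3.4/24 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s 10.0.0.0/8 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s 192.168.0.0/16 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp --dport 25 -j LOG --log-prefix E-Mail-Connect
-A acctin -m state --state NEW -p tcp --dport 25 -j DROP
"""
NEGATED_RULE = "-A acctin -s ! 1.2.3.4 -p tcp --dport 25 -j REJECT"  # David's original

def parse_rule(line):
    """Matches this simulator understands; -p tcp / --state NEW are assumed true."""
    toks = line.split()
    rule = {"src": None, "neg": False, "dst": None, "dport": None, "target": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-s":
            if toks[i + 1] == "!":      # old-style negation: -s ! addr
                rule["neg"], i = True, i + 1
            rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False)
        elif t == "-d":
            rule["dst"] = ipaddress.ip_network(toks[i + 1], strict=False)
        elif t == "--dport":
            rule["dport"] = int(toks[i + 1])
        elif t == "-j":
            rule["target"] = toks[i + 1]
        i += 2 if t in ("-s", "-d", "--dport", "-j") else 1
    return rule

def matches(rule, src, dst, dport):
    if rule["src"] is not None:
        in_src = ipaddress.ip_address(src) in rule["src"]
        if in_src == rule["neg"]:       # plain: must be inside; negated: must be outside
            return False
    if rule["dst"] is not None and ipaddress.ip_address(dst) not in rule["dst"]:
        return False
    return rule["dport"] is None or rule["dport"] == dport

def evaluate(rules, src, dst="203.0.113.10", dport=25):
    """First-match walk; LOG is non-terminating, so note it and keep going."""
    logged = False
    for line in rules.strip().splitlines():
        rule = parse_rule(line)
        if matches(rule, src, dst, dport):
            if rule["target"] != "LOG":
                return rule["target"], logged
            logged = True
    return "CHAIN-END", logged          # nothing matched; later rules/policy decide
```

Calling evaluate with an outside address shows the LOG entry being recorded before the DROP, which is the packet count Chuck reads from "iptables -L -n -v".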
