<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 3/6/2013 4:46 PM, Ken Marcus wrote:<br>
</div>
<blockquote cite="mid:5137E354.1070205@precisionweb.net" type="cite">
<div class="moz-cite-prefix">On 3/6/2013 4:05 PM, David Hahn
wrote:<br>
</div>
<blockquote cite="mid:5137D9AE.9050609@sb9.com" type="cite">
<div class="moz-cite-prefix">On 3/6/2013 3:05 PM, Chuck Tetlow
wrote:<br>
</div>
<blockquote cite="mid:20130306224100.M82612@tetlow.net"
type="cite">
> Hi all, <br>
> I have a Blue Quartz 5100 still running the old <br>
> nuonce/solarspeed av/spam package. It no longer <br>
> updates sa and clam etc... With the garbage being <br>
> sent it no longer has much of a chance protecting <br>
> mail as well as the current av/spam package does. <br>
> BTW, the current package works GREAT! <br>
> <br>
> Using 2 servers: the MX points to the one with the av/spam <br>
> package on it (server 1, BO5601). It then scans the mail and <br>
> sends it to the BQ5100 (server 2). <br>
> <br>
> My question is, how do I stop mail from bypassing <br>
> the MX records and going around server 1 directly <br>
> to server 2? <br>
> <br>
> If I use iptables to block port 25 for all but <br>
> one IP address, local mail (users, mail, admin, root etc.) <br>
> quits sending on server 1. <br>
> <br>
> # iptables -A INPUT -s ! 1.2.3.4 -p tcp --dport 25 -j REJECT <br>
> or <br>
> # iptables -A acctin -s ! 1.2.3.4 -p tcp --dport 25 -j REJECT <br>
> <br>
> What other rule would I use to keep the localhost and domains <br>
> and the internals happy on server 2 and only allow mail from <br>
> server 1 and nowhere else, or a more permanent, better way to <br>
> do so. <br>
> <br>
> TIA <br>
> David <br>
<br>
<br>
Hi David, <br>
<br>
We have a similar situation, with an external mail filtering server running Roaring Penguin CanIt. And we also had a problem with the script-kiddies sending crap directly to the end-servers, because they didn't use the MX records for the domains - they just send their crap to any machine that responds on TCP port 25. <br>
<br>
So I set up some IPTables filtering rules of my own. I put these rules in the /etc/sysconfig/iptables file so they're loaded automatically. While I know the file has a warning in it about manual changes being lost - I haven't had that happen to me. And if it did start - I'd just lock the file with the immutable bit (chattr +i /etc/sysconfig/iptables). <br>
<br>
So the rules in each end-server to keep out everyone but my SPAM filtering server, and other local company servers. These go up near the top of that /etc/sysconfig/iptables file, right under the line "-A OUTPUT -j acctout": <br>
<br>
#1 - Keep your server talking to itself: <br>
-A acctin -d 127.0.0.1/32 -j ACCEPT <br>
-A acctout -s 127.0.0.1/32 -j ACCEPT <br>
<br>
#2 - Allow in connections from any inside networks you have, or any Private Address Space you are using. Be sure your filtering server falls in here somewhere: <br>
-A acctin -m state --state NEW -p tcp -s 1.2.3.4/24 --dport 25 -j ACCEPT <br>
-A acctin -m state --state NEW -p tcp -s 4.3.2.1/24 --dport 25 -j ACCEPT <br>
-A acctin -m state --state NEW -p tcp -s 10.0.0.0/8 --dport 25 -j ACCEPT <br>
-A acctin -m state --state NEW -p tcp -s 172.16.0.0/12 --dport 25 -j ACCEPT <br>
-A acctin -m state --state NEW -p tcp -s 192.168.0.0/16 --dport 25 -j ACCEPT <br>
<br>
#3 - Log the connection attempts (just so I can see who is trying hard to get in and can be blocked at the main router): <br>
-A acctin -m state --state NEW -p tcp --dport 25 -j LOG --log-prefix E-Mail-Connect <br>
<br>
#4 - Now, drop the connection attempt. (P.S. - These comment lines numbered 1-4 don't go in that file. They're just explanation): <br>
-A acctin -m state --state NEW -p tcp --dport 25 -j DROP <br>
<br>
After putting those firewall rules into that file, restart the firewall with "service iptables restart". You can check to see if they're in the active rules with "iptables -L -n | more". Look for those rules up at the top of the chain labeled "acctin". <br>
<br>
And if you want to see how much they're blocking - use "iptables -L -n -v | more". That will also give a packet count of what each line has allowed or blocked. That way - you can see how many connection attempts the firewall rule has blocked. <br>
<br>
I've found that this completely locks out the script kiddies that connect via IP Address to send SPAM. And after a while - the attempts pretty much go away. Once they find they can't connect to your server on TCP Port 25 any more - they quit trying. <br>
<br>
Good luck and shoot back a message if I haven't explained something well enough. <br>
<br>
Chuck <br>
<br>
</blockquote>
Fantastic. Will try that.<br>
Thank you Gerald and Chuck <br>
David<br>
<br>
<br>
</blockquote>
<br>
If you use a blacklist like zen.spamhaus.com that will also get
rid of most of the direct to MX spam that comes from dynamic IP
addresses.<br>
<br>
<br>
Ken Marcus<br>
<br>
<br>
<br>
<br>
</blockquote>
Ken,<br>
I have a handful configured in the BlueOnyx CP.<br>
But I'm not exactly sure what happens after the av/spam<br>
package is added. It uses RBLs in the scoring but does<br>
not reject directly as it did before the package.<br>
The package does quite a nice job cutting the<br>
garbage down to a trickle, hands free. <br>
The poor old 5100 doesn't have a chance without something <br>
helping it. The firewall rules posted tighten up the mail like a
champ<br>
on server 2 so the filter server can do its job. <br>
David<br>
<br>
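An added dry-run check (example code written for this page, not from the thread or from the BlueQuartz/BlueOnyx projects): it parses Chuck's acctin rules into Python and walks a new TCP/25 connection through them in order the way iptables does, so a changed allowlist can be checked before it is loaded with "service iptables restart". The networks 1.2.3.0/24 and 4.3.2.0/24 are constructed stand-ins for the filter server and company LANs, as in the post.<br>

```python
"""Dry-run of the 'acctin' SMTP allowlist from the thread (added example).
First terminating target wins; LOG only records the hit and lets the packet
continue to the next rule (here, DROP), exactly as iptables traverses a chain."""
import ipaddress

# Constructed copy of the rules as they would sit in /etc/sysconfig/iptables.
# 1.2.3.0/24 and 4.3.2.0/24 stand in for the filter server and company LANs.
RULES_TEXT = """
-A acctin -d 127.0.0.1/32 -j ACCEPT
-A acctout -s 127.0.0.1/32 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s 1.2.3.0/24 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s 4.3.2.0/24 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s 10.0.0.0/8 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s 172.16.0.0/12 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s 192.168.0.0/16 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp --dport 25 -j LOG --log-prefix E-Mail-Connect
-A acctin -m state --state NEW -p tcp --dport 25 -j DROP
"""

def parse_acctin(text):
    """Keep only '-A acctin' lines; return (target, src_net, dst_net, dport) tuples."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:2] != ["-A", "acctin"]:
            continue                      # acctout and other chains are not inbound
        def opt(flag, default):
            return tok[tok.index(flag) + 1] if flag in tok else default
        # strict=False masks host bits the way iptables does (1.2.3.4/24 -> 1.2.3.0/24)
        rules.append((opt("-j", "RETURN"),
                      ipaddress.ip_network(opt("-s", "0.0.0.0/0"), strict=False),
                      ipaddress.ip_network(opt("-d", "0.0.0.0/0"), strict=False),
                      opt("--dport", None)))
    return rules

def verdict(src, dst, dport, rules):
    """Return (target, logged) for a new TCP connection src -> dst:dport."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    logged = False
    for target, snet, dnet, port in rules:
        if s in snet and d in dnet and (port is None or port == str(dport)):
            if target == "LOG":
                logged = True             # non-terminating: fall through to DROP
                continue
            return target, logged
    return "POLICY", logged               # nothing matched; the chain policy decides
```

Edit a mask or reorder a line in RULES_TEXT and call verdict() again to see which sources would be logged and dropped; a 172.16.0.0/14 mask, for instance, silently drops mail from 172.20.0.0 upward.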
</body>
</html>