<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 3/6/2013 5:21 PM, David Hahn wrote:<br>
</div>
<blockquote cite="mid:5137EB96.9050404@sb9.com" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<div class="moz-cite-prefix">On 3/6/2013 4:46 PM, Ken Marcus
wrote:<br>
</div>
<blockquote cite="mid:5137E354.1070205@precisionweb.net"
type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<div class="moz-cite-prefix">On 3/6/2013 4:05 PM, David Hahn
wrote:<br>
</div>
<blockquote cite="mid:5137D9AE.9050609@sb9.com" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<div class="moz-cite-prefix">On 3/6/2013 3:05 PM, Chuck Tetlow
wrote:<br>
</div>
<blockquote cite="mid:20130306224100.M82612@tetlow.net"
type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<meta content="OPENWEBMAIL" name="GENERATOR">
> Hi all, <br>
> I have a blue quartz 5100 still running the old <br>
> nuonce/solarspeed av/spam package. It no longer <br>
> updates SA and clam etc. With the garbage being <br>
> sent it no longer has much of a chance protecting <br>
> mail as well as the current av/spam package does. <br>
> BTW, the current package works GREAT! <br>
> <br>
> Using 2 servers: the MX points to the one with the av/spam <br>
> package on it (server 1, BO5601). It then scans the mail and <br>
> sends it to the BQ5100 (server 2). <br>
> <br>
> My question is, how do I stop mail from by-passing <br>
> the MX records and going around server 1 directly <br>
> to server 2? <br>
> <br>
> If I use iptables to block port 25 for all but <br>
> one IP address, local mail (users, mail, admin, root etc.) <br>
> quits sending on server 1. <br>
> <br>
> # iptables -A INPUT -s ! 1.2.3.4 -p tcp --dport 25 -j REJECT <br>
> or <br>
> # iptables -A acctin -s ! 1.2.3.4 -p tcp --dport 25 -j REJECT <br>
> <br>
> What other rule would I use to keep the localhost and domains <br>
> and the internals happy on server 2 and only allow mail from <br>
> server 1 and nowhere else, or a more permanent, better way to <br>
> do so? <br>
> <br>
> TIA <br>
> David <br>
<br>
<br>
Hi David, <br>
<br>
We have a similar situation, with an external mail filtering server running
Roaring Penguin CanIt. And we also had a problem with the script-kiddies sending
crap directly to the end-servers, because they didn't use the MX records for the
domains - they just send their crap to any machine that responds on TCP port 25.
<br>
<br>
So I set up some IPTables filtering rules of my own. I put these rules in the
/etc/sysconfig/iptables file so they're loaded automatically. While I know the
file has a warning in it about manual changes being lost - I haven't had that
happen to me. And if it did start - I'd just lock the file with the immutable
bit (chattr +i /etc/sysconfig/iptables).
<br>
<br>
So here are the rules in each end-server to keep out everyone but my SPAM
filtering server and other local company servers. These go up near the top of
that /etc/sysconfig/iptables file, right under the line "-A OUTPUT -j acctout":
<br>
<pre>
#1 - Keep your server talking to itself:
-A acctin -d 127.0.0.1/32 -j ACCEPT
-A acctout -s 127.0.0.1/32 -j ACCEPT

#2 - Allow in connections from any inside networks you have, or any
Private Address Space you are using. Be sure your filtering server
falls in here somewhere:
-A acctin -m state --state NEW -p tcp -s 1.2.3.4/24 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s 4.3.2.1/24 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s 10.0.0.0/8 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s 172.16.0.0/14 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s 192.168.0.0/16 --dport 25 -j ACCEPT

#3 - Log the connection attempts (just so I can see who is trying hard
to get in and can be blocked at the main router):
-A acctin -m state --state NEW -p tcp --dport 25 -j LOG --log-prefix E-Mail-Connect

#4 - Now, drop the connection attempt. (P.S. - These comment lines
numbered 1-4 don't go in that file. They're just explanation):
-A acctin -m state --state NEW -p tcp --dport 25 -j DROP
</pre>
<br>
After putting those firewall rules into that file, restart the firewall with
"service iptables restart". You can check to see if they're in the active rules
with "iptables -L -n | more". Look for those rules up at the top of the chain
labeled "acctin". <br>
<br>
And if you want to see how much they're blocking - use "iptables -L -n -v |
more". That will also give a packet count of what each line has allowed or
blocked. That way - you can see how many connection attempts the firewall rule
has blocked. <br>
<br>
I've found that this completely locks out the script kiddies that connect via IP
Address to send SPAM. And after a while - the attempts pretty much go away. Once
they find they can't connect to your server on TCP Port 25 any more - they quit
trying. <br>
<br>
Good luck and shoot back a message if I haven't explained something well
enough. <br>
<br>
<br>
Chuck
<br>
<br>
</blockquote>
Fantastic. Will try that.<br>
Thank you Gerald and Chuck <br>
David<br>
<br>
</blockquote>
<br>
If you use a blacklist like zen.spamhaus.com, that will also get
rid of most of the direct-to-MX spam that comes from dynamic IP
addresses.<br>
<br>
<br>
Ken Marcus<br>
<br>
</blockquote>
Ken,<br>
I have a handful configured in the blue onyx CP.<br>
But I'm not exactly sure what happens after the av/spam<br>
package is added. It uses RBLs in the scoring but does<br>
not reject directly as it did before the package.<br>
The package does quite a nice job cutting the<br>
garbage down to a trickle hands free. <br>
The poor old 5100 doesn't have a chance without something <br>
helping it. The firewall rules posted tighten up the mail like a
champ<br>
on server 2 so the filter server can do its job. <br>
David<br>
<br>
</blockquote>
<br>
I think the RBLs are checked before SpamAssassin is called. (I
know SpamAssassin also has a separate RBL check that it uses for
scoring.)<br>
<br>
Ken<br>
<br>
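<br>
As an added example (not code from the thread or from any of its posters): a small Python script that reads the kernel log lines written by the #3 LOG rule in Chuck's ruleset, shows which sources keep hammering port 25 (the ones he suggests blocking at the main router), and flags any source from an allowed network that reached the LOG rule at all, which would mean the ACCEPT rules sit below it. The log lines are constructed; 1.2.3.0/24 is assumed to stand in for the filtering server's network (the thread's placeholder is 1.2.3.4/24), and the private ranges use the full RFC 1918 block 172.16.0.0/12 where the posted rule has /14.<br>

```python
"""Summarise the kernel log lines written by the port-25 LOG rule above."""
import ipaddress
import re
from collections import Counter

# Networks the ACCEPT rules let through before the LOG/DROP rules. 1.2.3.0/24
# stands in for the filtering server's network (assumption); the rest is RFC 1918.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in (
    "1.2.3.0/24", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The prefix is logged with no trailing space, so the kernel glues it to "IN=".
LOG_RE = re.compile(r"E-Mail-Connect.*?\bSRC=(\S+).*?\bDPT=(\d+)")

# Constructed sample syslog lines in the format the kernel uses for -j LOG.
SAMPLE_LOG = """\
Mar  6 15:01:02 bq5100 kernel: E-Mail-ConnectIN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=51234 DPT=25 SYN
Mar  6 15:01:05 bq5100 kernel: E-Mail-ConnectIN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=51235 DPT=25 SYN
Mar  6 15:02:10 bq5100 kernel: E-Mail-ConnectIN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=25 SYN
Mar  6 15:03:00 bq5100 kernel: E-Mail-ConnectIN=eth0 OUT= SRC=10.1.2.3 DST=198.51.100.2 PROTO=TCP SPT=40002 DPT=25 SYN
Mar  6 15:03:30 bq5100 sshd[1234]: Accepted publickey for admin
"""

def parse_attempts(log_text):
    """Count logged NEW port-25 connection attempts per source address."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group(2) == "25":
            hits[m.group(1)] += 1
    return hits

def is_allowed(ip):
    """True if ip falls inside a network the ACCEPT rules cover."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)

def report(log_text, threshold=2):
    """Return (sources worth blocking at the router, allowed sources seen by LOG).

    An allowed source should have matched an ACCEPT before reaching LOG; if it
    shows up here, the ACCEPT rules sit below the LOG rule or are missing.
    """
    hits = parse_attempts(log_text)
    candidates = {ip: n for ip, n in hits.items()
                  if n >= threshold and not is_allowed(ip)}
    misordered = sorted(ip for ip in hits if is_allowed(ip))
    return candidates, misordered
```

Because the posted rule's --log-prefix has no trailing space, the kernel writes the prefix glued to the IN= field; the pattern above tolerates that, and a prefix ending in a space keeps the fields separated for other log tools.<br>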
</body>
</html>