<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">On 3/6/2013 4:05 PM, David Hahn wrote:<br>
    </div>
    <blockquote cite="mid:5137D9AE.9050609@sb9.com" type="cite">
      <meta content="text/html; charset=ISO-8859-1"
        http-equiv="Content-Type">
      <div class="moz-cite-prefix">On 3/6/2013 3:05 PM, Chuck Tetlow
        wrote:<br>
      </div>
      <blockquote cite="mid:20130306224100.M82612@tetlow.net"
        type="cite">
        <meta content="text/html; charset=ISO-8859-1"
          http-equiv="Content-Type">
        <meta content="OPENWEBMAIL" name="GENERATOR">
        <font size="2">> Hi all, <br>
          > I have a Blue Quartz 5100 still running the old <br>
          > NuOnce/SolarSpeed AV/spam package. It no longer <br>
          > updates SA and Clam etc. With the garbage being <br>
          > sent it no longer has much of a chance protecting <br>
          > mail as well as the current AV/spam package does. <br>
          > BTW, the current package works GREAT! <br>
          > <br>
          > Using 2 servers, one the MX points to with the AV/spam <br>
          > package on it (server 1, BO5601). It then scans the mail and <br>
          > sends it to the BQ5100, server 2. <br>
          > <br>
          > My question is, how do I stop mail from bypassing <br>
          > the MX records and going around server 1 and directly <br>
          > to server 2? <br>
          > <br>
          > If I use iptables to block port 25 for all but <br>
          > one IP address, local mail (user mail, admin, root, etc.) <br>
          > quits sending on server 1. <br>
          > <br>
          > # iptables -A INPUT -s ! 1.2.3.4 -p tcp --dport 25 -j REJECT <br>
          > or <br>
          > # iptables -A acctin -s ! 1.2.3.4 -p tcp --dport 25 -j REJECT <br>
          > <br>
          > What other rule would I use to keep the localhost and domains <br>
          > and the internals happy on server 2 and only allow mail from <br>
          > server 1 and nowhere else, or a more permanent, better way to <br>
          > do so. <br>
          > <br>
          > TIA <br>
          > David <br>
          <br>
          <br>
          Hi David, <br>
          <br>
          We have a similar situation, with an external mail filtering
          server running Roaring Penguin CanIt.  And we also had a problem
          with the script-kiddies sending crap directly to the end-servers,
          because they didn't use the MX records for the domains - they just
          send their crap to any machine that responds on TCP port 25. <br>
          <br>
          So I set up some IPTables filtering rules of my own.  I put these
          rules in the /etc/sysconfig/iptables file so they're loaded
          automatically.  While I know the file has a warning in it about
          manual changes being lost - I haven't had that happen to me.  And
          if it did start - I'd just lock the file with the immutable bit
          (chattr +i /etc/sysconfig/iptables). <br>
          <br>
          So here are the rules in each end-server to keep out everyone but
          my SPAM filtering server, and other local company servers.  These
          go up near the top of that /etc/sysconfig/iptables file, right
          under the line "-A OUTPUT -j acctout": <br>
          <br>
          #1 - Keep your server talking to itself: <br>
          -A acctin -d 127.0.0.1/32 -j ACCEPT <br>
          -A acctout -s 127.0.0.1/32 -j ACCEPT <br>
          <br>
          #2 - Allow in connections from any inside networks you have, or
          any Private Address Space you are using.  Be sure your filtering
          server falls in here somewhere: <br>
          -A acctin -m state --state NEW -p tcp -s 1.2.3.4/24 --dport 25 -j ACCEPT <br>
          -A acctin -m state --state NEW -p tcp -s 4.3.2.1/24 --dport 25 -j ACCEPT <br>
          -A acctin -m state --state NEW -p tcp -s 10.0.0.0/8 --dport 25 -j ACCEPT <br>
          -A acctin -m state --state NEW -p tcp -s 172.16.0.0/12 --dport 25 -j ACCEPT <br>
          -A acctin -m state --state NEW -p tcp -s 192.168.0.0/16 --dport 25 -j ACCEPT <br>
          <br>
          #3 - Log the connection attempts (just so I can see who is trying
          hard to get in and can be blocked at the main router): <br>
          -A acctin -m state --state NEW -p tcp --dport 25 -j LOG --log-prefix E-Mail-Connect <br>
          <br>
          #4 - Now, drop the connection attempt.  (P.S. - These comment
          lines numbered 1-4 don't go in that file.  They're just
          explanation): <br>
          -A acctin -m state --state NEW -p tcp --dport 25 -j DROP <br>
          <br>
          <br>
          After putting those firewall rules into that file, restart the
          firewall with "service iptables restart".  You can check to see
          if they're in the active rules with "iptables -L -n | more".
          Look for those rules up at the top of the chain labeled "acctin". <br>
          <br>
          And if you want to see how much they're blocking - use
          "iptables -L -n -v | more".  That will also give a packet count of
          what each line has allowed or blocked.  That way - you can see how
          many connection attempts the firewall rule has blocked. <br>
          <br>
          I've found that this completely locks out the script kiddies that
          connect via IP Address to send SPAM.  And after a while - the
          attempts pretty much go away.  Once they find they can't connect
          to your server on TCP Port 25 any more - they quit trying. <br>
          <br>
          Good luck and shoot back a message if I haven't explained
          something well enough. <br>
          <br>
          <br>
          <br>
          Chuck <br>
          <br>
          <br>
          <br>
          <br>
        </font> </blockquote>
      Fantastic. Will try that.<br>
      Thank you Gerald and Chuck <br>
      David<br>
      <br>
      <br>
    </blockquote>
    <br>
    If you use a blacklist like zen.spamhaus.com, that will also get rid
    of most of the direct-to-MX spam that comes from dynamic IP
    addresses.<br>
    <br>
    <br>
    Ken Marcus<br>
    <br>
    <br>
    <br>
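    Worked example, added to this archive page and not part of any message
    above: a small Python model of the acctin rule order Chuck posted
    (loopback ACCEPT, ACCEPT for the filtering server and the private
    ranges, LOG, DROP). It renders the /etc/sysconfig/iptables lines from
    one list of allowed sources, walks a connection through the rules to
    show which action it hits (including why David's "-s ! 1.2.3.4 ...
    -j REJECT" cut off local mail: the local MTA connects from and to
    127.0.0.1, which that rule rejects), and tallies the kernel LOG lines
    from the "#3" rule per source address, which is the list you would
    hand to the border router. The filtering server address 192.0.2.25,
    the destination 198.51.100.10 and the sample log lines are all
    constructed; the 172 private block is written as /12 because that is
    the RFC 1918 range.<br>
    <br>

```python
"""Port-25 lock-down model for a BlueQuartz/BlueOnyx end-server.

Added example, not code from the thread.  It models the rule order Chuck
posted for the "acctin" chain (loopback, allowed sources, LOG, DROP),
renders the matching /etc/sysconfig/iptables lines, and summarises the
kernel LOG lines those rules produce.  All addresses, the chain names and
the sample log lines are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

CHAIN = "acctin"                          # chain name used on the page
SMTP_PORT = 25
LOG_PREFIX = "E-Mail-Connect "            # trailing space keeps it apart from IN=
LOOPBACK = ipaddress.ip_network("127.0.0.1/32")

# Sources allowed to open TCP/25: the filtering server (assumed 192.0.2.25,
# standing in for "server 1") and the RFC 1918 private ranges.  The 172
# block is a /12 (172.16.0.0 - 172.31.255.255), not a /14.
ALLOWED_SOURCES = [
    ipaddress.ip_network("192.0.2.25/32"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def render_rules():
    """Return iptables-save style lines in the order they must appear in
    the chain: loopback first, then the ACCEPTs, then LOG, then DROP."""
    base = "-A %s -m state --state NEW -p tcp" % CHAIN
    rules = ["-A %s -d %s -j ACCEPT" % (CHAIN, LOOPBACK),
             "-A acctout -s %s -j ACCEPT" % LOOPBACK]
    rules += ["%s -s %s --dport %d -j ACCEPT" % (base, net, SMTP_PORT)
              for net in ALLOWED_SOURCES]
    rules.append('%s --dport %d -j LOG --log-prefix "%s"'
                 % (base, SMTP_PORT, LOG_PREFIX))
    rules.append("%s --dport %d -j DROP" % (base, SMTP_PORT))
    return rules


def decide(src, dport, dst="198.51.100.10"):
    """Walk the rules in order and return what the first match does to a
    NEW TCP connection.  Traffic that is not SMTP is not matched by these
    rules at all and falls through to the rest of the chain ("CONTINUE")."""
    src_ip = ipaddress.ip_address(src)
    if ipaddress.ip_address(dst) in LOOPBACK:   # local MTA talking to itself
        return "ACCEPT"
    if dport != SMTP_PORT:
        return "CONTINUE"
    if any(src_ip in net for net in ALLOWED_SOURCES):
        return "ACCEPT"
    return "LOG+DROP"                           # logged, then dropped


# Kernel LOG output puts the packet fields right after the prefix.  With no
# trailing space in --log-prefix it reads "E-Mail-ConnectIN=", so the
# pattern tolerates zero or more spaces there.
LOG_RE = re.compile(r"E-Mail-Connect\s*IN=\S*.*?\bSRC=(\S+).*?\bDPT=(\d+)")


def summarise(log_lines, top=5):
    """Count logged TCP/25 attempts per source address, most frequent first.
    This is the list you would take to the border router's block list."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and int(m.group(2)) == SMTP_PORT:
            hits[m.group(1)] += 1
    return hits.most_common(top)


# Constructed sample of /var/log/messages: two probes from one host, one
# from another, and an unrelated sshd line that must be ignored.
SAMPLE_LOG = """\
Mar  6 16:05:12 bq5100 kernel: E-Mail-Connect IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4321 DF PROTO=TCP SPT=43210 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  6 16:05:14 bq5100 kernel: E-Mail-Connect IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4322 DF PROTO=TCP SPT=43211 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  6 16:07:01 bq5100 kernel: E-Mail-Connect IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=9 DF PROTO=TCP SPT=51000 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  6 16:07:03 bq5100 sshd[1234]: Accepted publickey for admin from 192.0.2.25 port 50022 ssh2
""".splitlines()

if __name__ == "__main__":
    print("\n".join(render_rules()))
    for src in ("192.0.2.25", "172.20.0.5", "203.0.113.45"):
        print(src, "->", decide(src, SMTP_PORT))
    print(summarise(SAMPLE_LOG))
```

    Run as a script it prints the rule lines, the decision for three
    sample sources and the per-IP tally; on the real host, "iptables -L -n
    -v" gives the per-rule packet counters Chuck mentions, and the tally
    above comes from the LOG lines in /var/log/messages.<br>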
  </body>
</html>