[BlueOnyx:01518] Re: Setting up sendmail to only accept mail from one external sendmail server
chuck at tetlow.net
Sat Jun 27 19:00:01 PET 2009
That's exactly what I do - only we use CanIt from Roaring Penguin. Works nice.
To get around the SPAMMERS connecting via IP address instead of using the MX records - use the IPTables firewall to block it. I've got all our BQ and BX servers set to only accept TCP port 25 connection initiations from our CanIt server. The lines go:
-A acctin -m state --state NEW -p tcp -s 127.0.0.1/32 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s internal network/24 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s network on server/24 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp --dport 25 -j LOG --log-prefix "E-Mail Connect "
-A acctin -m state --state NEW -p tcp --dport 25 -j DROP
Put that in your /etc/sysconfig/iptables rules, right up at the top under the existing line for 127.0.0.1. It blocks new TCP port 25 connections from anything else besides your internal networks and your IPs on that server (if they're different). If your SPAM filtering machine isn't in that same range, add another line for it.
You do need to make sure your users are able to send e-mail first. If they're on the same network as your server, or you list the network in those firewall rules - they're OK. Otherwise, they have to use SMTP Auth and the submission port for relaying outgoing e-mail. And be sure that's working before you make those firewall rules - or they won't be able to send e-mail through your server.
Now - here's the rub. Both the BQ and BX servers will try to modify that firewall configuration file. So you have to protect it. Go to the /etc/sysconfig directory and use the "chattr +i iptables" command. That makes the file "immutable" - a fancy word for saying that NO ONE can change it, not even root! Try it with VI, you can't save - it's protected. After that, the BQ or BX management scripts can't change that file to overwrite those lines and they'll always be there. Restart the firewall with "service iptables restart" and you're in business!
Oh yeah - if you do need to modify that file again, use "chattr -i iptables" to unlock it. And you can see if the immutable bit is set with "lsattr" while in that directory.
Since I implemented that lockdown - it's stopped literally millions of SPAM connections. I know that because the second to last line logs anyone trying to connect on TCP 25. My logs have millions of connection attempts that have been blocked. It's NICE. Between that one little block to stop SPAM-by-IP and the CanIt server - it's unusual when I get even one SPAM a day. Last week was the worst in a couple months -- I got two SPAM in five days!!
---------- Original Message -----------
From: Steve Davis <steve at zio.com>
To: blueonyx at blueonyx.it
Sent: Sat, 27 Jun 2009 12:44:17 -0500
Subject: [BlueOnyx:01514] Setting up sendmail to only accept mail from one external sendmail server
> I had a thought.
> I have a Barracuda Spam & Virus server and a problematic BO mail server.
> All of the domains that are on the BO server have a single MX record
> that points to the Barracuda. The Barracuda scans, verifies good and
> forwards mail to the BO server.
> Spammers are attacking the BO directly. I had 38,000 in the queue
> over a 6 hour period.
> Could I setup the BO server to only accept smtp or smtps mail from the
> I would need to keep the outgoing smtp connections open globally.
> Meaning the BO would need to establish its own connections to external
> mail server to deliver mail.
> Users on this box generally do not POP and then send mail. This would
> be another issue, that could be solved by requiring smtps or pop
> before relay.
> Any ideas?
> Blueonyx mailing list
> Blueonyx at blueonyx.it
------- End of Original Message -------
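An added example (not from Chuck's post) that builds the port-25 allow-list block from the reply for /etc/sysconfig/iptables, with the filter host as its own line as he suggests, and audits an iptables-save style dump to confirm every port-25 ACCEPT names a source and an unconditional DROP follows. The chain name acctin comes from the post; 192.0.2.0/24 and 203.0.113.10/32 are constructed placeholder addresses.

```shell
#!/bin/sh
# Emit the allow-list block: one ACCEPT per permitted source (loopback first),
# then the LOG line that records blocked attempts, then the catch-all DROP.
# $@ = CIDR sources allowed to open new connections to TCP 25
gen_smtp_rules() {
    for src in 127.0.0.1/32 "$@"; do
        printf '%s\n' "-A acctin -m state --state NEW -p tcp -s $src --dport 25 -j ACCEPT"
    done
    printf '%s\n' '-A acctin -m state --state NEW -p tcp --dport 25 -j LOG --log-prefix "E-Mail Connect "'
    printf '%s\n' '-A acctin -m state --state NEW -p tcp --dport 25 -j DROP'
}

# Audit an iptables-save dump read on stdin. Returns 0 only when:
#  - at least one port-25 ACCEPT exists and each one carries an explicit -s,
#  - a port-25 DROP with no -s (i.e. "everything else") is present.
# Any port-25 ACCEPT without a source would let anyone bypass the filter host.
audit_smtp_rules() {
    awk '
        /--dport 25/ && /-j ACCEPT/ {
            accepts++
            if ($0 !~ "-s [0-9.]+/[0-9]+") bad++
        }
        /--dport 25/ && /-j DROP/ && $0 !~ /-s / { drop = 1 }
        END {
            if (accepts > 0 && drop && !bad) exit 0
            exit 1
        }'
}

# Usage: generate the block, then feed it straight back through the audit.
gen_smtp_rules 192.0.2.0/24 203.0.113.10/32 | audit_smtp_rules \
    && echo "smtp allow-list block is well-formed"
```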