On 3/6/2013 4:46 PM, Ken Marcus wrote:
On 3/6/2013 4:05 PM, David Hahn wrote:
On 3/6/2013 3:05 PM, Chuck Tetlow wrote:
> Hi all,
> I have a BlueQuartz 5100 still running the old
> nuonce/solarspeed av/spam package. It no longer
> updates SA and ClamAV etc. With the garbage being
> sent it no longer has much of a chance of protecting
> mail as well as the current av/spam package does.
> BTW, the current package works GREAT!
>
> Using 2 servers one the MX points to with the av/spam
> package on it (server 1 BO5601). It then scans the mail and
> sends it to the BQ5100 server 2.
>
> My question is, how do I stop mail from by-passing
> the MX records and go around server 1 and directly
> to server 2?
>
> If I use iptables to block port 25 for all but
> one IP address, local mail (users, mail, admin, root etc.)
> quits sending on server 1.
>
> # iptables -A INPUT -s ! 1.2.3.4 -p tcp --dport 25 -j REJECT
> or
> # iptables -A acctin -s ! 1.2.3.4 -p tcp --dport 25 -j REJECT
>
> What other rule would I use to keep the localhost and domains
> and the internals happy on server 2 and only allow mail from
> server 1 and no where else or a more permanent better way to
> do so.
>
> TIA
> David


Hi David,

We have a similar situation, with an external mail filtering server running Roaring Penguin CanIt. And we also had a problem with the script-kiddies sending crap directly to the end-servers, because they didn't use the MX records for the domains - they just sent their crap to any machine that responds on TCP port 25.

So I set up some IPTables filtering rules of my own. I put these rules in the /etc/sysconfig/iptables file so they're loaded automatically. While I know the file has a warning in it about manual changes being lost - I haven't had that happen to me. And if it did start - I'd just lock the file with the immutable bit (chattr +i /etc/sysconfig/iptables).

So here are the rules in each end-server to keep out everyone but my SPAM filtering server, and other local company servers. These go up near the top of that /etc/sysconfig/iptables file, right under the line "-A OUTPUT -j acctout":

#1 - Keep your server talking to itself:
-A acctin -d 127.0.0.1/32 -j ACCEPT
-A acctout -s 127.0.0.1/32 -j ACCEPT

#2 - Allow in connections from any inside networks you have, or any Private Address Space you are using. Be sure your filtering server falls in here somewhere (the RFC 1918 172.16 block is a /12, covering 172.16.0.0 through 172.31.255.255):
-A acctin -m state --state NEW -p tcp -s 1.2.3.4/24 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s 4.3.2.1/24 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s 10.0.0.0/8 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s 172.16.0.0/12 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s 192.168.0.0/16 --dport 25 -j ACCEPT

#3 - Log the connection attempts (just so I can see who is trying hard to get in and can be blocked at the main router). The prefix is quoted with a trailing space so the kernel does not run it together with the "IN=" field that follows:
-A acctin -m state --state NEW -p tcp --dport 25 -j LOG --log-prefix "E-Mail-Connect "

#4 - Now, drop the connection attempt. (P.S. - These comment lines numbered 1-4 don't go in that file. They're just explanation):
-A acctin -m state --state NEW -p tcp --dport 25 -j DROP


After putting those firewall rules into that file, restart the firewall with "service iptables restart". You can check to see if they're in the active rules with "iptables -L -n | more". Look for those rules up at the top of the chain labeled "acctin".

And if you want to see how much they're blocking - use "iptables -L -n -v | more". That will also give a packet count of what each line has allowed or blocked. That way - you can see how many connection attempts the firewall rule has blocked.

I've found that this completely locks out the script kiddies that connect via IP address to send SPAM. And after a while - the attempts pretty much go away. Once they find they can't connect to your server on TCP port 25 any more - they quit trying.

Good luck and shoot back a message if I haven't explained something well enough.



Chuck
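The rule set and the log check described in the message above, as an added example that is not part of the thread or of BlueOnyx: it generates the acctin/acctout lines from a list of allowed source networks in the order the post requires (loopback, explicit ACCEPTs, LOG, DROP), flags the two easy mistakes in rule #2 (host bits set in a /24, or a private block written narrower than RFC 1918), and counts the source addresses in the kernel LOG lines that rule #3 produces, which is the list you would feed to the border router. The chain names follow the /etc/sysconfig/iptables layout the post shows; the networks and the syslog lines are constructed sample data, and the LOG lines deliberately show the prefix glued to "IN=" as happens when the prefix has no trailing space.

```python
import ipaddress
import re
from collections import Counter

# Added example, not code from the mailing-list thread or from BlueOnyx.
# Chain names (acctin/acctout) follow the /etc/sysconfig/iptables layout
# shown in the post; networks and log lines below are constructed samples.

# RFC 1918 private address space. Note 172.16.0.0/12, not /14:
# a /14 only covers 172.16.0.0 through 172.19.255.255.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def network_warnings(allowed):
    """Flag mistakes that make rule #2 silently allow less than intended."""
    warnings = []
    for n in allowed:
        try:
            net = ipaddress.ip_network(n, strict=True)
        except ValueError:
            fixed = ipaddress.ip_network(n, strict=False)
            warnings.append(f"{n}: host bits set (did you mean {fixed}?)")
            continue
        for rfc in RFC1918:
            if net != rfc and net.subnet_of(rfc):
                warnings.append(f"{n}: covers only part of private block {rfc}")
    return warnings


def build_rules(allowed, log_prefix="E-Mail-Connect"):
    """Return the lines to place right under '-A OUTPUT -j acctout'.

    Order matters: loopback first, then explicit ACCEPTs, then LOG, then
    DROP. Anything not matched by an ACCEPT is logged and dropped, so a
    missing filtering-server address blocks all inbound mail.
    """
    nets = [ipaddress.ip_network(n, strict=True) for n in allowed]
    rules = [
        "-A acctin -d 127.0.0.1/32 -j ACCEPT",
        "-A acctout -s 127.0.0.1/32 -j ACCEPT",
    ]
    for net in nets:
        rules.append(f"-A acctin -m state --state NEW -p tcp -s {net} "
                     f"--dport 25 -j ACCEPT")
    # Quote the prefix and end it with a space so the kernel does not glue
    # it to the "IN=" field that follows in the log line.
    rules.append(f'-A acctin -m state --state NEW -p tcp --dport 25 '
                 f'-j LOG --log-prefix "{log_prefix} "')
    rules.append("-A acctin -m state --state NEW -p tcp --dport 25 -j DROP")
    return rules


_SRC = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")


def blocked_sources(log_lines, log_prefix="E-Mail-Connect"):
    """Count SRC addresses in kernel LOG lines carrying log_prefix.

    Only port-25 lines with the prefix are counted, so other LOG rules in
    the same syslog do not pollute the result. Returns Counter(ip -> hits).
    """
    counts = Counter()
    for line in log_lines:
        if log_prefix not in line or "DPT=25" not in line:
            continue
        m = _SRC.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


# Constructed sample syslog lines (documentation addresses, not real hosts).
SAMPLE_LOG = """\
Mar  6 16:05:01 server2 kernel: E-Mail-ConnectIN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51234 DPT=25 SYN
Mar  6 16:05:03 server2 kernel: E-Mail-ConnectIN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51240 DPT=25 SYN
Mar  6 16:05:09 server2 kernel: E-Mail-ConnectIN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=25 SYN
Mar  6 16:05:12 server2 kernel: Other-RuleIN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP SPT=33333 DPT=22 SYN
""".splitlines()


if __name__ == "__main__":
    allowed = ["1.2.3.4/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
    for w in network_warnings(["1.2.3.4/24", "172.16.0.0/14"]):
        print("warning:", w)
    print("\n".join(build_rules(allowed)))
    for ip, hits in blocked_sources(SAMPLE_LOG).most_common():
        print(f"{hits:5d} attempts from {ip}")
```

Run it once before editing the live file: the warnings tell you whether your rule #2 networks are what you think they are, and the counter over /var/log/messages (replace SAMPLE_LOG with the real lines) gives the same per-source picture that "iptables -L -n -v" gives per rule, but broken down by attacker.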



Fantastic. Will try that.
Thank you Gerald and Chuck
David



If you use a blacklist like zen.spamhaus.com that will also get rid of most of the direct to MX spam that comes from dynamic IP addresses.


Ken Marcus




Ken,
I have a handful configured in the BlueOnyx CP.
But I'm not exactly sure what happens after the av/spam
package is added. It uses RBLs in the scoring but does
not reject directly as it did before the package.
The package does quite a nice job cutting the
garbage down to a trickle hands free.
The poor old 5100 doesn't have a chance without something
helping it. The firewall rules posted tighten up the mail like a champ
on server 2 so the filter server can do its job.
David

_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
