Yes, that is correct Thomas. Sam responded earlier stating that you can control access to the Courier mail server using the smtpaccess file. However, that still doesn't prevent mail coming from unwanted hosts "to" users on the mail server, right? I think that smtpaccess only controls relaying? Or maybe I'm wrong - maybe it will reject a host that is listed in the file from even connecting (but I don't think that is correct).
Nevertheless, the desired effect is to ONLY allow traffic on port 25 to your mail server from the filtering server. With FreeBSD and/or Linux you can run a firewall within the kernel of the OS and tweak the ruleset to only allow incoming traffic on port 25 from your mail filter. This way, if someone attempts to circumvent your filter, they cannot (such that you're seeing the virus do).

I have the same issue, which is why I understand this:

    Courier Mail Router/Filter        =>  Courier Mail Server
    -------------------------------------------------------------------------------
    domain1 MX points here (filtered)     domain1 lives here, Internet doesn't know
    domain2 MX points here (filtered)     domain2 lives here, Internet doesn't know
                                          domain3 MX points here
                                          domain4 MX points here

What happens is spammers guess names for domain1 and domain2 - who knows how they know, they do - they figure it out - spam doesn't get filtered 100%, which is unacceptable.

Solution (using Courier as a filter, maybe yours is different)

    Courier Mail Router/Filter        =>  Courier Mail Server
    -------------------------------------------------------------------------------
    domain1 MX points here (filtered)     domain1 lives here, Internet doesn't know
    domain2 MX points here (filtered)     domain2 lives here, Internet doesn't know
    domain3 MX points here (just route)   domain3 lives here
    domain4 MX points here (just route)   domain4 lives here

Now the mail server can be set up to ONLY allow connections on port 25 from the router/filter machine and the Internet CANNOT get to the mail server. (Obviously, the machine allows port 80, 110, popssl, imapssl, etc. to connect, just not 25)

If your router or filter cannot "just route" mail without filtering, as in this diagram, then you'll need another machine/server to host domain3 and 4 on. As well, maybe you don't want to put the additional load on the mail filter, so you need to move unfiltered domains to a separate machine.

Just remember this: If the Courier Mail Server has port 25 open to the world, there's no "per domain" configuration of the SMTP daemon or of a firewall solution. With a firewall you could block out access to specific IP addresses, but face it - if I can get to any SMTP daemon on the mail server, I can send to anyone on it - to any domain that lives on it.

Maybe this might be a configuration improvement for a future release of Courier - it would surely be the only mail system to do it.

D

--
Derrick T. Woolworth, President
R&D Associates, Inc.
8500 W. 110th, Suite 210
Overland Park, KS 66210
Phone: (913) 491-1644
Fax: (913) 491-1645

Quoting Thomas von Hassel <[EMAIL PROTECTED]>:

| On 28/1-2004, at 9.43, Derrick T. Woolworth wrote:
|
| > Thomas,
| >
| > If I understand what you're saying, you want to prevent spammers from
| > circumventing your filtering server, correct?
|
| bingo!
|
| > What's happening is spam is still getting by the filter because they
| > connect directly to your mail server and not to the filter?
|
| right, most recently the Mydoom worm ...
|
| > It would be best if you configure a firewall in front of your mail
| > server to allow incoming pop/imap traffic and deny traffic for incoming
| > SMTP. Route all mail through your filter, but turn off the filter for
| > those domains that don't want filtering. Your filter should allow that -
| > if not, you don't have much of a choice. You will probably need to move
| > those domains to another machine.
|
| Then the firewall would be responsible for only allowing SMTP
| connections from the filtering server to the "real" mailserver behind
| the firewall?
|
| /thomas
|
| > Quoting Sam Varshavchik <[EMAIL PROTECTED]>:
| >
| > | Thomas von Hassel writes:
| > |
| > | > Ok, we have this setup now
| > | >
| > | > Internet ---> Filtering server (Running
| > | > postfix/spamassassin/uvscan/anomy) ---> Courier mailserver
| > | >
| > | > Is there a way to set up the courier server so it only accepts mail
| > | > coming from the filtering server, also this must be done on a domain
| > | > level, not all domains have their mail filtered.
| > |
| > | You can control where mail goes for a given domain by setting up your
| > | DNS MX records correctly.
|
| /thomas
|
| --
| Dignity and an empty sack is worth the sack.
| -Ferengi Rule of Acquisition No. 109

-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
courier-users mailing list
[EMAIL PROTECTED]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
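
The lockdown described in the message above, as an added example that is not part of the original thread: a shell function that prints an iptables ruleset for the mail server, accepting port 25 only from the filter host and logging direct connection attempts. It assumes Linux iptables; the function names, the address 192.0.2.10, the log prefix and the port list (80, 110, 143, 993, 995) are illustrative choices, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset that
# lets only the filtering host reach SMTP on the mail server.

# Succeeds only for a dotted-quad IPv4 address with octets 0-255, so nothing
# but a plain address can end up inside the generated rules.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the ruleset for the given filter address (hypothetical helper name).
smtp_lockdown_rules() {
    filter_ip=$1
    valid_ipv4 "$filter_ip" || { echo "bad filter address: $filter_ip" >&2; return 1; }
    cat <<EOF
# Add a rule for your own admin access (e.g. SSH) before loading this.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SMTP: only the router/filter machine may connect.
-A INPUT -p tcp -s $filter_ip --dport 25 -j ACCEPT
# Anyone else on port 25 is bypassing the MX; log (rate-limited), then drop.
-A INPUT -p tcp --dport 25 -m limit --limit 6/min -j LOG --log-prefix "smtp-bypass: "
-A INPUT -p tcp --dport 25 -j DROP
# Web, POP3, IMAP and their SSL variants stay reachable from the Internet.
-A INPUT -p tcp -m multiport --dports 80,110,143,993,995 -j ACCEPT
COMMIT
EOF
}
```

Run as root on the mail server with `smtp_lockdown_rules 192.0.2.10 | iptables-restore`, substituting the real filter address; the `smtp-bypass:` entries in the kernel log then show which hosts are still trying to reach the server directly.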