Well done Kiggs.

-----Original Message-----
From: Kiggundu Mukasa [mailto:[EMAIL PROTECTED]
Sent: 18 July 2003 07:51
To: LUG
Subject: lug_: tale of a linux admin (part2)



Day three ....... ssh to server to check on work of yesterday
....................  112,513 messages!!!!!!!!!!!!!

AAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHH

TO BE CONTINUED....

PANIC, I tied down the main.cf so why still the spam.

First tried deleting messages, deleted a few thousand then noticed that they
are coming in at a rate about 50% of the delete rate!

Network setup is thus.

Internet --> Linux Firewall --> 100 MB/s switch --> Linux Mail Server, other
servers, 

On the inside network there was  a dhcpd server that was serving out IP
addresses so I told postfix to only accept smtp relay requests from IP
addresses in the class that the DHCP server was giving out.

On the firewall I ran rinetd and redirected all INCOMING smtp traffic on
the internet interface to the mail server so that domain mail could be
handled.

So first I manually telneted from the Internet to port 25 of the firewall
and issued SMTP commands and looked at /var/log/mail; to my surprise the IP
address I saw in the logs was not my Internet IP address, nor the Internet
IP address of the firewall, but the INSIDE IP address of the firewall (which
was the gateway IP address of the internal network).

This internal IP address was in the same class as that being given out by
the DHCP server (and had to be so that the internal machines could access
the net via the router/firewall).

Thus to the mail server, the firewall was a legitimate host sending out a lot
of mail to the internet just like any other client!!!!

First thing was shut down rinetd.

Second, delete all mail

Third, configure postfix on the firewall with the following rules (in main.cf
and the virtual file in /etc/postfix):
if you receive an email that has no local user AND belongs to your domain,
forward it to the mail server, then ALSO, by default, forward all
acknowledged mail received to the mail server (as the forwarding host).

There were two ways to do this.  I could have set up a split-level DNS where
the firewall knows all the machines inside the network by their fully
qualified domain names even though they are on a private IP address network
and still acknowledge the IP address names on the internet, then just let
the machine spool and relay mail to the mail server.

For details on split-level DNS email "Oscar Sekyewa <osekyewa@rafu.or.ug>"

OR I could do a quick and dirty but working solution

Since postfix first tries to interpret the fully qualified domain name then
spools, it works well.  The forwarding machine would be added using its IP
address (which can be private) and thus it works.

After this deleted spam mail on the mail server and restarted both servers!

Stayed on for 1 hour looking at mail bouncing back to spammers and mail to
the client, being delivered. 

Someone asked "Why did you not just rm -rRf /var/spool/postfix then
reinstall and fix problem?".  
I like pain and torture :=)  

No actually, the client was still operating well (until I rebooted) and a
complete reinstall would have taken them down.

Kiggs



-- 
****************                          *****************************
Kiggundu Mukasa                          # Computer Network Consultancy###
KYM-NET LTD.                             # Intranets & Internet Solutions#
House 73                                 # Data Communication Service ####
Plot 80 kanjokya Street
P.O. Box 173 Kampala, Uganda
Tel:     +256 77 972255
         +256 71 221141
Fax:     +256 31 262122
*************************************************************************
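The failure in the story above (rinetd rewriting every Internet SMTP client to the firewall's inside address, which the mail server's mynetworks rule then trusts) leaves a visible trace in the Postfix log: one "trusted" client that relays a stream of mail to outside domains. As an added example, not from the original post, here is a small parser over constructed Postfix log lines that counts, per client inside the trusted range, messages relayed to non-local recipients; the addresses, hostnames, domains and queue IDs are all made up.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed Postfix syslog lines (not from the original post). 10.0.0.1 plays
# the firewall's inside/gateway address, 10.0.0.0/24 the DHCP range that
# mynetworks trusts, and example.com the domain the mail server hosts.
SAMPLE_LOG = """\
Jul 18 07:40:01 mail postfix/smtpd[1201]: A1B2C3D4E5: client=gw.internal[10.0.0.1]
Jul 18 07:40:01 mail postfix/qmgr[1100]: A1B2C3D4E5: from=<spammer@bad.example>, size=812, nrcpt=1 (queue active)
Jul 18 07:40:02 mail postfix/smtp[1302]: A1B2C3D4E5: to=<victim@elsewhere.example>, relay=mx.elsewhere.example[192.0.2.10]:25, status=sent (250 Ok)
Jul 18 07:40:03 mail postfix/smtpd[1201]: F6E5D4C3B2: client=gw.internal[10.0.0.1]
Jul 18 07:40:03 mail postfix/qmgr[1100]: F6E5D4C3B2: from=<spammer@bad.example>, size=812, nrcpt=1 (queue active)
Jul 18 07:40:04 mail postfix/smtp[1302]: F6E5D4C3B2: to=<other@elsewhere.example>, relay=mx.elsewhere.example[192.0.2.10]:25, status=sent (250 Ok)
Jul 18 07:41:00 mail postfix/smtpd[1201]: 0011223344: client=pc12.internal[10.0.0.42]
Jul 18 07:41:00 mail postfix/qmgr[1100]: 0011223344: from=<alice@example.com>, size=2048, nrcpt=1 (queue active)
Jul 18 07:41:01 mail postfix/local[1400]: 0011223344: to=<bob@example.com>, relay=local, status=sent (delivered to mailbox)
"""

# smtpd logs the connecting client per queue ID; smtp/local log each delivery.
CLIENT_RE = re.compile(r"smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S+\[(?P<ip>[^\]]+)\]")
TO_RE = re.compile(r": (?P<qid>[0-9A-F]+): to=<[^@>]+@(?P<domain>[^>]+)>, relay=(?P<relay>\S+),")


def relayed_by_trusted_client(log_text, trusted_net, local_domain):
    """Count, per client IP inside trusted_net (a client that passed
    permit_mynetworks), messages relayed to recipients outside local_domain.
    Queue IDs join the smtpd 'client=' line to the later 'to=' line."""
    trusted = ip_network(trusted_net)
    client_of = {}            # queue ID -> client IP
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            client_of[m["qid"]] = m["ip"]
            continue
        m = TO_RE.search(line)
        if not m or m["relay"] == "local":
            continue          # local delivery is not relaying
        ip = client_of.get(m["qid"])
        if ip is None or ip_address(ip) not in trusted:
            continue          # only clients inside the trusted range matter here
        if m["domain"].lower() != local_domain.lower():
            counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    # With rinetd in front, every Internet sender shows up as the gateway, so an
    # address that should never be an SMTP client at all dominates the table.
    for ip, n in relayed_by_trusted_client(SAMPLE_LOG, "10.0.0.0/24", "example.com").items():
        print(f"{ip}: {n} message(s) relayed to external recipients")
```

A real log also carries "connect from", "disconnect from" and deferred-delivery lines; the parser ignores anything that is not a client= or to= record, so it can be pointed at a raw /var/log/mail as-is.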
