Re: [WISPA] How do you control outgoing SMTP?
On Wed, Nov 18, 2009 at 15:29, Chuck Hogg ch...@shelbybb.com wrote:

> Ok, so we are passing back and forth negatives/positives of our current SMTP policy, and are looking for answers on what others are doing. I'm going to list what we have done, currently doing, and looking for feedback on what you do...

We allow authenticated SMTP relay from anywhere, and unauthenticated SMTP relay from within our network. Unauthenticated traffic from our broadband customers is transparently routed to a different server (with a clever abuse of NAT rules), and that server does extra spam scanning on outgoing email.

If I could rebuild the whole network from scratch, I'd love to make everything require authentication, but there's a bunch of pesky legacy customers out there.

David Smith
MVN.net

WISPA Wants You! Join today!
http://signup.wispa.org/

WISPA Wireless List: wireless@wispa.org
Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless
Archives: http://lists.wispa.org/pipermail/wireless/
Re: [WISPA] How do you control outgoing SMTP?
We turned it on and do:

550 This mail server requires authentication when attempting to send to a non-local e-mail address. Please see http://www.shelbybb.com/email.aspx for more info.

Had a few calls, but not too bad. Most people get that error, go to the webpage, and follow instructions.

Regards,
Chuck Hogg
Shelby Broadband
502-722-9292
ch...@shelbybb.com
http://www.shelbybb.com

-----Original Message-----
From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On Behalf Of David E. Smith
Sent: Wednesday, November 18, 2009 4:37 PM
To: WISPA General List
Subject: Re: [WISPA] How do you control outgoing SMTP?

> On Wed, Nov 18, 2009 at 15:29, Chuck Hogg ch...@shelbybb.com wrote:
>
> > Ok, so we are passing back and forth negatives/positives of our current SMTP policy, and are looking for answers on what others are doing. I'm going to list what we have done, currently doing, and looking for feedback on what you do...
>
> We allow authenticated SMTP relay from anywhere, and unauthenticated SMTP relay from within our network. Unauthenticated traffic from our broadband customers is transparently routed to a different server (with a clever abuse of NAT rules), and that server does extra spam scanning on outgoing email.
>
> If I could rebuild the whole network from scratch, I'd love to make everything require authentication, but there's a bunch of pesky legacy customers out there.
>
> David Smith
> MVN.net
Re: [WISPA] How do you control outgoing SMTP?
We have a blend of Option 2...

All outgoing Port 25 is blocked except for our mail server; relaying is allowed by authenticating with the user's primary account info (username/password) ON OUR NETWORK ONLY. Postini is used to filter outbound messages to spam server issues... All inbound to the network on 25 is blocked... Users can use webmail if they need access off our network.

This is for residential customers only... Business customers we use firewall rules (at the premise) to route all mail traffic through our Postini servers...

We being a cable provider with a bit under 400k users...

On Wed, Nov 18, 2009 at 2:29 PM, Chuck Hogg ch...@shelbybb.com wrote:

> Ok, so we are passing back and forth negatives/positives of our current SMTP policy, and are looking for answers on what others are doing. I'm going to list what we have done, currently doing, and looking for feedback on what you do...
>
> Option 1. Block all outgoing port 25 with the exception of your own mail server. Allow for relaying of all email originating from your network. You are now open to viruses that spam on your network, getting you listed as a spam server.
>
> Option 2. Block all outgoing port 25 with the exception of your own mail server, require authentication to send email from your server, using the same authentication that is being done with POP3/IMAP. This works fine, users authenticate; however, dictionary attacks leave you open to spammers taking control of a user account and using you to spam.
>
> Option 3. Block all outgoing port 25 with the exception of your own mail server, require authentication to send email from your server, using the same authentication that is being done with POP3/IMAP. Require all users who authenticate to only email using the authenticated email address. This works fine, users authenticate, and it prevents dictionary attacks because now the spammer has to identify themselves as the email address for the account they are using, and can't use a simple username such as joe, meaning user joe has to send as j...@shelbybb.com and know that j...@shelbybb.com is the full email account. We host multiple domains, so j...@shelbywireless.com works but not j...@shelbybb.com for example. This however also affects people who have outside email accounts, as they can no longer send email using that outside account. My response here is that a large number of hosts use port 587 as the alternate mail server, and for us that is an acceptable workaround that our users will have to do. This is what we currently do.
>
> Option 4. Leave Port 25 open, set up a rule in the firewall to monitor the amount of messages going through, and add to an address list when they breach the threshold.
>
> Regards,
> Chuck Hogg
> Shelby Broadband
> 502-722-9292
> ch...@shelbybb.com
> http://www.shelbybb.com
Re: [WISPA] How do you control outgoing SMTP?
Outbound is limited to 10 connections, once you hit that, NO outbound until I look at it. :) Mail servers that we know of we increase that a bit, but they have a public, and are responsible for spam etc and such.

---
Dennis Burgess, CCNA, A+, Mikrotik Certified Trainer
WISPA Board Member - wispa.org
Link Technologies, Inc -- Mikrotik WISP Support Services
WISPA Vendor Member
Office: 314-735-0270
Website: http://www.linktechs.net
LIVE On-Line Mikrotik Training
Author of "Learn RouterOS"

-----Original Message-----
From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On Behalf Of Chuck Hogg
Sent: Wednesday, November 18, 2009 3:29 PM
To: WISPA General List
Subject: [WISPA] How do you control outgoing SMTP?

> Ok, so we are passing back and forth negatives/positives of our current SMTP policy, and are looking for answers on what others are doing. I'm going to list what we have done, currently doing, and looking for feedback on what you do...
Re: [WISPA] How do you control outgoing SMTP?
> Ok, so we are passing back and forth negatives/positives of our current SMTP policy, and are looking for answers on what others are doing. I'm going to list what we have done, currently doing, and looking for feedback on what you do...

If I could start over I would make everyone authenticate on port 587 for SMTP. But instead we have this in our Mikrotik firewall.

/ip firewall filter
add action=jump chain=forward comment="" disabled=no jump-target=smtp
add action=add-src-to-address-list address-list=spammer address-list-timeout=6h chain=smtp comment="" connection-limit=15,32 disabled=no dst-port=25 protocol=tcp tcp-flags=syn
add action=tarpit chain=smtp comment="" disabled=no dst-port=25 protocol=tcp src-address-list=spammer

Any customer trying to do 15 or more outgoing SMTP connections gets their SMTP port tarpitted for 6 hours. Works pretty well.

Matt
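A small model of two controls discussed in this thread, as an added example (not code from Chuck, Matt or any other poster): Option 3's check that an authenticated user may only send as their own full address at a domain the ISP hosts, and the connection-count, address-list and tarpit logic of the RouterOS chain above. The hosted-domain set, sample addresses and timestamps are constructed placeholders.

```python
"""Added example (not any poster's code): models Option 3 from Chuck's list
(an authenticated user may only send as their own full address) and Matt's
RouterOS chain (a source with 15+ port-25 connections is listed as 'spammer'
for 6h and tarpitted).  Hosted domains and sample addresses are constructed."""
import ipaddress
from collections import defaultdict

HOSTED_DOMAINS = {"shelbybb.com", "shelbywireless.com"}  # constructed set
CONNECTION_LIMIT = 15        # connection-limit=15,32 in the RouterOS rule
SPAMMER_TIMEOUT = 6 * 3600   # address-list-timeout=6h, in seconds


def sender_allowed(auth_user: str, mail_from: str) -> bool:
    """Option 3: the login must itself be a full address at a domain we host,
    and the envelope sender must be exactly that address (case-insensitive).
    A bare username such as 'joe' is refused, which is the whole point."""
    user = auth_user.strip().lower()
    sender = mail_from.strip().lower().strip("<>")
    local, at, domain = user.rpartition("@")
    if not at or not local or domain not in HOSTED_DOMAINS:
        return False
    return sender == user


class OutboundSmtpGuard:
    """Per-source (/32) accounting for port-25 connections.  Reaching
    CONNECTION_LIMIT open connections lists the source for SPAMMER_TIMEOUT
    seconds, and every port-25 SYN from a listed source is tarpitted.  The
    add-to-list action is modelled as non-terminating (as RouterOS address-list
    actions are), so the 15th SYN is both listed and tarpitted by the next rule."""

    def __init__(self) -> None:
        self.open = defaultdict(int)   # src -> currently open connections
        self.spammer = {}              # src -> listing expiry time (seconds)

    def is_listed(self, src: str, now: float) -> bool:
        expiry = self.spammer.get(src)
        if expiry is not None and now >= expiry:
            del self.spammer[src]      # entry expires like address-list-timeout
        return src in self.spammer

    def on_syn(self, src: str, now: float) -> str:
        """Decision for one new SYN to dst-port 25: 'accept' or 'tarpit'."""
        ipaddress.ip_address(src)      # refuse junk before touching the tables
        if self.is_listed(src, now):
            return "tarpit"
        self.open[src] += 1
        if self.open[src] >= CONNECTION_LIMIT:
            self.spammer[src] = now + SPAMMER_TIMEOUT
            return "tarpit"
        return "accept"

    def on_close(self, src: str) -> None:
        """Connection finished (conntrack entry gone): release one slot."""
        if self.open[src] > 0:
            self.open[src] -= 1
```

Real deployments count connections via conntrack and the listing survives until the timeout even if the customer cleans the infected host, which is the "until I look at it" behaviour Dennis describes.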
Re: [WISPA] How do you control outgoing SMTP?
We outsource our email and do not run our own server. We also have way too many work from home users who all have their own business email addresses they need to access. So we do not block port 25 in any way. All customers get their own IP address (most are dynamic, but rarely change). All of our users connect to our outsourced email server with their own username and password for SMTP, and any other email addresses have to connect to their provider's email server however their provider wants. There has never once been an issue.

- Matt

Chuck Hogg wrote:

> Ok, so we are passing back and forth negatives/positives of our current SMTP policy, and are looking for answers on what others are doing. I'm going to list what we have done, currently doing, and looking for feedback on what you do...
Re: [WISPA] How do you control outgoing SMTP?
We authenticate all outbound email too. It's not perfect, but it's worked pretty well. A better email log (and authenticating every message vs. every connection) would make it even better.

marlon

----- Original Message -----
From: Chuck Hogg ch...@shelbybb.com
To: WISPA General List wireless@wispa.org
Sent: Wednesday, November 18, 2009 1:29 PM
Subject: [WISPA] How do you control outgoing SMTP?

> Ok, so we are passing back and forth negatives/positives of our current SMTP policy, and are looking for answers on what others are doing. I'm going to list what we have done, currently doing, and looking for feedback on what you do...
Re: [WISPA] How do you control outgoing SMTP?
On Wed, 2009-11-18 at 16:29 -0500, Chuck Hogg wrote:

> Ok, so we are passing back and forth negatives/positives of our current SMTP policy, and are looking for answers on what others are doing. I'm going to list what we have done, currently doing, and looking for feedback on what you do...

I don't use any of your approaches. I use:
http://blog.butchevans.com/2008/12/spam-trojan-detection-with-mikrotik-routeros/

--
* Butch Evans                  * Professional Network Consultation *
* http://www.butchevans.com/   * Network Engineering               *
* http://www.wispa.org/        * Wired or Wireless Networks        *
* http://blog.butchevans.com/  * ImageStream, Mikrotik and MORE!   *