[xmail] Re: SMTP-Relaying only from Authorized Destinations?
Dale Qualls wrote: > > Tracy: > > You might want to upgrade to 1.22, IIRC there was some kind of obscure > security bug fix in 1.22 that was supposedly exploitable in 1.21. > As I recall, the security fix was in regard to sendmail, not the xmail server directly. Since I don't use sendmail, I didn't bother to update (although I probably will, at some point in the not too distant future - when I have an hour or so to port forward my custom mods...) - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
[xmail] Re: SMTP-Relaying only from Authorized Destinations?
Tracy: You might want to upgrade to 1.22, IIRC there was some kind of obscure security bug fix in 1.22 that was supposedly exploitable in 1.21. -- later, Dale mailto:[EMAIL PROTECTED] Wednesday, December 7, 2005, 8:44:39 PM, you wrote: > I ended up going in and custom coding a bunch of stuff in SMTPSvr.c and > SMTPUtils.c to make that happen back around 1.17 (and carried the mods > forward to the most recent version I've installed, which I think is > 1.21). Of course, there were some other mods, too (such as adding user > policy level checking, so that users with different policy levels > receive a temp fail at RCPT TO)... - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
[xmail] Re: SMTP-Relaying only from Authorized Destinations?
Am Mittwoch, den 07.12.2005, 15:13 -0800 schrieb Davide Libenzi: > > I'll put this in my to-do list. The ip-map check can be moved inside where > all other checks are, so that we can make it bypassable with AUTH. > Thanks - that's cool and exactly what we need! Achim - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
[xmail] Re: SMTP-Relaying only from Authorized Destinations?
Davide Libenzi wrote: > On Thu, 8 Dec 2005, Adrian Hicks wrote: > > >>If you're running GNU/Linux on your mail server you can use iptables to >>create a firewall to protect XMail. Works a dream here. > > > The problem he's having is that he wants an AUTH session to overrule the > IP blocking. > I ended up going in and custom coding a bunch of stuff in SMTPSvr.c and SMTPUtils.c to make that happen back around 1.17 (and carried the mods forward to the most recent version I've installed, which I think is 1.21). Of course, there were some other mods, too (such as adding user policy level checking, so that users with different policy levels receive a temp fail at RCPT TO)... If I recall, last time I ported the mods forward, I ended up deferring all checks until after RCPT TO, so that I could have required role accounts able to accept mail from anywhere while still being able to filter mail for other accounts (with most filtering being done in the filter.pre-data.tab and based on the user account policy level). I'd offer to share the mods, but my C skills are feeble at best and I'd be ashamed for anyone else to see them...:) But I seem to recall that it wasn't too hard to track down and modify the parts that needed changing. Maybe a couple hours worth of work (including adding one member to the SMTPSession structure for tracking the policy level data). - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
[xmail] Re: SMTP-Relaying only from Authorized Destinations?
On Thu, 8 Dec 2005, Adrian Hicks wrote: > > If you're running GNU/Linux on your mail server you can use iptables to > create a firewall to protect XMail. Works a dream here. The problem he's having is that he wants an AUTH session to overrule the IP blocking. - Davide - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
[xmail] Re: SMTP-Relaying only from Authorized Destinations?
If you're running GNU/Linux on your mail server you can use iptables to create a firewall to protect XMail. Works a dream here. Adrian Hicks On 08 December 2005 07:13, Davide Libenzi wrote: > On Tue, 6 Dec 2005, Achim Schmidt wrote: > > Hello List, > > > > because of the amount of Virus-Emails we are facing a major problem > > now. First let me explain our current MX-Constellation: > > > > - Mail for exmaple.com has MX-Entries to mx.waaf.net > > - mx.waaf.net are several machines running postfix/virusscanner > > - if the email passes all tests it is delivered to the final > > destination machine running xmail > > - [EMAIL PROTECTED] also sent email through this xmail-box. > > > > Now there are more and more viruses that don't care about MX-Records > > and drectly try to deliver mail for [EMAIL PROTECTED] to > > mail.exmaple.com. Mail.example.com resolves to the xmail-box. > > > > > > My solution to get rid of this non-filtered Virus-Emails is to only > > allow SMTP-connections to the xmail-box from our subnets, where the > > mx.waaf.net machines are located _AND_ from authorized IP-adresses > > (SMTP-AUTH, POP-before-SMTP). > > > > I just tried to use smtp.ipmap.tab - but with the result that only the > > mentioned subnets where allowed to relay and authoriezed IP-adresses > > where denied. > > > > Does anybody have a hint? > > I'll put this in my to-do list. The ip-map check can be moved inside > where all other checks are, so that we can make it bypassable with AUTH. > > > - Davide > > > - > To unsubscribe from this list: send the line "unsubscribe xmail" in > the body of a message to [EMAIL PROTECTED] > For general help: send the line "help" in the body of a message to > [EMAIL PROTECTED] > > --- > [This E-mail was scanned for viruses.] - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
[xmail] Re: SMTP-Relaying only from Authorized Destinations?
On Tue, 6 Dec 2005, Achim Schmidt wrote: > Hello List, > > because of the amount of Virus-Emails we are facing a major problem now. > First let me explain our current MX-Constellation: > > - Mail for exmaple.com has MX-Entries to mx.waaf.net > - mx.waaf.net are several machines running postfix/virusscanner > - if the email passes all tests it is delivered to the final destination > machine running xmail > - [EMAIL PROTECTED] also sent email through this xmail-box. > > Now there are more and more viruses that don't care about MX-Records and > drectly try to deliver mail for [EMAIL PROTECTED] to mail.exmaple.com. > Mail.example.com resolves to the xmail-box. > > > My solution to get rid of this non-filtered Virus-Emails is to only > allow SMTP-connections to the xmail-box from our subnets, where the > mx.waaf.net machines are located _AND_ from authorized IP-adresses > (SMTP-AUTH, POP-before-SMTP). > > I just tried to use smtp.ipmap.tab - but with the result that only the > mentioned subnets where allowed to relay and authoriezed IP-adresses > where denied. > > Does anybody have a hint? I'll put this in my to-do list. The ip-map check can be moved inside where all other checks are, so that we can make it bypassable with AUTH. - Davide - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
[xmail] Re: SMTP-Relaying only from Authorized Destinations?
The "mail-auth" setting in server.tab may be what you're after, but I don't know if it overrides smtprelay.tab or not. -John Achim Schmidt wrote: >Hello List, > >because of the amount of Virus-Emails we are facing a major problem now. >First let me explain our current MX-Constellation: > >- Mail for exmaple.com has MX-Entries to mx.waaf.net >- mx.waaf.net are several machines running postfix/virusscanner >- if the email passes all tests it is delivered to the final destination >machine running xmail >- [EMAIL PROTECTED] also sent email through this xmail-box. > >Now there are more and more viruses that don't care about MX-Records and >drectly try to deliver mail for [EMAIL PROTECTED] to mail.exmaple.com. >Mail.example.com resolves to the xmail-box. > > >My solution to get rid of this non-filtered Virus-Emails is to only >allow SMTP-connections to the xmail-box from our subnets, where the >mx.waaf.net machines are located _AND_ from authorized IP-adresses >(SMTP-AUTH, POP-before-SMTP). > >I just tried to use smtp.ipmap.tab - but with the result that only the >mentioned subnets where allowed to relay and authoriezed IP-adresses >where denied. > >Does anybody have a hint? > > >Thanks a lot, > >Achim > >- >To unsubscribe from this list: send the line "unsubscribe xmail" in >the body of a message to [EMAIL PROTECTED] >For general help: send the line "help" in the body of a message to >[EMAIL PROTECTED] > > > > - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
[xmail] Re: SMTP-Relaying only from Authorized Destinations?
Did you make sure to set the first line of your smtp.ipmap.tab files to: "0.0.0.0" [tab] "0.0.0.0" [tab] "DENY" [tab] "1" -Mike - Original Message - From: "Achim Schmidt" <[EMAIL PROTECTED]> To: Sent: Tuesday, December 06, 2005 6:54 AM Subject: [xmail] SMTP-Relaying only from Authorized Destinations? Hello List, because of the amount of Virus-Emails we are facing a major problem now. First let me explain our current MX-Constellation: - Mail for exmaple.com has MX-Entries to mx.waaf.net - mx.waaf.net are several machines running postfix/virusscanner - if the email passes all tests it is delivered to the final destination machine running xmail - [EMAIL PROTECTED] also sent email through this xmail-box. Now there are more and more viruses that don't care about MX-Records and drectly try to deliver mail for [EMAIL PROTECTED] to mail.exmaple.com. Mail.example.com resolves to the xmail-box. My solution to get rid of this non-filtered Virus-Emails is to only allow SMTP-connections to the xmail-box from our subnets, where the mx.waaf.net machines are located _AND_ from authorized IP-adresses (SMTP-AUTH, POP-before-SMTP). I just tried to use smtp.ipmap.tab - but with the result that only the mentioned subnets where allowed to relay and authoriezed IP-adresses where denied. Does anybody have a hint? Thanks a lot, Achim - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED] - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
[xmail] Re: SMTP-Relaying only from Authorized Destinations?
As smtp-imap.tab takes precedence, you can't use it First possible solution : Use server.tab "SmtpConfig" variable setting it to "mail-auth" and ask your mx servers to use authentication too to send to the xmail box Second possible solution : Create a filter.pre-data type filter that test (pseudo-language ...) : if "@@REMOTEADDR" IS OK (compare to a list of ips) Accept; else Reject; and in the filter.pre-data.tab file put a line like : "!eax"[TAB]"myfiltercommand"[TAB]"@@REMOTEADDR"[NEWLINE] (bypass filter if authenticated) The filter can be a simple shell script ... Francis > -Message d'origine- > De : Achim Schmidt [mailto:[EMAIL PROTECTED] > Envoyé : mardi 6 décembre 2005 15:55 > À : xmail@xmailserver.org > Objet : [xmail] SMTP-Relaying only from Authorized Destinations? > > > > > Hello List, > > because of the amount of Virus-Emails we are facing a major > problem now. > First let me explain our current MX-Constellation: > > - Mail for exmaple.com has MX-Entries to mx.waaf.net > - mx.waaf.net are several machines running postfix/virusscanner > - if the email passes all tests it is delivered to the final > destination > machine running xmail > - [EMAIL PROTECTED] also sent email through this xmail-box. > > Now there are more and more viruses that don't care about > MX-Records and > drectly try to deliver mail for [EMAIL PROTECTED] to mail.exmaple.com. > Mail.example.com resolves to the xmail-box. > > > My solution to get rid of this non-filtered Virus-Emails is to only > allow SMTP-connections to the xmail-box from our subnets, where the > mx.waaf.net machines are located _AND_ from authorized IP-adresses > (SMTP-AUTH, POP-before-SMTP). > > I just tried to use smtp.ipmap.tab - but with the result that only the > mentioned subnets where allowed to relay and authoriezed IP-adresses > where denied. > > Does anybody have a hint? > > > Thanks a lot, > > Achim > > - > To unsubscribe from this list: send the line "unsubscribe xmail" in > the body of a message to [EMAIL PROTECTED] > For general help: send the line "help" in the body of a message to > [EMAIL PROTECTED] > - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
[xmail] Re: SMTP-Relaying only from Authorized Destinations?
On Tuesday 06 December 2005 09:54, Achim Schmidt wrote: > Hello List, > > because of the amount of Virus-Emails we are facing a major problem now. > First let me explain our current MX-Constellation: > > - Mail for exmaple.com has MX-Entries to mx.waaf.net > - mx.waaf.net are several machines running postfix/virusscanner > - if the email passes all tests it is delivered to the final destination > machine running xmail > - [EMAIL PROTECTED] also sent email through this xmail-box. > > Now there are more and more viruses that don't care about MX-Records and > drectly try to deliver mail for [EMAIL PROTECTED] to mail.exmaple.com. > Mail.example.com resolves to the xmail-box. > > > My solution to get rid of this non-filtered Virus-Emails is to only > allow SMTP-connections to the xmail-box from our subnets, where the > mx.waaf.net machines are located _AND_ from authorized IP-adresses > (SMTP-AUTH, POP-before-SMTP). > > I just tried to use smtp.ipmap.tab - but with the result that only the > mentioned subnets where allowed to relay and authoriezed IP-adresses > where denied. I don't have an XMail solution to your problem, but if it were up to me I would prefer to handle this with DNS or firewall changes anyway. Idea 1 - Delete the "mail" CNAME (or change the host name and A record) for the example.com server. Assign a less obvious name like smtp42 and have the authorized clients use the smtp42 alias. Idea 2 - Adjust the firewall rules on mail.example.com to only allow port 25 connection from the authorized IPs and reject everything else. Idea 3 - If your server supports it, use DNAT on mail.example.com to forward port 25 traffic to mx.waaf.net. Jeff - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]