[IMGate] Re: Any PIX aces here?
to repeat more clearly, we want the (PIX) firewall to do:
1. Internet access to an Imail-IP port 25 will be redirected to that Imail-IP port 587.
2. Internet access to an Imail-IP port 587 will be allowed/pass-thru to that Imail-IP port 587.

Net results:
1. Internet will have no access to any Imail-IP port 25.
2. All Internet access to Imail SMTP service will be choke-pointed to Imail port 587, where msg submission requires SMTP AUTH.

===

Cisco told our PIX guy over the weekend: it appears that the PIX does not allow more than one outside port (25, 587) to redirect to the same inside port (Imail 587). Either port 25 on the outside redirects to inside port 587, or outside port 587 goes to port 587, but not both. Do any of you PIX admins have a way around this?

Thanks
Len

Yes. Define another address on the IMail box and direct your second port there. Had the exact same problem with my firewall.

Gerry
[IMGate] Re: SAV good or bad idea?
I am in the process of testing a Barracuda Networks spamfilter for one of my clients. Their MTA is Postfix (but they won't tell you that) and their support says it's a bad idea to do SAV.

SAV against domains whose MXs answer is fine. Legit @sender.domains that fail SAV almost always fail with "MX for sender.domain not contactable", as well as force a FQDN in the helo command. Depends on how [EMAIL PROTECTED] you wanna be, can afford to be.

Has anyone run into problems with SAV rejecting good mail because the sending MTA is not the final mail server?

SAV doesn't probe the sending MTA, but probes the MX for @sender.domain.

Len

The big problem I have with SAV is when the sender uses a b0rked up domain (like [EMAIL PROTECTED], and Postfix can't resolve or SMTP to weblist.example.com) or the valid email is from a sender address that does not exist (like [EMAIL PROTECTED]). For my low volumes this is not a problem. I usually whitelist those addresses, and you could configure Postfix not to SAV to problem domains.

Gerry
[IMGate] Re: Confused on howto Whitelist a server.
Ten Forward Customer Support wrote:

Header and Body checks can't be whitelisted. It is a limitation of Postfix.
-Jerry
---
Thank You
Ten Forward Customer Support

Just to be clear on this... Is there no way to whitelist a server by IP to bypass Header Checks or Body Checks? If that's the case, will I need to remove all header and body checks to whitelist the IP of an MTA?
-Kevin

I think this would involve going beyond the basic IMGate configuration. I think this can be done with multiple Postfix instances. Direct the whitelisted sender to an instance without body filters, and all the rest to the instance with filters.

Or, what I try to do for header checks is put a From: statement with OK near the top. This should bypass header checks for that (possibly forged) sender. Perhaps something similar can be done for body checks?
[IMGate] Re: brute force login ssh attacks
I found a lot of the remote brute attacks involve the root account.

On mine, I see mostly dictionary attacks and attempts like: Illegal user guest|admin|user|linux|unixtest and more.

Don't allow remote root logins, login regular user and sudo to root.

Early tip I've been using, I login as a user and su to root. (I take it that su is the FreeBSD equivalent to sudo?)

I do see occasional: Failed password for root - How do I remove root from sshd access??

/etc/ssh/sshd_config has the default:
#PermitRootLogin no

I guess I really don't need to remove root's access since the default config prevents root from logging in.

Thanks!
Gerry

Also, you might consider firewalling your ssh to anything except ISPs you think you might want to login from. It's cut the traffic down to 0 for me.
-Darren

Hope this helps and if I'm too far OT I apologize.

Anything to help secure *nix boxes against these ssh attacks is welcome.

thanks
Len
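A small way to see which sources are behind the "Illegal user" and "Failed password for root" lines the thread talks about, as an added example (not code from the list): it counts sshd failures per source IP over constructed sample log lines, so the noisy sources can be firewalled as Darren suggests. The function name ssh_bruteforce_report and the sample hosts/addresses are my own; it also accepts the newer "Invalid user" wording.

```shell
#!/bin/sh
# Added example: summarise sshd brute-force noise per source IP.

# Constructed sample log lines in the OpenSSH auth.log format of the period.
SAMPLE_LOG='Oct 20 13:37:01 plankton sshd[1201]: Illegal user guest from 203.0.113.5
Oct 20 13:37:02 plankton sshd[1202]: Illegal user admin from 203.0.113.5
Oct 20 13:37:03 plankton sshd[1203]: Failed password for root from 203.0.113.5 port 4021 ssh2
Oct 20 13:37:04 plankton sshd[1204]: Failed password for illegal user linux from 203.0.113.5 port 4022 ssh2
Oct 20 13:37:09 plankton sshd[1210]: Failed password for gerry from 198.51.100.7 port 52100 ssh2
Oct 20 13:37:15 plankton sshd[1211]: Accepted password for gerry from 198.51.100.7 port 52101 ssh2'

# ssh_bruteforce_report THRESHOLD: read sshd log lines on stdin and print
# "IP COUNT" for every source with at least THRESHOLD failed attempts,
# highest count first, ties broken by IP. Successful logins are ignored.
ssh_bruteforce_report() {
    awk -v min="$1" '
        /sshd\[[0-9]+\]: (Illegal user|Invalid user|Failed password for)/ {
            # the source address is the word after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip != "") attempts[ip]++
            ip = ""
        }
        END { for (a in attempts) if (attempts[a] >= min) print a, attempts[a] }
    ' | sort -k2,2nr -k1,1
}

# With a threshold of 3 only the dictionary-attack source is listed;
# the single typo from a legitimate user stays below the bar.
printf '%s\n' "$SAMPLE_LOG" | ssh_bruteforce_report 3
```

Feed it a real log with something like `grep sshd /var/log/auth.log | ssh_bruteforce_report 10` and use the output to decide which sources to block at the firewall.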
[IMGate] Re: brute force login ssh attacks
Early tip I've been using, I login as a user and su to root. (I take it that su is the FreeBSD equivalent to sudo?)

fbsd has sudo

I first did:
plankton# man sudo
No manual entry for sudo
plankton#

But after googling I see that it's a way for a user to execute a command as root. Lots of control and logging possible.

sudo: Command not found.

Odd, maybe I just don't have it installed! I'll stick with doing su since I understand it!

Thanks again!
[IMGate] Re: New User Question
Oh, and a more direct answer to your question- If they are HELOing with your server's public IP, my experience is that it's always crap. Put it on hold and review the messages as I've described- you'll probably switch it back to REJECT!

-- Original Message --

Hi All,

I am a new user with IMGate and am testing my IMGate box now and noticed that when a message fails a test (like it contains an IP address in the hostname) it deletes the message from the queue. Is there a way I can set it so that it will move the message to a folder? I am just a little cautious that I don't want to delete anything that some users may later need.

I really like this set-up so far! A BIG thanks to Len for sharing the config files in the first place!!!

Jacques Brouwers

Most restrictions are REJECT where we basically 'hang up the phone' on the email session. A normal mailserver will generate a non-delivery reply and send that to the original sender. Malware or spamware will just continue on to the next victim.

In comparison, this is not accepting the message and then deciding we can't deliver it (like some Exchange servers for example), then either bouncing it back to the envelope sender, which could be forged (bad to do), or discarding/deleting the message (also bad since the sender does not know the email was not delivered).

You can change REJECT to HOLD, and the email will be accepted. The mailq command will show ! after the queue id for message(s) that are held. You can then:

postcat -q qid | more

to view the message. Replace qid with the appropriate queue id. Then use

postsuper -H qid
postsuper -d qid

Use -H to unhold and deliver the message, or -d to delete it.

Hope this helps, and welcome to Postfix/IMGate!
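One way to work through held mail from the command line, as an added example that is not from the thread: it parses a constructed sample of mailq output with awk, lists each held queue id (the "!" entries) with its sender and first recipient, and prints the postcat/postsuper commands described above without running them. The function names held_summary and review_commands, and the sample addresses and queue ids, are my own.

```shell
#!/bin/sh
# Added example: find HOLD entries in mailq output and print the review steps.

# Constructed sample of Postfix mailq output: one held message (queue id ends
# in "!"), one active message ("*") and one deferred message (no suffix).
SAMPLE_MAILQ='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5!     2048 Thu Oct 20 13:37:01  sender@example.net
                                         jacques@example.org

F6E7D8C9B0*     1024 Thu Oct 20 13:38:10  other@example.com
                                         kevin@example.org

0123456789      4096 Thu Oct 20 13:39:00  bounce@example.org
                                         nobody@example.invalid

-- 7 Kbytes in 3 Requests.'

# held_summary: read mailq output on stdin and print "QUEUEID SENDER RECIPIENT"
# for each held message (first recipient only).
held_summary() {
    awk '
        # a queue-id line starts in column 1; a "!" suffix marks HOLD
        /^[0-9A-F]+!/ { qid = $1; sub(/!$/, "", qid); sender = $NF; held = 1; next }
        # recipient lines are indented; take the first one after a held entry
        held && /^[ \t]+[^ \t]/ { print qid, sender, $1; held = 0; next }
        { held = 0 }
    '
}

# review_commands: for every held id print the commands an operator would run.
# They are printed, not executed, so this script never touches the queue.
review_commands() {
    held_summary | awk '{
        printf "postcat -q %s | more\n", $1
        printf "# then: postsuper -H %s (deliver) or postsuper -d %s (delete)\n", $1, $1
    }'
}

printf '%s\n' "$SAMPLE_MAILQ" | held_summary
printf '%s\n' "$SAMPLE_MAILQ" | review_commands
```

On a live gateway, `mailq | held_summary` gives the same listing for the real queue.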
[IMGate] Re: anyone else getting hit by this jerk
This could be a virus- mytob or something like it. I've been getting stuff claiming to be: admin/administrator/info/mail/service/support/register/webmaster at mydomain, sending to bogus users at mydomain. I just added the above to my from_senders_bw.map, since IF they were valid senders, they would only come in through mynetworks.

On Thursday 20 October 2005 01:37 pm, List_Mail wrote:

Anyone else getting tons of crap from this ip. Neither the from or to is legit. I emailed the admins 3 days ago and they said they were looking into it. Guess either they are part of it or stupid and can't get it stopped. I have set up a filter that sends out the email to them. But they still haven't done a thing about it.

Out: 220 spiderman.wirelesscommunitynetworks.com - ESMTP - Postfix - Attn: UCE trespassers will be pursued.
In: EHLO thedewars.net
Out: 250-spiderman.wirelesscommunitynetworks.com
Out: 250-PIPELINING
Out: 250-SIZE 500
Out: 250-ETRN
Out: 250 8BITMIME
In: MAIL FROM:[EMAIL PROTECTED]
Out: 250 Ok
In: RCPT TO:[EMAIL PROTECTED]
Out: 550 unknown[216.183.72.131]: Client host rejected: UCE Stop the spam
Session aborted, reason: lost connection
[IMGate] Re: IMGate/Postfix under Ubuntu/Debian
From: William Van Hefner [EMAIL PROTECTED]

What have you thought of IMGATE so far? How effective is it compared to your previous solution?

So far, I am only using IMGate as an anti-spam gateway for my secondary (Imail) mail server. I am slowly working on replacing that box altogether, and will eventually put an IMGate/Postfix box in front of my main mail server as well, as soon as I am comfortable enough with knowing how to run

snip

I'll probably also integrate my SortMonster/MessageSniffer filter into spamassassin eventually as well. That is by far my most effective filter on the IMail machine. Long-term, I will eventually scrap IMail altogether, and just run a pure Postfix box behind the IMgate box. I have a LONG way to go before I will feel comfortable enough to do that though.

Postfix behind IMGate? IMGate is Postfix. This is not Windo$, you don't need the redundancy. Now, many will run Spamassassin/virus filtering on a second box, and that would not need Postfix. Now, for replacing IMail, the second box could be Courier/Cyrus per Keith's example, and Postfix would not be needed on that box either.

I've been happily running IMGate(Postfix) in front of my IMail/Exchange boxes for several years now! :-)

I'm getting ready to start setting up a replacement for IMail, probably based on Courier.
[IMGate] Re: AV scanning
From: NeoBlu [EMAIL PROTECTED]

I haven't yet implemented AV scanning at the MX level and would like to. Any recommendations? I would assume that given the CPU cost, a dedicated box might be better long term.

Depends on your mail volume and the load on your mail server(s). I run virus scanning on my two Postfix gateway servers.

Do any of you run more than one AV scanner? Which ones?

I run uvscan (McAfee) and clamav (via its clamd daemon). On my test server, I run uvscan, clamd, AVG (daemon), BitDefender, Sophos (via SAVI), TrendMicro (via trophie), and F-Prot. All run very well on Linux, and all are called by amavisd-new.

Bill

And if you have a policy to REJECT executable attachments outright, there's less to scan.
[IMGate] Re: OT: amavisd-new taking too much CPU
Reject executable attachments outright. Then you just have to worry about scanning just the infected zip files! And 99% of the zip files I put on hold are trojans and then just deleted. (Haven't implemented virus scanning yet on my IMGate, but it's on the to-do list for someday! :-)

I'm using amavisd-new + ClamAV to scan for viruses in my IMGate box. I'm not using any of the anti-spam functions in amavis, I prefer to use IMGate for that, so I'm just using it for virus scanning.

In my amavis configuration I'm using 2 as max_servers. I've noticed that there are two /usr/bin/uncompress processes running all the time, each one taking around 45% of CPU (according to top) and my usual load averages are always above 2.

Is this normal? Is there any way to improve the performance in this machine?

Thank you,
Adolfo Justiniano
Santa Cruz BBS
e-mail: [EMAIL PROTECTED]
http://www.scbbs.net
[IMGate] Re: Problem with main.cf syntax
From: Richard Edge [EMAIL PROTECTED]

I just encountered an issue with the main.cf file as provided by Len for the basic Imgate configuration and hope someone can clarify the situation for

SNIP

Is the /etc/postfix/to_recipients_bw.map the correct place to add email addresses for our users who don't want email blocked? The users in question receive email from Korea for potential students and since I set up IMGate here they are being contacted by people telling them that email from these potential Korean students is being rejected.

Korean mail is probably being blocked by either header checks or body checks- since Len is very aggressive in blocking Asian sourced spam. IIRC body checks has several checks for foreign character sets. Header/Body checks apply to all mail and I don't think you can selectively bypass them.

I have asked for the specific bounce messages but to date none have been supplied, making it more difficult to track down the problem. I also don't want to open it up to allow spam to the rest of our users. The purpose here is for two departments who need to receive email from Korea, English as a Second Language Institute and our Korean Worldview Studies program. Any suggestions would be helpful.

Your missing bounces were probably returned to the Korean students, who cannot send a copy to your user- I doubt they can send you a copy of the bounce!

What Postfix book are you referencing? If the book was based on 1.x, there are many things added to 2.0 and even 2.2!

Gerry