We do exactly that with a Roaring Penguin filter for all our e-mail.  All MX 
records point to the filtering box, and it knows to send the mail to 
mail.domain.com to get the mail to each BX server.

We were still having a problem with the SPAMMERS using scripts to send their 
crud directly to IP addresses, instead of using the MX records.  So on the 
servers, we put in IPTables rules that only allowed TCP Port25 connections from 
the Roaring Penguin box. 

Go into your /etc/sysconfig/iptables file and add this before all the allows 
per IP address:

-A acctin -m state --state NEW -p tcp -s 10.0.0.0/8 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s 172.16.32.0/16 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s 192.168.0.0/16 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s localnetwork.0/24 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp --dport 25 -j LOG --log-prefix "E-Mail 
Connect "
-A acctin -m state --state NEW -p tcp --dport 25 -j DROP

The first four lines allow in connections from any internal private networks 
and your own local network.  That way, your users can still send on port 25 
(they'll never notice a difference).  For outside users, we force them onto the 
submission port 587. 

And this assumes your filtering appliance is on one of these networks.  If not, 
add another line to specifically add its address to the ACCEPT lines.

The fifth line logs connections.  I have a script that greps out those entries 
daily so I can keep track of those scumbags trying really hard and report them.

The last line just drops any other TCP Port 25 connection.  Wa La!  No more 
connections to that server from anyone but your filtering appliance (assuming 
its in one of those above networks).  This cut down the amount of SPAM at our 
servers to almost nill, and cut total e-mail load by 60% - 90%.  Save this in 
the IPTables configuration file and restart IPTables with "service iptables 
restart".

But to prevent the system from overwriting those configurations (and it WILL) - 
use the command "chattr +i /etc/sysconfig/iptables".  It will make the file 
unchangable - even by root.  So if you want to modify it yourself, you first 
have to use "chattr -i /etc/sysconfig/iptables".  And you can see if that 
immutable bit is set with "lsattr /etc/sysconfig/".

Good luck.

Chuck

---------- Original Message -----------
From: Abdul Rashid Abdullah <[email protected]> 
To: BlueOnyx <[email protected]> 
Sent: Tue, 17 Aug 2010 04:50:49 -0400 
Subject: [BlueOnyx:05231]  Forcing Incoming Mail Through Anti-SPAM Firewall

> What is the best way to insure I force all incoming mail through my 
> anti-spam firewall? 
> 
> I have already done the following: 
> 
> 1.  MX Record Points to Anti-SPAM Firewall 
> 2.  Anti-SPAM Firewall points directly to mail server hostname (skipping MX 
> Record). 
> 
> I want to make sure no one can send mail directly to the mail server 
> hostname.  Are there specific configurations I should be making on the 
> server in the email server settings page? 
> 
> Regards, 
> 
> Rashid 
> 
> _______________________________________________ 
> Blueonyx mailing list 
> [email protected] 
> http://www.blueonyx.it/mailman/listinfo/blueonyx 
------- End of Original Message -------
 
_______________________________________________
Blueonyx mailing list
[email protected]
http://www.blueonyx.it/mailman/listinfo/blueonyx

Reply via email to