Chuck, I really appreciate the detailed explanation and assistance.
Regards, Rashid On 8/17/10 11:53 AM, "Chuck Tetlow" <[email protected]> wrote: > We do exactly that with a Roaring Penguin filter for all our e-mail. All MX > records point to the filtering box, and it knows to send the mail to > mail.domain.com to get the mail to each BX server. > > We were still having a problem with the SPAMMERS using scripts to send their > crud directly to IP addresses, instead of using the MX records. So on the > servers, we put in IPTables rules that only allowed TCP Port25 connections > from the Roaring Penguin box. > > Go into your /etc/sysconfig/iptables file and add this before all the allows > per IP address: > > -A acctin -m state --state NEW -p tcp -s 10.0.0.0/8 --dport 25 -j ACCEPT > -A acctin -m state --state NEW -p tcp -s 172.16.32.0/16 --dport 25 -j ACCEPT > -A acctin -m state --state NEW -p tcp -s 192.168.0.0/16 --dport 25 -j ACCEPT > -A acctin -m state --state NEW -p tcp -s localnetwork.0/24 --dport 25 -j > ACCEPT > -A acctin -m state --state NEW -p tcp --dport 25 -j LOG --log-prefix "E-Mail > Connect " > -A acctin -m state --state NEW -p tcp --dport 25 -j DROP > > The first four lines allow in connections from any internal private networks > and your own local network. That way, your users can still send on port 25 > (they'll never notice a difference). For outside users, we force them onto > the submission port 587. > > And this assumes your filtering appliance is on one of these networks. If > not, add another line to specifically add its address to the ACCEPT lines. > > The fifth line logs connections. I have a script that greps out those entries > daily so I can keep track of those scumbags trying really hard and report > them. > > The last line just drops any other TCP Port 25 connection. Wa La! No more > connections to that server from anyone but your filtering appliance (assuming > its in one of those above networks). This cut down the amount of SPAM at our > servers to almost nill, and cut total e-mail load by 60% - 90%. Save this in > the IPTables configuration file and restart IPTables with "service iptables > restart". > > But to prevent the system from overwriting those configurations (and it WILL) > - use the command "chattr +i /etc/sysconfig/iptables". It will make the file > unchangable - even by root. So if you want to modify it yourself, you first > have to use "chattr -i /etc/sysconfig/iptables". And you can see if that > immutable bit is set with "lsattr /etc/sysconfig/". > > Good luck. > > > > Chuck > > > > > ---------- Original Message ----------- > From: Abdul Rashid Abdullah <[email protected]> > To: BlueOnyx <[email protected]> > Sent: Tue, 17 Aug 2010 04:50:49 -0400 > Subject: [BlueOnyx:05231] Forcing Incoming Mail Through Anti-SPAM Firewall > >> > What is the best way to insure I force all incoming mail through my >> > anti-spam firewall? >> > >> > I have already done the following: >> > >> > 1. MX Record Points to Anti-SPAM Firewall >> > 2. Anti-SPAM Firewall points directly to mail server hostname (skipping MX >> > Record). >> > >> > I want to make sure no one can send mail directly to the mail server >> > hostname. Are there specific configurations I should be making on the >> > server in the email server settings page? >> > >> > Regards, >> > >> > Rashid >> > >> > _______________________________________________ >> > Blueonyx mailing list >> > [email protected] >> > http://www.blueonyx.it/mailman/listinfo/blueonyx > ------- End of Original Message ------- > > > _______________________________________________ > Blueonyx mailing list > [email protected] > http://www.blueonyx.it/mailman/listinfo/blueonyx
_______________________________________________ Blueonyx mailing list [email protected] http://www.blueonyx.it/mailman/listinfo/blueonyx
