A packet filter solution works with a separate box for MX traffic.

1.  All MXs:

domain.tld.   MX 10  mx1.whatever.tld.

... all "legit" traffic comes through here. The MX gateway relays to Imail port 25.

2. Imail preparation:

a. activate SMTP port 587  (see imail KB)
b. port 25 remains unchanged

3. packet filter pseudo-rules:

a. allow from any IP to Imail-IP port 587

... the standard submit port that requires SMTP AUTH for any submission, even to Imail local domains.

b. redirect from any IP for Imail-IP 25 to Imail-IP port 587.

... this is what kills all illegit/abuse inbound to port 25/local domains. The abusers can't do SMTP AUTH, so they get rejected.


We learned last week that (some older?) PIX can't do this:

allow Imail-IP-1 port 587 outside to Imail-IP-1 port 587 inside
redirect Imail-IP-1 port 25 to Imail-IP-1 port 587

So the work-around was to have 2 IPs on the Imail (Imail listens for all Imail domains on every IP.)

allow Imail-IP-1 port 587 outside to Imail-IP-1 port 587
redirect Imail-IP-1 port 25 to Imail-IP-2 port 587

With the above scheme, all inbound traffic is choke-pointed to

1. The MX

2. Imail port 587, requiring SMTP AUTH.

Roamers don't have to change anything in their email programs.

1. if their access provider permits outbound to port 25, the user submits to Imail port 25, but really ends up on Imail port 587, and must SMTP AUTH.

2. If the access provider blocks outbound to port 25, the roamer submits to Imail port 587, must SMTP AUTH.

If you've not looked at how port 587 works, here's how "port 25" behaves when re-directed to port 587 as above:

telnet  imail.domain.tld 25

Trying <ip address>...
Connected to imail.domain.tld
Escape character is '^]'.

220 imail.domain.tld (IMail 8.21 5858-3) NT-ESMTP Server X1
exit
530 user must authenticate on this port

.... "exit" isn't an SMTP command, but Imail refuses all commands at that point except:

EHLO label.domain.tld.

or the SMTP AUTH command

Here's a more common dialog:

220 imail.domain.tld (IMail 8.22 23-1) NT-ESMTP Server X1
ehlo this.is.me
250-imail.domain.tld says hello
250-SIZE 8388608
250-8BITMIME
250-DSN
250-ETRN
250-AUTH LOGIN CRAM-MD5
250-AUTH LOGIN
250-AUTH=LOGIN
250-EXPN
250 STARTTLS
mail from:<[EMAIL PROTECTED]>
530 user must authenticate on this port


==========================

Len



_____________________________________________________________________
http://IMGate.MEIway.com : free anti-spam gateway, runs on 1000's of sites


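The port 587 behaviour shown in the two dialogs above, as an added example that is not part of Len's post or of IMail itself: a small Python simulation of the AUTH-required submission port together with the packet-filter redirect from port 25, walked through from both the abuser's and the roamer's side. The host address 192.0.2.10, the account roamer/s3cret and the banner text are constructed for the example; the real IMail banner, user database and mechanism list differ (the original dialog advertises AUTH LOGIN and CRAM-MD5, here PLAIN and LOGIN are simulated).

```python
import base64

# Constructed values for the example: the Imail host address and one
# account.  A real IMail server checks its own user database.
IMAIL_IP = "192.0.2.10"
USERS = {"roamer": "s3cret"}
AUTH_REQUIRED = "530 user must authenticate on this port"


class SubmissionSession:
    """SMTP state machine for the port 587 behaviour described above:
    until AUTH succeeds only EHLO/HELO, AUTH, STARTTLS and QUIT are
    accepted; every other command gets the 530 reply."""

    def __init__(self):
        self.authed = False
        self.login_step = None   # ("user", None) or ("pass", user) during AUTH LOGIN
        self.transcript = ["220 imail.domain.tld (simulated) ESMTP submission port"]

    def command(self, line):
        """Feed one client line, record both sides, return the server reply."""
        self.transcript.append(line)
        reply = self._dispatch(line.rstrip("\r\n"))
        self.transcript.append(reply)
        return reply

    def _dispatch(self, line):
        if self.login_step is not None:          # inside a multi-step AUTH LOGIN
            return self._auth_login_step(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            return "250-imail.domain.tld says hello\r\n250-AUTH LOGIN PLAIN\r\n250 STARTTLS"
        if verb == "STARTTLS":
            return "220 Ready to start TLS"       # the TLS handshake itself is not simulated
        if verb == "QUIT":
            return "221 Bye"
        if verb == "AUTH":
            return self._auth(arg)
        if not self.authed:                      # MAIL, RCPT, DATA, "exit", anything else
            return AUTH_REQUIRED
        if verb in ("MAIL", "RCPT"):
            return "250 OK"
        if verb == "DATA":
            return "354 Start mail input"
        return "500 Command not recognized"

    def _auth(self, arg):
        mech, _, initial = arg.partition(" ")
        mech = mech.upper()
        if mech == "PLAIN" and initial:
            # AUTH PLAIN carries base64("\0user\0password") on the AUTH line
            parts = base64.b64decode(initial).split(b"\0")
            if len(parts) == 3:
                return self._check(parts[1].decode(), parts[2].decode())
            return "501 Malformed AUTH PLAIN"
        if mech == "LOGIN":
            self.login_step = ("user", None)
            return "334 " + base64.b64encode(b"Username:").decode()
        return "504 Unrecognized authentication type"

    def _auth_login_step(self, line):
        stage, user = self.login_step
        try:
            value = base64.b64decode(line).decode()
        except Exception:
            self.login_step = None
            return "501 Malformed base64"
        if stage == "user":
            self.login_step = ("pass", value)
            return "334 " + base64.b64encode(b"Password:").decode()
        self.login_step = None
        return self._check(user, value)

    def _check(self, user, password):
        if USERS.get(user) == password:
            self.authed = True
            return "235 Authentication successful"
        return "535 Authentication failed"


def connect(dst_ip, dst_port):
    """Pseudo-rule 3b from the post: a connection for Imail-IP port 25 is
    redirected to port 587, so both ports land in the same AUTH-required
    session.  Any other destination is dropped by the filter (None)."""
    if dst_ip == IMAIL_IP and dst_port in (25, 587):
        return SubmissionSession()
    return None


def abuser_dialog():
    """Spam source hitting port 25 directly: EHLO works, MAIL FROM gets 530."""
    s = connect(IMAIL_IP, 25)
    s.command("EHLO spam.example")
    return s.command("MAIL FROM:<x@spam.example>")


def roamer_dialog(port, user="roamer", password="s3cret"):
    """Roaming user: identical commands on 25 or 587, accepted only after AUTH."""
    s = connect(IMAIL_IP, port)
    s.command("EHLO laptop.example")
    creds = base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode()).decode()
    s.command("AUTH PLAIN " + creds)
    return s.command("MAIL FROM:<roamer@domain.tld>")


if __name__ == "__main__":
    print(abuser_dialog())                       # 530 user must authenticate on this port
    print(roamer_dialog(25))                     # 250 OK
    print(roamer_dialog(587))                    # 250 OK
    print(roamer_dialog(25, password="wrong"))   # 530 user must authenticate on this port
```

The session keeps a transcript list so a dialog can be dumped the same way the telnet captures above read; the point of the simulation is that the abuser and the roamer on port 25 hit exactly the same code path, and only a correct AUTH flips the session into a state where MAIL FROM is accepted.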