A packet filter solution works with IMGate for MX traffic.

1. All MXs:

   domain.tld.  MX 10 mx1.whatever.tld.

   .. all "legit" traffic comes through here. The IMGate relays to Imail port 25.

2. Imail preparation:

   a. activate SMTP port 587 (see imail KB)
   b. port 25 remains unchanged

3. packet filter pseudo-rules:

   a. allow from any IP to Imail-IP port 587

      ... the standard submit port that requires SMTP AUTH for any submission, even to Imail local domains.

   b. redirect from any IP for Imail-IP 25 to Imail-IP port 587.

      ... this is what kills all illegit/abuse inbound to port 25/local domains. The abusers can't do SMTP AUTH, so they get rejected.

We learned last week that (some older?) PIX can't do this:

   allow Imail-IP-1 port 587 outside to Imail-IP-1 port 587 inside
   redirect Imail-IP-1 port 25 to Imail-IP-1 port 587

So the work-around was to have 2 IPs on the Imail (Imail listens for all Imail domains on every IP.)

   allow Imail-IP-1 port 587 outside to Imail-IP-1 port 587
   redirect Imail-IP-1 port 25 to Imail-IP-2 port 587

With the above scheme, all inbound traffic is choke-pointed to

1. The MX
2. Imail port 587, requiring SMTP AUTH.

Roamers don't have to change anything in their email programs.

1. If their access provider permits outbound to port 25, the user submits to Imail port 25, but really ends up on Imail port 587, and must SMTP AUTH.
2. If the access provider blocks outbound to port 25, the roamer submits to Imail port 587, must SMTP AUTH.

If you've not looked at how port 587 works, here's how "port 25" behaves when re-directed to port 587 as above:

   telnet imail.domain.tld 25
   Trying <ip address>...
   Connected to imail.domain.tld
   Escape character is '^]'.
   220 imail.domain.tld (IMail 8.21 5858-3) NT-ESMTP Server X1
   exit
   530 user must authenticate on this port

.... "exit" isn't an SMTP command, but Imail refuses all commands, even bad commands, at that point except:

   EHLO label.domain.tld.

or the SMTP AUTH command

Here's a more common dialog:

   220 imail.domain.tld (IMail 8.22 23-1) NT-ESMTP Server X1
   ehlo this.is.me
   250-imail.domain.tld says hello
   250-SIZE 8388608
   250-8BITMIME
   250-DSN
   250-ETRN
   250-AUTH LOGIN CRAM-MD5
   250-AUTH LOGIN
   250-AUTH=LOGIN
   250-EXPN
   250 STARTTLS
   mail from:<[EMAIL PROTECTED]>
   530 user must authenticate on this port

==========================
Len
_____________________________________________________________________
http://IMGate.MEIway.com : free anti-spam gateway, runs on 1000's of sites
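
One way to confirm from a captured session that port 25 really lands on the authenticated submit port, as an added example that is not part of the original post: the script parses an SMTP dialog and flags any command that got something other than 530 before authentication. The function names and the second transcript are constructed for illustration.

```python
import re

REPLY = re.compile(r"^(\d{3})([ -])(.*)$")   # SMTP reply line: code, '-' or ' ', text
PRE_AUTH_OK = {"EHLO", "AUTH"}               # per the post; widen if your server differs

def parse_dialog(text):
    """Pair each client line with the code and text lines of the reply that follows it."""
    exchanges, command, reply = [], None, []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = REPLY.match(line)
        if not m:                            # not a reply, so the client typed it
            command, reply = line, []
            continue
        reply.append(m.group(3))
        if m.group(2) == " ":                # a space ends a (multi-line) reply
            exchanges.append((command, int(m.group(1)), reply))
            command, reply = None, []
    return exchanges

def audit_submission_port(text):
    """Return (auth_advertised, violations): pre-auth commands not answered with 530."""
    authenticated = in_auth = advertised = False
    violations = []
    for command, code, reply in parse_dialog(text):
        if command is None:                  # greeting banner, no client command
            continue
        verb = command.split()[0].upper()
        if in_auth or verb == "AUTH":        # AUTH command or a challenge response
            in_auth, authenticated = code == 334, authenticated or code == 235
        elif verb == "EHLO":
            advertised = advertised or any(r.upper().startswith("AUTH") for r in reply)
        elif not authenticated and verb not in PRE_AUTH_OK and code != 530:
            violations.append((command, code))
    return advertised, violations

# Adapted from the two dialogs in the post (EHLO reply abridged).
REDIRECTED = """220 imail.domain.tld (IMail 8.22 23-1) NT-ESMTP Server X1
ehlo this.is.me
250-AUTH LOGIN CRAM-MD5
250 STARTTLS
exit
530 user must authenticate on this port
mail from:<[EMAIL PROTECTED]>
530 user must authenticate on this port"""
# Constructed failure case: port 25 answered by an ordinary listener, redirect not in effect.
NOT_REDIRECTED = """220 mail.example.test ESMTP
ehlo this.is.me
250 mail.example.test says hello
mail from:<probe@example.test>
250 ok"""
```

`audit_submission_port(REDIRECTED)` reports AUTH advertised and no violations; the constructed second session is flagged because `mail from` was accepted without authentication.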
