Not to re-invent the wheel here, but this falls into the same kind of
thing I've been rolling out to all of my mailservers:
- Port 25 is used to receive inbound mail ONLY. There is no auth
capability on port 25 (currently enforced by spamdyke), and there
is no relaying on port 25 (unless via smtproutes).
- Users who send via port 25 can ONLY be successful (by accident) if
they're sending to a locally hosted domain... and if that accidentally
works, it should be because SPF somehow allowed it to work.
- Port 587 is used by all users to send mail. Period. They MUST
authenticate, and the use of SSL is permitted (although, you could
choose to require it if you so desire).
- Port 465 is used exactly like port 587 except that SSL is definitely
required. Users are told to use 587, but some few have clients that
choose 465 automatically.
BTW: I also REQUIRE my hosted domains to use an "-all" at the end of
their SPF designation (clearly, that means I also REQUIRE SPF)... and I
enforce SPF with a 3 in spfbehavior (and in SpamAssassin).
Among other things, this allows me to monitor/scan log files for inbound
and outbound mail separately. While my users still get plenty of SPAM,
these steps help alleviate the "faked" SPAM. If more people used SPF
with a "-all" (correctly), then far LESS SPAM would be out there... but
if more people were smarter about these things, I wouldn't be making the
money I am helping them fix them! :-)
I'll write a Wiki article (the 2nd I'm trying to work through) to
explain this in detail.
Dan McAllister
QMT DNS/Mirror Admin
PS: Had fun the other day when a client got a QMAIL reject when sending
a message to one of their clients.... they assumed the reject came from
our server, but it turns out at least some of GoDaddy's mail servers are
QMAIL, as it was a QMAIL server at secureserver.net that issued the
REJECT :-)
Made my client feel good about my email service, knowing I was using the
same systems as GoDaddy! :-)
On 11/21/2013 9:11 PM, Angus McIntyre wrote:
> Eric Shubert wrote:
>> I honestly don't understand fail2ban in any detail. I wonder though, if
>> perhaps it's set up such that if someone's authentication fails, then it
>> changes iptables such that nobody can attempt to authenticate any more
>> (like blocking port 587 for any address). That'd be pretty bad. :(
> If you get a certain number of failed authentications from a particular IP
> (usually 3 or 4), it will use iptables to ban that IP from connecting to
> the port in question. So 'nobody' means 'nobody at that IP', not 'nobody
> in the world'.
> Incidentally, when I got tired of grinders trying to guess passwords on my
> toaster, I banned a bunch of Chinese class C's (banning a surprisingly
> small number took care of most of the attempts I was seeing) and added a
> fail2ban filter that does an insta-kill (1 attempt is enough to invoke the
> rule) on anything that tries to authenticate with a username that doesn't
> include a domain name. That's been pretty effective.
> Angus
--
PLEASE TAKE NOTE OF OUR NEW ADDRESS
===================================
IT4SOHO, LLC
33 - 4th Street N, Suite 211
St. Petersburg, FL 33701-3806
CALL TOLL FREE:
877-IT4SOHO
877-484-7646 Phone
727-647-7646 Local
727-490-4394 Fax
We have support plans for QMail!
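As an added illustration of the two ideas in this thread (Angus's fail2ban logic of banning an IP after a few failed logins, plus an instant ban for any login name with no domain part, and Dan's requirement that hosted domains publish SPF ending in "-all"), here is a small Python script that is not part of the original thread or of fail2ban/qmailtoaster. The log line format (`smtp-auth fail user=... ip=...`), the sample lines and the sample SPF records are all constructed for the example; a real toaster's vchkpw/qmail-smtpd log lines look different and the regex would need adjusting.

```python
import re
from collections import Counter

# Constructed sample log lines (format is an assumption for this example,
# not the real vpopmail/qmail-smtpd format).
SAMPLE_LOG = """\
Nov 21 21:10:01 toaster smtp-auth fail user=alice@example.com ip=203.0.113.5
Nov 21 21:10:02 toaster smtp-auth fail user=admin ip=203.0.113.9
Nov 21 21:10:03 toaster smtp-auth fail user=alice@example.com ip=203.0.113.5
Nov 21 21:10:04 toaster smtp-auth fail user=bob@example.com ip=198.51.100.7
Nov 21 21:10:05 toaster smtp-auth fail user=alice@example.com ip=203.0.113.5
Nov 21 21:10:06 toaster smtp-auth fail user=alice@example.com ip=203.0.113.5
"""

LOG_RE = re.compile(r"smtp-auth fail user=(?P<user>\S+) ip=(?P<ip>\S+)")


def parse_failures(lines):
    """Yield (username, ip) for every failed-auth line we recognise."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def decide_bans(lines, maxretry=3):
    """Return {ip: reason} in the spirit of two fail2ban jails:
    - a login name with no domain part is banned on the first attempt
      (vpopmail users always authenticate as user@domain);
    - otherwise an IP is banned once it reaches maxretry failures."""
    counts = Counter()
    bans = {}
    for user, ip in parse_failures(lines):
        if ip in bans:
            continue  # already banned; further lines are irrelevant
        if "@" not in user:
            bans[ip] = "username without domain"
            continue
        counts[ip] += 1
        if counts[ip] >= maxretry:
            bans[ip] = f"{counts[ip]} failed logins"
    return bans


# SPF: find the 'all' mechanism and its qualifier. An absent qualifier
# means '+' (pass). Only a standalone 'all' token counts, so names like
# 'include:_spf.example.net' are not mistaken for it.
SPF_ALL_RE = re.compile(r"(?:^|\s)([+\-~?]?)all(?=\s|$)")


def spf_all_qualifier(record):
    """Return '+', '-', '~' or '?' for the record's 'all' mechanism,
    or None if the record is not SPF or has no 'all' at all."""
    record = record.strip().lower()
    if not record.startswith("v=spf1"):
        return None
    m = SPF_ALL_RE.search(record)
    if not m:
        return None
    return m.group(1) or "+"


def spf_hard_fail_ok(record):
    """True only when the record ends in a hard fail ('-all'), which is
    the policy Dan requires of his hosted domains."""
    return spf_all_qualifier(record) == "-"


if __name__ == "__main__":
    for ip, reason in decide_bans(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip}: {reason}")
    for rec in ("v=spf1 mx ip4:203.0.113.0/24 -all",
                "v=spf1 mx ~all",
                "v=spf1 include:_spf.example.net"):
        print(f"{rec!r}: -all enforced = {spf_hard_fail_ok(rec)}")
```

With the constructed lines, 203.0.113.9 is banned on its single attempt because the login name `admin` carries no domain, 203.0.113.5 is banned on its third failure, and 198.51.100.7 is left alone. The SPF check treats a record without any `all` mechanism as not meeting the "-all" requirement, which matches Dan's rule that the hosted domain must end its record in a hard fail.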