Re: [CentOS] How to handel smtp to public servers - done

2012-06-28 Thread Emmett Culley
For the last five years I have been running a captive portal gateway I 
developed at a number of airports to manage free wireless.  There are more than 
25K connections each day, and port 25 is blocked for every one of them.

Yes we get complaints, but not often, one every two or three months or so.

Before we blocked port 25 we had to go to spamhaus.org once a month, or so, to 
request removal of one or more of the gateway's IP addresses from their black 
lists.

Emmett

On 06/27/2012 09:04 PM, Emmanuel Noobadmin wrote:
 On 6/27/12, Götz Reinicke goetz.reini...@filmakademie.de wrote:
 Long story short: I advised the use of port 587 two hours ago.

 FYI since then I had 169 outgoing connections to port 20 and 1 to 587. :)

 Seriously, just force them. I got so tired of one particular app/mail
 server that kept getting blacklisted because of lazy client admins and
 users, I sent them a notice that for emergency security reasons,
 emails will only be accepted on port 587. Gave them one hour, then
 closed 25.

 Understandably people screamed for about another hour or so but all of
 them ended up on 587 by the end of the day ;)

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] How to handel smtp to public servers

2012-06-28 Thread Kahlil Hodgson
On 27/06/12 18:23, Götz Reinicke wrote:
 I like to know which private computer sends a lot of mail. :)

You could get your firewall to ACCEPT but LOG the outgoing 25 from anything 
but your mailhub.

Have often wondered whether a transparent mail-proxy could be set up,
similar to a transparent web-proxy, with your firewall catching all port 
80 and redirecting to 8080 on your squid server.  Never got around to 
seeing whether this was possible ...

... then again I agree with the others, blocking outgoing port 25 is the 
better idea, but only if it is not going to get you fired.

Cheers,

Kal

-- 
Kahlil (Kal) Hodgson   GPG: C9A02289
Head of Technology (m) +61 (0) 4 2573 0382
DealMax Pty Ltd (w) +61 (0) 3 9008 5281

Suite 1415
401 Docklands Drive
Docklands VIC 3008 Australia

All parts should go together without forcing.  You must remember that
the parts you are reassembling were disassembled by you.  Therefore,
if you can't get them together again, there must be a reason.  By all
means, do not use a hammer.  -- IBM maintenance manual, 1925





Re: [CentOS] How to handel smtp to public servers

2012-06-27 Thread Fajar Priyanto
On Wed, Jun 27, 2012 at 4:23 PM, Götz Reinicke
goetz.reini...@filmakademie.de wrote:
 Hi,

 we do have some subnetworks for private computers, which are allowed to
 use their public smtp servers like msn, web.de or whatever with the
 users' private accounts.

 All our own computers have to send mail through our mailserver with user
 authentication.

 From time to time we are faced with the fact, that a virus infected
 private notebook sends spam and we are told by our ISP to take care :)

 What might be a good choice to allow clients to send unrestricted
 transparent mails (= use smtp(s)) but we can monitor? E.g. like a
 redirect or proxy for smtp?

 I like to know which private computer sends a lot of mail. :)

Hi,
1. Many malware have their own smtp and can send spam directly.
To overcome this, block port tcp 25 on your gateway, and only allow
your mailserver.
From the firewall log then you will know which client is infected.

2. In the case that the malware uses your mailserver to send the spam,
there are plugins to log how many emails are sent by which client.
HTH
-- 
http://linux3.arinet.org
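
Added example, not part of the original thread: the approach suggested by Kahlil Hodgson and Fajar Priyanto (log outbound port 25 from everything except the mail hub, then read the firewall log) as POSIX shell that ranks internal hosts by logged attempts. The mail hub address 192.0.2.10, the log prefix, the interface names and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Gateway rules that would produce the
# log lines parsed below; assumed: clients are forwarded through the gateway,
# the mail hub is 192.0.2.10, and the log prefix is "SMTP-OUT: ".
#   iptables -A FORWARD -p tcp --dport 25 -s 192.0.2.10 -j ACCEPT
#   iptables -A FORWARD -p tcp --dport 25 -m state --state NEW \
#            -j LOG --log-prefix "SMTP-OUT: "
#   iptables -A FORWARD -p tcp --dport 25 -j REJECT --reject-with tcp-reset
# Leave out the REJECT rule for the "ACCEPT but LOG" variant.

LOG_PREFIX="SMTP-OUT: "

# Constructed, abbreviated kernel log lines (all addresses are made up).
sample_log() {
cat <<'EOF'
Jun 27 16:40:01 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.20.0.57 DST=198.51.100.25 PROTO=TCP SPT=49822 DPT=25 SYN
Jun 27 16:40:02 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.20.0.57 DST=203.0.113.9 PROTO=TCP SPT=49823 DPT=25 SYN
Jun 27 16:40:02 gw kernel: SSH-IN: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.1 PROTO=TCP SPT=40111 DPT=22 SYN
Jun 27 16:40:03 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.20.0.88 DST=198.51.100.25 PROTO=TCP SPT=51200 DPT=25 SYN
Jun 27 16:40:04 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.20.0.57 DST=203.0.113.40 PROTO=TCP SPT=49824 DPT=25 SYN
EOF
}

# Read syslog lines on stdin; print "count source-ip", busiest host first.
# Only lines carrying our prefix and destination port 25 are counted.
count_smtp_sources() {
  awk -v prefix="$LOG_PREFIX" '
    index($0, prefix) && / DPT=25( |$)/ {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^SRC=/) { n[substr($i, 5)]++; break }
    }
    END { for (s in n) print n[s], s }
  ' | sort -k1,1nr -k2,2
}

# Read syslog lines on stdin; print the sources with at least $1 attempts.
flag_heavy_senders() {
  count_smtp_sources | awk -v t="$1" '$1 >= t { print $2 }'
}

# Stand-alone run on the constructed sample.
sample_log | count_smtp_sources
```

On a real gateway the input would be the kernel log file instead of `sample_log`, and the threshold depends on how many direct port-25 attempts a normal client makes in the chosen time window.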


Re: [CentOS] How to handel smtp to public servers

2012-06-27 Thread Götz Reinicke
On 27.06.12 10:29, Fajar Priyanto wrote:
 On Wed, Jun 27, 2012 at 4:23 PM, Götz Reinicke
 goetz.reini...@filmakademie.de wrote:
 Hi,

 we do have some subnetworks for private computers, which are allowed to
 use their public smtp servers like msn, web.de or whatever with the
 users' private accounts.

 All our own computers have to send mail through our mailserver with user
 authentication.

 From time to time we are faced with the fact, that a virus infected
 private notebook sends spam and we are told by our ISP to take care :)

 What might be a good choice to allow clients to send unrestricted
 transparent mails (= use smtp(s)) but we can monitor? E.g. like a
 redirect or proxy for smtp?

 I like to know which private computer sends a lot of mail. :)
 
 Hi,
 1. Many malware have their own smtp and can send spam directly.
 To overcome this, block port tcp 25 on your gateway, and only allow
 your mailserver.
 From the firewall log then you will know which client is infected.
 
 2. In the case that the malware uses your mailserver to send the spam,
 there are plugins to log how many emails are sent by which client.
 HTH
 


Hi, thanks for your suggestion. But for the mentioned clients that's not
possible. :/ (For our own we do exactly as you suggest :) )

We do have about 100th of freelancers 'flying in and out' of our academy
which we can't 'restrict' by forcing them to change their clients' settings.

But maybe we have to think about that if that's the only chance we have

-- 
Götz Reinicke
IT Coordinator

Tel. +49 7141 969 82 420
Fax  +49 7141 969 55 420
E-Mail goetz.reini...@filmakademie.de

Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de

Registered at Amtsgericht Stuttgart, HRB 205016

Chairman of the Supervisory Board:
Jürgen Walter MdL
State Secretary in the Ministry of Science,
Research and the Arts of Baden-Württemberg

Managing Director:
Prof. Thomas Schadt





Re: [CentOS] How to handel smtp to public servers

2012-06-27 Thread Fajar Priyanto
On Wed, Jun 27, 2012 at 5:15 PM, Götz Reinicke
goetz.reini...@filmakademie.de wrote:
 On 27.06.12 10:29, Fajar Priyanto wrote:
 On Wed, Jun 27, 2012 at 4:23 PM, Götz Reinicke
 goetz.reini...@filmakademie.de wrote:
 Hi,

 we do have some subnetworks for private computers, which are allowed to
 use their public smtp servers like msn, web.de or whatever with the
 users' private accounts.

 All our own computers have to send mail through our mailserver with user
 authentication.

 From time to time we are faced with the fact, that a virus infected
 private notebook sends spam and we are told by our ISP to take care :)

 What might be a good choice to allow clients to send unrestricted
 transparent mails (= use smtp(s)) but we can monitor? E.g. like a
 redirect or proxy for smtp?

 I like to know which private computer sends a lot of mail. :)

 Hi,
 1. Many malware have their own smtp and can send spam directly.
 To overcome this, block port tcp 25 on your gateway, and only allow
 your mailserver.
 From the firewall log then you will know which client is infected.

 2. In the case that the malware uses your mailserver to send the spam,
 there are plugins to log how many emails are sent by which client.
 HTH



 Hi, thanks for your suggestion. But for the mentioned clients that's not
 possible. :/ (For our own we do exactly as you suggest :) )

 We do have about 100th of freelancers 'flying in and out' of our academy
 which we can't 'restrict' by forcing them to change their clients' settings.

 But maybe we have to think about that if that's the only chance we have

Hi Gotz,
I don't understand. Those clients are connected to your network,
aren't they? Then the proposed solutions 1 and 2 would work.
Unless what you mean is when they are working from home, but at least
solution 2 would give you a clue who sends the spam.
-- 
http://linux3.arinet.org


Re: [CentOS] How to handel smtp to public servers

2012-06-27 Thread Tilman Schmidt
On 27.06.2012 11:15, Götz Reinicke wrote:
 On 27.06.12 10:29, Fajar Priyanto wrote:

 1. Many malware have their own smtp and can send spam directly.
 To overcome this, block port tcp 25 on your gateway, and only allow
 your mailserver.

 Hi, thanks for your suggestion. But for the mentioned clients that's not
 possible. :/ [...]
 We do have about 100th of freelancers 'flying in and out' of our academy
 which we can't 'restrict' by forcing them to change their clients' settings.

Nobody *needs* port 25 from their client to a public server.
Port 25 is intended for forwarding mail from one server to the
next, not for submitting mail from a client to its server.
The standard port for sending mail from a client is 587, the
mail submission port. Using port 25 for that is arguably a
configuration error which should be corrected.

What's more, blocking outbound port 25 is generally recommended
practice and standard for many ISPs, so your freelancers will
often face the same restriction on their home LAN, Internet
cafe or wherever else they may want to write e-mails, adding
to their motivation to fix their configuration instead of
arguing with you.

HTH
T.

-- 
Tilman Schmidt
Phoenix Software GmbH
Bonn, Germany


Re: [CentOS] How to handel smtp to public servers - done

2012-06-27 Thread Götz Reinicke
On 27.06.12 16:08, Tilman Schmidt wrote:
 On 27.06.2012 11:15, Götz Reinicke wrote:
 On 27.06.12 10:29, Fajar Priyanto wrote:
 
 1. Many malware have their own smtp and can send spam directly.
 To overcome this, block port tcp 25 on your gateway, and only allow
 your mailserver.
 
 Hi, thanks for your suggestion. But for the mentioned clients that's not
 possible. :/ [...]
 We do have about 100th of freelancers 'flying in and out' of our academy
 which we can't 'restrict' by forcing them to change their clients' settings.
 
 Nobody *needs* port 25 from their client to a public server.
 Port 25 is intended for forwarding mail from one server to the
 next, not for submitting mail from a client to its server.
 The standard port for sending mail from a client is 587, the
 mail submission port. Using port 25 for that is arguably a
 configuration error which should be corrected.
 
 What's more, blocking outbound port 25 is generally recommended
 practice and standard for many ISPs, so your freelancers will
 often face the same restriction on their home LAN, Internet
 cafe or wherever else they may want to write e-mails, adding
 to their motivation to fix their configuration instead of
 arguing with you.

Hi,

you don't know the resistance to advice of our users  ;)

Any kind of plea fails most of the time, and as long as a lot of ISPs and
mail hosters still allow and offer port 25 in the docs it is hard to
tell why our users should change because we're faced with problems.

Long story short: I advised the use of port 587 two hours ago.

FYI since then I had 169 outgoing connections to port 20 and 1 to 587. :)

cheers . Götz fighting spam and resistant to advice
-- 
Götz Reinicke
IT Coordinator

Tel. +49 7141 969 82 420
Fax  +49 7141 969 55 420
E-Mail goetz.reini...@filmakademie.de



Re: [CentOS] How to handel smtp to public servers - done

2012-06-27 Thread Götz Reinicke
On 27.06.12 16:08, Tilman Schmidt wrote:
 On 27.06.2012 11:15, Götz Reinicke wrote:
 On 27.06.12 10:29, Fajar Priyanto wrote:
 
 1. Many malware have their own smtp and can send spam directly.
 To overcome this, block port tcp 25 on your gateway, and only allow
 your mailserver.
 
 Hi, thanks for your suggestion. But for the mentioned clients that's not
 possible. :/ [...]
 We do have about 100th of freelancers 'flying in and out' of our academy
 which we can't 'restrict' by forcing them to change their clients' settings.
 
 Nobody *needs* port 25 from their client to a public server.
 Port 25 is intended for forwarding mail from one server to the
 next, not for submitting mail from a client to its server.
 The standard port for sending mail from a client is 587, the
 mail submission port. Using port 25 for that is arguably a
 configuration error which should be corrected.
 
 What's more, blocking outbound port 25 is generally recommended
 practice and standard for many ISPs, so your freelancers will
 often face the same restriction on their home LAN, Internet
 cafe or wherever else they may want to write e-mails, adding
 to their motivation to fix their configuration instead of
 arguing with you.

Hi,

you don't know the resistance to advice of our users  ;)

Any kind of plea fails most of the time, and as long as a lot of ISPs and
mail hosters still allow and offer port 25 in the docs it is hard to
tell why our users should change because we're faced with problems.

Long story short: I advised the use of port 587 two hours ago.

FYI since then I had 169 outgoing connections to port 25 and 1 to 587. :)

cheers . Götz fighting spam and resistant to advice
-- 
Götz Reinicke
IT Coordinator

Tel. +49 7141 969 82 420
Fax  +49 7141 969 55 420
E-Mail goetz.reini...@filmakademie.de



Re: [CentOS] How to handel smtp to public servers - done

2012-06-27 Thread m . roth
Götz Reinicke wrote:
 On 27.06.12 16:08, Tilman Schmidt wrote:
 On 27.06.2012 11:15, Götz Reinicke wrote:
 On 27.06.12 10:29, Fajar Priyanto wrote:

 1. Many malware have their own smtp and can send spam directly.
 To overcome this, block port tcp 25 on your gateway, and only allow
 your mailserver.

 Hi, thanks for your suggestion. But for the mentioned clients that's not
 possible. :/ [...]
<snip>
 you don't know the resistance to advice of our users  ;)
<snip>
 Long story short: I advised the use of port 587 two hours ago.

 FYI since then I had 169 outgoing connections to port 25 and 1 to 587. :)

   cheers . Götz fighting spam and resistant to advice

Hey, give 'em a chance. See what it's like after 24 hours. I suppose then
you could tell them it's a lottery, and you'll select random users to kick
off port 25

mark



Re: [CentOS] How to handel smtp to public servers - done

2012-06-27 Thread Scott Silva
on 6/27/2012 7:26 AM Götz Reinicke spake the following:
 On 27.06.12 16:08, Tilman Schmidt wrote:
 On 27.06.2012 11:15, Götz Reinicke wrote:
 On 27.06.12 10:29, Fajar Priyanto wrote:

 1. Many malware have their own smtp and can send spam directly.
 To overcome this, block port tcp 25 on your gateway, and only allow
 your mailserver.

 Hi, thanks for your suggestion. But for the mentioned clients that's not
 possible. :/ [...]
 We do have about 100th of freelancers 'flying in and out' of our academy
 which we can't 'restrict' by forcing them to change their clients' settings.

 Nobody *needs* port 25 from their client to a public server.
 Port 25 is intended for forwarding mail from one server to the
 next, not for submitting mail from a client to its server.
 The standard port for sending mail from a client is 587, the
 mail submission port. Using port 25 for that is arguably a
 configuration error which should be corrected.

 What's more, blocking outbound port 25 is generally recommended
 practice and standard for many ISPs, so your freelancers will
 often face the same restriction on their home LAN, Internet
 cafe or wherever else they may want to write e-mails, adding
 to their motivation to fix their configuration instead of
 arguing with you.
 
 Hi,
 
 you don't know the resistance to advice of our users  ;)
 
 Any kind of plea fails most of the time, and as long as a lot of ISPs and
 mail hosters still allow and offer port 25 in the docs it is hard to
 tell why our users should change because we're faced with problems.
 
 Long story short: I advised the use of port 587 two hours ago.
 
 FYI since then I had 169 outgoing connections to port 20 and 1 to 587. :)
 
   cheers . Götz fighting spam and resistant to advice
 
Block port 25, and they will comply, or not send mail... People are resistant
to change, until they NEED to change...





Re: [CentOS] How to handel smtp to public servers - done

2012-06-27 Thread Emmanuel Noobadmin
On 6/27/12, Götz Reinicke goetz.reini...@filmakademie.de wrote:
 Long story short: I advised the use of port 587 two hours ago.

 FYI since then I had 169 outgoing connections to port 20 and 1 to 587. :)

Seriously, just force them. I got so tired of one particular app/mail
server that kept getting blacklisted because of lazy client admins and
users, I sent them a notice that for emergency security reasons,
emails will only be accepted on port 587. Gave them one hour, then
closed 25.

Understandably people screamed for about another hour or so but all of
them ended up on 587 by the end of the day ;)