Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
On 02/23/2015 02:27 PM, Ian Eiloart wrote: If your goal is to separate authenticated from unauthenticated mail, the place to do it is not at the port, but at the IP address. Use a different server, and publish new MX records. Here, we don’t use a different physical server, we have two IP addresses on one physical interface, and separate Exim processes listening on the different IP addresses: It's not exactly why I wrote to the list, but this would certainly make things a bit easier. Thanks, I'll definitively take that into consideration. The process configured to use mx.example.com would listen only on port 25 The process configured to use msa.example.com (or more likely smtp.example.com to satisfy some autoconfiguration algorithms) would listen on ports 587, 25, and 465 (unfortunately, there are still clients that like to use this port for ssl-on-connect) I disabled port 465 a while ago. However, I still have clients authenticating on port 25, which I learned is the default port for some applications when setting up STARTSSL (e.g. the Android AOSP mail client). This configuration would make things easier... Of course, our documentation and autoconfiguration servers all recommend port 587, but there’s no harm in (for example) local clients using port 25. I don’t use Postfix, so I don’t know whether you can configure it to listen only on one virtual interface. If not, you may need two physical hosts, or you might be able to do this on one host by virtualising your servers. Postfix natively supports multi instance setups. Daniel ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
On 02/23/2015 03:35 PM, Matus UHLAR - fantomas wrote: just a week or two ago I read discussion where the 465 was preferred, because SSL is mandatory there, so there's no chance for clients to authenticate without SSL encryption. ...just FYI. Encryption in my setup is mandatory, too. I just don't allow connections to the deprecated port 465 (see [1] for an explanation). Clients are only allowed to authenticate after STARTTLS on port 587 or (unfortunately) port 25. [1] http://stackoverflow.com/a/19942206 ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
On 02/22/2015 10:08 AM, Simon Hobson wrote: Recipients may not trust the tags, but it *should* stop outbound spam/infected mail should your machine (or one of the clients) get compromised. IMO spam and malware is not just something to stop coming in, it's something to porevent going out - if more networks prevented it going out then there'd be less of a problem. It's not always black and white. I assume you're responsible for the clients you're talking about, i.e. they are your customers or colleagues. While spoon-feeding colleagues or customers may be okay for the sake of security, my clients would certainly raise hell if they would receive errors due to false positives. Most people expect their system to just work -- no matter what. By the way: I don't even reject virus/spam mail, I just tag them. If a client is dumb enough to open the attachment of a tagged e-mail, so be it. On my systems I scan *everything*, and I firewall off everything I can - including preventing outbound connections to port 25. I am not in the situation where all my clients sit in a firewalled private network; it's more the free-mail kind of situation. What and when my clients send e-mail is non of my concern, as long as they do it in common dimensions, i.e. in a way that matches a real person. At work I run mail servers that are used by customers - including as smart relays. It's not all that uncommon to find one of the customer compromised and sending out thousands (or millions) of spam emails - so my latest server also does rate limiting to limit the damage done before it gets spotted and blocked. Rate limiting is certainly a good idea to mitigate the damage that's being done by a compromised client. Manual intervention might still be necessary, possibly after automated sanctions (e.g. consistently lowering the rate limit for a misbehaving client). However, rejecting outgoing e-mail right away is not an option, which ultimately makes the scanning of these messages redundant. ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
On 02/22/2015 07:13 PM, Matus UHLAR - fantomas wrote: sure it makes sense to scan outgoing mail. Maybe in a company network, yes. But I don't care for the computers of my clients -- these are their computers. *If* they get infected somehow, I have measures to stop them from doing harm through my servers. the tags never make sense. Turn them off by setting AddHeader no to clamav-milter.conf, but not by not scanning the mail. But if I *don't* reject e-mail, the incoming tag makes sense to inform a client about the virus/phishing/spam status. The outgoing scan and tag both make no sense, given the fact that I don't want to reject outgoing mail. ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
On 02/22/2015 10:43 PM, Simon Hobson wrote: OK, this is getting well off-topic for this list, this will be my final say on the matter Agreed. Which is one reason it's very important to make sure you are not part of the problem. Allowing a customer to sent nasties through your mail server is a good way of getting it blacklisted - and then it certainly doesn't just work. I can assure you that when your server gets on a blacklist, your customers do complain - and they complain a lot louder than if you block one or two spammy messages. The best way to stay off blacklists is to block spam and nasties at source - not just rely on the recipient to catch it later ... It may be *one* way but it's certainly not the *best* way. In order to get blacklisted, your sever would have to send at least a decent amount of nasties. To prevent that, you could either take the easy road and just reject your customers' mail or you could sanction those specific customers who are the actual cause. In the former case I'd accuse you of being lazy, just as you accuse me of being part of some problem. Don't get me wrong: I don't say it's impossible to get blacklisted -- I say there are more sophisticated approaches to prevent being blacklisted. By the way: I don't even reject virus/spam mail, I just tag them. If a client is dumb enough to open the attachment of a tagged e-mail, so be it. So you are part of the problem. It's already been said that tagging is meaningless - yet you assume it's reasonable to expect others to act on your tags. It seems you got something wrong: Tagging of outgoing e-mails is meaningless because the recipient will not pay any attention to the tags. Tagging of incoming e-mail, however, is a way of telling your client There is something wrong with that e-mail. Therefore, I put it into your Junk folder; better don't open it. If you still do, it's all your fault.. I don't get how you find it more appropriate to silently reject someone's e-mail, be it infected or not. I also don't get how you can be so disrespectful and declare me part of some problem for the second time. It appears to me as if this is more of a personal problem for you. Most of the customers are also not on managed networks. But on my own systems I block outbound connections to port 25 other than what's needed (actually, I mostly have a block everything and allow what's needed policy). It's all part of a layered approach - you protect your systems, but you also add a layer that limits the damage if they do get compromised. Again: this scenario does not apply to me. But, for what it's worth, let's assume one of your clients gets infected by a false negative (all because you failed to raise your clients' awareness and gave them a false sense of security by silently rejecting mail). This infected client does two things: It tries to send spam through port 25 and gathers information (keylogger/passwords, emails, internal information, etc.) to upload it via https. The only way you would notice the latter, is by analyzing logs and thereby discovering the former. But you just silently dropped all those packets... Or is your answer to simply block port 443 as well? However, rejecting outgoing e-mail right away is not an option, which ultimately makes the scanning of these messages redundant. Which makes you part of the problem. Maybe you should rather start educating people than to infantilize them. Ask them to take over responsibility for their computers, to think twice before opening attachments, especially if the mail is *not* stored in the Junk folder. Let them send whatever they want, and check your logs to find those clients who don't play along. Most of all though: Stop insulting strangers on the internet by calling them part of a problem that you and a few others made up. Or, at least define what that supposedly problem is. ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
On 02/22/2015 02:47 AM, Noel Jones wrote: Anyway, if your goal is to disable scanning on submission, it's probably best to edit the master.cf submission service to not call clamav-milter at all. (I would strongly recommend scanning all mail, but that's a local policy decision) As already suspected below, I still have a few clients who are sending e-mail to port 25. I would like to disable authentication for port 25 but it's no option at the moment. If you need to do this in clamav-milter, such as if you need to do this for port 25 as well as submission, you should probably look at the SkipAuthenticated option. SkipAuthenticated ^.*$ does what I want, thank you! Well, actually it would be perfect if incoming local mail would be scanned too, i.e. sending auth mail from any port - DO NOT SCAN receiving mail (port 25) - SCAN In my opinion, it doesn't make any sense to scan e-mail leaving the server. The recipient will never trust these tags anyway. So why scan at all? It's important to scan incoming mail, be it from a local or an external client. Daniel ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
[clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
Hello, what is the correct way to prevent clamav-milter (0.98.5 in Debian Wheezy) from scanning and tagging _outgoing_ e-mail? I assumed it was the LocalNet option; however, I did not manage to get it to work. Here is the man entry: LocalNet STRING Messages originating from these hosts/networks will not be scanned. This option takes a host(name)/mask pair in CIRD notation and can be repeated several times. If /mask is omitted, a host is assumed. To specify a locally orignated, non-smtp, email use the keyword local Default: unset (scan everything regardless of the origin) Here is what I tried: LocalNet 127.0.0.1/32 ::1/128 local clamav-milterERROR: Can't resolve LocalNet hostname 127.0.0.1/32 ::1 LocalNet 127.0.0.1/32 ::1/128 clamav-milterERROR: Can't resolve LocalNet hostname 127.0.0.1/32 ::1 LocalNet 127.0.0.1/32 OK, BUT scan/tag happens LocalNet ::1/128 OK, BUT scan/tag happens LocalNet local OK, BUT scan/tag happens LocalNet 127.0.0.1 OK, BUT scan/tag happens LocalNet local OK, BUT scan/tag happens LocalNet local 127.0.0.1 ::1 clamav-milterERROR: Can't resolve LocalNet hostname local 127.0.0.1 ::1 LocalNet 127.0.0.1 ::1 local OK, BUT scan/tag happens Any help is greatly appreciated. Daniel ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
On 02/22/2015 01:54 AM, Benny Pedersen wrote: LocalNet localdomain This gives no error, but clamav-milter is still scanning/tagging outgoing e-mail. I'm sending e-mail from port 587 (smtp/submission, postfix). PS: why does 127.0.0.1 not resolve ? It does though: LocalNet 127.0.0.1 -- OK, BUT scan/tag happens Or do you mean something else? post /etc/hosts for more help :=) # IPv4 127.0.0.1 localhost.localdomain localhost 175.8.41.129 sub.example.com sub # # IPv6 ::1 ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters ff02::3 ip6-allhosts 2b01:4c7:250:41ad::2 sub.example.com sub is the client ip in clamav-milter really in local domain ip listed ? Maybe LocalNet is the wrong option (?) but how else would I stop clamav-milter from scanning outgoing e-mail then? check whitelist sender in clamav milter conf if its just to have system users not scanned, if its users that have @ in username use smtp auth There is no whitelist so far. Thanks for your quick reply! ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
