Re: Transparent email proxy
On 7/16/07, Olivier Nicole [EMAIL PROTECTED] wrote:
> Hi,
>
> > With the firewall, it is easy to make the use of the outgoing mail hub compulsory. Is there some reason beyond that that you want to do things transparently?
>
> Yes, I should have been a bit more specific. As a university department, we receive a number of visitors; when they have been on the plane for 24 hours, they usually want to check their email. Each time we have to inform them that they can only send through our mail gateway, and they have to temporarily change their settings for the duration of their visit, and remember to change back when they leave. That is annoying (and I am not always around to tell them why they cannot send their email). That is why I am thinking about transparent redirection.
>
> Best regards,

We've set up transparent outgoing mail proxying using ASSP, PF and Postfix. Basically any traffic that has a destination port of 25 on the Internet is sent through our mail proxy, and onwards to the destination mail servers.

Main reason for this is simplicity. I've never come across anyone using TLS+SMTP; in most cases I've found that SMTP is accepted as insecure (esp. over the Internet). If we were talking intra-company SMTP over the Internet, different story altogether due to the company needing privacy.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Transparent email proxy
On Monday 16 July 2007 09:05:56 Daniel Marsh wrote:
> I've never come across anyone using TLS+SMTP; in most cases I've found that SMTP is accepted as insecure (esp. over the Internet). If we were talking intra-company SMTP over the Internet, different story altogether due to the company needing privacy.

Ahemm... That depends largely on the audience you're administering for... I personally have seen that many large (German) (free-)email providers are trying to force SMTP through TLS for sending out email through their servers at the moment, simply because they don't want passwords for logging in to their service transferred as plaintext (and thereby sniffable by the provider/network you're using). It's not so much about the mail (content) itself, it's more about the authentication that's required to relay.

--
Heiko Wundram
Product Application Development - Office Germany - EXPO PARK HANNOVER
Beenic Networks GmbH
Mailänder Straße 2
30539 Hannover
Phone +49 511 / 590 935 - 15
Fax +49 511 / 590 935 - 29
Mail [EMAIL PROTECTED]
Beenic Networks GmbH - Registered office: Hannover
Managing Director: Jorge Delgado
Register number: HRB 61869
Registration court: Amtsgericht Hannover
Re: Transparent email proxy
On Jul 16, 2007, at 12:49 AM, Olivier Nicole wrote:
> > With the firewall, it is easy to make the use of the outgoing mail hub compulsory. Is there some reason beyond that that you want to do things transparently?
>
> Yes, I should have been a bit more specific. As a university department, we receive a number of visitors; when they have been on the plane for 24 hours, they usually want to check their email. Each time we have to inform them that they can only send through our mail gateway, and they have to temporarily change their settings for the duration of their visit, and remember to change back when they leave. That is annoying (and I am not always around to tell them why they cannot send their email). That is why I am thinking about transparent redirection.

Thanks for elaborating on that. As others have suggested, use redirection on your firewall to point them to your outgoing hub. I've never yet played with such redirection, so I'll leave it to others to comment, but the details will depend on what kind of firewall you are currently running.

I am wondering what will happen if these visitors' mail clients try to authenticate against your mail server. If your server does allow SMTP-AUTH, then the clients, if configured to authenticate, will attempt to, as far as I understand. It might be worth doing some experiments to see how this works.

The proper solution to this would be for people to use the (new) SMTP submission mechanism on the submission port, but it appears that ISPs aren't doing enough to get their users to do things that way.

Good luck with this.

-j

--
Jeffrey Goldberg http://www.goldmark.org/jeff/
Re: Transparent email proxy
Hi,

> With the firewall, it is easy to make the use of the outgoing mail hub compulsory. Is there some reason beyond that that you want to do things transparently?

Yes, I should have been a bit more specific. As a university department, we receive a number of visitors; when they have been on the plane for 24 hours, they usually want to check their email. Each time we have to inform them that they can only send through our mail gateway, and they have to temporarily change their settings for the duration of their visit, and remember to change back when they leave. That is annoying (and I am not always around to tell them why they cannot send their email). That is why I am thinking about transparent redirection.

Best regards,

Olivier
Re: Transparent email proxy
On Friday 13 July 2007 09:30:06 Olivier Nicole wrote:
> As an ISP, or the person in charge of a large organisation, have you ever set up a transparent email redirection: all outgoing email would be proceeded to an outgoing server in order to check for virus, spam, whatever.

Don't do this transparently. It only leads to pain and suffering (and sufficiently high client disappointment), especially if you want to support TLS over SMTP (which means either a failed certificate for the sending host, in case you proxy fully, or traffic that is not checkable/controllable by you, in case you pass encrypted SMTP on directly).

Easiest solution that worked for me: block all outgoing traffic to ports 25 and 465, and tell your clients to use yoursmtphost as their smarthost, which then accepts the mail, scans it, and sends it on properly. This works fine for a university of 8000 computers. ;-)

--
Heiko Wundram
Re: Transparent email proxy
Paul procacci wrote:
> Olivier Nicole wrote:
> > Hi,
> > As an ISP, or the person in charge of a large organisation, have you ever set up a transparent email redirection: all outgoing email would be proceeded to an outgoing server in order to check for virus, spam, whatever.
> > Best regards,
> > Olivier
>
> The answer to your question is yes. To elaborate a bit more, however, here is a personal document I wrote (i.e. wasn't intended for anyone else); hopefully it provides you with good enough information and/or the information you were looking for. Mind you, this is BSD and qmail (yes, I'm a fanboy) specific. This assumes you are familiar with the software I decided to use under the components heading. Certainly feel free to ask any questions. I realize the document isn't production quality due to the reasons given above, but rest assured I can vouch for this method. Additionally note, this is obviously not the only method, just that it's my method. ;P
>
> Cheers!
> ~Paul
>
> [...]

My attached c file got stripped. Here it is.
reject-spam.c
---

/* reject-spam.c: filter stage in front of qmail-queue.  Reads the message on
 * fd 0, walks the header block and exits 20 (mapped to the custom reject text
 * by the qmail.c patch) when SpamAssassin has flagged it; otherwise it passes
 * the whole message through unchanged on fd 1.  Built with qmail's libraries. */
#include "stralloc.h"
#include "substdio.h"
#include "readwrite.h"
#include "getln.h"
#include "str.h"
#include "exit.h"

stralloc s = {0};
substdio i = {0};
substdio o = {0};
char ibuf[1024];
char obuf[1024];

int main(void)
{
  int match;

  substdio_fdbuf(&i, read, 0, ibuf, sizeof(ibuf));
  substdio_fdbuf(&o, write, 1, obuf, sizeof(obuf));

  /* Header block: one line per iteration; an empty line (just "\n") ends it. */
  for (;;) {
    if (getln(&i, &s, &match, '\n') == -1) _exit(81);         /* read error: temporary failure */
    if (!match || s.len == 1) break;
    if (!str_diffn("X-Spam-Flag: YES\n", s.s, s.len)) _exit(20); /* flagged: reject */
    substdio_put(&o, s.s, s.len);
  }
  /* Write the terminating line, then copy the body through untouched. */
  substdio_put(&o, s.s, s.len);
  substdio_copy(&o, &i);
  substdio_flush(&o);
  _exit(0);
}
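As an added example (not Paul's code and not part of the original thread), here is the same header check written against libc only, so it can be compiled and tested without the qmail source tree; it also accepts CRLF line endings and matches the header case-insensitively, which the original does not. The exit code 20 assumes the qmail.c patch from step b) maps it to the reject text; the 1 MiB buffer in main is an assumption for stand-alone use.

```c
/* Added example (not Paul's reject-spam.c): the same filter contract on libc
 * only, so it compiles and tests without the qmail tree. It scans the header
 * block, returns 20 (the code the patched qmail.c turns into the custom reject
 * text) when "X-Spam-Flag: YES" is present, else copies the message to out and
 * returns 0. Beyond the original it accepts CRLF and ignores header case. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* True if the first strlen(name) bytes of line equal name, ignoring case. */
static int ci_prefix(const char *line, size_t len, const char *name)
{
    size_t n = strlen(name), k;
    if (len < n) return 0;
    for (k = 0; k < n; k++)
        if (tolower((unsigned char)line[k]) != tolower((unsigned char)name[k])) return 0;
    return 1;
}

/* Return 20 if the headers carry X-Spam-Flag: YES; otherwise write the
 * untouched message to out (NULL to skip the copy) and return 0. */
int spam_verdict(const char *msg, size_t len, FILE *out)
{
    static const char flag[] = "X-Spam-Flag:";
    size_t pos = 0;
    while (pos < len) {
        const char *line = msg + pos;
        const char *nl = memchr(line, '\n', len - pos);
        size_t llen = nl ? (size_t)(nl - line) : len - pos; /* excludes '\n' */
        size_t body = llen;
        if (body && line[body - 1] == '\r') body--;        /* tolerate CRLF */
        if (body == 0) break;                              /* blank line ends headers */
        if (ci_prefix(line, body, flag)) {
            const char *v = line + sizeof(flag) - 1;       /* header value */
            size_t vlen = body - (sizeof(flag) - 1);
            while (vlen && isspace((unsigned char)*v)) { v++; vlen--; }
            if (ci_prefix(v, vlen, "YES")) return 20;      /* qmail-queue reject code */
        }
        if (!nl) break;                                    /* final line, no newline */
        pos += llen + 1;
    }
    if (out && len) fwrite(msg, 1, len, out);
    return 0;
}

/* Verdict on a NUL-terminated message without copying it (handy for tests). */
int spam_verdict_str(const char *msg) { return spam_verdict(msg, strlen(msg), NULL); }
/* Stand-alone use as a filter stage: message on stdin, verdict as exit code. */
int main(void)
{
    static char buf[1 << 20];                  /* assumption: messages <= 1 MiB */
    size_t n = fread(buf, 1, sizeof buf, stdin);
    return spam_verdict(buf, n, stdout);
}
```

Only the header block is inspected, so a flag string that appears in the body is ignored, matching the original filter's loop.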
Re: Transparent email proxy
Olivier Nicole wrote:
> Hi,
> As an ISP, or the person in charge of a large organisation, have you ever set up a transparent email redirection: all outgoing email would be proceeded to an outgoing server in order to check for virus, spam, whatever.
> Best regards,
> Olivier

The answer to your question is yes. To elaborate a bit more, however, here is a personal document I wrote (i.e. wasn't intended for anyone else); hopefully it provides you with good enough information and/or the information you were looking for. Mind you, this is BSD and qmail (yes, I'm a fanboy) specific. This assumes you are familiar with the software I decided to use under the components heading. Certainly feel free to ask any questions. I realize the document isn't production quality due to the reasons given above, but rest assured I can vouch for this method. Additionally note, this is obviously not the only method, just that it's my method. ;P

Cheers!
~Paul

--
I have 5 machines behind a load balancer, one of which is FBSD 4.11, and the other 4 are FBSD 6.2. The component list I used is as follows:

Components
  tcpserver
  daemontools
  qmail w/ QMAILQUEUE patch
  qmail-qfilter
  spamassassin
  *custom c scripts (These are optional; one is provided)

Flow
This is the current flow of any emails that reach the cluster. Note the items listed within *'s are custom programs and explained later in this document:

  tcpserver -> qmail-smtpd -> qmail-qfilter -> spamc -> *reject_spam* -> qmail-queue -> qmail-remote

**Note :: reject_spam is included because that is needed for denying emails. (You could rewrite it in perl or sh if you needed to)

Installation
The installation for any new and existing proxy boxes is extremely straightforward. For all but qmail listed above, use the ports tree. Set up spamd to create the /tmp/.spamd.sock socket. That's what I call mine; yours can/will vary.

Once all this is installed, create /etc/tcp.smtp with the following entry and build the cdb file:

  :allow,RELAYCLIENT="",QMAILQUEUE="/var/qmail/bin/qmail-queue-spam"

Ensure tcpserver uses that file (i.e. -x).

While in /usr/ports/qmail:
a) upload the attached files (patch-qmail.c and patch-Makefile) into ./files/
b) edit patch-qmail.c to reflect a message you would like to give:
   '+case 20: return "DAnti-SPAM Threshold Reached see http://domain.com/legal_information.aspx";'
c) type: make extract
d) type: make patch
e) copy the attached file (reject-spam.c) to ./work/qmail*/
f) Now, I haven't included some of my patches here due to sensitive information. Therefore, you'll need to edit the Makefile (work/qmail-*/Makefile) to remove any and all references to check_block and reject-record-spam.
g) type: make install
h) copy reject-spam to /var/qmail/bin
i) Copy the attached shell script (qmail-queue-spam) to /var/qmail/bin/; that is going to tie this together.

Please note that it's NECESSARY to use the local software FW to allow relaying. IPFW is a good choice (my preference anyways). Deny everything to port 25, and only allow the hosts you want. I found this to be the easiest. Then on those hosts, smarthost the hidden (not really) machine.

--- Makefile.orig Thu Dec 14 16:23:19 2006 +++ MakefileThu Dec 14 16:25:12 2006
@@ -157,6 +157,37 @@ binm2 chmod 755 binm2 +check_block: \ +load check_block.o alloc.a error.a stralloc.a substdio.a control.o env.a open.a \ +getln.a fs.a str.a + ./load check_block control.o stralloc.a substdio.a alloc.a \ + error.a env.a str.a open.a getln.a fs.a str.a -L/usr/local/lib/mysql -lmysqlclient + +check_block.o: \ +compile check_block.c stralloc.h substdio.h readwrite.h str.h + ./compile check_block.c -I/usr/local/include + +reject-record-spam: \ +load reject-record-spam.o slurpclose.o alloc.a str.a error.a stralloc.a getln.a \ +substdio.a control.o env.a fs.a + ./load reject-record-spam control.o slurpclose.o getln.a stralloc.a substdio.a alloc.a \ + error.a env.a str.a fs.a open.a -L/usr/local/lib/mysql -lmysqlclient + + +reject-record-spam.o: \ +compile reject-record-spam.c stralloc.h substdio.h readwrite.h getln.h str.h scan.h fmt.h + ./compile reject-record-spam.c -I/usr/local/include + +reject-spam: \ +load reject-spam.o alloc.a str.a error.a stralloc.a getln.a \ +substdio.a + ./load reject-spam getln.a stralloc.a substdio.a str.a alloc.a \ + error.a + +reject-spam.o: \ +compile reject-spam.c stralloc.h substdio.h readwrite.h getln.h str.h + ./compile reject-spam.c + binm2+df: \ binm2+df.sh conf-qmail cat binm2+df.sh \ @@ -808,7 +839,7 @@ forward preline condredirect bouncesaying except maildirmake \ maildir2mbox maildirwatch
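Review bot: check_block.c and reject-record-spam.c, which the check_block and reject-record-spam rules in the first hunk compile and link against -lmysqlclient, are not in the posted patch, so make fails on a clean tree until step f) removes those rules by hand; ship the patch with only the reject-spam and reject-spam.o rules so it builds as posted. Minor: the check_block link line lists str.a twice.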
Re: Transparent email proxy
Olivier Nicole wrote:
> Hi,
> As an ISP, or the person in charge of a large organisation, have you ever set up a transparent email redirection: all outgoing email would be proceeded to an outgoing server in order to check for virus, spam, whatever.

Incoming mail, yes. Outgoing, no, I haven't. But I thought only a few kinds of bots are using your users' email server settings... aren't most still sending directly from the user's system (turning zombies into the mail relay, not having the zombies flood the provider's mail server)?

The only way to stop the former that I know of is to have your routers only allow port 25 traffic outbound from your legit mail server and block all others. You might also want to set up a way to have it report attempts to send mail out from your clients so you can see how many of your users may be infected with something.

You'd then probably need to set up your UNIX system to accept email and scan it before forwarding it on. It should be relatively easy using Postfix and Amavisd-new (Amavis can be tied to clamav and Spamassassin).

I am trying to figure out a new incoming bastion mail server scheme now... but our original does something like this for incoming mail now.

-Bart