Re: Transparent email proxy

2007-07-16 Thread Daniel Marsh

On 7/16/07, Olivier Nicole [EMAIL PROTECTED] wrote:


Hi,

 With the firewall, it is easy to make the use of the outgoing mail
 hub compulsory.  Is there some reason beyond that that you want to do
 things transparently?

Yes, I should have been a bit more specific. As a university department,
we receive a number of visitors; when they have been on the plane for
24 hours, they usually want to check their email. Each time we have to
inform them that they can only send through our mail gateway, and they
have to temporarily change their settings for the duration of their
visit, and remember to change back when they leave. That is annoying
(and I am not always around to tell them why they cannot send their
email).

That is why I am thinking about transparent redirection.

Best regards,



We've set up transparent outgoing mail proxying using ASSP, PF and Postfix.

Basically any traffic that has a destination port of 25 on the Internet is
sent through our mail proxy, and onwards to the destination mail servers.

Main reason for this is simplicity.

I've never come across anyone using TLS+SMTP, in most cases I've found that
SMTP is accepted as insecure (esp. over the Internet). If we were talking
intra-company SMTP over the Internet, different story altogether due to the
company needing privacy.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Transparent email proxy

2007-07-16 Thread Heiko Wundram (Beenic)
On Monday 16 July 2007 09:05:56 Daniel Marsh wrote:
 I've never come across anyone using TLS+SMTP, in most cases I've found that
 SMTP is accepted as insecure (esp. over the Internet). If we were talking
 intra-company SMTP over the Internet, different story altogether due to the
 company needing privacy.

Ahemm... That depends largely on the audience you're administering for...

I personally have seen that many large (german) (free-)email providers are 
trying to force SMTP through TLS for sending out email through their servers 
at the moment, simply because they don't want passwords for logging in to 
their service transferred as plaintext (and thereby sniffable by the 
provider/network you're using). It's not so much about the mail (content) 
itself, it's more about the authentication that's required to relay.

-- 
Heiko Wundram
Product & Application Development
-
Office Germany - EXPO PARK HANNOVER
 
Beenic Networks GmbH
Mailänder Straße 2
30539 Hannover
 
Fon    +49 511 / 590 935 - 15
Fax    +49 511 / 590 935 - 29
Mail   [EMAIL PROTECTED]


Beenic Networks GmbH
-
Sitz der Gesellschaft: Hannover
Geschäftsführer: Jorge Delgado
Registernummer: HRB 61869
Registergericht: Amtsgericht Hannover


Re: Transparent email proxy

2007-07-16 Thread Jeffrey Goldberg

On Jul 16, 2007, at 12:49 AM, Olivier Nicole wrote:


With the firewall, it is easy to make the use of the outgoing mail
hub compulsory.  Is there some reason beyond that that you want to do
things transparently?


Yes, I should have been a bit more specific. As a university department,
we receive a number of visitors; when they have been on the plane for
24 hours, they usually want to check their email. Each time we have to
inform them that they can only send through our mail gateway, and they
have to temporarily change their settings for the duration of their
visit, and remember to change back when they leave. That is annoying
(and I am not always around to tell them why they cannot send their
email).

That is why I am thinking about transparent redirection.


Thanks for elaborating on that.  As others have suggested, use
redirection on your firewall to point them to your outgoing hub.
I've never yet played with such redirection, so I'll leave it to
others to comment, but the details will depend on what kind of
firewall you are currently running.


I am wondering what will happen if these visitors' mail clients try
to authenticate against your mail server.  If your server does allow
SMTP-AUTH, then the clients, if configured to authenticate, will
attempt to, as far as I understand.  It might be worth doing some
experiments to see how this works.


The proper solution to this would be for people to use the (new)
SMTP submission mechanism on the submission port, but it appears that
ISPs aren't doing enough to get their users to do things that way.


Good luck with this.

-j




--
Jeffrey Goldberghttp://www.goldmark.org/jeff/

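Jeffrey's question above (what a visitor's client that is configured for SMTP-AUTH does when its port-25 connection is silently redirected to the departmental hub) and Heiko's earlier point about relay credentials travelling in the clear can both be tried out without a real network. The following is an added example, not code written by any of the posters: it starts two toy SMTP "hubs" in-process with Python's standard library and points an authenticating smtplib client at each, standing in for a PF/IPFW redirect of the visitor's outbound port-25 traffic. The hostname hub.example.edu, the credentials and the toy hub itself are constructed for the demonstration; only the client side (smtplib) is real.

```python
"""Added example (not from the thread): what a visitor's authenticating mail
client does when its port-25 connection is transparently redirected to a
departmental hub.  Two toy hubs are started in-process with the standard
library; hostname, credentials and the hub code are constructed for the demo."""
import base64
import smtplib
import socket
import threading


def _toy_hub(listener, advertise_auth, captured):
    """Serve exactly one SMTP session: EHLO, optional AUTH PLAIN, QUIT.

    This is not an MTA; it speaks just enough SMTP to show what the redirected
    client sends.  Credentials received via AUTH PLAIN are appended to
    `captured` so the caller can see what the hub would have learned."""
    conn, _ = listener.accept()
    rfile, wfile = conn.makefile("rb"), conn.makefile("wb")

    def reply(text):
        wfile.write(text)
        wfile.flush()

    reply(b"220 hub.example.edu ESMTP\r\n")
    while True:
        line = rfile.readline()
        if not line:
            break                              # client went away
        cmd = line.strip().upper()
        if cmd.startswith(b"EHLO"):
            ext = b"250-hub.example.edu\r\n"
            if advertise_auth:
                ext += b"250-AUTH PLAIN\r\n"   # the dangerous setting
            reply(ext + b"250 8BITMIME\r\n")
        elif cmd.startswith(b"AUTH PLAIN"):
            # AUTH PLAIN is base64("\0user\0password"): the hub reads it directly.
            _, user, password = base64.b64decode(line.split()[2]).split(b"\0")
            captured.append((user.decode(), password.decode()))
            reply(b"235 2.7.0 Authentication successful\r\n")
        elif cmd.startswith(b"QUIT"):
            reply(b"221 Bye\r\n")
            break
        else:
            reply(b"250 OK\r\n")
    rfile.close()
    wfile.close()
    conn.close()


def redirected_client_attempt(advertise_auth, user="visitor",
                              password="home-isp-secret"):
    """Point an smtplib client that is configured to authenticate (as a visitor's
    laptop would be, for its home provider) at a toy hub on 127.0.0.1, standing
    in for the firewall redirect.  Returns (outcome, credentials_seen_by_hub)."""
    captured = []
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))            # ephemeral port, stands in for :25
    listener.listen(1)
    port = listener.getsockname()[1]
    hub = threading.Thread(target=_toy_hub,
                           args=(listener, advertise_auth, captured), daemon=True)
    hub.start()
    try:
        with smtplib.SMTP("127.0.0.1", port, timeout=5) as client:
            client.login(user, password)       # smtplib sends EHLO first, then AUTH
            outcome = "authenticated"
    except smtplib.SMTPNotSupportedError:
        outcome = "client refused: hub offers no AUTH"
    finally:
        hub.join(5)
        listener.close()
    return outcome, captured


if __name__ == "__main__":
    for offer_auth in (False, True):
        print("hub advertises AUTH:", offer_auth, "->",
              redirected_client_attempt(offer_auth))
```

Run it directly and it prints both outcomes. The first case is merely annoying (the visitor's client gives up because the hub does not offer AUTH, which is the failure Olivier currently has to explain in person). The second is the one to worry about: a hub that advertises AUTH to redirected clients collects usernames and passwords for other people's mail providers, in cleartext, from users who never chose to trust it. A redirecting hub should therefore not offer AUTH on port 25 and should treat redirected sessions as anonymous relaying restricted to the visitor network; and whatever it offers, a client configured for STARTTLS will be shown the hub's certificate instead of its provider's, which is the certificate failure Heiko describes.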


Re: Transparent email proxy

2007-07-15 Thread Olivier Nicole
Hi,

 With the firewall, it is easy to make the use of the outgoing mail  
 hub compulsory.  Is there some reason beyond that that you want to do  
 things transparently?

Yes, I should have been a bit more specific. As a university department,
we receive a number of visitors; when they have been on the plane for
24 hours, they usually want to check their email. Each time we have to
inform them that they can only send through our mail gateway, and they
have to temporarily change their settings for the duration of their
visit, and remember to change back when they leave. That is annoying
(and I am not always around to tell them why they cannot send their
email).

That is why I am thinking about transparent redirection.

Best regards,

Olivier


Re: Transparent email proxy

2007-07-13 Thread Heiko Wundram (Beenic)
On Friday 13 July 2007 09:30:06 Olivier Nicole wrote:
 As an ISP, or the person in charge of a large organisation, have you
 ever set-up a transparent email redirection: all outgoing email would
 be proceeded to an outgoing server in order to check for virus, spam,
 whatever.

Don't do this transparently. It only leads to pain and suffering (and 
sufficiently high client disappointment), especially if you want to support 
TLS over SMTP: that means either a failed certificate for the sending host 
(in case you proxy fully), or traffic that is not checkable/controllable by 
you (in case you pass encrypted SMTP on directly).

Easiest solution that worked for me: block all outgoing traffic to ports 25 
and 465, and tell your clients to use yoursmtphost as their smarthost, 
which then accepts the mail, scans it, and sends it on properly. This works 
fine for a university of 8000 computers. ;-)

-- 
Heiko Wundram
Product & Application Development


Re: Transparent email proxy

2007-07-13 Thread Paul procacci

My attached C file got stripped.  Here it is.

reject-spam.c
---
/* qmail-qfilter stage: copies the message through unchanged, but exits 20
 * (mapped by the patched qmail.c to the permanent "Anti-SPAM Threshold
 * Reached" reply) if SpamAssassin added an "X-Spam-Flag: YES" header. */
#include "stralloc.h"
#include "substdio.h"
#include "readwrite.h"
#include "getln.h"
#include "str.h"
#include "exit.h"

stralloc s = {0};
substdio i;
substdio o;

char ibuf[1024];
char obuf[1024];

int main(void){

   int match;

   substdio_fdbuf(&i,read,0,ibuf,sizeof(ibuf));
   substdio_fdbuf(&o,write,1,obuf,sizeof(obuf));

   /* Walk the header block; it ends at the first empty line. */
   for(;;){
      if(getln(&i,&s,&match,'\n') == -1) _exit(81);            /* read error */
      if(!match || s.len == 1) break;                           /* EOF, or the blank separator */
      if(!str_diffn("X-Spam-Flag: YES\n",s.s,s.len)) _exit(20); /* flagged: reject */
      if(substdio_put(&o,s.s,s.len) == -1) _exit(53);           /* write error */
   }

   /* Not flagged: emit the separator and pass the body through untouched. */
   if(substdio_put(&o,s.s,s.len) == -1) _exit(53);
   if(substdio_copy(&o,&i) != 0) _exit(53);
   if(substdio_flush(&o) == -1) _exit(53);
   _exit(0);
}




Re: Transparent email proxy

2007-07-13 Thread Paul procacci

Olivier Nicole wrote:

Hi,

As an ISP, or the person in charge of a large organisation, have you
ever set-up a transparent email redirection: all outgoing email would
be proceeded to an outgoing server in order to check for virus, spam,
whatever.

Best regards,

Olivier

  
The answer to your question is yes.  To elaborate a bit more, however, 
here is a personal document I wrote (i.e. it wasn't intended for anyone 
else); hopefully it provides you with good enough information and/or the 
information you were looking for.  Mind you, this is BSD and qmail (yes, 
I'm a fanboy) specific.  This assumes you are familiar with the software 
I decided to use under the components heading.  Certainly feel free to 
ask any questions.  I realize the document isn't production quality 
due to the reasons given above, but rest assured I can vouch for this 
method.


Additionally note, this is obviously not the only method, just that 
it's my method. ;P  Cheers!


~Paul

--

I have 5 machines behind a load balancer, one of which is FBSD 4.11, and 
the other 4 are FBSD 6.2.  The component list I used is as follows:


Components

tcpserver
daemontools
qmail w/ QMAILQUEUE patch
qmail-qfilter
spamassassin
*custom c scripts  (These are optional; one is provided)


Flow

This is the current flow of any emails that reach the cluster. Note the 
items listed within *'s are custom programs and explained later in this 
document:

tcpserver -> qmail-smtpd -> qmail-qfilter -> spamc -> *reject_spam* -> qmail-queue -> qmail-remote

**Note :: reject_spam is included because that is needed for denying 
emails.  (You could rewrite it in perl or sh if you needed to)


Installation

The installation for any new and existing proxy boxes is extremely 
straightforward.


For all but qmail listed above, use the ports tree.

Setup spamd to create the /tmp/.spamd.sock socket.  That's what I call 
mine, yours can/will vary.


Once all this is installed, create /etc/tcp.smtp with the following 
entry and build the cdb file:

:+RELAYCLIENT=+QMAILQUEUE=/var/qmail/bin/qmail-queue-spam

Ensure tcpserver uses that file (i.e. -x).

While in /usr/ports/qmail.

 a) upload the attached files (patch-qmail.c and patch-Makefile) into 
./files/


 b) edit patch-qmail.c to reflect a message you would like to give.
   '+case 20: return "DAnti-SPAM Threshold Reached see http://domain.com/legal_information.aspx";'


 c) type: make extract

 d) type: make patch

 e)  copy the attached file (reject-spam.c) to ./work/qmail*/

 f) Now, I haven't included some of my patches here due to sensitive 
information.  Therefore, you'll need to edit the Makefile 
(work/qmail-*/Makefile) to remove any and all references to check_block 
and reject-record-spam.


 g) type: make install

 h) copy reject-spam to /var/qmail/bin

  i) Copy the attached shell script (qmail-queue-spam) to 
/var/qmail/bin/; that is going to tie this together.


Please note that it's NECESSARY to use the local software FW to allow 
relaying.  IPFW is a good choice (my preference anyways).  Deny 
everything to port 25, and  only allow the hosts you want.  I found this 
to be the easiest.

 Then on those hosts, smarthost the hidden (not really) machine.
--- Makefile.orig   Thu Dec 14 16:23:19 2006
+++ MakefileThu Dec 14 16:25:12 2006
@@ -157,6 +157,37 @@
 binm2
chmod 755 binm2
 
+check_block: \
+load check_block.o alloc.a error.a stralloc.a substdio.a control.o env.a 
open.a \
+getln.a fs.a str.a
+   ./load check_block control.o stralloc.a substdio.a alloc.a \
+   error.a env.a str.a open.a getln.a fs.a str.a -L/usr/local/lib/mysql 
-lmysqlclient
+
+check_block.o: \
+compile check_block.c stralloc.h substdio.h readwrite.h str.h
+   ./compile check_block.c -I/usr/local/include
+
+reject-record-spam: \
+load reject-record-spam.o slurpclose.o alloc.a str.a error.a stralloc.a 
getln.a \
+substdio.a control.o env.a fs.a
+   ./load reject-record-spam control.o slurpclose.o getln.a stralloc.a 
substdio.a alloc.a \
+   error.a env.a str.a fs.a open.a -L/usr/local/lib/mysql -lmysqlclient
+
+
+reject-record-spam.o: \
+compile reject-record-spam.c stralloc.h substdio.h readwrite.h getln.h str.h 
scan.h fmt.h
+   ./compile reject-record-spam.c -I/usr/local/include
+
+reject-spam: \
+load reject-spam.o alloc.a str.a error.a stralloc.a getln.a \
+substdio.a
+   ./load reject-spam getln.a stralloc.a substdio.a str.a alloc.a \
+   error.a
+
+reject-spam.o: \
+compile reject-spam.c stralloc.h substdio.h readwrite.h getln.h str.h
+   ./compile reject-spam.c
+
 binm2+df: \
 binm2+df.sh conf-qmail
cat binm2+df.sh \
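Review bot: the first four added rules (check_block, check_block.o, reject-record-spam, reject-record-spam.o) cannot build from what is posted: check_block.c, reject-record-spam.c and slurpclose.o are not included, and both load lines pull in -L/usr/local/lib/mysql -lmysqlclient, so `make` stops before it ever reaches reject-spam; this is the breakage that step f) of the procedure asks the reader to edit out by hand. Trim the patch to the reject-spam and reject-spam.o rules (the last two) so it applies as-is. Two smaller points in the same hunk: the check_block load line lists str.a twice, and the reject-record-spam load line uses open.a while its prerequisite list (`load reject-record-spam.o slurpclose.o ...`) omits it. Also, make needs a literal tab in front of every `./load` and `./compile` recipe line; they appear here indented with spaces, which may be the mail client's doing but should be checked before applying.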
@@ -808,7 +839,7 @@
 forward preline condredirect bouncesaying except maildirmake \
 maildir2mbox maildirwatch 
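Review bot: this hunk is truncated. The header `@@ -808,7 +839,7 @@` announces a one-line change to the list of programs that get installed, but only two unchanged context lines (`forward preline condredirect ...` / `maildir2mbox maildirwatch`) survive and the replaced line itself is missing, so the patch cannot be applied from this post. Whoever reproduces the setup has to add reject-spam to that install list by hand (and, per step f), leave check_block and reject-record-spam out of it); say so in the procedure or repost the complete hunk.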

Re: Transparent email proxy

2007-07-13 Thread Bart Silverstrim

Olivier Nicole wrote:

Hi,

As an ISP, or the person in charge of a large organisation, have you
ever set-up a transparent email redirection: all outgoing email would
be proceeded to an outgoing server in order to check for virus, spam,
whatever.


Incoming mail, yes.  Outgoing, no, I haven't.

But I thought only a few kinds of bots are using your users' email 
server settings...aren't most still direct sending from the user's 
system (turning zombies into the mail relay, not having the zombies 
flood the provider's mail server?)


The only way to stop the former that I know of is to have your routers 
only allow port 25 traffic outbound from your legit mail server, and 
block all others.  You might also want to set up a way to have it 
report attempts to send mail out from your clients so you can see how 
many of your users may be infected with something.


You'd then need to probably set up your UNIX system to accept email and 
scan it before forwarding it on.  It should be relatively easy using 
Postfix and Amavisd-new (Amavis can be tied to clamav and Spamassassin). 
I am trying to figure out a new incoming bastion mail server scheme 
now...but our original does something like this for incoming mail now.


-Bart
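Bart's suggestion above, that the "only the hub may speak to port 25" rule should also report which clients keep trying, is easy to act on because ipfw (Paul's preference) logs each matched packet in a fixed one-line format when a rule carries the `log` keyword. The following is an added example, not something any of the posters wrote: it parses ipfw log lines as syslog records them and separates hosts that fan out to many destination MXes (the zombie-relay behaviour Bart describes) from hosts that retry a single server (usually a laptop still pointed at its old smarthost). The log lines, addresses, interface name and rule numbers are constructed, and the fan-out threshold is a tunable assumption, not a published heuristic.

```python
"""Added example (not from the thread): report which internal hosts are hitting
the "no direct outbound port 25" rule, from ipfw log lines.  The sample log,
addresses, interface and rule numbers below are constructed."""
import re
from collections import defaultdict

# ipfw logs one line per matched packet when the rule carries the "log" keyword:
#   ipfw: <rule> <Action> <PROTO> <src>:<sport> <dst>:<dport> <in|out> via <iface>
IPFW_LINE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Constructed sample: 10.20.0.25 is the permitted hub, 10.20.3.17 fans out to
# four different MXes in two seconds (bot-like), 10.20.7.8 retries one server
# (a client still configured for an outside smarthost), and one denied port-80
# line is present to make sure non-SMTP noise is ignored.
SAMPLE_LOG = """\
Jul 13 09:30:01 gw kernel: ipfw: 1000 Accept TCP 10.20.0.25:51002 203.0.113.10:25 out via em0
Jul 13 09:30:02 gw kernel: ipfw: 2000 Deny TCP 10.20.3.17:49321 203.0.113.25:25 out via em0
Jul 13 09:30:02 gw kernel: ipfw: 2000 Deny TCP 10.20.3.17:49322 198.51.100.7:25 out via em0
Jul 13 09:30:03 gw kernel: ipfw: 2000 Deny TCP 10.20.3.17:49323 192.0.2.44:25 out via em0
Jul 13 09:30:03 gw kernel: ipfw: 2000 Deny TCP 10.20.3.17:49324 203.0.113.99:25 out via em0
Jul 13 09:30:05 gw kernel: ipfw: 2000 Deny TCP 10.20.7.8:53110 198.51.100.200:25 out via em0
Jul 13 09:30:05 gw kernel: ipfw: 2000 Deny TCP 10.20.7.8:53111 198.51.100.200:25 out via em0
Jul 13 09:30:06 gw kernel: ipfw: 3000 Deny TCP 10.20.3.17:49325 192.0.2.44:80 out via em0
"""


def denied_smtp_attempts(lines):
    """Map each internal source address to the list of destination addresses it
    was denied a TCP/25 connection to (one entry per denied packet)."""
    attempts = defaultdict(list)
    for line in lines:
        m = IPFW_LINE.search(line)
        if not m:
            continue                        # not an ipfw line
        f = m.groupdict()
        if (f["action"], f["proto"], f["dir"], f["dport"]) != ("Deny", "TCP", "out", "25"):
            continue                        # permitted traffic, inbound, or other ports
        attempts[f["src"]].append(f["dst"])
    return dict(attempts)


def classify(attempts, fanout_threshold=3):
    """Split blocked senders into two buckets.  A host denied connections to at
    least `fanout_threshold` distinct MXes looks like a zombie relaying on its
    own; one retrying a single destination looks like a misconfigured client.
    Each entry is (src, denied_packets, distinct_destinations)."""
    report = {"likely_bot": [], "misconfigured_client": []}
    for src in sorted(attempts):
        dsts = attempts[src]
        entry = (src, len(dsts), len(set(dsts)))
        bucket = "likely_bot" if entry[2] >= fanout_threshold else "misconfigured_client"
        report[bucket].append(entry)
    return report


if __name__ == "__main__":
    for bucket, hosts in classify(denied_smtp_attempts(SAMPLE_LOG.splitlines())).items():
        print(bucket)
        for src, packets, distinct in hosts:
            print(f"  {src}: {packets} denied connections to {distinct} destination(s)")
```

The Deny rule must carry the `log` keyword for any of this to appear, and ipfw stops logging a rule once net.inet.ip.fw.verbose_limit is reached, so raise that limit or reset the counters before relying on the counts. The distinct-destination count is what separates the two populations: a user whose laptop is still pointed at their ISP's smarthost hits one address over and over, while a spam bot doing its own MX delivery touches a different server for nearly every message.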