LinuxQuestions.org
Old 07-25-2011, 01:13 PM   #1
cnelson
LQ Newbie
 
Registered: Aug 2010
Posts: 14

Rep: Reputation: 0
Please Stop me from setting up an open relay spam server


Because our visitors/customers are short term, and may be configured incorrectly with their own mail servers, we automagically redirect all port 25 traffic going to internal IPs to our own mail servers while on our network (postfix on centos 5.6).

While I have taken some measures to prevent it from spamming, I would greatly appreciate some assistance.

I will be putting in clamav, but I haven't configured it yet with the mail.

I am using postfix, but can also put on procmail or even spam assassin.

So please, help me lock these servers down so as to prevent spam! Your inbox as well as your kids' inbox depends on this mission!
 
Old 07-25-2011, 03:12 PM   #2
TB0ne
Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 14,137

Rep: Reputation: 2457
Quote:
Originally Posted by cnelson
Because our visitors/customers are short term, and may be configured incorrectly with their own mail servers, we automagically redirect all port 25 traffic going to internal IPs to our own mail servers while on our network (postfix on centos 5.6).

While I have taken some measures to prevent it from spamming, I would greatly appreciate some assistance. I will be putting in clamav, but I haven't configured it yet with the mail.

I am using postfix, but can also put on procmail or even spam assassin.
So please, help me lock these servers down so as to prevent spam! Your inbox as well as your kids' inbox depends on this mission!

First, a very quick Google search turns up lots on how to configure and secure postfix, did you try to look this up?
http://www.postfix.org/SMTPD_ACCESS_README.html
http://www.postfix.org/BASIC_CONFIGURATION_README.html
http://www.howtoforge.com/virtual_postfix_antispam

And you don't provide details about your environment. You say "visitors/customers are short term"...what do you mean? If you want to keep a handle on what's going on, then you need to be monitoring the logs on your users' email usage. Spam assassin, clamav, etc., are for INCOMING messages that are going IN to your server. As long as your users have a valid ID/password, and you've set up your server to shovel mail along for them, they can send ANYTHING. It's up to YOU to monitor what they're doing, and shut them down if they're doing something suspicious.

Mailgraph can help you:
http://www.howtoforge.com/mail_stati...raph_pflogsumm
 
Old 07-25-2011, 05:12 PM   #3
cnelson
LQ Newbie
 
Registered: Aug 2010
Posts: 14

Original Poster
Rep: Reputation: 0
Thanks for the reply. I would like to state that beyond the very basics, email is my weak point. (always used things like barracuda solutions for this)

Think of users as people visiting a hotel for a few days, never to be inconvenienced w/ changing any settings on their laptops/handheld devices. So there are no usernames or passwords and no way to interface with users.

The server is basically an open relay from anyone inside the network of 10'000 to 100,000 of thousands of users. I am trying to lock them down so they can't be used to spam.

I am wanting to do spam checking and scanning emails going out. Also putting in rate limiters on how many emails they can send out at once, and in a given time frame.

If anyone can help me configure a relay server to not be as spam friendly yet still function as an open relay for the guests, I would greatly appreciate that. (and so would everyone's inbox . . )

Settings like default_destination_recipient_limit, which look good, but I think only splits up the email. If there was really a way to block email because it has too large a list sending to.

Or smtpd_client_connection_rate_limit, which unfortunately I think is bypassed by adding addresses to my_network, which is needed for relaying say 192 and 10.

thanks!
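
Added example (editorial, not from any poster in this thread): a Postfix main.cf fragment covering the per-client rate limits and the per-message recipient cap raised in the post above. The network ranges and every numeric limit are assumed values to tune; the parameters themselves are standard Postfix settings, and the empty exceptions line is what makes the limits apply to clients inside mynetworks.

```conf
# /etc/postfix/main.cf fragment (added example; ranges and numbers are assumptions)

# Relay only for the guest networks. Anything from outside is refused
# unless this server is the destination for the recipient domain.
mynetworks = 127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# anvil(8) keeps per-client-IP counters over this interval (default 60s).
anvil_rate_time_unit = 60s

# Per-client limits. The three *_rate_limit settings default to 0,
# which means no limit at all.
smtpd_client_connection_count_limit = 5
smtpd_client_connection_rate_limit = 10
smtpd_client_message_rate_limit = 20
smtpd_client_recipient_rate_limit = 60

# Clients listed here are exempt from all of the limits above. The
# default resolves to $mynetworks, so relay clients are never limited
# unless the exemption is removed. An empty value removes it.
smtpd_client_event_limit_exceptions =

# Cap on recipients accepted per message (default 1000). Recipients past
# the cap are refused at RCPT TO. default_destination_recipient_limit
# does not do this: it only controls how deliveries are split.
smtpd_recipient_limit = 25

# Excess recipients tolerated before each further one is counted as a
# session error (default 1000).
smtpd_recipient_overshoot_limit = 5
```

The counters are keyed on the client IP address as Postfix sees it, so they only separate one guest from another if the port 25 redirect preserves the original source address. Check the result with `postconf -n` and watch the mail log for anvil rate-limit warnings while tuning the numbers.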
 
Old 07-26-2011, 05:21 AM   #4
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
You are in a really tough situation. First off, by redirecting through your SMTP server YOU have accepted responsibility for the user's actions. I think you are beginning to realize the difficulties that this imposes. Personally, I wouldn't operate an open relay for clients or customers, it is just too much liability.

As the mail enters your Postfix server, you should be able to pass it through a spam check, using a tool such as Amavis. As has been pointed out, normally this works on the inbound side, but my experience is that it does scan on the outbound too, as I have tried to send virus tests and applications and it won't go out. I am certain that the answer involves configuring master.cf to receive the messages and pass them through the filter before relaying them onward, but I couldn't say off the top of my head how to implement it.

As far as rate limiting, perhaps using the stateful filtering in iptables with rate limiting may work. It would limit the number of connections from a particular client IP. You would need to find a set of limits that works for you and it still wouldn't be foolproof.
 
1 members found this post helpful.
Old 07-26-2011, 09:41 AM   #5
TB0ne
Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 14,137

Rep: Reputation: 2457
Got to agree with Noway2 here. Locking down a mail server from being an EXTERNAL open relay is easy. From INTERNALLY, when they're allowed access..not so much. But I'd look at the problem differently...if you've only got people staying a few days, the chances of them being spammers (and of them running their spam-relay from their laptop), is pretty slim.

So, either accept responsibility for what they do...or let them use their own mail servers, and don't redirect them. That way, you're not on the hook for what someone else does.
 
Old 07-26-2011, 11:09 AM   #6
cnelson
LQ Newbie
 
Registered: Aug 2010
Posts: 14

Original Poster
Rep: Reputation: 0
Calling them my users is a bit strong.

What we do is look for anything on port 25 that is going to an internal address, and redirect it to these servers. These clients would not work otherwise so there is nothing to pass through.

These servers have always existed as open relay servers using Win 2000 and proprietary software. This isn't something new, just rebuilding and trying to make better, and safer. I have fought to get rid of those relay servers and have customers call their ISP since I started working here. That is not an option. Hotels and their customers demand we keep this solution.

So does anyone have some configuration help? I had hoped some grey-beards would chime in with some config examples and/or discussion to help prevent a relay server which has a very valid reason for being a relay server from becoming a spam server.
 
Old 07-26-2011, 03:31 PM   #7
TB0ne
Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 14,137

Rep: Reputation: 2457
Quote:
Originally Posted by cnelson
Calling them my users is a bit strong.
What we do is look for anything on port 25 that is going to an internal address, and redirect it to these servers. These clients would not work otherwise so there is nothing to pass through.

These servers have always existed as open relay servers using Win 2000 and proprietary software. This isn't something new, just rebuilding and trying to make better, and safer. I have fought to get rid of those relay servers and have customers call their ISP since I started working here. That is not an option. Hotels and their customers demand we keep this solution.

So does anyone have some configuration help? I had hoped some grey-beards would chime in with some config examples and/or discussion to help prevent a relay server which has a very valid reason for being a relay server from becoming a spam server.

Well, I gave you links to configuration docs with examples/help...Noway2 gave suggestions for state filtering via IP tables to limit connections. What more do you need?

Again, securing a mail server from being an OPEN, EXTERNAL relay is trivial. Preventing your users (whether you call them that or not is immaterial) from sending mass emails is MUCH more difficult. Even if you set up access lists of IP addresses for your internal network(s)..anyone ON those networks is then allowed to relay mail. If all these users are on the same domain, and you just want to shovel around mail internally within your organization (which is what it sounds like), then only allow mail from a specific domain to be sent/relayed. Anything else would be discarded.
 
  


Tags
email, postfix, spam

