
Date:  Fri, 11 Aug 2006 15:24:46 -0600
From:  "Jeff" <jeff (at mark) skislave.com>
Subject:  [coba-e:06332] Re: Mail Relaying
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <00ba01c6bd8c$96258430$3201a8c0@wjs>
In-Reply-To:  <200608112230.41474.bq (at mark) solarspeed.net>
X-Mail-Count: 06332

You hit the nail on the head with the FW issue, that's what I'm trying to
avoid.  I was also thinking maybe hacking pop-before-relay to do iptables
rules on the BQ server for port 25, but don't know what the issues would be.

I had a similar thought with the milters, but I've never developed my own
milters before.  I'll have to look into it.  

It's strange, I would think this would be a very common issue, and there
would be a well-known solution.  In the last few weeks I've seen a rise in
directed (non-MX lookup) email spamming, so I really need a solution.

Thanks!
Jeff

-----Original Message-----
From: Michael Stauber [mailto:bq (at mark) solarspeed.net] 
Sent: Friday, August 11, 2006 2:31 PM
To: coba-e (at mark) bluequartz.org
Subject: [coba-e:06330] Re: Mail Relaying

Hi Jeff,

> Ok, I have a question that is not really BQ specific, but perhaps the
> users on this list have the same issue.  I have a pair of dedicated MX
> relays that do my spam/virus checking, as well as a few other things.
> They forward the email to my BQ box using the mailertable.  I wrote a
> script that keeps the mailertable up to date, based on information created
> on the BQ server. This all works fine.  However, it's rather easy to bypass
> the MX servers and deliver email directly to the BQ server.  Is there a
> way to configure BQ to only allow email FROM the MX servers, and at the
> same time still allow email to be sent from the users, using the BQ as the
> outbound mail server?

I don't know of a way to make it work by just hacking sendmail.cf / 
sendmail.mc. I don't say it can't be done, but I wouldn't know how to. 
Firewalling port 25 off and only allowing traffic from the MX mailservers is of
course not an option, as long as you provide SMTP services from the same box
as well.

However, one could write a Milter (or adapt one) for that purpose. MimeDefang
for instance. With MimeDefang it should be easy to extend the existing Milter
rules with one that looks like this:

On inbound emails the milter then checks if the sender authenticated using
SMTP-AUTH. If he did: continue normally.

If the sender did not use SMTP-AUTH, the mail is for a local recipient and the
mail did not relay through one of your MX, then bounce it.

-- 

With best regards,

Michael Stauber