1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

Qmail configuration with external antispam appliance

Discussion in 'Plesk for Linux - 8.x and Older' started by bgrampa, Oct 9, 2006.

  1. bgrampa

    bgrampa Guest

    0
     
    Hello,
    i'm testing an external antispam appliance. I'll use this only for some domains (but not all) hosted on a Plesk 8 server. I've modified the MX record and everything is working but... i still receive spam directly delivered on the ip of the mailserver.
    Is there a way to configure qmail to receive mail for a domain from a single ip only?
    Or do you have a better idea on how i can solve this problem?

    Thanks,
    Bruno
     
  2. wmchurch

    wmchurch Guest

    0
     
    I'm having a similar issue. I need to keep port 25 open on the Plesk box for other domains so I can't close it as I would like.

    I think the new tactic is spammers sending directly to the A record of your domain. for example:

    Normal use would be look up the mx record for example.com, then look up the a record for say, mail.example.com then send an e-mail to to mail.example.com

    This probably takes too long and might tip off IDS/IPS so they've shortened it down to not doing an mx lookup at all and just going for the A record of the root (example.com). They might even try mail.example.com as well.

    Ideally, what I'd like to do is only allow authorized users (poplock) access to SMTP and my mail gateway. I can't for the life of me figure out how to do this with Qmail. Every time I start to dig in it's so frustrating. Postfix is light years ahead, and has a great community, I don't see the attraction to Qmail by SWSOFT.

    If anyone has any tips, or if I'm off base. Short of recompiling Qmail (which isn't an option since it will most likely break Plesk at one point) I don't know how to accomplish this.
     
  3. knocx

    knocx Guest

    0
     
    SMTP works same for both inbound and outbound SMTP , hence i believe you can not discriminate a remote server delivering message inbound to your SMTP or a an authentic user sending an out bound message,


    Most spam appliances suggests to block port 25 and only grant access to the antispam gateway to make sure that mx lookup is being used

    which is not fitting into hosting bussiness.

    If someone has the knowledge for how to discriminate inbound and outbound SMTP connections on any MTA it will be great to hear about it
     
  4. wmchurch

    wmchurch Guest

    0
     
    It is possible with other MTAs, I did it for Postfix before Plesk. In fact, just this week I setup a postfix listener for users only on the Plesk server. It uses the psa database in mysql to read the entries in the smtp_poplock table to grant access to users.

    I cheated, for now, and set it so that it knows nothing about the domains it's hosting, it just forwards them on to the anti-spam gateway. Eventually I'll have it look up the domains table in mysql to forward local mail to qmail instead of going out to the appliance and back in.

    qmail is listening on an Internal interface/ip that only the spam appliance can get to.

    So far it's been running for a week solid and I've had no complaints with over 100 domains and several hundred active users. Oddly enough, the spam leakage I was getting is now gone.

    It would be nice to know how to do this in qmail, but I can't find anything on it.
     
  5. breun

    breun Golden Pleskian

    29
     
    Joined:
    Jun 28, 2005
    Messages:
    1,647
    Likes Received:
    0
  6. wmchurch

    wmchurch Guest

    0
     
    I think ART has a good thing going, but its a bit to heavy for what I need. If I didn't have a spam appliance, I'd go for it.

    My main issue with this is that you should be able to set ACLs in qmail, maybe I'm just not looking for the right thing.

    It honestly took me 10 minutes to setup Postfix + MySQL in front of qmail, and that including building it from SRPM.

    I may end up replacing qmail altogether if I can figure out a way to join the mail, mail_aliases, mail_redir, and mail_resp tables with the domains table in a query that will actually work. Just not in the right frame of mind right now.
     
  7. knocx

    knocx Guest

    0
     
    hello wmchurch,

    i do actually wonder what you did, since i couldn come up with a solution for 5000 domains

    as far as i see you have seperated inbound and outbound SMTP. right?

    the problem is to discriminate SMTP requests on the same server listening on port 25.

    how could you bind port 25 to postfix and qmail on the same server?

    it will be really great if you can post a tutorial about your implementation
     
  8. pdreissen

    pdreissen Guest

    0
     
    You can do that with iptables. We use apf (www.rfxnetworks.net) to generate the rules, which works perfect!

    You can do very simple configuration to let just 1 ip through on port 25!
     
  9. knocx

    knocx Guest

    0
     
    pascal you misunderstood.

    The problem is not the FireWall blocking we already have gigabit Netscreen firewall

    the problem is we have 10000 clients from different regions with 10000 different IPs using our SMTP servers for outbound delivery.

    So we can not put a restriction on port 25...

    The problem is discriminating inbound and outbound SMTP , if it is an inbound request and not coming from the antispam appliance then SMTP should reject,

    if it is an outbound SMTP and SMTP Auth is OK clients should be able to relay to remote hosts.

    i am asking a way to solve this issue
     
  10. knocx

    knocx Guest

    0
     
    hehehe sorry pascal

    i misunderstood your reply, i get your point however this is not still fixing my problem
     
  11. wmchurch

    wmchurch Guest

    0
     
    knocx:

    They are listening on the same port, but not the same IPs.

    In short, I added the line:

    Code:
    bind = 10.0.0.100
    to /etc/xinetd.d/smtp_psa, where 10.0.0.100 is my DMZ NIC/IP on that server. The IronPort anti-spam appliance has an interface on that network to send mail to/from the Internet. This is also where qmail forwards mail destined to the outside world via an entry in /var/qmail/control/smtproutes.

    I also created an additional xinetd config called smtp_psa_localhost, this simply has "bind = 127.0.0.1". This is in case something local is connecting to SMTP on localhost. It doesn't look like you can have multiple bind statements in an xinetd.d file (that I could find, I also tried adding a comma as well but not a major issue).

    Then I told Postfix to listen only on 192.168.0.1 - 192.168.0.10, where these would be my mail server public ips of the plesk server (for normal users to connect to).

    /etc/Postfix/main.cf:
    Code:
    inet_interfaces = 192.168.0.1, 192.168.0.2, 192...
    Now, the only caveat I've thought of is plesk killing my /etc/xinetd.d/smtp_psa file, but I'll just be sure to monitor that when I do updates. Other than that, it's about it. I will post a more formal tutorial when I've tested it enough to put my stamp on it. :)

    There's more to it, like compiling and configuring Postfix to use MySQL, and for pop-before-smtp auth. It's nice that Plesk puts poplock information in mysql, easier than reading from a file IMO. I could move my Postfix install off onto another server if I wanted and just let qmail have the run of the plesk server. For now though I want to leave everything on the single server, but I may bring up a dedicated Postfix server.

    I did a dirty hack to the smtp_poplock table to save time, so I want to fix that so the tutorial doesn't have that embarrassment on it. Nothing security related, just being lazy. :)

    Let me know if you have any other questions. I might work on the tutorial over the weekend if I'm bored. :)

    -Bill
     
  12. DaveNET@

    DaveNET@ Guest

    0
     
    Bill, I know this is an old thread, but this topic is quite interesting to me. I do hope that SWSoft integrates PostFix soon, but your solution might be something in the meantime.
     
  13. wmchurch

    wmchurch Guest

    0
     
    I forgot to come back and post my writeup. I didn't get to format it but it's here:

    http://illc0mmunication.org/illc0mm/centos-plesk-postfix-mysql-qmail-something-good/

    Let me know what you find, it's been working flawlessly for quite a while now.

    -Bill
     
  14. andreas.schempp

    andreas.schempp Guest

    0
     
    I did have the same problem, but found an easy sollution: tell spamassassin to flag mails sent by the antispam-appliance with a minus-rating. this way you can sort out all messages with a spam-rating above score 0.1, and only enable this setting on the domain you've enabled the antispam-appliance.

    custom rule:
    header MXSPAM ALL=~ /filter.spamguard.ch/i
    score MXSPAM -100.0
     
  15. Alexander Bechtold

    Alexander Bechtold New Pleskian

    19
    85%
    Joined:
    May 6, 2009
    Messages:
    16
    Likes Received:
    0
    So we are on the same problem, so that we have plesk 9.2.1 with qmail and want to ad an external antispam appliance and not for all domains on the server, they must go to the appliance, only some and the rest localy on port 25.

    Thanks for an answer
     
  16. Alexander Bechtold

    Alexander Bechtold New Pleskian

    19
    85%
    Joined:
    May 6, 2009
    Messages:
    16
    Likes Received:
    0
    Hello,

    we have the same problem, that we want to use an external appliance to filter spam and so we have some users and domains on the server on port 25 and other domains must be filtered outside and then come back.

    Did you have an example or can write what to do or what is the point go go for this.

    Thanks

    Alex
     
Loading...