
Qmail configuration with external antispam appliance

bgrampa

Guest
Hello,
I'm testing an external antispam appliance. I'll use this only for some domains (but not all) hosted on a Plesk 8 server. I've modified the MX record and everything is working, but I still receive spam delivered directly to the IP of the mail server.
Is there a way to configure qmail to receive mail for a domain from a single IP only?
Or do you have a better idea of how I can solve this problem?

Thanks,
Bruno
 
I'm having a similar issue. I need to keep port 25 open on the Plesk box for other domains so I can't close it as I would like.

I think the new tactic is spammers sending directly to the A record of your domain. For example:

Normal use would be to look up the MX record for example.com, then look up the A record for, say, mail.example.com, then send an e-mail to mail.example.com.

This probably takes too long and might tip off IDS/IPS, so they've shortened it down to not doing an MX lookup at all and just going for the A record of the root (example.com). They might even try mail.example.com as well.

Ideally, what I'd like to do is only allow authorized users (poplock) access to SMTP and my mail gateway. I can't for the life of me figure out how to do this with Qmail. Every time I start to dig in it's so frustrating. Postfix is light years ahead, and has a great community, I don't see the attraction to Qmail by SWSOFT.

If anyone has any tips, or if I'm off base. Short of recompiling Qmail (which isn't an option since it will most likely break Plesk at one point) I don't know how to accomplish this.
 
SMTP works the same for both inbound and outbound SMTP, hence I believe you cannot discriminate a remote server delivering a message inbound to your SMTP from an authentic user sending an outbound message.

Most spam appliances suggest blocking port 25 and only granting access to the antispam gateway, to make sure that the MX lookup is being used, which does not fit the hosting business.

If someone knows how to discriminate inbound and outbound SMTP connections on any MTA, it would be great to hear about it.
 
It is possible with other MTAs; I did it for Postfix before Plesk. In fact, just this week I set up a Postfix listener for users only on the Plesk server. It uses the psa database in MySQL to read the entries in the smtp_poplock table to grant access to users.

I cheated, for now, and set it so that it knows nothing about the domains it's hosting, it just forwards them on to the anti-spam gateway. Eventually I'll have it look up the domains table in mysql to forward local mail to qmail instead of going out to the appliance and back in.

qmail is listening on an Internal interface/ip that only the spam appliance can get to.

So far it's been running for a week solid and I've had no complaints with over 100 domains and several hundred active users. Oddly enough, the spam leakage I was getting is now gone.

It would be nice to know how to do this in qmail, but I can't find anything on it.
 
I think ART has a good thing going, but it's a bit too heavy for what I need. If I didn't have a spam appliance, I'd go for it.

My main issue with this is that you should be able to set ACLs in qmail, maybe I'm just not looking for the right thing.

It honestly took me 10 minutes to set up Postfix + MySQL in front of qmail, and that's including building it from SRPM.

I may end up replacing qmail altogether if I can figure out a way to join the mail, mail_aliases, mail_redir, and mail_resp tables with the domains table in a query that will actually work. Just not in the right frame of mind right now.
 
Hello wmchurch,

I do actually wonder what you did, since I couldn't come up with a solution for 5000 domains.

As far as I see, you have separated inbound and outbound SMTP, right?

The problem is to discriminate SMTP requests on the same server listening on port 25.

How could you bind port 25 to Postfix and qmail on the same server?

It would be really great if you could post a tutorial about your implementation.
 
You can do that with iptables. We use apf (www.rfxnetworks.net) to generate the rules, which works perfect!

You can do very simple configuration to let just 1 ip through on port 25!
 
pascal, you misunderstood.

The problem is not the firewall blocking; we already have a gigabit Netscreen firewall.

The problem is we have 10000 clients from different regions with 10000 different IPs using our SMTP servers for outbound delivery.

So we cannot put a restriction on port 25...

The problem is discriminating inbound and outbound SMTP: if it is an inbound request and not coming from the antispam appliance, then SMTP should reject;

if it is outbound SMTP and SMTP Auth is OK, clients should be able to relay to remote hosts.

I am asking for a way to solve this issue.
 
Hehehe, sorry pascal.

I misunderstood your reply. I get your point; however, this is still not fixing my problem.
 
knocx:

how could you bind port 25 to Postfix and qmail on the same server?

They are listening on the same port, but not the same IPs.

In short, I added the line:

Code:
bind = 10.0.0.100

to /etc/xinetd.d/smtp_psa, where 10.0.0.100 is my DMZ NIC/IP on that server. The IronPort anti-spam appliance has an interface on that network to send mail to/from the Internet. This is also where qmail forwards mail destined to the outside world via an entry in /var/qmail/control/smtproutes.

I also created an additional xinetd config called smtp_psa_localhost, this simply has "bind = 127.0.0.1". This is in case something local is connecting to SMTP on localhost. It doesn't look like you can have multiple bind statements in an xinetd.d file (that I could find, I also tried adding a comma as well but not a major issue).

Then I told Postfix to listen only on 192.168.0.1 - 192.168.0.10, where these would be my mail server public IPs of the Plesk server (for normal users to connect to).

/etc/postfix/main.cf:
Code:
inet_interfaces = 192.168.0.1, 192.168.0.2, 192...

Now, the only caveat I've thought of is plesk killing my /etc/xinetd.d/smtp_psa file, but I'll just be sure to monitor that when I do updates. Other than that, it's about it. I will post a more formal tutorial when I've tested it enough to put my stamp on it. :)

it will be really great if you can post a tutorial about your implementation

There's more to it, like compiling and configuring Postfix to use MySQL, and for pop-before-smtp auth. It's nice that Plesk puts poplock information in mysql, easier than reading from a file IMO. I could move my Postfix install off onto another server if I wanted and just let qmail have the run of the plesk server. For now though I want to leave everything on the single server, but I may bring up a dedicated Postfix server.

I did a dirty hack to the smtp_poplock table to save time, so I want to fix that so the tutorial doesn't have that embarrassment on it. Nothing security related, just being lazy. :)

Let me know if you have any other questions. I might work on the tutorial over the weekend if I'm bored. :)

-Bill
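
The caveat in the post above is that a Plesk update may rewrite /etc/xinetd.d/smtp_psa and drop the bind line, which would put qmail back on every address and let mail skip the appliance. A check for that, as an added example that is not part of the original post: the function names and the sample file contents are constructed for illustration, and only the `bind` attribute and the 10.0.0.100 address come from the post.

```sh
#!/bin/sh
# Added example: alert when an xinetd service file loses its bind line.

# write_sample FILE [ADDR]: constructed stand-in for an xinetd service file
# (not Plesk's real smtp_psa); a bind line is written only if ADDR is given.
write_sample() {
    {
        echo "service smtp"
        echo "{"
        echo "    socket_type = stream"
        echo "    wait        = no"
        echo "    # bind = 0.0.0.0   (commented out, must be ignored)"
        if [ -n "$2" ]; then echo "    bind        = $2"; fi
        echo "}"
    } > "$1"
}

# bound_addr FILE: print the first active bind (or synonym "interface") value.
bound_addr() {
    sed -e 's/#.*//' "$1" |
        awk -F= '$1 ~ /^[ \t]*(bind|interface)[ \t]*$/ {
                     gsub(/[ \t]/, "", $2); print $2; exit }'
}

# check_smtp_bind FILE EXPECTED_IP
#   0 bound to EXPECTED_IP       1 no bind line: listener is on every address
#   2 bound to another address   3 file missing or unreadable
check_smtp_bind() {
    [ -r "$1" ] || { echo "MISSING $1"; return 3; }
    addr=$(bound_addr "$1")
    if [ -z "$addr" ]; then
        echo "UNBOUND $1: direct-to-server delivery is possible again"; return 1
    elif [ "$addr" != "$2" ]; then
        echo "WRONG $1: bound to $addr, expected $2"; return 2
    fi
    echo "OK $1: bound to $addr"
}

# Demo on constructed files: one as configured, one as if regenerated.
tmp=$(mktemp -d)
write_sample "$tmp/smtp_psa" 10.0.0.100
write_sample "$tmp/smtp_psa_regenerated"
check_smtp_bind "$tmp/smtp_psa" 10.0.0.100
check_smtp_bind "$tmp/smtp_psa_regenerated" 10.0.0.100 || echo "-> alert the admin"
rm -rf "$tmp"
```

Run from cron or after each update, `check_smtp_bind /etc/xinetd.d/smtp_psa 10.0.0.100` gives a non-zero exit status as soon as the restriction disappears.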
 
Bill, I know this is an old thread, but this topic is quite interesting to me. I do hope that SWSoft integrates PostFix soon, but your solution might be something in the meantime.
 
I did have the same problem, but found an easy solution: tell SpamAssassin to flag mails sent by the antispam appliance with a minus rating. This way you can sort out all messages with a spam rating above score 0.1, and only enable this setting on the domain you've enabled the antispam appliance for.

custom rule:
# Negative score for mail whose headers name the appliance host
header MXSPAM ALL =~ /filter\.spamguard\.ch/i
score MXSPAM -100.0
 
So we are on the same problem, so that we have Plesk 9.2.1 with qmail and want to add an external antispam appliance, and not for all domains on the server; only some must go to the appliance, and the rest locally on port 25.

Thanks for an answer
 
Hello,

We have the same problem: we want to use an external appliance to filter spam, so we have some users and domains on the server on port 25, and other domains must be filtered outside and then come back.

Do you have an example, or can you write what to do or what the way to go for this is?

Thanks

Alex
 