* Rules For MailServer
@ 2008-08-03 18:31 Tarak Ranjan
2008-08-04 4:05 ` Rob Sterenborg
0 siblings, 1 reply; 4+ messages in thread
From: Tarak Ranjan @ 2008-08-03 18:31 UTC (permalink / raw)
To: netfilter
Hi List,
I'm running a mailserver on qmail; it has
eth0(192.168.1.100) & eth1(x.x.x.x). The issue is that
lots of unwanted SMTP connections have been established
on it, and because of this the socket times out
frequently.
Any kind of limit on connections, or any kind of
solution for securing SMTP, would be appreciated.
/\
Tarak
* RE: Rules For MailServer
2008-08-03 18:31 Rules For MailServer Tarak Ranjan
@ 2008-08-04 4:05 ` Rob Sterenborg
2008-08-04 5:58 ` Tarak Ranjan
0 siblings, 1 reply; 4+ messages in thread
From: Rob Sterenborg @ 2008-08-04 4:05 UTC (permalink / raw)
To: netfilter
> Hi List,
> I'm running a mailserver on qmail; it has
> eth0(192.168.1.100) & eth1(x.x.x.x). The issue is that
> lots of unwanted SMTP connections have been established
> on it, and because of this the socket times out
> frequently.
>
> Any kind of limit on connections, or any kind of
> solution for securing SMTP, would be appreciated.
I don't think netfilter rules will really help you here because you'll never know *from where* a connection will be made: you won't be able to block it before it's already there and you don't want to limit legitimate email. Are you already using DNSBLs like ZEN from Spamhaus or something like that?
Grts.
Rob
* RE: Rules For MailServer
2008-08-04 4:05 ` Rob Sterenborg
@ 2008-08-04 5:58 ` Tarak Ranjan
2008-08-04 7:28 ` Rob Sterenborg
0 siblings, 1 reply; 4+ messages in thread
From: Tarak Ranjan @ 2008-08-04 5:58 UTC (permalink / raw)
To: Rob Sterenborg, netfilter
--- Rob Sterenborg <rob@sterenborg.info> wrote:
> > Hi List,
> > I'm running a mailserver on qmail; it has
> > eth0(192.168.1.100) & eth1(x.x.x.x). The issue is that
> > lots of unwanted SMTP connections have been established
> > on it, and because of this the socket times out
> > frequently.
> >
> > Any kind of limit on connections, or any kind of
> > solution for securing SMTP, would be appreciated.
>
> I don't think netfilter rules will really help you
> here because you'll never know *from where* a
> connection will be made: you won't be able to block
> it before it's already there and you don't want to
> limit legitimate email. Are you already using
> DNSBLs like ZEN from Spamhaus or something like
> that?
>
>
> Grts.
> Rob
Hi Rob,
Yes, using RBLSMTPD I have configured zen, spamcop & another 2
RBL sites. Even so, lots of unwanted connections are still
being established...
/\
Tarak
* RE: Rules For MailServer
2008-08-04 5:58 ` Tarak Ranjan
@ 2008-08-04 7:28 ` Rob Sterenborg
0 siblings, 0 replies; 4+ messages in thread
From: Rob Sterenborg @ 2008-08-04 7:28 UTC (permalink / raw)
To: netfilter
> Yes, using RBLSMTPD I have configured zen, spamcop & another 2
> RBL sites. Even so, lots of unwanted connections are still
> being established...
Yes, well, you can rate-limit smtp connections, but since you probably can't
know where legitimate email comes from, you'll also be limiting legitimate
connections. However, maybe Qmail can rate-limit smtp connections too in a
nicer way (I don't know Qmail, but I know that Postfix has a "stress" config
these days).
You can try using the limit match:
# accept new SMTP connections on eth1 at up to 1/second (with the
# iptables default burst of 5), and reject new connections beyond that rate
$ipt -A INPUT -i eth1 -m state --state NEW -p tcp --dport 25 \
    -m limit --limit 1/second -j ACCEPT
$ipt -A INPUT -i eth1 -m state --state NEW -p tcp --dport 25 \
    -j REJECT
Or using the connlimit match:
# reject a new SMTP connection when its source address would then have
# more than 2 connections open at once (connlimit counts per source by default)
$ipt -A INPUT -i eth1 -m state --state NEW -p tcp --dport 25 \
    -m connlimit --connlimit-above 2 -j REJECT
They do different things, but one of them may be useful for you.
See "man iptables".
Grts,
Rob
--
Disclaimer:
Any errors in spelling, tact or fact are transmission errors.
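The difference Rob points at ("they do different things", and limit "will also be limiting legitimate connections") is easy to see with a small model. The following Python is an added illustration, not code from the thread and not netfilter itself: it runs one constructed trace of SMTP connection attempts through a token-bucket model of `-m limit --limit 1/second` (using the iptables default burst of 5) and through a per-source open-connection count modelling `-m connlimit --connlimit-above 2` (using the default per-host mask). Rejected attempts are assumed not to leave a conntrack entry behind, which is a simplification.

```python
"""Added illustration (not code from the thread): a small model of how the
two netfilter matches Rob suggests treat the same stream of new SMTP
connections.

  - `-m limit --limit 1/second` is modelled as a token bucket shared by ALL
    sources, with iptables' default burst of 5 tokens (--limit-burst).
  - `-m connlimit --connlimit-above 2` is modelled as a per-source count of
    connections still open; a new connection is rejected when its source
    would then have more than 2 open.

The trace is constructed: one host (203.0.113.7) hammering port 25 while two
legitimate senders each open a single connection.
"""
from collections import defaultdict

LIMIT_RATE_PER_SEC = 1.0   # --limit 1/second
LIMIT_BURST = 5            # iptables default --limit-burst
CONNLIMIT_ABOVE = 2        # --connlimit-above 2
FLOODER = "203.0.113.7"    # constructed abusive source

# Constructed events: (seconds since start, source address, "new" or "close").
SAMPLE_TRACE = [
    (0.0, FLOODER, "new"),
    (0.1, FLOODER, "new"),
    (0.2, FLOODER, "new"),
    (0.3, FLOODER, "new"),
    (0.4, FLOODER, "new"),
    (0.5, FLOODER, "new"),
    (0.6, "198.51.100.20", "new"),  # legitimate sender arriving mid-flood
    (0.7, FLOODER, "new"),
    (1.0, FLOODER, "close"),
    (1.5, "192.0.2.40", "new"),     # another legitimate sender
    (7.0, "198.51.100.20", "new"),  # well after the bucket has refilled
]


def simulate_limit(trace, rate=LIMIT_RATE_PER_SEC, burst=LIMIT_BURST):
    """Verdict per NEW connection under `-m limit`: one bucket for everyone."""
    tokens = float(burst)   # the bucket starts full
    last_t = 0.0
    verdicts = []
    for t, src, kind in trace:
        if kind != "new":   # only NEW packets hit the rule
            continue
        tokens = min(float(burst), tokens + (t - last_t) * rate)
        last_t = t
        if tokens >= 1.0:
            tokens -= 1.0
            verdicts.append((t, src, "ACCEPT"))
        else:
            verdicts.append((t, src, "REJECT"))
    return verdicts


def simulate_connlimit(trace, above=CONNLIMIT_ABOVE):
    """Verdict per NEW connection under `-m connlimit`: counted per source."""
    open_conns = defaultdict(int)
    verdicts = []
    for t, src, kind in trace:
        if kind == "close":
            open_conns[src] = max(0, open_conns[src] - 1)
            continue
        if open_conns[src] + 1 > above:
            verdicts.append((t, src, "REJECT"))   # would exceed the per-source cap
        else:
            open_conns[src] += 1
            verdicts.append((t, src, "ACCEPT"))
    return verdicts


def legitimate_rejected(verdicts, flooder=FLOODER):
    """Sources other than the flooder that got REJECT (collateral damage)."""
    return sorted({src for _, src, v in verdicts if v == "REJECT" and src != flooder})


if __name__ == "__main__":
    for name, fn in (("limit", simulate_limit), ("connlimit", simulate_connlimit)):
        verdicts = fn(SAMPLE_TRACE)
        print(f"--- {name} ---")
        for t, src, v in verdicts:
            print(f"{t:4.1f}s  {src:15}  {v}")
        print("legitimate senders rejected:", legitimate_rejected(verdicts) or "none")
```

Run as a script it prints both verdict tables. With the `limit` rule the flooder empties the shared bucket in half a second and the legitimate sender at 0.6s is rejected along with it, which is exactly the collateral damage Rob warns about; with `connlimit` the cap is per source, so only the flooder's third and later concurrent connections are refused and both legitimate senders get through. That is why connlimit is usually the closer fit for "too many connections from the same hosts", while limit is a blunt brake on the whole port.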