Linux Netfilter discussions
* SMTP Routing Based On Recipient
@ 2003-12-22 19:28 Adam Ellis
  2003-12-22 19:39 ` Antony Stone
                   ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: Adam Ellis @ 2003-12-22 19:28 UTC (permalink / raw)
  To: netfilter

I am running a MS Exchange 5.5 server and am getting hit with the NDR
(non-delivery report) Reverse Spam Attack as described here:
 
http://www.tek-tips.com/gviewthread.cfm/lev2/3/lev3/15/pid/10/qid/725829

As the thread describes, there is no way to just turn off NDRs in
Exchange 5.5 - Microsoft is recommending third party utilities.  What I
am wondering is this - would it be possible to redirect SMTP to my Linux
server, use iptables to check that the recipient matches a valid user
from a list I'd supply, and, if so, route the message to the Exchange
server?  And, if no valid recipient is found, the message is simply
dropped.  Is this even a logical way to handle this situation?  Should I
be looking at something like snort instead?  I'm all ears!

Thanks,
-- 
Adam Ellis <aellis@saberlogic.com>
SaberLogic


* Re: SMTP Routing Based On Recipient
  2003-12-22 19:28 SMTP Routing Based On Recipient Adam Ellis
@ 2003-12-22 19:39 ` Antony Stone
  2003-12-23 11:37 ` Chris Brenton
  2003-12-23 21:57 ` gustav gundacker
  2 siblings, 0 replies; 9+ messages in thread
From: Antony Stone @ 2003-12-22 19:39 UTC (permalink / raw)
  To: netfilter

On Monday 22 December 2003 7:28 pm, Adam Ellis wrote:

> I am running a MS Exchange 5.5 server and am getting hit with the NDR
> (non-delivery report) Reverse Spam Attack as described here:
>
> http://www.tek-tips.com/gviewthread.cfm/lev2/3/lev3/15/pid/10/qid/725829
>
> As the thread describes, there is no way to just turn off NDRs in
> Exchange 5.5 - Microsoft is recommending third party utilities.  What I
> am wondering is this - would it be possible to redirect SMTP to my Linux
> server,

Yes

> use iptables to check that the recipient matches a valid user
> from a list I'd supply,

No

> and, if so, route the message to the Exchange
> server?  And, if no valid recipient is found, the message is simply
> dropped.  Is this even a logical way to handle this situation?  Should I
> be looking at something like snort instead?  I'm all ears!

You need something which can understand SMTP - eg sendmail, exim, qmail.

Netfilter operates at OSI layers 3 & 4 - you need something operating at layer 
7 to deal with this requirement.

Antony.

-- 
What makes you think I know what I'm talking about?
I just have more O'Reilly books than most people.

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: SMTP Routing Based On Recipient
  2003-12-22 19:28 SMTP Routing Based On Recipient Adam Ellis
  2003-12-22 19:39 ` Antony Stone
@ 2003-12-23 11:37 ` Chris Brenton
  2003-12-23 13:00   ` Adam Ellis
  2003-12-23 21:57 ` gustav gundacker
  2 siblings, 1 reply; 9+ messages in thread
From: Chris Brenton @ 2003-12-23 11:37 UTC (permalink / raw)
  To: aellis; +Cc: netfilter

On Mon, 2003-12-22 at 14:28, Adam Ellis wrote:
>
> What I
> am wondering is this - would it be possible to redirect SMTP to my Linux
> server, use iptables to check that the recipient matches a valid user
> from a list I'd supply, and, if so, route the message to the Exchange
> server? 

As others have mentioned, this is not an optimal choice. You *might* be
able to hack things together using strings and tarpit, but it would be a
kluge at best.

A couple of other options:
I use a combination of Sendmail, ClamAV, MimeDefang and Spamassassin to
clean up all inbound e-mail before passing it off to my mail server. You
can find a great tutorial on setting this up here:
http://www.rudolphtire.com/mimedefang-howto/

If you would rather get something that gives you a support contract, you
might want to check out the CanIT Appliance:
http://www.canit.ca/products.php

It's pretty much the same setup I mention above with a few extra bells
and whistles to make it easier to use. Of course you also have to pay
for it, but it does come with support.

HTH,
C


 





* Re: SMTP Routing Based On Recipient
  2003-12-23 11:37 ` Chris Brenton
@ 2003-12-23 13:00   ` Adam Ellis
  2003-12-23 13:14     ` Antony Stone
  0 siblings, 1 reply; 9+ messages in thread
From: Adam Ellis @ 2003-12-23 13:00 UTC (permalink / raw)
  To: Chris Brenton; +Cc: netfilter

On Tue, 2003-12-23 at 06:37, Chris Brenton wrote:
> On Mon, 2003-12-22 at 14:28, Adam Ellis wrote:
> >
> > What I
> > am wondering is this - would it be possible to redirect SMTP to my Linux
> > server, use iptables to check that the recipient matches a valid user
> > from a list I'd supply, and, if so, route the message to the Exchange
> > server? 
> 
> As others have mentioned, this is not an optimal choice. You *might* be
> able to hack things together using strings and tarpit, but it would be a
> kluge at best.
> 
> A couple of other options:
> I use a combination of Sendmail, ClamAV, MimeDefang and Spamassassin to
> clean up all inbound e-mail before passing it off to my mail server. You
> can find a great tutorial on setting this up here:
> http://www.rudolphtire.com/mimedefang-howto/

Chris and everyone else in this thread,

Thanks for the information.  I think you all have me going in the right
direction now!

Regards,
AE


* Re: SMTP Routing Based On Recipient
  2003-12-23 13:00   ` Adam Ellis
@ 2003-12-23 13:14     ` Antony Stone
  2003-12-23 15:36       ` Michael Gale
  2003-12-23 19:20       ` Mark E. Donaldson
  0 siblings, 2 replies; 9+ messages in thread
From: Antony Stone @ 2003-12-23 13:14 UTC (permalink / raw)
  To: netfilter

On Tuesday 23 December 2003 1:00 pm, Adam Ellis wrote:

> On Tue, 2003-12-23 at 06:37, Chris Brenton wrote:
> >
> > A couple of other options:
> > I use a combination of Sendmail, ClamAV, MimeDefang and Spamassassin to
> > clean up all inbound e-mail before passing it off to my mail server. You
> > can find a great tutorial on setting this up here:
> > http://www.rudolphtire.com/mimedefang-howto/
>
> Chris and everyone else in this thread,
>
> Thanks for the information.  I think you all have me going in the right
> direction now!

I recommend http://www.mailscanner.info for a similar setup - it uses sendmail 
or exim, and provides a wonderfully configurable wrapper around any of 15 
different antivirus engines (including the free ClamAV), and SpamAssassin.

Antony.

-- 
RTFM may be the appropriate reply, but please specify exactly which FM to R.

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: SMTP Routing Based On Recipient
  2003-12-23 13:14     ` Antony Stone
@ 2003-12-23 15:36       ` Michael Gale
  2003-12-23 15:52         ` Antony Stone
  2003-12-23 19:20       ` Mark E. Donaldson
  1 sibling, 1 reply; 9+ messages in thread
From: Michael Gale @ 2003-12-23 15:36 UTC (permalink / raw)
  To: netfilter

Hello,

	Do not use sendmail ... look into Postfix. It is MUCH easier to configure and more secure. It was designed with security and ease of use. You can set up a simple host to accept mail for your domain and then forward it to your Exchange server.

It is also easier to use any of the spam tools with Postfix as compared to using them with sendmail.

I am using Postfix and it verifies all the recipients via an LDAP connection to our Exchange 2000 server. So we only accept mail for people who have mailboxes.

I have Razor, DCC and DSPAM for spam filtering.

Michael.



On Tue, 23 Dec 2003 13:14:06 +0000
Antony Stone <Antony@Soft-Solutions.co.uk> wrote:

> On Tuesday 23 December 2003 1:00 pm, Adam Ellis wrote:
> 
> > On Tue, 2003-12-23 at 06:37, Chris Brenton wrote:
> > >
> > > A couple of other options:
> > > I use a combination of Sendmail, ClamAV, MimeDefang and Spamassassin to
> > > clean up all inbound e-mail before passing it off to my mail server. You
> > > can find a great tutorial on setting this up here:
> > > http://www.rudolphtire.com/mimedefang-howto/
> >
> > Chris and everyone else in this thread,
> >
> > Thanks for the information.  I think you all have me going in the right
> > direction now!
> 
> I recommend http://www.mailscanner.info for a similar setup - it uses sendmail 
> or exim, and provides a wonderfully configurable wrapper around any of 15 
> different antivirus engines (including the free ClamAV), and SpamAssassin.
> 
> Antony.
> 
> -- 
> RTFM may be the appropriate reply, but please specify exactly which FM to R.
> 
>                                                      Please reply to the list;
>                                                            please don't CC me.
> 
> 


-- 
Michael Gale
Network Administrator
Utilitran Corporation
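
The two points made in this thread (Antony Stone's, that a filter working at layers 3 & 4 cannot check recipients, and Michael Gale's, that an SMTP-aware gateway can accept mail only for existing mailboxes) are illustrated below as an added example; it is not code from any poster, from netfilter or from Postfix. The addresses, the recipient list and the session bytes are constructed, and the gate is a simplified parser over the client side of one SMTP session.

```python
import re

# Constructed list (assumption); a real gateway syncs it with the mail server.
VALID_RECIPIENTS = {"aellis@example.com", "postmaster@example.com"}
RCPT_RE = re.compile(rb"^RCPT\s+TO:\s*<?([^<>\s]+)>?", re.IGNORECASE)


def naive_packet_match(segments, needle=b"RCPT TO:<nobody@example.com>"):
    """Packet-level check: look for one fixed string in each segment alone."""
    return any(needle in seg for seg in segments)


class SmtpRecipientGate:
    """SMTP-aware check: reassemble the stream and answer each RCPT command."""
    def __init__(self, valid):
        self.valid = {v.lower() for v in valid}
        self.buf, self.in_data = b"", False  # in_data: message content phase

    def feed(self, segment):
        """Consume one TCP segment; return (address, reply) per RCPT seen."""
        self.buf += segment
        replies = []
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            if self.in_data:
                self.in_data = line != b"."  # a lone dot ends the content
                continue
            if line.strip().upper() == b"DATA":
                self.in_data = True
                continue
            m = RCPT_RE.match(line)
            if m:
                addr = m.group(1).decode("ascii", "replace").lower()
                ok = addr in self.valid
                # Unknown users are refused before any message is accepted.
                replies.append((addr, "250 2.1.5 Ok" if ok else "550 5.1.1 User unknown"))
        return replies


def run_session(segments, valid=VALID_RECIPIENTS):
    gate = SmtpRecipientGate(valid)
    return [r for seg in segments for r in gate.feed(seg)]


# Constructed session: 2nd RCPT split across segments; body mimics a command.
SESSION = [
    b"MAIL FROM:<a@example.net>\r\nRCPT TO:<AEllis@example.com>\r\nrcpt to: <nob",
    b"ody@example.com>\r\nDATA\r\nRCPT TO:<fake@example.com>\r\n.\r\nQUIT\r\n",
]
```

The per-segment string match sees nothing in `SESSION`, while the gate refuses the unknown recipient with a 550 during the SMTP dialogue and ignores the command-like line inside the message body.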



* Re: SMTP Routing Based On Recipient
  2003-12-23 15:36       ` Michael Gale
@ 2003-12-23 15:52         ` Antony Stone
  0 siblings, 0 replies; 9+ messages in thread
From: Antony Stone @ 2003-12-23 15:52 UTC (permalink / raw)
  To: netfilter

On Tuesday 23 December 2003 3:36 pm, Michael Gale wrote:

> Hello,
>
> 	Do not use sendmail ... look into Postfix. It is MUCH easier to configure
> and more secure. It was designed with security and ease of use. You can
> set up a simple host to accept mail for your domain and then forward it to
> your Exchange server.

I know this is getting a bit off-topic for this list, however I specifically 
left postfix out of the message I posted previously because it uses a highly 
strange mail queue-file naming mechanism which is tied to the on-disk inode 
numbers, and does not guarantee to generate unique queue IDs for different 
emails, even on the same machine at the same time if they are on different 
partitions.   This can cause problems with external programs such as 
MailScanner which move mail queue files from a processing queue to a delivery 
queue as part of their scanning job.

In my opinion sendmail's poor security reputation is now largely historical, 
and if you don't want to use that you should consider exim, which is 
generally regarded as higher performance anyway.

> It is also easier to use any of the spam tools with Postfix as compared to
> using them with sendmail.

This becomes irrelevant when you use something like MailScanner to handle all 
the anti-virus/anti-spam processing, and leave the MTA to do what it's good 
at - delivering email.

Regards,

Antony.

-- 
Christmas is just an opportunity to upgrade to kernel 2.6 while no-one's 
around to notice the downtime.

                                                     Please reply to the list;
                                                           please don't CC me.




* RE: SMTP Routing Based On Recipient
  2003-12-23 13:14     ` Antony Stone
  2003-12-23 15:36       ` Michael Gale
@ 2003-12-23 19:20       ` Mark E. Donaldson
  1 sibling, 0 replies; 9+ messages in thread
From: Mark E. Donaldson @ 2003-12-23 19:20 UTC (permalink / raw)
  To: 'Antony Stone', netfilter

One more vote for MailScanner.  To put it simply, it is an "amazing" piece
of software.  It's easy to install, it requires very little maintenance, it
is highly effective, and the price fits my budget perfectly ($0.00).  I
find it to be the perfect complement to iptables.

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Antony Stone
Sent: Tuesday, December 23, 2003 5:14 AM
To: netfilter@lists.netfilter.org
Subject: Re: SMTP Routing Based On Recipient

On Tuesday 23 December 2003 1:00 pm, Adam Ellis wrote:

> On Tue, 2003-12-23 at 06:37, Chris Brenton wrote:
> >
> > A couple of other options:
> > I use a combination of Sendmail, ClamAV, MimeDefang and Spamassassin 
> > to clean up all inbound e-mail before passing it off to my mail 
> > server. You can find a great tutorial on setting this up here:
> > http://www.rudolphtire.com/mimedefang-howto/
>
> Chris and everyone else in this thread,
>
> Thanks for the information.  I think you all have me going in the 
> right direction now!

I recommend http://www.mailscanner.info for a similar setup - it uses
sendmail or exim, and provides a wonderfully configurable wrapper around any
of 15 different antivirus engines (including the free ClamAV), and
SpamAssassin.

Antony.

--
RTFM may be the appropriate reply, but please specify exactly which FM to R.

                                                     Please reply to the list;
                                                           please don't CC me.






* Re: SMTP Routing Based On Recipient
  2003-12-22 19:28 SMTP Routing Based On Recipient Adam Ellis
  2003-12-22 19:39 ` Antony Stone
  2003-12-23 11:37 ` Chris Brenton
@ 2003-12-23 21:57 ` gustav gundacker
  2 siblings, 0 replies; 9+ messages in thread
From: gustav gundacker @ 2003-12-23 21:57 UTC (permalink / raw)
  To: aellis; +Cc: netfilter

A solution is smtpd/smtpfwdd from Juniper; see
http://www.obtuse.com/smtpd.html

gunnar

> I am running a MS Exchange 5.5 server and am getting hit with the NDR
> (non-delivery report) Reverse Spam Attack as described here:
>  
> http://www.tek-tips.com/gviewthread.cfm/lev2/3/lev3/15/pid/10/qid/725829
> 
> As the thread describes, there is no way to just turn off NDRs in
> Exchange 5.5 - Microsoft is recommending third party utilities.  What I
> am wondering is this - would it be possible to redirect SMTP to my Linux
> server, use iptables to check that the recipient matches a valid user
> from a list I'd supply, and, if so, route the message to the Exchange
> server?  And, if no valid recipient is found, the message is simply
> dropped.  Is this even a logical way to handle this situation?  Should I
> be looking at something like snort instead?  I'm all ears!
> 
> Thanks,
> -- 
> Adam Ellis <aellis@saberlogic.com>
> SaberLogic
> 
