Posted to users@spamassassin.apache.org by Peter Smith <pe...@linuxbox.co.uk> on 2008/01/08 12:04:48 UTC

Bypassing MX

Here's my situation:

server1: mail gateway, runs Spamassassin
server2: multi-purpose server. hosts http, mail boxes, pop/imap, runs
sendmail and Spamassassin.
example.org: my domain. The MX record points to server1, A record points to
server2

The problem with this setup of course, is that spammers tend to send
directly to server2, bypassing server1 (the mail scanner/filter).

My original idea was to configure server2 to reject mail not arriving
directly from server1 (either via iptables or sendmail.cf). The problem is
that I have a dozen or so users who use SMTP AUTH to relay mail out through
server2. Sometimes this mail will be relayed to 3rd party domains, other
times it will be sent to fellow users on example.org.

My thoughts at the moment are to write some Spamassassin rules for server2
which will penalize mail which doesn't arrive from server2 (or localhost)
and wasn't sent by an authenticated user. Does this sound like a good way to
proceed? Perhaps I'm missing a simpler way to do things?

Thanks,
Peter Smith




Re: Bypassing MX

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Tue, 8 Jan 2008, Peter Smith wrote:

> Here's my situation:
>
> server1: mail gateway, runs Spamassassin
> server2: multi-purpose server. hosts http, mail boxes, pop/imap, runs
> sendmail and Spamassassin.
> example.org: my domain. The MX record points to server1, A record points to
> server2
>
> The problem with this setup of course, is that spammers tend to send
> directly to server2, bypassing server1 (the mail scanner/filter).
>
> My original idea was to configure server2 to reject mail not arriving
> directly from server1 (either via iptables or sendmail.cf). The problem is
> that I have a dozen or so users who use SMTP AUTH to relay mail out through
> server2. Sometimes this mail will be relayed to 3rd party domains, other
> times it will be sent to fellow users on example.org.

Here's what I've done in a very similar situation;

mx1 & mx2: mail gateways, run RBLs, custom rules & Spamassassin
  (SMTP-REJECT on high scoring spam).
mailserver: multi-purpose server. hosts http, mail boxes, pop/imap, runs
  sendmail & ClamAV

mx1 & mx2 do all incoming processing & filtering, then forward to
mailserver on a non-standard port.

mailserver: listens on ports 25, 465, 587 for customer submissions,
-requires- SMTP-AUTH. Also listens on non-standard port for messages
processed by MXs, does not require SMTP-AUTH but will -only- accept
messages from MXs.

Important note; MXs have valid recipient lists, SMTP reject bogus
addresses.


-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: Bypassing MX

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 08.01.08 11:04, Peter Smith wrote:
> server1: mail gateway, runs Spamassassin
> server2: multi-purpose server. hosts http, mail boxes, pop/imap, runs
> sendmail and Spamassassin.
> example.org: my domain. The MX record points to server1, A record points to
> server2
> 
> The problem with this setup of course, is that spammers tend to send
> directly to server2, bypassing server1 (the mail scanner/filter).

yes, old trick. Probably good for spammer detection...

> My original idea was to configure server2 to reject mail not arriving
> directly from server1 (either via iptables or sendmail.cf). The problem is
> that I have a dozen or so users who use SMTP AUTH to relay mail out through
> server2. Sometimes this mail will be relayed to 3rd party domains, other
> times it will be sent to fellow users on example.org.

Could you run an SMTP server on port 587, requiring SMTP AUTH? (Or on 465,
the same with forced SSL.) And then refuse everything coming to port 25.

> My thoughts at the moment are to write some Spamassassin rules for server2
> which will penalize mail which doesn't arrive from server2 (or localhost)
> and wasn't sent by an authenticated user. Does this sound like a good way to
> proceed? Perhaps I'm missing a simpler way to do things?

I don't think SA should handle this. It can of course use information about
such hosts for blacklisting...
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Remember half the people you know are below average. 

Re: Bypassing MX

Posted by Marc Perkel <ma...@perkel.com>.

Peter Smith wrote:
> Here's my situation:
>
> server1: mail gateway, runs Spamassassin
> server2: multi-purpose server. hosts http, mail boxes, pop/imap, runs
> sendmail and Spamassassin.
> example.org: my domain. The MX record points to server1, A record points to
> server2
>
> The problem with this setup of course, is that spammers tend to send
> directly to server2, bypassing server1 (the mail scanner/filter).
>
> My original idea was to configure server2 to reject mail not arriving
> directly from server1 (either via iptables or sendmail.cf). The problem is
> that I have a dozen or so users who use SMTP AUTH to relay mail out through
> server2. Sometimes this mail will be relayed to 3rd party domains, other
> times it will be sent to fellow users on example.org.
>
> My thoughts at the moment are to write some Spamassassin rules for server2
> which will penalize mail which doesn't arrive from server2 (or localhost)
> and wasn't sent by an authenticated user. Does this sound like a good way to
> proceed? Perhaps I'm missing a simpler way to do things?
>
> Thanks,
> Peter Smith

I run into that a lot myself, Peter, and the problem is that you can't
have the A record accept email for your domain. What you can do is add
another IP to server 2 for email that is not the same IP as the A record
for the domain, and close port 25 on the domain's A record.


Re: Bypassing MX

Posted by mouss <mo...@netoyen.net>.
Peter Smith wrote:
> Here's my situation:
>
> server1: mail gateway, runs Spamassassin
> server2: multi-purpose server. hosts http, mail boxes, pop/imap, runs
> sendmail and Spamassassin.
> example.org: my domain. The MX record points to server1, A record points to
> server2
>
> The problem with this setup of course, is that spammers tend to send
> directly to server2, bypassing server1 (the mail scanner/filter).
>
> My original idea was to configure server2 to reject mail not arriving
> directly from server1 (either via iptables or sendmail.cf). The problem is
> that I have a dozen or so users who use SMTP AUTH to relay mail out through
> server2. Sometimes this mail will be relayed to 3rd party domains, other
> times it will be sent to fellow users on example.org.
>
> My thoughts at the moment are to write some Spamassassin rules for server2
> which will penalize mail which doesn't arrive from server2 (or localhost)
> and wasn't sent by an authenticated user. Does this sound like a good way to
> proceed? Perhaps I'm missing a simpler way to do things?

This is really the job of the MTA: on server2, only accept mail from 
authenticated senders or from specific IPs.
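Putting Dave's listener layout and mouss's "authenticated senders or specific IPs" rule into sendmail terms, here is an added sendmail.mc fragment for server2; it is an example written for this page, not configuration posted by anyone in the thread. The addresses (192.0.2.10 for server2, 198.51.100.5 for server1), the port 2525, the listener names and the certificate paths are assumptions.

```m4
dnl Added example for server2's sendmail.mc; not from the thread.
dnl Assumed addresses: server2 = 192.0.2.10, server1 (the MX) = 198.51.100.5.

dnl Drop the stock MSA listener so every daemon below is explicit.
FEATURE(`no_default_msa')dnl

dnl Customer submission on 25, 587 and 465. Modifiers: 'a' = AUTH required
dnl on every connection, 'E' = refuse ETRN, 's' = TLS-wrapped socket (SMTPS).
dnl With 'a' on port 25, a spammer connecting to the A record gets
dnl "530 Authentication required" at MAIL FROM instead of a mailbox.
DAEMON_OPTIONS(`Port=25, Addr=192.0.2.10, Name=MTA, M=a')dnl
DAEMON_OPTIONS(`Port=587, Addr=192.0.2.10, Name=MSA, M=Ea')dnl
DAEMON_OPTIONS(`Port=465, Addr=192.0.2.10, Name=TLSMTA, M=sa')dnl

dnl Filtered mail from the MX arrives on a non-standard port with no AUTH.
dnl sendmail cannot tie a listener to source addresses, so the packet
dnl filter must allow tcp/2525 from 198.51.100.5 only and drop the rest.
DAEMON_OPTIONS(`Port=2525, Addr=192.0.2.10, Name=MXIN')dnl

dnl Authenticated users may relay; 'p' refuses PLAIN/LOGIN unless the
dnl session is already encrypted, 'A' adds AUTH= only after a real login.
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
define(`confAUTH_MECHANISMS', `PLAIN LOGIN')dnl
define(`confAUTH_OPTIONS', `A p')dnl

dnl STARTTLS material so port 587 clients can encrypt before AUTH
dnl (paths are assumptions).
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/ca.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/server2.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/server2.key')dnl
```

Rebuild sendmail.cf from the .mc in the usual way, then confirm from a host other than server1 that port 25 answers MAIL FROM with a 530 and that port 2525 does not complete a TCP handshake at all.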