Re: Firewall suggestion?
From: to email, remove the (eagle28at_at_swbelldot.net)
Date: Mon, 22 Sep 2003 09:43:29 GMT
In article <khvgmvspjfl8dgntgokciv406964jh64a7@
4ax.com>, email@example.com says...
> I have a customer that is using Exchange 5.5 behind a simple firewall.
> Twice this month people outside the network have crashed the Exchange
> server by trying to use it as a Spam relay. I have relay turned off,
> but the non-delivery reports are queueing up and eat all the space
> until the server drops. I cannot turn off the non-delivery reports.
> What I am looking for is a mail filtering firewall that will look at
> any mail coming in, and just dump anything that is not destined for a
> mail address at the customers domain name. Any suggestions?
> It is a small network - 14 users.
> Mike Gallo
Astaro Linux Firewall does recipient verification, as
well as sender verification.
This is from the built-in help in the SMTP relay
section of a working Astaro Linux Firewall
:: General ::
The SMTP mail relay can be used to shield your internal
mail server from attacks. It can act as a "relay" for
both incoming and outgoing messages. In addition, mails
can be scanned for harmful content. You can also employ
antispam measures to block unsolicited email messages.
For proper operation of the relay, the DNS proxy should
be switched on to speed up and cache DNS queries.
After enabling the SMTP relay, the first thing you
should do is to set the mailer hostname and your
postmaster email address.
If you want to use TLS encryption, the mailer hostname
MUST be the same than the one you use in the DNS MX
records for your domains. The postmaster address does
not need to be inside one of the accepted domains (see
Incoming Mail below), but can be any reachable email
The Maximum message size setting applies to both
incoming and outgoing mails. If your backend server has
a limitation on message sizes, you should set the same
or a lower limitation here. 20 or 40 Megabytes are
reasonable maximum settings.
:: Incoming Mail ::
Mails TO your organization are called "incoming" mails.
To accept mail for a domain, you must enter the name of
the domain (for example, "mydomain.com") in the Domain
Name field and select the target host to which mails
for this domain should be forwarded to in the SMTP Host
select box. Then click Add. The target hosts must be
defined in Definitions->Networks. A typical target host
would be the Microsoft Exchange Server on your local
network. All sub-domains are included in the routing
for each domain, meaning that a route for "domain.com"
will also route "subdomain.domain.com" and
"more.subdomains.domain.com". However, routes matching
the exact domain are matched first, so you can pick off
specific sub-domains with extra routes.
You can also select to route mails to your domains by
their MX record. However, when doing so you must make
sure that the firewall itself is NOT the primary MX for
the domain, since it will not deliver mail to itself.
WHEN THE RECIPIENT VERIFICATION FUNCTION IS ACTIVATED,
THE PROXY WILL CHECK EACH RECIPIENT ADDRESS IT RECEIVES
WITH YOUR BACKEND MAIL SERVER(s) BEFORE IT ACCEPTS MAIL
FOR THAT ADDRESS. This is a good way to lower the
traffic volume on spam, since mails are not accepted on
the proxy for invalid recipient addresses. In order for
this function to work, your backend mailserver(s) must
reject mails for unknown recipients at the SMTP stage.
The general rule is: if your backend server rejects it,
the firewall will reject it too.
:: Outgoing Email ::
If your local mail server or mail clients should be
able to use the firewall as an outgoing mail relay, you
must add the networks or hosts who should be able to
send mail via the relay to the list here.
If you want to use an upstream smarthost to send mail,
you can activate the function and enter the hostname or
IP address of the smarthost. In that case, the proxy
will never deliver mail himself, but rather send
anything to the smarthost that is not for domains
listed in Incoming Mail. If the smarthost requires SMTP
authentication, you can enter a username and password
in the respective fields. Both PLAIN and LOGIN auth
types are supported.
:: Encryption/Authentication ::
When activating the TLS SMTP transaction encrytion, all
incoming and outgoing SMTP connection will use strong
encryption automatically if the remote host supports
this feature too. TLS is only used for encryption, not
for authentication purposes. Normal SMTP is unencrypted
and can easily be eavesdropped on by third parties, so
it is recommended to turn on this function.
NOTE: some mail servers ("Lotus Domino" for example),
have seriously broken TLS implementations. They may
announce TLS support even when they really can't speak
TLS due to an incomplete configuration. Sending mails
to such servers will always fail when TLS is switched
When encryption is activated, you can also switch on
the SMTP authentication function. Mail clients like
Microsoft Outlook, Outlook Express or Netscape
Messenger can then use the SMTP relay from any IP
address by authenticating with it. This is extremely
useful for roadwarrior or dynamic IP endpoints who can
not be entered in the "Outgoing Mail" configuration.
In the client configuration, you should enable SMTP
authentication and SSL/TLS. Do NOT activate Microsofts
SPA (Secure Password Authentication).
:: Global Whitelist ::
The global whitelist settings allow you to add
"trusted" hosts (or networks) and sender domains. Hosts
and domains in these lists will not be able to relay on
the firewall, but they are not subject to the following
Realtime Blackhole lists
MIME error checking
The global whitelist can be used for the following
Lower the content scanning load on the firewall, if you
trust hosts that trade large volumes of mail with your
Exempt "problem" hosts from content scanning.
You should use the "Trusted domains" option with
caution, since sender addresses can be easily faked. If
possible, always use the "Trusted Hosts" option.
:: Antispam and Content Control ::
These options allow you to screen email content on the
firewall and reject or quarantine messages according to
Many options have an Action parameter, that determines
how a message matching a filter should be treated. The
following Action options are available:
Reject: The message will be rejected with a 5xx error,
stating the cause for the rejection. This will cause
the sending host to generate a bounce message to the
sender of the message.
Blackhole: The message will be accepted and immediately
destroyed. It is not recommended to use this action
unless you really know what you are doing.
Quarantine: The message is accepted but quarantined. It
will show up in the Proxy content manager as a SMTP_ERR
type entry. You can then review and optionally resend
Pass: The message is treated but will be passed on in
any case. However, the headers added to the message
(see section on headers below) will make it possible to
"treat" messages on the backend mail server or on the
endusers Mail User Agents (MUA).
Headers added to messages
Many options will add headers to messages, informing
the end user of specific characteristics of the
message. If you should select to use the "pass" action
on a facility, end users can use custom filters in
their email software (MUAs) to sort or filter messages
according to these headers. Here is a list of all
headers that the SMTP proxy can add to messages:
X-Spam-Score: This header will be added by the Spam
detection facility. It contains a numeric value and a
"bar" representing this value with a number of '+' or
'-' characters. The higher the spam score value, the
higher is the possibilty of that message being spam. If
you select "pass" as the action for the Spam detection
facility, you can use this header to filter out spam on
end user machines.
X-Spam-Flag: If this header is set, and its value is
'Yes', the proxy has flagged the message as being spam.
X-Spam-Report: If the proxy has flagged a message as
spam, it will add this multiline header which contains
a full human-readable antispam report.
X-Infected: This header is added when a message
contains a virus. Its value is the name of the virus
X-Contains-File: This header is added when the File
Extension Filter is active and a message contains a
listed filetype. In contains the blacklisted file
X-Regex-Match: This header is added when the Expression
Filter is active and a message contains a listed
regular expression. It contains the blacklisted regular
X-RBL-Warning: This header is added if you have set the
action on the RBL facility to "Warn" and a message
comes from a blacklisted host.
Filtering facilities in detail
The MIME Error checking function can detect errors in
messages that are MIME encoded. This can help to detect
exploits that use error tolerance differences in MIME
decoding software. You can select from three
"tolerance" levels. It is recommended to use Level 1
(most severe errors only), since many end user mail
agents have buggy MIME encoder implementations that
will trigger the higher levels.
WHEN YOU ACTIVATE THE SENDER ADDRESS VERIFICATION, THE
"From:" ADDRESSES OF INCOMING EMAILS WILL BE CHECKED
FOR CONSISTENCY. Without the additional Callout
function, it will only be checked if the envelope
sender address (also known as "return path") has a
valid MX or A record in DNS. With the Callout function
activated, the proxy connect to the return-path host
and issue a RCPT command to see if the sender address
is really deliverable. If that is not the case, the
proxy will not accept mail coming from that address.
With the Sender Blacklist, you can block specific
sender addresses. Both envelope sender addresses and
the "From:" or "Reply-To:" headers are compared against
the list. You can use "*" as a wildcard in this list.
Here are some possible patterns:
firstname.lastname@example.org (complete email addresses)
*@*domain.com (block complete domains)
user@* (block specific usernames for all domains)
Mails sent from blacklisted address patterns will be
rejected with a 5xx error and a comment saying "Your
address (envelope or header) is blacklisted at this
The Spam Detection function uses a heuristic approach
to determine if a message is spam. You can set the
"sensivity" of this feature by defining two
"threshold" values for "spam levels". Each of the two
thresholds will trigger an action if the spam level
value is exceeded. It is recommended to use the
"quarantine" or "pass" actions for lower spam levels.
Typical spam messages start at around levels of "03".
At a level of 08 or more, you can be relatively sure
that a message is spam. Be careful not to set the
levels too low, since you may block legitimate email.
Also note that "Threshold One" has precedence over
"Threshold Two". If you reject or blackhole a message
in the first threshold, it will not reach the second
one, however this is possible with "quarantine" or
"pass". If you select the "pass" action parameter, you
can filter on end user systems using the added headers
(see above). A *SPAM* string will also be added to the
subject of messages recognized as spam. Thig tag can
also be used for filtering on end-user machines. If you
need to make exceptions to spam scanning, you can use
the whitelist function to add addresses or user/domain
patterns. This list uses the same format than the
Sender Blacklist. Messages which envelope or header
senders match this list will not be spam-scanned.
Important: Messages sent from hosts listed in "Allowed
Networks" and the Global Whitelist will never be spam-
To prevent spammers from exploiting weaknesses in your
backend server, you can activate the Block RCPT hacks
options. The proxy will then not accept addresses
containing '!', '%' or extra '@' characters.
When using the Virus Protection, incoming and outgoing
emails are screened for unwanted content like viruses,
trojan horses or suspicious file types. It is
recommended to use the "quarantine" action with this
facility. You can also use the "blackhole" action if
you do not want to regularly review caught viruses.
The Realtime Blackhole List feature can be used to
check external databases for "known" spammer hosts.
There are several free services of that kind offered on
the internet. There is also a very reliable, commercial
service available at http://www.mail-abuse.org. When
using the "warn" action, only a header will be added to
messages (see above).
The File extension filter facility can reject mails
which contain certain types of files based on their
extensions (e.g. executables). You can enter the
extensions to be blocked (like "com" or "exe"), without
the dot separator.
The Expression filter can be used to filter mails based
on the presence of text strings in the body of the
mail. You can enter simple strings like "mortgage" or
complete Perl-compatible regular expressions (hint:
here is a short tutorial).
< end quote from Astaro built-in help>
-- http://www.zionministry.com Oscar Ayala Eagle28 at swbell dot net (Replace at with @ and dot with . and remove spaces)