Slide 1 – Mailgw for FJFI
Petr Vokáč, April 2006
http://kmlinux.fjfi.cvut.cz/~vokac/activities/2006/mailgw/
Previous presentations and configuration info:
● http://kmlinux.fjfi.cvut.cz/~vokac/activities/2005/mailgw_cont/
● http://kmlinux.fjfi.cvut.cz/~vokac/activities/2005/mailgw/
● http://kmlinux.fjfi.cvut.cz/~vokac/activities/2005/mailgw_conf/
Slide 2 – Content
● Data flow
● Postfix
● PPolicy
● Amavis
● DKIM, OpenLDAP, ...
● Links
Slide 3 – Mailgw for FJFI – data flow
[Diagram: Internet <-> FJFI mailgw (mailgw1, mailgw2) <-> local mailserver. The gateways do the mail routing for incoming mail and act as smart host for outgoing mail; PDA clients are shown as well.]
Slide 4 – Mailgw for FJFI – Postfix
[Diagram of the Postfix processing chain: incoming mail on smtp:25, smtps:465 and smtp:587 -> default restrictions -> ppolicy -> queue; a separate path for local clients (mynetworks, SMTP AUTH); content filtering through amavis-new (antivir, antispam), dkimproxy (DKIM signing) and name canonization on the loopback ports :10024, :10025, :10026, :10027, :10028, :10029 and :10030; queue -> SMTP communication with the remote server.]
Slide 5 – Default restrictions I
[user@kmlinux ~]$ telnet mailgw1.fjfi.cvut.cz 25
Trying 147.32.9.3...
Connected to mailgw1.fjfi.cvut.cz (147.32.9.3).
Escape character is '^]'.
220 mailgw1.fjfi.cvut.cz ESMTP CTU FNSPE 1st MX NO UCE NO SPAM
EHLO kmlinux.fjfi.cvut.cz
250-mailgw1.fjfi.cvut.cz
250-PIPELINING
250-SIZE 20480000
250-VRFY
250-ETRN
250-STARTTLS
250 8BITMIME
MAIL FROM:
250 Ok
RCPT TO:
250 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From:
To:
Subject: SMTP test
This is SMTP conversation.
.
250 Ok: queued as 4ED6843DAB

Restriction lists applied at the corresponding step of the session:
● smtpd_client_restrictions – at connect
● smtpd_helo_restrictions – at HELO/EHLO
● smtpd_sender_restrictions – at MAIL FROM
● smtpd_recipient_restrictions – at RCPT TO
● smtpd_data_restrictions – at DATA
● smtpd_end_of_data_restrictions – at the terminating "."
Slide 6 – Default restrictions II
● smtpd_client_restrictions
  – none – all rules stop a lot of legitimate mail
    ● reject_unknown_client is too restrictive (A->PTR->A)
    ● reject_rbl_client – blacklists
  – reject_unknown_reverse_client_hostname (A->PTR)
● smtpd_helo_restrictions
  – none for FJFI domain
  – reject invalid hello (554)
    ● fjfi.cvut.cz, 147.32.9.3, 147.32.5.45, localhost
  – reject_invalid_hostname (501)
    ● invalid HELO/EHLO syntax (illegal characters, ...)
  – other restrictions could stop legitimate mail (1/3 smtpd)
    ● reject_non_fqdn_hostname
    ● reject_unknown_hostname
Slide 7 – Default restrictions III
● smtpd_sender_restrictions
  – none for FJFI domain and SASL authenticated
  – reject_unknown_sender_domain (450)
    ● user@noreply.example.com!?
  – reject_non_fqdn_sender (504)
    ● apply this rule also for FJFI domain?
      – mailgw appends its name (mailgwX.fjfi.cvut.cz) – illegal FROM address
  – check_sender_mx_access (554)
    ● reject mail with incorrect MX records (private net, ...)
  – check_sender_access (554)
    ● reject mail /(admin|info|support|...)@.*fjfi.cvut.cz/ – dangerous – not used
  – reject_unverified_sender (use for selected domains?)
    ● used only for @fjfi sender from an IP outside the CTU FNSPE range
Slide 8 – Default restrictions IV
● smtpd_recipient_restrictions
  – none for FJFI domain and SASL authenticated
    ● allow spam@fjfi.cvut.cz, nospam@fjfi.cvut.cz only from FJFI
  – reject_unauth_destination (554)
    ● “open-relay” rule (allow only forwarded and local mail)
  – reject_unknown_recipient_domain (450)
    ● recipient domain must exist
  – reject_unverified_recipient (550)
    ● only if the recipient is in the FJFI domain
    ● requires correct configuration of the local mail servers
  – check_recipient_mx_access (554)
    ● reject mail with incorrect MX – otherwise it stays in the queue
  – check_policy_service
    ● ppolicy daemon – see next slides
● smtpd_data_restrictions – pipelining, multi-recipient bounce
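The restriction lists on the last three slides only work as intended because of the order in which Postfix walks them: restrictions run one after another, the first one that answers PERMIT or REJECT decides, and a restriction that returns DUNNO falls through to the next one. Putting the permits for own networks and SASL users before reject_unauth_destination is what makes the gateway accept relay from local clients while refusing it to everyone else. The following Python model is an added example, not Postfix code and not the FJFI main.cf; the network ranges (MYNETWORKS), relay domains (RELAY_DOMAINS), the DNS answers (FAKE_DNS) and the reply texts are constructed assumptions, and the function names only mimic the Postfix restriction names they model.

```python
"""Ordered evaluation of Postfix-style smtpd_*_restrictions (added example).

Not Postfix code and not the FJFI mailgw configuration: a small model of how
Postfix walks a restriction list. Restrictions run in order; the first one
that answers PERMIT or REJECT decides, DUNNO (None) falls through, and an
exhausted list permits. The network ranges, relay domains and DNS answers
below are constructed assumptions so the script runs offline.
"""
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Tuple

Session = Dict[str, str]
Decision = Optional[Tuple[str, int, str]]   # None = DUNNO, else (action, SMTP code, text)
Restriction = Callable[[Session], Decision]

# Constructed DNS view: does the domain have A/MX records?
FAKE_DNS = {"fjfi.cvut.cz": True, "kmlinux.fjfi.cvut.cz": True, "example.org": True,
            "noreply.example.com": False}
# Names only our own gateways may use in HELO (the list from the slide).
OWN_HELO_NAMES = {"fjfi.cvut.cz", "147.32.9.3", "147.32.5.45", "localhost"}
# Assumed $mynetworks and $relay_domains; the real ranges are not on the slides.
MYNETWORKS = [ipaddress.ip_network("147.32.9.0/24"), ipaddress.ip_network("127.0.0.0/8")]
RELAY_DOMAINS = {"fjfi.cvut.cz"}
HELO_SYNTAX = re.compile(r"^\[?[A-Za-z0-9.:-]+\]?$")


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def permit_mynetworks(s: Session) -> Decision:
    ip = ipaddress.ip_address(s["client_address"])
    return ("PERMIT", 250, "client in mynetworks") if any(ip in n for n in MYNETWORKS) else None


def permit_sasl_authenticated(s: Session) -> Decision:
    return ("PERMIT", 250, "SASL authenticated") if s.get("sasl_username") else None


def check_helo_access(s: Session) -> Decision:
    # "reject invalid hello (554)": an outside client greeting with one of our own names
    if s["helo_name"].strip("[]").lower() in OWN_HELO_NAMES:
        return ("REJECT", 554, "HELO name belongs to this gateway")
    return None


def reject_invalid_hostname(s: Session) -> Decision:
    if not HELO_SYNTAX.match(s["helo_name"]):
        return ("REJECT", 501, "invalid HELO/EHLO syntax")
    return None


def reject_non_fqdn_sender(s: Session) -> Decision:
    # the null sender (<>) is exempt, as in Postfix
    if s["sender"] and "." not in domain_of(s["sender"]):
        return ("REJECT", 504, "sender address not fully qualified")
    return None


def reject_unknown_sender_domain(s: Session) -> Decision:
    if s["sender"] and not FAKE_DNS.get(domain_of(s["sender"]), False):
        return ("REJECT", 450, "sender domain has no A or MX record")
    return None


def reject_unauth_destination(s: Session) -> Decision:
    # the anti-open-relay rule: only accept mail for domains we relay for
    if domain_of(s["recipient"]) not in RELAY_DOMAINS:
        return ("REJECT", 554, "relay access denied")
    return None


def reject_unknown_recipient_domain(s: Session) -> Decision:
    if not FAKE_DNS.get(domain_of(s["recipient"]), False):
        return ("REJECT", 450, "recipient domain has no A or MX record")
    return None


# Order matters: the permits for our own clients come first, so the reject
# rules after them only ever apply to outside connections.
STAGES: Dict[str, List[Restriction]] = {
    "helo": [permit_mynetworks, permit_sasl_authenticated,
             check_helo_access, reject_invalid_hostname],
    "sender": [permit_mynetworks, permit_sasl_authenticated,
               reject_non_fqdn_sender, reject_unknown_sender_domain],
    "recipient": [permit_mynetworks, permit_sasl_authenticated,
                  reject_unauth_destination, reject_unknown_recipient_domain],
}


def evaluate(restrictions: List[Restriction], s: Session) -> Tuple[str, int, str]:
    """First PERMIT or REJECT wins; DUNNO falls through; an exhausted list permits."""
    for restriction in restrictions:
        decision = restriction(s)
        if decision is not None:
            return decision
    return ("PERMIT", 250, "end of restriction list")


def smtp_verdict(s: Session) -> Optional[Tuple[str, int, str]]:
    """Walk the stages in SMTP order; return (stage, code, text) of the first
    rejection, or None when the session would be accepted."""
    for stage in ("helo", "sender", "recipient"):
        action, code, text = evaluate(STAGES[stage], s)
        if action == "REJECT":
            return (stage, code, text)
    return None


if __name__ == "__main__":
    outside_relay = {"client_address": "198.51.100.7", "helo_name": "mail.example.org",
                     "sender": "alice@example.org", "recipient": "bob@example.org"}
    print(smtp_verdict(outside_relay))   # ('recipient', 554, 'relay access denied')
```

Swapping the order inside a stage list is the quickest way to see why the slides keep the "none for FJFI domain and SASL authenticated" exemptions at the top: move permit_mynetworks behind reject_unauth_destination and the gateway's own clients lose the ability to send outbound mail, while the reject codes (450 vs. 554) decide whether a remote server retries or bounces.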
Slide 9 – ppolicy daemon I
● Postfix SMTP Access Policy Delegation
  – http://www.postfix.org/SMTPD_POLICY_README.html
  – checking mail during the SMTP connection
    ✔ rejecting mail at an early stage of reception – uses fewer resources (bandwidth, CPU for antivir/antispam, ...)
    ✔ we don't send any bounce mail (backscatter)
    ✔ it is up to the sender's mail server to generate the correct delivery failure message (using the information from our reject code)
    ✗ less information – client IP/name, sender, recipient, HELO name, SASL info, ...
    ✗ short time to check (otherwise the SMTP connection can time out)
    ✗ problems in case of a fatal error – temporarily rejecting mail (mailing lists, incorrectly configured servers) – depends on correct configuration of the ppolicy daemon
    ✗ rejecting mail with code 450 => it will come again, and again, ...
  – any ideas what to check/reject? Statistical analysis.
Slide 10 – ppolicy daemon II
● ppolicy daemon
  – http://kmlinux.fjfi.cvut.cz/~vokac/activities/ppolicy/
    ● RPM package, /etc/postfix/{main.cf,ppolicy.conf}
  – modular multi-threaded daemon
    ● python + python-twisted (+ dnspython + MySQL + GeoIP + ...)
    ● flexible configuration (python code, combining the results of modules)
  – Modules
    ● simple interface – easy to write your own modules
    ● implemented
      – List, ListBW, ListMailDomain, ListDyn
      – Dnsbl, DnsblDynamic, DnsblScore, Resolve, SPF
      – Greylist, Verification
      – Country, DOS, Trap
      – DumpDataDB, DumpDataFile
  – User configurations (similar to Amavis)?
  – Discuss ppolicy.conf for FNSPE, modules, ...

CERN.CH rules
● Forbidden attachments
● No reverse DNS configured for IP
● Reverse SMTP Connect
● Flood stopper
● IP blacklist
● Hostname blacklist
● Sender blacklist
● Recipient blacklist

FNAL.GOV rules
● Don't accept @fnal.gov from outside
Slide 11 – ppolicy daemon III
● Configuration (~70% rejected)
  – accept/reject mail from blacklist/whitelist
    ● client_address, client_name, sender mail/domain
    ● https://nms.fjfi.cvut.cz/user/mail.php
    ● https://nms.fjfi.cvut.cz/user/?page=admin&subpage=mail
  – score request
    ● use DNSBL and spamassassin score
    ● incorrect mailserver configuration (DNS PTR, HELO, ...)
    ● average amavis score, auto-whitelist for sender, *.biz, ...
  – requests with high score
    ● apply “reject rules”, slow down mail processing?!
    ● e.g. mailserver verification, greylist, DNS, HELO, ...
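The three ppolicy slides describe two things a policy server has to do: speak the Postfix policy delegation protocol (attribute lines terminated by an empty line, answered by an action line) and turn the attributes it gets (client address and name, HELO name, sender, recipient, SASL info) into accept/reject/score decisions within the short time the SMTP session allows. The following stand-alone server is an added example and is not the ppolicy daemon or its configuration; the whitelist and blacklist entries, the score weights and thresholds, the DNSBL answers (FAKE_DNSBL) and the listening port are constructed assumptions.

```python
"""Minimal Postfix SMTPD access-policy server (added example; not the ppolicy daemon).

Speaks the protocol from SMTPD_POLICY_README: Postfix sends "name=value" lines
terminated by an empty line, the server answers "action=...\n\n". The decision
scheme mirrors the slides: whitelist/blacklist on client address, client name and
sender domain first, then a score built from DNSBL hits and visible
misconfiguration (no reverse DNS, non-FQDN HELO). High scores are rejected,
medium scores get DEFER_IF_PERMIT (a 450, so a real server simply retries). The
lists, thresholds and DNSBL answers are constructed assumptions so it runs offline.
"""
import socketserver
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed policy data (assumptions, not the FJFI lists).
WHITELIST_CLIENTS = {"147.32.9.3", "147.32.5.45"}
BLACKLIST_SENDER_DOMAINS = {"spam.example"}
BLACKLIST_CLIENT_NAME_SUFFIXES = (".dyn.example.net",)
# Constructed DNSBL view: client IP -> names of the lists that answer positively.
FAKE_DNSBL: Dict[str, Set[str]] = {
    "203.0.113.9": {"zen.example"},
    "203.0.113.10": {"zen.example", "bl.example"},
}
DNSBL_WEIGHT, REJECT_SCORE, DEFER_SCORE = 3, 8, 4

DnsblLookup = Callable[[str], Optional[Set[str]]]


def parse_policy_request(raw: bytes) -> Dict[str, str]:
    """Parse one request up to its empty terminator line into an attribute dict."""
    attrs: Dict[str, str] = {}
    for line in raw.decode("utf-8", "replace").splitlines():
        if not line:            # the empty line ends the request
            break
        if "=" not in line:
            raise ValueError(f"malformed policy line: {line!r}")
        name, value = line.split("=", 1)
        attrs[name] = value
    return attrs


def score_request(attrs: Dict[str, str], dnsbl: DnsblLookup) -> Tuple[int, List[str]]:
    """Add up cheap evidence about the client; the reasons go into the log/reply."""
    score, reasons = 0, []
    hits = dnsbl(attrs.get("client_address", "")) or set()
    if hits:
        score += DNSBL_WEIGHT * len(hits)
        reasons.append("listed in " + ",".join(sorted(hits)))
    # Postfix sends "unknown" when the client IP has no (matching) PTR record
    if attrs.get("reverse_client_name", "unknown") == "unknown":
        score += 2
        reasons.append("no reverse DNS")
    if "." not in attrs.get("helo_name", "").strip("[]"):
        score += 2
        reasons.append("non-FQDN HELO")
    return score, reasons


def decide(attrs: Dict[str, str], dnsbl: DnsblLookup = FAKE_DNSBL.get) -> str:
    """Return the action line for one request (without the terminating empty line)."""
    if attrs.get("request") != "smtpd_access_policy":
        return "action=DUNNO"
    if attrs.get("client_address") in WHITELIST_CLIENTS or attrs.get("sasl_username"):
        return "action=DUNNO"            # let the remaining Postfix restrictions decide
    if attrs.get("sender", "").rpartition("@")[2].lower() in BLACKLIST_SENDER_DOMAINS:
        return "action=REJECT sender domain is blacklisted"      # Postfix answers 554
    if attrs.get("client_name", "").lower().endswith(BLACKLIST_CLIENT_NAME_SUFFIXES):
        return "action=REJECT client hostname is blacklisted"
    score, reasons = score_request(attrs, dnsbl)
    detail = f"policy score {score}: {'; '.join(reasons)}"
    if score >= REJECT_SCORE:
        return "action=REJECT " + detail
    if score >= DEFER_SCORE:
        return "action=DEFER_IF_PERMIT " + detail               # 450, the sender retries
    return "action=DUNNO"


def handle_request(raw: bytes) -> bytes:
    return (decide(parse_policy_request(raw)) + "\n\n").encode()


class PolicyHandler(socketserver.StreamRequestHandler):
    """Postfix keeps the connection open and sends several requests over it."""
    def handle(self) -> None:
        while True:
            lines = []
            while True:
                line = self.rfile.readline()
                if not line:             # Postfix closed the connection
                    return
                lines.append(line)
                if line in (b"\n", b"\r\n"):
                    break
            self.wfile.write(handle_request(b"".join(lines)))
            self.wfile.flush()


def serve(host: str = "127.0.0.1", port: int = 10099) -> None:
    """Listen for Postfix; port 10099 is an assumed value, not the FJFI one."""
    with socketserver.ThreadingTCPServer((host, port), PolicyHandler) as server:
        server.serve_forever()


if __name__ == "__main__":
    serve()
```

On the Postfix side such a server is reached with check_policy_service inet:127.0.0.1:10099 in smtpd_recipient_restrictions (the port being the assumed one above). Two design points follow from the slide's ✗ list: everything the server needs is in the request or in a quick lookup, so an answer comes back well inside the SMTP timeout, and the middle score band answers DEFER_IF_PERMIT rather than REJECT, which is exactly the "450 – it will come again" trade-off the slide warns about, so the thresholds deserve the statistical analysis the author asks for.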
Slide 12 – Amavis daemon
● Antivirus – KAV
  – drop all infected mail – don't send any info
  – use a database to log these events?
● Spamfilter – spamassassin (3.1)
  – sa-update + SARE rules (including adult, oem, drug, ...)
  – my custom rules (geocity, vesmirni-lide, ...)
    ● allow other administrators to create new rules?
  – learn bayes – spam@fjfi.cvut.cz, nospam@fjfi.cvut.cz
● User configuration
  – https://nms.fjfi.cvut.cz/user/?page=mail
  – LDAP amavisAccount, for all addresses (mail, mla)
  – multiple fjfiMailRoutingAddress, amavisSpamTag*
  – mail/domain blacklist/whitelist
● remove or change the MIME type of executable attachments?
Slide 13 – DKIM daemon
● DomainKeys Identified Mail x SPF
  – signing of mail headers by the outgoing mail server
    ● we can verify this signature (public key in DNS)
    ● these headers can't be faked
  – it doesn't mean that such mail is not spam
  – can only be used as one of the spam decision criteria
  – still in the process of standardization (IETF WG)
  – http://www.dkim.org/
● Supported by many big companies
  – AOL, Cisco, IBM, Sendmail, Yahoo, ...
  – and used by many others
    ● Google, CERN, ...
● Implementation
  – http://jason.long.name/dkimproxy/
    ● not yet mature, but Mail-DKIM is now part of spamassassin
Slide 14 – OpenLDAP daemon
● data synchronization – automatic
  – Users
    ● requires a correct GAN in the data source (NDS, ADS)!!!
    ● expired accounts? (ou=Odpad, entryStatus=K, ...)
  – groups, special
    ● required only for user configuration for mail
  – synchronization interval?, online (access)
● user configurations
  – mail address rewriting/canonization rules
  – mail routing, user configurations for amavis
  – see: https://nms.fjfi.cvut.cz/user/?page=mail
● addressbook
  – access restriction? (usermap from cvut.cz)
  – phone numbers and rooms in Usermap?
Slide 15 – Other daemons
● SMTP AUTH – TLS (25, 587), SSL (465)
  – plain text login
  – global authentication source
    ● http://kmlinux.fjfi.cvut.cz/service.php#auth
    ● requires a secure connection to the LDAP service (TLS, SSL)
      ✔ Usermap, Novell NDS, OpenLDAP
      ✗ Windows ADS
● MySQL
  – persistent cache for the results of ppolicy modules
  – amavis quarantine info
● DNS
  – named (cache for faster DNS lookups – rbl, mx, ...)
● SMTP-unrelated daemons
  – RADIUS (eduroam), racoon (VPN), snmpd (monitoring), watchdog
Slide 16 – Admin info
● User mail configuration, user whitelist
  – https://nms.fjfi.cvut.cz/user/?page=mail
  – http://nms.fjfi.cvut.cz/user/mail.php
● Log & summary information accessible
  – https://nms.fjfi.cvut.cz/user/?page=admin&subpage=log
  – https://nms.fjfi.cvut.cz/user/?page=admin&subpage=ppolicy
  – https://nms.fjfi.cvut.cz/user/?page=admin&subpage=postfix
  – https://nms.fjfi.cvut.cz/user/?page=admin&subpage=amavis
  – https://nms.fjfi.cvut.cz/cgi-bin/mrtg-rrd.cgi/?cfg=mailgw1.fjfi.cvut.cz_comp
  – https://nms.fjfi.cvut.cz/fjfi/mailgraph/
  – https://nms.fjfi.cvut.cz/fjfi/amavis-stats/
● Service status (SMTP, LDAP, ...)
  – https://nms.fjfi.cvut.cz/nagios/
?