
spam handling of relayed mail

  • Andrew Long
    Message 1 of 10 , Feb 27, 2008
      This may be slightly off-topic, but I'm hoping someone can provide a
      few clues for me. The postfix MTA acts as a selective relay for
      certain IP's. These locations are wireless hotspots in hotels, where
      the actual clients are guests coming and going willy nilly. We send
      the smtp-server attribute via freeradius. Now, to my understanding,
      spamassassin or clamav etc. are primarily designed to process incoming
      mail for local recipients. What I want to do is process the mail that
      is relayed to minimize the incidence of spam if a guest laptop becomes
      infected or a local spammer manages to log on to the wireless. Can
      someone point me in the right direction here or clarify my
      understanding. Our ISP (Sprint) does not offer any relaying, so that
      is not an option.

      - Andrew
    • Noel Jones
      Message 2 of 10 , Feb 27, 2008
        Andrew Long wrote:
        > This may be slightly off-topic, but I'm hoping someone can provide a
        > few clues for me. The postfix MTA acts as a selective relay for
        > certain IP's. These locations are wireless hotspots in hotels, where
        > the actual clients are guests coming and going willy nilly. We send
        > the smtp-server attribute via freeradius. Now, to my understanding,
        > spamassassin or clamav etc. are primarily designed to process incoming
        > mail for local recipients. What I want to do is process the mail that
        > is relayed to minimize the incidence of spam if a guest laptop becomes
        > infected or a local spammer manages to log on to the wireless. Can
        > someone point me in the right direction here or clarify my
        > understanding. Our ISP (Sprint) does not offer any relaying, so that
        > is not an option.
        >
        > - Andrew

        amavisd-new scans all mail submitted to it. While it's common
        for people to use different settings for mail depending on
        whether it originates locally or from outside, that's
        something configured by the admin, not done automatically.

        You also might want to investigate Cami's policyd policy
        server, which gives you per-user rate controls.
        http://policyd.sourceforge.net/

        --
        Noel Jones
      • Gary V
        Message 3 of 10 , Feb 27, 2008
          > From: fursink
          > To: postfix-users@...
          > Subject: spam handling of relayed mail
          >
          > This may be slightly off-topic, but I'm hoping someone can provide a
          > few clues for me. The postfix MTA acts as a selective relay for
          > certain IP's. These locations are wireless hotspots in hotels, where
          > the actual clients are guests coming and going willy nilly. We send
          > the smtp-server attribute via freeradius. Now, to my understanding,
          > spamassassin or clamav etc. are primarily designed to process incoming
          > mail for local recipients.

          Your understanding is not correct. These programs are handed messages for evaluation. With
          SA, the spam score may be affected depending on whether the message is inward or outward
          bound, but other than that, they process any message passed to them. It is a matter of how
          messages are routed to them. It may be typical to filter only inbound mail, but certainly it's not
          limited to that. One suggestion is to use the Postfix content filter mechanism to route messages
          to them. I suggest letting a content filter like amavisd-new call both spamassassin and clamav.
          It will happily process inbound or outbound messages.

          http://www.postfix.org/FILTER_README.html
          http://www.ijs.si/software/amavisd/

          > What I want to do is process the mail that
          > is relayed to minimize the incidence of spam if a guest laptop becomes
          > infected or a local spammer manages to log on to the wireless. Can
          > someone point me in the right direction here or clarify my
          > understanding. Our ISP (Sprint) does not offer any relaying, so that
          > is not an option.
          >
          > - Andrew

          Gary V
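
The content-filter routing Gary V describes, as an added example that is not from the original thread. The transport name `smtp-amavis`, loopback ports 10024/10025 and the file paths are assumptions based on common amavisd-new setups.

```conf
# /etc/postfix/main.cf  (usual location; adjust to your install)
# Hand every queued message, inbound or relayed from the hotspot
# networks, to the filter on loopback port 10024 (assumed amavisd-new port).
content_filter = smtp-amavis:[127.0.0.1]:10024

# /etc/postfix/master.cf
# Client transport that delivers queued mail to the filter.
# The process limit (2 here) should not exceed the filter's own worker count.
smtp-amavis unix  -  -  n  -  2  smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes

# Listener that takes scanned mail back from the filter (assumed port 10025).
# content_filter is cleared so returned mail is not filtered again (no loop),
# and only loopback may connect, so the port cannot be used as an
# unfiltered relay by hotspot clients.
127.0.0.1:10025 inet  n  -  n  -  -  smtpd
    -o content_filter=
    -o mynetworks=127.0.0.0/8
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
```

Because `content_filter` is set globally rather than on one listener, mail accepted from the relayed hotspot addresses is scanned the same way as mail arriving from the internet.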

        • Jorey Bump
          Message 4 of 10 , Feb 27, 2008
            Andrew Long wrote, at 02/27/2008 11:47 AM:
            > This may be slightly off-topic, but I'm hoping someone can provide a
            > few clues for me. The postfix MTA acts as a selective relay for
            > certain IP's. These locations are wireless hotspots in hotels, where
            > the actual clients are guests coming and going willy nilly. We send
            > the smtp-server attribute via freeradius. Now, to my understanding,
            > spamassassin or clamav etc. are primarily designed to process incoming
            > mail for local recipients. What I want to do is process the mail that
            > is relayed to minimize the incidence of spam if a guest laptop becomes
            > infected or a local spammer manages to log on to the wireless. Can
            > someone point me in the right direction here or clarify my
            > understanding. Our ISP (Sprint) does not offer any relaying, so that
            > is not an option.

            Just curious: Why provide SMTP relay service at all? When would guests
            ever use it? It seems it would be useful only to spammers or malware
            scanning for open relays once they are on your network.

            If you're proxying port 25, reconsider. It puts your guests at risk of
            exposing login information when they attempt to authenticate using
            existing configurations in their email clients. Blocking port 25
            completely is reasonable in your situation, as long as guests can use
            port 587 or webmail (once again, not proxied in any way).
          • Andrew Long
            Message 5 of 10 , Feb 28, 2008
              On Wed, Feb 27, 2008 at 12:43 PM, Jorey Bump <list@...> wrote:
              > Andrew Long wrote, at 02/27/2008 11:47 AM:
              >
              >
              > > This may be slightly off-topic, but I'm hoping someone can provide a
              > > few clues for me. The postfix MTA acts as a selective relay for
              > > certain IP's. These locations are wireless hotspots in hotels, where
              > > the actual clients are guests coming and going willy nilly. We send
              > > the smtp-server attribute via freeradius. Now, to my understanding,
              > > spamassassin or clamav etc. are primarily designed to process incoming
              > > mail for local recipients. What I want to do is process the mail that
              > > is relayed to minimize the incidence of spam if a guest laptop becomes
              > > infected or a local spammer manages to log on to the wireless. Can
              > > someone point me in the right direction here or clarify my
              > > understanding. Our ISP (Sprint) does not offer any relaying, so that
              > > is not an option.
              >
              > Just curious: Why provide SMTP relay service at all? When would guests
              > ever use it? It seems it would be useful only to spammers or malware
              > scanning for open relays once they are on your network.

              We are required by upper hotel management group to provide the relay.

              > If you're proxying port 25, reconsider. It puts your guests at risk of
              > exposing login information when they attempt to authenticate using
              > existing configurations in their email clients. Blocking port 25
              > completely is reasonable in your situation, as long as guests can use
              > port 587 or webmail (once again, not proxied in any way).
              >

              What are implications of closing port 25 from the public in terms of
              other MTX knowing how to communicate back with our MTX? I understand
              587 is standard alt port, but what about changing to something
              non-standard?

              Andrew
            • Charles Marcus
              Message 6 of 10 , Feb 28, 2008
                On 2/28/2008, Andrew Long (fursink@...) wrote:
                >> If you're proxying port 25, reconsider. It puts your guests at risk
                >> of exposing login information when they attempt to authenticate
                >> using existing configurations in their email clients. Blocking port
                >> 25 completely is reasonable in your situation, as long as guests
                >> can use port 587 or webmail (once again, not proxied in any way).

                > What are implications of closing port 25 from the public

                No, you're only blocking port 25 for relaying by the hotel guests... you
                still accept connections on port 25 for inbound mail from the 'public'
                (internet), but only for valid destinations you are authoritative for.

                > I understand 587 is standard alt port, but what about changing to
                > something non-standard?

                It is the STANDARD submission port for [usually authenticated but
                doesn't have to be] relay.

                --

                Best regards,

                Charles
              • Jorey Bump
                Message 7 of 10 , Feb 28, 2008
                  Andrew Long wrote, at 02/28/2008 10:41 AM:
                  > On Wed, Feb 27, 2008 at 12:43 PM, Jorey Bump <list@...> wrote:
                  >>
                  >> If you're proxying port 25, reconsider. It puts your guests at risk of
                  >> exposing login information when they attempt to authenticate using
                  >> existing configurations in their email clients. Blocking port 25
                  >> completely is reasonable in your situation, as long as guests can use
                  >> port 587 or webmail (once again, not proxied in any way).
                  >>
                  >
                  > What are implications of closing port 25 from the public in terms of
                  > other MTX knowing how to communicate back with our MTX?

                  None, as long as you're only blocking outgoing port 25 connections.
                  There's no reason your guests would need to directly connect to your MX
                  (assuming that's what you meant), and there's no need to block incoming
                  connections to your MX on port 25 (beyond the usual spam prevention).

                  > I understand
                  > 587 is standard alt port, but what about changing to something
                  > non-standard?

                  It's not for you, it's for your guests to connect to at their own ESPs
                  that offer submission via port 587. For those that don't, there is
                  usually a webmail alternative.

                  It's hard to advise without knowing the reasoning behind offering an
                  SMTP relay to wireless hotspot hotel guests. If this is really for
                  internal purposes, not for guests, you can certainly use a nonstandard
                  port. But for an open relay (even restricted to a subnet), this is
                  merely security through obscurity, so you'll want to restrict access
                  however possible.

                  It sounds like your biggest threat is that you have little control over
                  the machines that join your wireless network. In that situation, I'd be
                  very reluctant to supply an open relay, especially since most users are
                  unlikely to use it in place of their own ESP.
                • Andrew Long
                  Message 8 of 10 , Feb 28, 2008
                    On Thu, Feb 28, 2008 at 12:05 PM, Jorey Bump <list@...> wrote:
                    > Andrew Long wrote, at 02/28/2008 10:41 AM:
                    >
                    > > On Wed, Feb 27, 2008 at 12:43 PM, Jorey Bump <list@...> wrote:
                    > >>
                    >
                    > >> If you're proxying port 25, reconsider. It puts your guests at risk of
                    > >> exposing login information when they attempt to authenticate using
                    > >> existing configurations in their email clients. Blocking port 25
                    > >> completely is reasonable in your situation, as long as guests can use
                    > >> port 587 or webmail (once again, not proxied in any way).
                    > >>
                    > >
                    > > What are implications of closing port 25 from the public in terms of
                    > > other MTX knowing how to communicate back with our MTX?
                    >
                    > None, as long as you're only blocking outgoing port 25 connections.
                    > There's no reason your guests would need to directly connect to your MX
                    > (assuming that's what you meant), and there's no need to block incoming
                    > connections to your MX on port 25 (beyond the usual spam prevention).

                    Actually, I closed port 25 on the MTX via master.cf,
                    #smtp inet - n - - ....
                    submission inet - n --...
                    ...and also on our incoming PIX.

                    I figured if I block 25 outgoing on the hotspot gateway our guests who
                    use 25 to connect to their own servers would be blocked also.

                    > > I understand
                    > > 587 is standard alt port, but what about changing to something
                    > > non-standard?
                    >
                    > It's not for you, it's for your guests to connect to at their own ESPs
                    > that offer submission via port 587. For those that don't, there is
                    > usually a webmail alternative.
                    >
                    > It's hard to advise without knowing the reasoning behind offering an
                    > SMTP relay to wireless hotspot hotel guests. If this is really for
                    > internal purposes, not for guests, you can certainly use a nonstandard
                    > port. But for an open relay (even restricted to a subnet), this is
                    > merely security through obscurity, so you'll want to restrict access
                    > however possible.

                    Yes, it is really for guests. The corporate side has a totally different setup.

                    > It sounds like your biggest threat is that you have little control over
                    > the machines that join your wireless network.

                    YES!

                    > In that situation, I'd be
                    > very reluctant to supply an open relay, especially since most users are
                    > unlikely to use it in place of their own ESP.

                    No choice, it's a mandate from on high. But, it honestly doesn't see
                    that much traffic, except when a laptop is infected and my MTX is
                    blacklisted. The downside is that the host also needs to send some
                    legit mail from a local monitoring package. If it's blacklisted, that
                    mail has an uphill battle.

                    I am most curious how some of the gurus would handle this.

                    - Andrew
                  • Terry Carmen
                    Message 9 of 10 , Feb 29, 2008
                      Andrew Long wrote:
                      > Yes, it is really for guests. The corporate side has a totally different setup.
                      >
                      >
                      >> It sounds like your biggest threat is that you have little control over
                      >> the machines that join your wireless network.
                      >>
                      >
                      > YES!
                      >
                      >
                      The reason this is difficult is that you're trying to fix a policy
                      problem with technology.

                      You should explain to management that none of the Road Warrior guests
                      needs an outbound SMTP service, since they have one that's provided by
                      their existing email provider, and that by offering an outbound SMTP
                      service, there's an excellent chance that your business email will get
                      blacklisted and be undeliverable.

                      I suspect that whoever told you to do this doesn't really have any idea
                      what the impact of the request is.

                      As for your initial question, you can certainly scan the outbound mail
                      with SpamAssassin, then add a HOLD pattern to header_checks to hold
                      anything with an X-Spam-Level more than whatever you select. This works
                      well if you have a dedicated postmaster staff, but the HOLD queue will
                      require constant attention, so it tends to be an expensive solution. I
                      have a client that actually does this, but they also have the staff and
                      business requirement to do it.


                      Terry
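
The HOLD approach Terry describes, as an added example that is not from the original thread. The threshold of 8, the hold text and the file paths are placeholders chosen for illustration.

```conf
# /etc/postfix/main.cf
header_checks = regexp:/etc/postfix/header_checks

# /etc/postfix/header_checks
# SpamAssassin writes X-Spam-Level as one asterisk per whole point of score,
# so "eight or more asterisks" means a score of 8.0 or higher.
# HOLD parks the message in the hold queue instead of delivering it.
/^X-Spam-Level: \*{8,}/  HOLD outbound spam level 8 or higher

# Two things to verify before relying on this:
#
# 1. header_checks run in cleanup(8) as a message enters the queue. With an
#    after-queue content filter the score header only exists on the copy the
#    filter sends back, so the listener that accepts that copy must not
#    disable header checks, i.e. it must NOT carry:
#        -o receive_override_options=no_header_body_checks
#
# 2. The scanner must actually stamp X-Spam-Level on relayed mail.
#    amavisd-new, for example, inserts X-Spam headers only for recipients in
#    its local domains list, which guest mail to outside addresses is not.
```

The pattern can be checked with `postmap -q "X-Spam-Level: ********" regexp:/etc/postfix/header_checks`. Held messages appear in `postqueue -p` marked with `!` and are released with `postsuper -H` followed by the queue ID.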
                    • Dan Farrell
                      Message 10 of 10 , Mar 1 5:52 PM
                        On Fri, 29 Feb 2008 08:53:12 -0500
                        Terry Carmen <terry@...> wrote:

                        > You should explain to management that none of the Road Warrior guests
                        > needs an outbound SMTP service, since they have one that's provided
                        > by their existing email provider, and that by offering an outbound
                        > SMTP service, there's an excellent chance that your business email
                        > will get blacklisted and be undeliverable.

                        Yes, this does seem to be a very poor idea. The spammers will find you
                        faster than you'd think!