Re: avoiding overload on port 587

  • Robert Schetterer
    Message 1 of 54, Nov 30, 2012
      On 30.11.2012 11:52, Tomas Macek wrote:
      > If the Postfix's behaviour on port 587 is the same as with 25, it seems
      > to me to be better to let the MUAs to send their mail to 25. In the
      > postscreen the mynetworks are automatically whitelisted and on 25 they
      > have better chance to send their mails, because 25 should not be
      > overloaded because of postscreen used.
      >
      > Using firewall on 587 is useless, because our clients travel with their
      > computers even around Europe and want to send their mails.

      Please reread the documentation on why and how to use submission.
      As it's used with auth only, no spammer will ever deliver mail unless he
      has a valid auth via submission. Most attacks running against submission
      are brute force attacks, trying to find user and auth account combinations
      to hack in.
      For brute force, fail2ban or similar is good enough;
      process limits or mail send limits are managed by other stuff, i.e.
      postfix parameters and/or policy servers.

      Best Regards
      MfG Robert Schetterer

      --
      [*] sys4 AG

      http://sys4.de, +49 (89) 30 90 46 64
      Franziskanerstraße 15, 81669 München

      Registered office: München, Amtsgericht München: HRB 199263
      Executive board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
      Chairman of the supervisory board: Joerg Heidrich
    • /dev/rob0
      Message 54 of 54, Dec 4, 2012
        On Tue, Dec 04, 2012 at 07:46:10AM -0600, /dev/rob0 wrote:
        > On Tue, Dec 04, 2012 at 11:59:01PM +1300, Peter wrote:
        > > I would still also set up port 587 on the mail.example.com
        > > IP as submission as well and try to encourage your users (at
        > > least the ones you can) to use port 587 from now on.
        >
        > What I would do, on Linux with IPv4 only, is create the submission
        > port and use an iptables redirect for the alternate IP address:
        >
        > # iptables -vt nat -A PREROUTING -p tcp --dport smtp -d \
        > mail.example.com -j REDIRECT --to-port submission
        >
        > This saves the overhead (system and administrative) of running
        > another smtpd on [mail.example.com]:25; he can leave his "smtp ...
        > smtpd" service alone in master.cf.

        Or better yet: replace it with postscreen.

        > I should also add as a reply to Stan in the other subthread: look
        > above at the first quoted paragraph: "Outlook Expresses setup with
        > ... default configuration."
        >
        > Yikes, bad news, very bad. If not doing content filtering nor
        > policy limitation of submission now, he will be soon. And possibly
        > losing his job in any case. Tomas is not in a good place right now.

        To clarify, I meant that if those Outlook Expresses are not yet
        compromised by malware, they will be, soon.
        --
        http://rob0.nodns4.us/ -- system administration and consulting
        Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: