Loading ...
Sorry, an error occurred while loading the content.

Re: avoiding overload on port 587

Expand Messages
  • Stan Hoeppner
    ... I specifically avoided mentioning this scenario in hopes of preventing a long OT thread about SA implementation. It seems clear that outbound scanning
    Message 1 of 54 , Dec 3, 2012
    • 0 Attachment
      On 12/3/2012 8:21 PM, /dev/rob0 wrote:
      > On Mon, Dec 03, 2012 at 07:34:13PM -0600, Stan Hoeppner wrote:
      >> On 12/3/2012 2:55 PM, mouss wrote:
      >>> Le 03/12/2012 10:07, Stan Hoeppner a écrit :
      >>>> You might want to look into these as well:
      >>>>
      >>>> -o content_filter=
      >>> ahem? submission or not, it must go through a malware filter.
      >>
      >> Sorry for the oversight. Yes, one would want to include clamav or
      >> other malware checker, but exclude Spamassassin or any spam filter
      >> geared toward inbound public mail. Excluding SA reduces load, and
      >> prevents mail being scored as spam due to dynamic IP status, etc.
      >
      > Spamassassin can be tailored for the job of submission scanning. The
      > URIBL checks are particularly good at detecting compromised accounts.

      I specifically avoided mentioning this scenario in hopes of preventing a
      long OT thread about SA implementation. It seems clear that outbound
      scanning wasn't on the OP's radar. If he chooses to implement it at a
      later date it could be picked up in discussion at that time.

      --
      Stan
    • /dev/rob0
      ... Or better yet: replace it with postscreen. ... To clarify, I meant that if those Outlook Expresses are not yet compromised by malware, they will be, soon.
      Message 54 of 54 , Dec 4, 2012
      • 0 Attachment
        On Tue, Dec 04, 2012 at 07:46:10AM -0600, /dev/rob0 wrote:
        > On Tue, Dec 04, 2012 at 11:59:01PM +1300, Peter wrote:
        > > I would still also set up port 587 on the mail.example.com
        > > IP as submission as well and try to encourage your users (at
        > > least the ones you can) to use port 587 from now on.
        >
        > What I would do, on Linux with IPv4 only, is create the submission
        > port and use an iptables redirect for the alternate IP address:
        >
        > # iptables -vt nat -A PREROUTING -p tcp --dport smtp -d \
        > mail.example.com -j REDIRECT --to-port submission
        >
        > This saves the overhead (system and administrative) of running
        > another smtpd on [mail.example.com]:25; he can leave his "smtp ...
        > smtpd" service alone in master.cf.

        Or better yet: replace it with postscreen.

        > I should also add as a reply to Stan in the other subthread: look
        > above at the first quoted paragraph: "Outlook Expresses setup with
        > ... default configuration."
        >
        > Yikes, bad news, very bad. If not doing content filtering nor
        > policy limitation of submission now, he will be soon. And possibly
        > losing his job in any case. Tomas is not in a good place right now.

        To clarify, I meant that if those Outlook Expresses are not yet
        compromised by malware, they will be, soon.
        --
        http://rob0.nodns4.us/ -- system administration and consulting
        Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
      Your message has been successfully submitted and would be delivered to recipients shortly.