outgoing spam


outgoing spam

Martin Schiøtz
Hi

I'm configuring a simple postfix smtp-server that is only used for
outgoing emails for lots of users.
I want to do some simple spam checking with postfix. I was thinking of:

rbl
spf

Any other suggestions?

I'm not sure where to configure rbl and spf for outgoing emails in main.cf?

postconf -n
---------------------------------
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 21000000
message_strip_characters = \0
mynetworks = 127.0.0.0/8, 10.... etc.
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_type = cyrus
smtpd_tls_CAfile = /etc/ssl/blackpete.cirque.dk.pem
smtpd_tls_cert_file = /etc/ssl/blackpete.cirque.dk.pem
smtpd_tls_key_file = /etc/ssl/blackpete.cirque.dk.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
---------------------------------

Best regards,
Martin

Re: outgoing spam

Martijn de Munnik-2
On Mon, 2009-10-19 at 13:50 +0200, Martin Schiøtz wrote:
> Hi
>
> I'm configuring a simple postfix smtp-server that is only used for
> outgoing emails for lots of users.
> I want to do some simple spam checking with postfix. I was thinking of:
>
> rbl
> spf

RBL and SPF are techniques only used for incoming mail.

>
> Any other suggestions?
>
> I'm not sure where to configure rbl and spf for outgoing emails in main.cf?
>
> postconf -n
> ---------------------------------
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> debug_peer_level = 2
> html_directory = no
> mail_owner = postfix
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> message_size_limit = 21000000
> message_strip_characters = \0
> mynetworks = 127.0.0.0/8, 10.... etc.
> newaliases_path = /usr/bin/newaliases.postfix
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
> sample_directory = /usr/share/doc/postfix-2.3.3/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtpd_banner = $myhostname ESMTP $mail_name
> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated, reject_unauth_destination
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_type = cyrus
> smtpd_tls_CAfile = /etc/ssl/blackpete.cirque.dk.pem
> smtpd_tls_cert_file = /etc/ssl/blackpete.cirque.dk.pem
> smtpd_tls_key_file = /etc/ssl/blackpete.cirque.dk.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_use_tls = yes
> tls_random_source = dev:/dev/urandom
> unknown_local_recipient_reject_code = 550
> ---------------------------------
>
> Best regards,
> Martin
>




Re: outgoing spam

Stan Hoeppner
Martijn de Munnik put forth on 10/19/2009 6:59 AM:

> On Mon, 2009-10-19 at 13:50 +0200, Martin Schiøtz wrote:
>> Hi
>>
>> I'm configuring a simple postfix smtp-server that is only used for
>> outgoing emails for lots of users.
>> I want to do some simple spam checking with postfix. I was thinking of:
>>
>> rbl
>> spf
>
> RBL and SPF are techniques only used for incoming mail.

Correct.  And I'll add that just about all standard anti spam techniques
are not only useless, but in most cases dangerous, when applied to
outgoing mail streams.  The only "sane" anti spam checking one can
perform on outgoing mail is body content analysis with something like
SpamAssassin.

I sincerely hope you really, really, learn up on this before you
implement your new outbound relay.  It's possible you may end up
blocking all outbound mail if you don't get this right.

--
Stan

Re: outgoing spam

Martin Schiøtz
In reply to this post by Martijn de Munnik-2
Can I do any outgoing spam checks with postfix or am I forced to
install lots of Amavis, spamassassin, etc. software to do that job?

- Martin

On Mon, Oct 19, 2009 at 1:59 PM, Martijn de Munnik <[hidden email]> wrote:

> On Mon, 2009-10-19 at 13:50 +0200, Martin Schiøtz wrote:
>> Hi
>>
>> I'm configuring a simple postfix smtp-server that is only used for
>> outgoing emails for lots of users.
>> I want to do some simple spam checking with postfix. I was thinking of:
>>
>> rbl
>> spf
>
> RBL and SPF are techniques only used for incoming mail.
>>
>> Any other suggestions?
>>
>> I'm not sure where to configure rbl and spf for outgoing emails in main.cf?
>>
>> postconf -n
>> ---------------------------------
>> broken_sasl_auth_clients = yes
>> command_directory = /usr/sbin
>> config_directory = /etc/postfix
>> daemon_directory = /usr/libexec/postfix
>> debug_peer_level = 2
>> html_directory = no
>> mail_owner = postfix
>> mailq_path = /usr/bin/mailq.postfix
>> manpage_directory = /usr/share/man
>> message_size_limit = 21000000
>> message_strip_characters = \0
>> mynetworks = 127.0.0.0/8, 10.... etc.
>> newaliases_path = /usr/bin/newaliases.postfix
>> queue_directory = /var/spool/postfix
>> readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
>> sample_directory = /usr/share/doc/postfix-2.3.3/samples
>> sendmail_path = /usr/sbin/sendmail.postfix
>> setgid_group = postdrop
>> smtpd_banner = $myhostname ESMTP $mail_name
>> smtpd_recipient_restrictions = permit_mynetworks,
>> permit_sasl_authenticated, reject_unauth_destination
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl_authenticated_header = yes
>> smtpd_sasl_type = cyrus
>> smtpd_tls_CAfile = /etc/ssl/blackpete.cirque.dk.pem
>> smtpd_tls_cert_file = /etc/ssl/blackpete.cirque.dk.pem
>> smtpd_tls_key_file = /etc/ssl/blackpete.cirque.dk.pem
>> smtpd_tls_loglevel = 1
>> smtpd_tls_received_header = yes
>> smtpd_tls_session_cache_timeout = 3600s
>> smtpd_use_tls = yes
>> tls_random_source = dev:/dev/urandom
>> unknown_local_recipient_reject_code = 550
>> ---------------------------------
>>
>> Best regards,
>> Martin

Re: outgoing spam

Paul Cockings
What are you trying to achieve?
 - why do you want anti-spam on outbound mail?


Martin Schiøtz wrote:
> Can I do any outgoing spam checks with postfix or am I forced to
> install lots of Amavis, spamassassin, etc. software to do that job?
>
>  


Re: outgoing spam

Mark Blackman-4

On 19 Oct 2009, at 13:41, Paul Cockings wrote:

> What are you trying to achieve?
> - why do you want anti-spam on outbound mail?

I'd guess he has little or no control over the configuration
of the "internal" machines and so he's concerned about malware/botnets
perhaps.

- Mark


Re: outgoing spam

Martin Schiøtz
On Mon, Oct 19, 2009 at 2:43 PM, Mark Blackman <[hidden email]> wrote:

>
> On 19 Oct 2009, at 13:41, Paul Cockings wrote:
>
>> What are you trying to achieve?
>> - why do you want anti-spam on outbound mail?
>
> I'd guess he has little or no control over the configuration
> of the "internal" machines and so he's concerned about malware/botnets
> perhaps.
>
That is correct!

So far I restrict relay to only 'mynetworks' (IP addresses owned by us)
and authenticated users (TLS and SSL).
But I would like to do further spam filter restrictions for the
reasons Mark is pointing out.

- Martin

Re: outgoing spam

Paul Cockings


Martin Schiøtz wrote:

> On Mon, Oct 19, 2009 at 2:43 PM, Mark Blackman <[hidden email]> wrote:
>  
>> On 19 Oct 2009, at 13:41, Paul Cockings wrote:
>>
>>    
>>> What are you trying to achieve?
>>> - why do you want anti-spam on outbound mail?
>>>      
>> I'd guess he has little or no control over the configuration
>> of the "internal" machines and so he's concerned about malware/botnets
>> perhaps.
>>
>>    
> That is correct!
>
> So far I restrict relay to only 'mynetworks' (IP addresses owned by us)
> and authenticated users (TLS and SSL).
> But I would like to do further spam filter restrictions for the
> reasons Mark is pointing out.
>
> - Martin
>
>  
For Malware/Bots wouldn't you do a Virus scan (ClamAV?)
Set up some logging and watch for users sending vast amounts of email?
(you could use Zabbix for that)
You could try something like Dspam, but you'll need to train it with spam and
ham to become effective (dspam.sf.net)

Re: outgoing spam

mouss-4
In reply to this post by Martin Schiøtz
Martin Schiøtz wrote:
> Can I do any outgoing spam checks with postfix or am I forced to
> install lots of Amavis, spamassassin, etc. software to do that job?
>

I'm sorry to tell you that blocking outbound spam is at least harder
than blocking inbound spam.

- you certainly need an anti-virus
- you "can" use spamassassin. but it's not enough. (note that "per
recipient Bayes" is of no use here).

but you need to watch the behaviour of internal clients. you need to
detect abusive/abused clients. and to avoid problems, you want rate
limiting.


Re: outgoing spam

Martin Schiøtz
>> Can I do any outgoing spam checks with postfix or am I forced to
>> install lots of Amavis, spamassassin, etc. software to do that job?
>>
>
> I'm sorry to tell you that blocking outbound spam is at least harder
> than blocking inbound spam.
>
> - you certainly need an anti-virus
> - you "can" use spamassassin. but it's not enough. (note that "per
> recipient Bayes" is of no use here).
>
> but you need to watch the behaviour of internal clients. you need to
> detect abusive/abused clients. and to avoid problems, you want rate
> limiting.

I just want to do some simple checks and rate limit seems like a good
idea and it can be performed by postfix.

- Martin

Re: outgoing spam

Peter Blair-3
On Tue, Oct 20, 2009 at 4:40 AM, Martin Schiøtz <[hidden email]> wrote:

>>> Can I do any outgoing spam checks with postfix or am I forced to
>>> install lots of Amavis, spamassassin, etc. software to do that job?
>>>
>>
>> I'm sorry to tell you that blocking outbound spam is at least harder
>> than blocking inbound spam.
>>
>> - you certainly need an anti-virus
>> - you "can" use spamassassin. but it's not enough. (note that "per
>> recipient Bayes" is of no use here).
>>
>> but you need to watch the behaviour of internal clients. you need to
>> detect abusive/abused clients. and to avoid problems, you want rate
>> limiting.
>
> I just want to do some simple checks and rate limit seems like a good
> idea and it can be performed by postfix.

Rate limiting would be done by adding the following to your main.cf:

smtpd_end_of_data_restrictions =
  check_policy_service inet:{HOST}:{PORT}

Where a service is listening on HOST:PORT and can keep track of how
many messagesXrecipients a given _AUTHENTICATED_ user has sent over a
certain time period.

Listen to everyone else -- you also need to do deep content filtering,
otherwise your relays will be blocked by the Yahoo!s, Comcasts,
Hotmails, Outblazes, etc of the world.

Be sure that you're not running an open relay, that you're not sending
out spam/viruses (you will be! everyone's network leaks a bit) and
rate limiting will cause customer escalations, but helps with the
night-spammer scenario.

One other thing: if you decide to _not_ go with spam filtering,
announce your outbound IPs to this list so that we can all block you
:)
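
A sketch of the kind of policy service the message above describes, added here as an example and not code from the thread or from Postfix: it counts recipients per authenticated user over a sliding window and answers over the Postfix policy delegation protocol. The listen address, window length and recipient cap are assumed values; `protocol_state`, `sasl_username`, `recipient_count` and `client_address` are request attributes Postfix sends.

```python
import socketserver
import threading
import time
from collections import defaultdict, deque

WINDOW = 3600      # seconds per counting window (assumed value)
MAX_RCPTS = 200    # recipients allowed per sender per window (assumed value)
history = defaultdict(deque)   # sender key -> deque of (timestamp, recipients)
lock = threading.Lock()

def parse_request(lines):
    """Turn the name=value lines of one policy request into a dict."""
    return dict(line.split("=", 1) for line in lines if "=" in line)

def decide(attrs, now=None):
    """Return the action for one request; count only at END-OF-MESSAGE."""
    if attrs.get("protocol_state") != "END-OF-MESSAGE":
        return "DUNNO"
    now = time.time() if now is None else now
    # Key on the SASL login; mynetworks clients have none, so use their IP.
    key = attrs.get("sasl_username") or attrs.get("client_address", "unknown")
    rcpts = int(attrs.get("recipient_count") or 1)
    with lock:
        seen = history[key]
        while seen and seen[0][0] <= now - WINDOW:
            seen.popleft()                      # drop entries older than the window
        if sum(n for _, n in seen) + rcpts > MAX_RCPTS:
            return "450 4.7.1 Outbound rate limit exceeded, try again later"
        seen.append((now, rcpts))
    return "DUNNO"                              # no opinion: later checks decide

class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        lines = []
        for raw in self.rfile:                  # Postfix keeps the connection open
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                lines.append(line)
                continue
            # An empty line ends the request; the reply ends with one too.
            action = decide(parse_request(lines))
            self.wfile.write(f"action={action}\n\n".encode())
            lines = []

if __name__ == "__main__":
    # 127.0.0.1:10031 is an assumed address; use it as {HOST}:{PORT} in main.cf.
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10031), PolicyHandler) as srv:
        srv.serve_forever()
```

A temporary 4xx reply makes the client queue and retry instead of losing mail, and the counters live in memory only, so they reset when the service restarts.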