Re: [exim] how do I block mail to local domains except SMTP …

Author: Mike Barnard
Date:  
To: Exim List
CC: exim-users
Subject: Re: [exim] how do I block mail to local domains except SMTP auth or trusted source?
On Tue, Oct 7, 2008 at 5:50 PM, Exim List <eximlist@???> wrote:

>
> We migrated these domains to our server from an acquisition. I'm presuming
> that many spammers look for mail.domain.com as a valid hostname anyway --
> even without previous history of sending to that address. In this case, the
> mail.domain.com was the MX for many of these domains so they already have
> the history of sending to mail.domain.com.
>
> So, us changing the MX record to a separate filtering appliance doesn't
> force a spammer to use that appliance. They simply continue to send to
> mail.domain.com instead. We want to prevent that by disallowing SMTP
> traffic except from the trusted spam filter source and from any SMTP AUTH
> clients in the field.
>


Now I get you... not to belabor the point but it helps to give as much
detailed information about your setup so that you can get the assistance
that you need.

Your problem is receiving spam email. As far as sending is concerned, only
those networks that you allow to send through you will be able to send
through you and SMTP AUTH does take care of a few things for you as far as
sending email for your clients is concerned.


> A firewall can (a) stop all mail or (b) allow trusted hosts or (c) allow
> all mail.
>
> A firewall, to my knowledge, doesn't have the capacity to understand SMTP
> AUTH. If I'm wrong, enlighten me.
>
> I need a solution which will stop all mail to the host mail.domain.com
> EXCEPT for (a) the trusted spam filter host and (b) anyone who authenticates
> against the domain using SMTP AUTH. They should be allowed to relay through
> their SMTP server or send mail to other users on the domain.
>


As mentioned above, sending emails is not your problem here, receiving spam
is, unless your servers are open relays.

So the question remains: how can this be done?


To stop spammers from flooding your mail.domain.com servers, you will have
to look at the design of your mail server.

1 -- Look at {white,black,grey}listing.
2 -- You may need to run Spam Assassin or its equivalent on your
mail.domain.com servers to capture the spam that is not going through your
spam filtering devices.
3 -- You can also add headers to the emails passing through your spam
filtering devices and pass them exclusively through your mail server with no
further checks.
4 -- You may also pass all emails whose session has been authenticated with
no further checks.

3 and 4 will make sure that all emails hitting your mail.domain.com servers
have gone through either the spam filtering devices or have been
authenticated. If checks 3 and 4 fail, you can forward (smarthost) the mail
to the spam filtering devices so that they get checked for spam. This will
avoid spam checking on the servers.

The other option, if your spam filtering devices permit it, is to point all
mx records to these filtering devices and have the filtering devices forward
the sessions to the respective mail.domain.com server. This is a long shot
but it may work.


PS: Exim spec.txt file has got numerous examples that you can look at. I
still think you need to look at your legacy setup and redesign... may take
time to implement, but at least you will have managed your setup better.

--
Mike

Of course, you might discount this possibility, but remember that one in
a million chances happen 99% of the time.
------------------------------------------------------------
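
An added example, not part of the message above or of the Exim documentation: a minimal Exim RCPT ACL that enforces the policy asked for in the thread, accepting mail only from authenticated sessions and from the trusted filter host. The address 192.0.2.25, the domain example.com and the list name filter_hosts are assumptions; it identifies the filter by source IP address rather than by an added header, since a header can be set by any sender.

```exim
# --- main configuration section (constructed sample values) ---
# Assumption: 192.0.2.25 stands in for the spam-filtering appliance.
hostlist   filter_hosts  = 192.0.2.25
# Assumption: example.com stands in for the migrated local domains.
domainlist local_domains = @ : example.com

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:

  # Locally generated SMTP (no remote host, e.g. -bs on stdin) is allowed.
  accept  hosts         = :

  # Clients in the field: any session that completed SMTP AUTH may
  # relay or deliver to local users.
  accept  authenticated = *

  # The filter appliance may deliver, but only to local domains,
  # so it cannot be used as a relay to the outside.
  accept  hosts         = +filter_hosts
          domains       = +local_domains

  # Everything else connected directly to this host and bypassed the MX.
  deny    message       = Direct delivery refused; send via the published MX
```

The ACL can be exercised without a real client using `exim -bh <ip>`, which runs a fake SMTP session as if it came from the given address.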