Koozali.org: home of the SME Server

SOLVED: How do I reject mail to invalid users that comes from the local network?

nekatreven
Hello,

The SME 7.6 install that we have for processing email has a private address on our LAN and we've always port forwarded to it. I've recently added a commercial spam filtering appliance to our network and given it a local IP as well, and then forwarded tcp 25 to the filtering device instead of our SME server. The spam filter then hands the mail off to SME.

All of our users' mail clients send via SSL/465 so redirecting 25 has not been an issue there. The place where it causes a problem is that the SME server whitelists local senders from /usr/share/qpsmtpd/plugins/check_goodrcptto on line 49:

Code:
return (DECLINED) if $self->qp->connection->relay_client;

We still get some spam (and some real mail like notifications from google calendar) to accounts that no longer exist on our server. Because the spam filter is on a local IP the SME server will accept mail to $anyone@domain.com as long as the domain is valid.

I commented out that line I mentioned in check_goodrcptto and suddenly both the SME server and the spam filter were able to reject mail to non-existent users correctly.

Unfortunately this also broke the ability to send to off-server users via Horde because (I'm guessing) suddenly localhost is not whitelisted in check_goodrcptto and cannot send to whoever it wants. So I've had to revert the change. As you might imagine this causes a lot of bounces and double bounces.

Would anyone have any suggestions? TIA for any insight you may have,
Mark
« Last Edit: August 16, 2012, 05:56:35 PM by nekatreven »

nekatreven
I should mention that I do have other public IPs I could give the spam filter directly and set our mx record to that address, and with SME seeing a public IP again that would fix this particular issue. The problem with that is if the ISP goes down I'm 'unnecessarily' offline. Our LAN gateway does failover and load balancing of our 2 WAN links, so that is the draw for having it on the LAN.

Jean-Philippe Pialasse (aka Unnilennium)
Hello,

It seems that you need to deactivate relaying from the local network but not from localhost.

First, let's try this to check whether it really meets your needs:

Code:
vim /var/service/qpsmtpd/config/relayclients
# remove every line after 127.0.0.1 (except 127.0.0.1)

then

Code:
service qmail restart

Check whether it works well for you.

If not, revert with this:

Code:
signal-event email-update

If yes, you will have to make a custom template, like this:
Code:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients
cp /etc/e-smith/templates/var/service/qpsmtpd/config/relayclients/80relayFromLocalNetwork \
   /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80relayFromLocalNetwork

then modify it:

Code:
mcedit /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80relayFromLocalNetwork
Quote
    foreach my $prefix ( @prefixes )
    {
        my $dot = ( $prefix =~ /\d+\.\d+\.\d+\.\d+/ ) ? '' : '.';

#        $OUT .= $prefix . $dot . "\n";
        $OUT .="# $prefix  $dot :rem to avoid relay  from local network remove template customs to revert\n";
    }
}


Notes:

As far as I can guess:
your SME is server-only and is hosting mail,
the commercial box receives public email from outside, works as your MX, and then sends it back to SME.

Are you certain the SME spam filter would not do the trick with some tuning? Because as far as I see, your problem is that your commercial filtering box is accepting more spam than SME alone would accept (sad, isn't it?), as it would not relay mail to accounts that do not exist. A good way would be to have this box accept the content of /var/service/qpsmtpd/config/goodrcptto to refuse everything that is not in the list.

SME server with some tuning, like activating spamassassin and clamav, file filtering, enabling Bayesian learning, enabling whitelisting and blacklisting or even greylisting, is really really efficient!!!
« Last Edit: August 15, 2012, 11:55:20 PM by unnilennium »

nekatreven
Hello,

Thanks very much for the help! I wrote a better reply showing my full solution but failed the Recaptcha and my reply was gone when I clicked the on-page 'Back' button. :?  In any case, using your examples as a basis I was able to add a template for norelayclients instead of relayclients and block out only the IP I needed.

Quote
Are you certain the SME spam filter would not do the trick with some tuning? Because as far as I see, your problem is that your commercial filtering box is accepting more spam than SME alone would accept (sad, isn't it?), as it would not relay mail to accounts that do not exist. A good way would be to have this box accept the content of /var/service/qpsmtpd/config/goodrcptto to refuse everything that is not in the list.

This was the only part of your message that was not accurate for our situation. We only get about 50 messages a day to addresses that no longer exist out of about 4,000 per day total, so even with this address verification problem the spam appliance was blocking much more spam without any additional false-positives. I didn't want to have to manually keep a copy of goodrcptto up to date on the appliance due to maintenance overhead. Instead, the spam appliance has a list of valid domains and begins a delivery run to SME at the same time that it is processing the message it is receiving. If SME rejects the destination address the appliance relays the failure back to the original sender before accepting the destination. So, the appliance was only accepting mail to invalid users because SME was.

I'm not actually sure what the reason would be for SME to accept invalid email addresses (for the domains it hosts) from its local networks; you'll just get a bounce. However, it seems like it would take another plugin to check if a domain is local to the server and then check the user...and the fact that more people aren't having a problem with this scenario means it probably isn't worth changing (or is moot in SME8). I will agree that SME's filtering is very capable, but you have to use all of the features to get there and that means some added upkeep. After crunching the numbers it became apparent that we were spending more in upkeep labor than the cost of the appliance license. (It's a Barracuda, and while I'd never pay their hardware prices, their virtual machine appliances aren't as bad)

Thank you again for the excellent example,
Mark
« Last Edit: August 16, 2012, 04:59:18 PM by nekatreven »

Jean-Philippe Pialasse (aka Unnilennium)
Great thing you have it up and running as you want.

If you can repost your template, it might be useful for the next person who searches for this answer.

For the job of spam filtering, all is explained in the contribs wiki, and I never had to touch it after setting it up; only users have the choice to move their false negatives to a spam learn folder. The ratio of rejects is about 2000 for 60 hams.

For the false positives, it is difficult to really quantify them as long as you do not check all the spam folders and logs, so with a commercial solution there is little chance that you never hear of all the ham rejected.

But finally, the important thing is to obtain a solution that works for you ;)

nekatreven
Certainly. This is what I was able to pull together:

Code:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/norelayclients
cp /etc/e-smith/templates/var/service/qpsmtpd/config/norelayclients/20norelayFromRouter /etc/e-smith/templates-custom/var/service/qpsmtpd/config/norelayclients/80norelayFromCuda
mcedit /etc/e-smith/templates-custom/var/service/qpsmtpd/config/norelayclients/80norelayFromCuda

Quote
{
    # block relaying from spam filter so it can get rejections on bad users
    return '172.17.0.23';
}

Thanks,
Mark

nekatreven
I have upgraded to SME8 and wanted to note that my norelayclients template was no longer needed because the default relayclients are now only localhost:
Quote
127.0.0.
172.17.0.20

Not sure if they changed it for situations like I was in or (more likely) just for increased security, but I was glad to see it.

Jean-Philippe Pialasse (aka Unnilennium)
The new policy for SME 8 is to no longer relay mail from the LAN, to reduce spam.

LAN clients have to be properly configured for SMTP connections.
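
The behaviour worked out across this thread, as an added example that is not part of any post and is not qpsmtpd or SME Server code: a simplified Python model of how relayclients and norelayclients decide whether the recipient check is skipped for a given sender. It assumes entries match an exact IP or a dotted prefix and that a norelayclients match overrides relayclients; the LAN prefix, the LAN client IP and the mail addresses are constructed.

```python
# Added example: simplified model, not qpsmtpd or SME Server code.
# Assumptions: an entry matches an exact IP or a dotted prefix ("127.0.0."),
# and a norelayclients match overrides relayclients.

def candidates(ip):
    """Yield the IP, then each shorter dotted prefix: 172.17.0.23, 172.17.0., ..."""
    octets = ip.split(".")
    yield ip
    for n in range(len(octets) - 1, 0, -1):
        yield ".".join(octets[:n]) + "."

def is_relay_client(ip, relayclients, norelayclients=()):
    """True if the sender is treated as a relay client."""
    if any(c in norelayclients for c in candidates(ip)):
        return False
    return any(c in relayclients for c in candidates(ip))

def rcpt_outcome(ip, rcpt, goodrcptto, relayclients, norelayclients=()):
    """Outcome of the recipient check for one RCPT TO."""
    if is_relay_client(ip, relayclients, norelayclients):
        # Models the relay_client early return quoted in the first post.
        return "accepted-unchecked"
    return "accepted" if rcpt.lower() in goodrcptto else "rejected"

# Constructed sample data. 172.17.0.23 is the filter's IP from the thread and
# SME8_RELAY is the list quoted there; the SME 7 LAN prefix, the LAN client
# IP and the addresses are made up for illustration.
GOODRCPTTO = {"mark@example.com"}
SME7_RELAY = {"127.0.0.", "172.17.0."}
SME8_RELAY = {"127.0.0.", "172.17.0.20"}
FILTER, LOCALHOST, LAN_PC = "172.17.0.23", "127.0.0.1", "172.17.0.50"

def report(relay, norelay=()):
    """Outcome for mail to a non-existent user from each kind of sender."""
    return {ip: rcpt_outcome(ip, "ghost@example.com", GOODRCPTTO, relay, norelay)
            for ip in (FILTER, LOCALHOST, LAN_PC)}

if __name__ == "__main__":
    for label, relay, norelay in [
        ("SME 7 default", SME7_RELAY, ()),
        ("SME 7 + norelayclients template", SME7_RELAY, {FILTER}),
        ("SME 8 default", SME8_RELAY, ()),
    ]:
        print(label, report(relay, norelay))
```

In the second scenario only the filter loses the bypass, so localhost (Horde) can still send to off-server recipients while the filter receives the rejection for unknown users.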