Koozali.org: home of the SME Server

restricting internal smtp traffic

NickT

restricting internal smtp traffic
« on: September 25, 2003, 09:20:05 AM »
We have a web/mail server sitting in a data center that is running our corporate email server.  Here in our office we have an e-smith box which sends the email out, and receives email from the corporate email server for the few users we have in this office.

Is it possible to restrict incoming smtp traffic to that of the single ip address of the email server so to stop people trying to tamper with the smtp server?

Thanks

Nathan Fowler

Re: restricting internal smtp traffic
« Reply #1 on: September 26, 2003, 07:26:16 AM »
Sure, I'm going to assume you are pre-6.0 and using ipchains.

/sbin/ipchains -A input -p tcp --dport 25 --source ! aaa.bbb.ccc.ddd/32 -j DENY -i ethX

Where:
aaa.bbb.ccc.ddd is the IP address you want to allow.
ethX is your external interface, or, if it's a one-NIC system, use eth0.

If you want these rules to remain persistent upon reboot, simply append them to the bottom of /etc/rc.d/rc.local

Hope this helped,
Nathan
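As an added illustration (not code from Nathan or from the SME Server project), here is a small POSIX sh script that prints the rules for the "allow one mail server, deny everyone else" policy above, for both the ipchains syntax Nathan gives and the iptables syntax of later releases; it validates the address first and logs the denied attempts. It assumes /sbin paths and only prints the commands; nothing is applied unless the output is piped to sh as root.

```shell
#!/bin/sh
# Added example, not code from the thread: print the firewall commands that
# allow inbound SMTP only from one trusted mail server and deny it to everyone
# else. Assumes ipchains on the pre-5.6 (2.2 kernel) boxes Nathan describes and
# iptables on 5.6 and later, as Dan points out. Nothing is applied unless the
# output is piped to sh as root.

# valid_ipv4 ADDR: succeed only for a dotted quad with octets in 0..255.
valid_ipv4() {
    addr=$1
    case $addr in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# smtp_rules FLAVOUR ALLOWED_IP IFACE
#   FLAVOUR is ipchains or iptables; IFACE is the external interface
#   (eth0 on a one-NIC box, otherwise ethX or ppp0 as appropriate).
smtp_rules() {
    flavour=$1; allowed=$2; iface=$3
    valid_ipv4 "$allowed" || { echo "bad IP address: $allowed" >&2; return 1; }
    case $flavour in
        ipchains)
            # Accept the trusted server first, then deny (and log) everything
            # else; the log line is how you'd see the probes Nick's ISP reported.
            echo "/sbin/ipchains -A input -i $iface -p tcp -s $allowed/32 --dport 25 -j ACCEPT"
            echo "/sbin/ipchains -A input -i $iface -p tcp --dport 25 -l -j DENY"
            ;;
        iptables)
            echo "/sbin/iptables -A INPUT -i $iface -p tcp -s $allowed/32 --dport 25 -j ACCEPT"
            echo "/sbin/iptables -A INPUT -i $iface -p tcp --dport 25 -j LOG --log-prefix 'smtp-denied: '"
            echo "/sbin/iptables -A INPUT -i $iface -p tcp --dport 25 -j DROP"
            ;;
        *)
            echo "unknown firewall flavour: $flavour" >&2; return 1 ;;
    esac
}
```

To apply, run e.g. `smtp_rules ipchains 203.0.113.10 ppp0 | sh` as root, or append the printed lines to /etc/rc.d/rc.local as Nathan suggests so they survive a reboot.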

Dan Brown

Re: restricting internal smtp traffic
« Reply #2 on: September 26, 2003, 07:56:10 AM »
Nathan, that would actually be pre-5.6, as 5.6 was using 2.4/iptables.

Nathan Fowler

Re: restricting internal smtp traffic
« Reply #3 on: September 26, 2003, 08:01:50 AM »
Thanks Dan, I'm not up to speed on the version differences.  I appreciate the correction, sorry for anyone I've misled.

Glad I have you here to keep me straight ;)

NickT

Re: restricting internal smtp traffic
« Reply #4 on: September 26, 2003, 10:12:34 AM »
Thank you so much for this!!  

I'm not sure if SMTP abuse is the problem here, but according to my ISP's logs, while I was away on holiday there was 60meg of data coming into my server each day!!  We don't run a public site on the server, and there are only two users in this office.   It definitely wasn't 60meg of valid emails!

I'm still using e-smith 5.5, so I'll give this a try.   Can I use -i ppp0 or does it have to be ethX?

One further question though..   I don't use the e-smith for email.. I have delegated email to a server inside our network..  I'm just wondering whether it's possible.. rather than use the built in SMTP server, is there a way I can route incoming SMTP traffic (from the valid server) to go through the e-smith box, and open a session on our internal mail server?   I guess that leads me to ask, am I not really using the right tool in e-smith?  Should I now just be using a firewall product?

Thanks again!

Nick

Nathan Fowler

Re: restricting internal smtp traffic
« Reply #5 on: September 26, 2003, 06:42:36 PM »
You can use -i ppp0

Give me a little "diagram" on your request about re-routing traffic; you can route traffic to another IP address, but I'm not sure I quite understand your entire situation.

NickT

Re: restricting internal smtp traffic
« Reply #6 on: September 26, 2003, 07:14:16 PM »
Thanks Nathan.

Our company works out of several locations.  We have a "central" web/email server for the company situated in Sydney.   At my work location, I have an e-smith server as the gateway to the internet, and I have a Mandrake server on our internal network.  The Mandrake server runs our imap email server and stores all email for all users at this location.

Before we got the Mandrake server in, we used the e-smith box for imap email for staff at this office.   I then moved email to the Mandrake server so that I had everything on the one server, and backups were easier.  It also meant fewer things on the e-smith server to worry about.  The Mandrake server is also considerably more powerful than the e-smith box.  I digress! :^)

What's happening at the moment is that email for all our employees arrives at the central server, and for anyone at this location their email is then delivered to their username@domainname.of.e-smith.box.  The e-smith config then has the option set that hands off email processing to another server, and therefore passes email through to the internal Mandrake server.

My thinking is that life might be better opening up some sort of socket through the e-smith box (restricted to the IP of the central web/email server) rather than sending the email to the smtp server on the e-smith box which then forwards it to smtp server on the Mandrake server.  I can then switch off the SMTP server on the e-smith box, cutting off another possible excuse for people to try and get into the server.

Am I way off course here??   This all started because my ISP tells me that I was downloading 60 meg a day while there was no one physically in this office for a week.   They seem to think it may have been people trying to exploit my smtp server, even though relaying is disabled.

Thanks for your help so far!  I hope all this makes sense!!

N

NickT

Re: restricting internal smtp traffic
« Reply #7 on: September 26, 2003, 07:21:32 PM »
Hmm, my other option was to just switch off the smtp server on e-smith altogether, stop the email being forwarded to the servers here, and simply set up fetchmail on the Mandrake box to pull the email down.

I'm not experienced enough to know whether this is a better or worse option though.  It's nice knowing incoming email is instantaneous, as opposed to having to wait for the fetchmail polling.

Bill

Re: restricting internal smtp traffic
« Reply #8 on: September 26, 2003, 08:27:24 PM »
> Am I way off course here?? This all started because my ISP tells me that I was
> downloading 60 meg a day while there was no one physically in this office for a
> week. They seem to think it may have been people trying to exploit my smtp
> server, even though relaying is disabled.

I think it far more likely that you are seeing the traffic from the latest generation of worm.  I average about 50 Megs of traffic per day and a large portion of that is icmp pings and web server "document not found" replies. Another possibility is that someone is running a P2P sharing program during off hours, although the traffic volume is a bit low for that sort of bad behavior.