Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: gman on February 22, 2003, 08:08:42 PM
-
I have searched the forum and came up with this link:
http://forums.contribs.org/index.php?topic=12716.msg47777#msg47777
Has anyone performed this and, if so, what were the results? Where do I make this modification? "hosts.deny"?
Thanks,
G
-
These go in smtp_check_rules, which applies to SME pre-5.5. If you run pre-5.5 I can assist you.
-
Well, currently I run 5.5 update2, however next weekend I will be upgrading to 5.6. Is there any other way to just block "bad" IP blocks/subnets from connecting to the SME server? I know I can use "hosts.deny", however I do not want to completely block them, only from attaching to my mail server.
Thanks for replying !
G
-
Will http://myezserver.com/downloads/mitel/contrib/Mailrules/ work? FYI, I got this installed on 5.5 with an updated version of mailfront. I did need to expand a file manually, and it wants to see 5.6's files for a default install. I'm not sure if it's working though...
-
Easiest way would be to use ipchains to block the CIDR noted addresses, just like in smtpd_check_rules.
Syntax:
ipchains -A input -p tcp --dport 25 --source ADDRESS/PREFIX -j DENY
Example:
/sbin/ipchains -A input -p tcp --dport 25 --source 216.0.0.0/8 -j DENY
This would deny the range access to TCP 25, which is SMTP, which basically would accomplish the same thing. I don't believe you can do CIDR notation in /etc/hosts.deny (please correct me if I am wrong).
I'm not exactly sure if 5.5/5.6 is using IPTables, if it is, I believe that you may still use the ipchains syntax to create iptable rules. I don't know a great deal about iptables, so it may be necessary for you to translate the chain rule to iptables. If you can use CIDR notation in /etc/hosts.deny and ipchains doesn't exist on your system then hosts.deny would be a good fall-back as well.
Thanks,
Nathan
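Added example, not code from this thread or from SME Server: a POSIX shell script that turns a list of CIDR blocks into the iptables equivalent of the ipchains rule in the post above, for the iptables-based release. It prints the commands rather than running them, so the list can be reviewed before anything is applied as root. The INPUT chain, the use of -I (insert at the top, so the rule is evaluated before any existing ACCEPT for port 25), DROP as the counterpart of ipchains DENY, and the sample block list are all choices or constructed data made here, not taken from the page.

```shell
#!/bin/sh
# Added example, not code from the thread or from SME Server.
# Emit the iptables equivalent of the ipchains rule in the post above for a
# whole list of CIDR blocks. The commands are printed, not executed, so they
# can be reviewed before being run as root.
# Assumptions: the INPUT chain, -I (insert at top so the rule is hit before
# any existing ACCEPT for port 25) and DROP as the counterpart of ipchains'
# DENY are choices made here, not taken from the page.

# Return 0 if $1 is "a.b.c.d/n" with each octet 0-255 and n 0-32.
valid_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    ip=${1%/*}
    plen=${1#*/}
    case "$plen" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$plen" -le 32 ] || return 1
    # Only digits and dots may reach the field split below (no glob chars).
    case "$ip" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    # Rejects stray leading/trailing dots that the split would swallow.
    [ "$1.$2.$3.$4" = "$ip" ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read CIDR blocks from stdin, one per line ('#' comments and blank lines are
# ignored), and print one iptables command per valid block. Invalid entries
# are reported on stderr and skipped rather than silently turned into rules.
gen_smtp_block_rules() {
    while read -r cidr _; do
        case "$cidr" in
            ''|'#'*) continue ;;
        esac
        if valid_cidr "$cidr"; then
            printf 'iptables -I INPUT -p tcp --dport 25 -s %s -j DROP\n' "$cidr"
        else
            printf 'skipping invalid entry: %s\n' "$cidr" >&2
        fi
    done
}

# Constructed sample list for the demo (not real blocklist data): a /8 as in
# the post above, a comment, a malformed entry and a documentation /24.
sample_blocks='216.0.0.0/8
# decide on this one later
10.0.0/8
192.0.2.0/24'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$sample_blocks" | gen_smtp_block_rules
fi
```

Run it with `sh script.sh demo`; the malformed entry is reported on stderr and produces no rule, which is the behaviour you want from anything that feeds a firewall. A range-based block like this only stops connections to port 25 from those addresses; it says nothing about the sender, so it is a coarser tool than the RBL checks discussed further down the thread.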
-
Note that I would also be more than happy to provide my rules, which in my eyes are more accurate than the previously posted rules, and also include LACNIC (Latin America) as well as RIPE and APNIC hosts.
-
Nathan Fowler wrote:
>
> I'm not exactly sure if 5.5/5.6 is using IPTables, if it is,
> I believe that you may still use the ipchains syntax to
> create iptable rules. I don't know a great deal about
> iptables, so it may be necessary for you to translate the
> chain rule to iptables. If you can use CIDR notation in
> /etc/hosts.deny and ipchains doesn't exist on your system
> then hosts.deny would be a good fall-back as well.
5.5 still uses the 2.2 kernel and ipchains. 5.6 uses 2.4 and iptables. I'm still using 5.5, but from what little I've seen the iptables syntax is very similar to ipchains, though not exactly the same.
-
Bill Talcott wrote:
>
> Will http://myezserver.com/downloads/mitel/contrib/Mailrules/
> work? FYI, I got this installed on 5.5 with an updated
> version of mailfront. I did need to expand a file manually,
> and it wants to see 5.6's files for a default install. I'm
> not sure if it's working though...
This doesn't appear to be working. I don't have the time and knowledge to really figure out why. If you've got the updated version of mailfront installed on 5.5, it probably shouldn't be too hard to make work, I would think...
-
Nathan Fowler wrote:
> I'm not exactly sure if 5.5/5.6 is using IPTables
5.5 isn't, 5.6 is.
You might want to look at my e-smith-mailfront contrib. It allows you to use multiple RBLs. Should work with 5.5 and 5.6.
Charlie
-
Great addition Charlie...thanks
I installed with
rpm -Uvh e-smith-mailfront-1.0.0-01rbl.noarch.rpm
I then ran the following (not sure I needed to)
service smtpfront-qmail restart
Since I get quite a bit of SPAM..I waited a few minutes and checked the log file using:
more /var/log/smtpfront-qmail/current |grep rblsmtpd
I noticed I have already gotten 4 blocks....
The rpm defaults to using the list at:
lists.dsbl.org
I haven't tried adding other services to it yet...though it appears to go in the following file:
/var/service/smtpfront-qmail/rblsmtpd.conf
I hope this helps anyone else interested in installing it...
-
How would one go about adding other servers to the list, or removing the default? I can figure out how to change the default to something else, but what about using <>1 list?
-
Bill Talcott wrote:
>
> How would one go about adding other servers to the list, or
> removing the default? I can figure out how to change the
> default to something else, but what about using <>1 list?
http://cr.yp.to/ucspi-tcp/rblsmtpd.html
You probably want "-r rbl.one -r rbl.two ....". Templating rblsmtpd.conf to use a db to generate the list would be easy.
Charlie
-
Thanks for the link. I already made a template from the default file, so that I could make my customizations without worrying about screwing stuff up. =) If you were to fancy it up a bit, and even make a Server Manager panel for modifying blacklists, that would be cool. Perhaps a bit of overkill, but I like making things as idiot-proof as possible...
-
I noticed that there are quite a few retries when rblsmtpd denies an SMTP transaction. There also appears to be an option to return a hard error of 533 or bounce immediately as opposed to the soft error of 451 or try again later.
Is there any reason we wouldn't want to include the option to bounce ("-b -C") instead of the default try again later ("-B -C")?
-
I have added:
spews.relays.osirusoft.com to my rbl list and changed the default action to reject email by using the -b (lowercase) switch.
RBLARGS="$RBLARGS -b -C -r list.dsbl.org -r spews.relays.osirusoft.com"
The above is on one line....
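Added example, not code from the thread or from the e-smith-mailfront contrib, covering both Charlie's "-r rbl.one -r rbl.two" reply and the RBLARGS line just above: a POSIX shell script that builds the rblsmtpd argument string from a mode and a list of zones, and shows the DNS names rblsmtpd resolves for a connecting address (the client's IPv4 octets reversed, followed by the zone). The mode names "bounce"/"defer", the function names and the sample address 192.0.2.10 are assumptions made here; the zone names are the ones already quoted on this page and are used only as strings, no DNS query is made.

```shell
#!/bin/sh
# Added example, not code from the thread or from the e-smith-mailfront
# contrib. Builds the RBLARGS string for rblsmtpd from a mode and a list of
# zones, and shows the names rblsmtpd looks up for a connecting address.
# Assumptions: the mode names "bounce"/"defer" and the function names are
# invented here; the zone names are the ones quoted in the thread and are
# used only as strings, no DNS query is made.

# Reverse the octets of an IPv4 address: 192.0.2.10 -> 10.2.0.192
reverse_ip() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    printf '%s.%s.%s.%s\n' "$4" "$3" "$2" "$1"
}

# Print the DNS name rblsmtpd resolves for client IP $1 in each zone $2..:
# reversed address followed by the zone (an answer, TXT or A, means "listed").
rbl_query_names() {
    client=$1; shift
    rev=$(reverse_ip "$client") || return 1
    for zone in "$@"; do
        printf '%s.%s\n' "$rev" "$zone"
    done
}

# Build the argument string. "bounce" rejects listed clients permanently
# (-b, 553); "defer" keeps the default temporary 451 (-B). -C is rblsmtpd's
# default fail-open behaviour: a DNS timeout lets the client through.
# Zones are validated as plain hostnames so a stray entry cannot inject
# extra options into the command line.
build_rblargs() {
    mode=$1; shift
    case "$mode" in
        bounce) args='-b -C' ;;
        defer)  args='-B -C' ;;
        *) printf 'unknown mode: %s\n' "$mode" >&2; return 1 ;;
    esac
    for zone in "$@"; do
        case "$zone" in
            ''|*[!A-Za-z0-9.-]*|.*|*.|-*)
                printf 'skipping bad zone: %s\n' "$zone" >&2
                continue ;;
        esac
        args="$args -r $zone"
    done
    printf '%s\n' "$args"
}

if [ "${1:-}" = "demo" ]; then
    # Constructed demo input: documentation address 192.0.2.10.
    printf 'RBLARGS="$RBLARGS %s"\n' \
        "$(build_rblargs bounce list.dsbl.org spews.relays.osirusoft.com)"
    rbl_query_names 192.0.2.10 list.dsbl.org spews.relays.osirusoft.com
fi
```

`sh script.sh demo` prints the RBLARGS line in the same shape as the one above and then one lookup name per zone. Feeding the zone list from a db, as Charlie suggests, means the template expands to whatever is stored there, which is why the hostname check on each zone is worth keeping in the template.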