
Thread: Postini MX and firewall

  1. #1
    Member, joined Dec 2006, 15 posts

    Postini MX and firewall

    So one of my users has postini for spam filtering. All MX records point to Postini and then mail from postini that is filtered is then sent on to my server. The server then serves up that e-mail as it should.

    The problem is that my server accepts port 25 traffic from anyone (as it should) but for this one domain it should only accept e-mail from 2 IP addresses. This domain should only ever get e-mail from Postini.

    It seems spammers are still using mail.domain.com which will still work, but it shouldn't. This particular domain is on a shared IP address, and it's a virtual dedicated server at GoDaddy, so a hardware firewall is not an option. Any suggestions?

    -Nick

  2. #2
    Member, joined May 2005, 13 posts

    I've had Postini like this. You need to remove all DNS MX records that go direct to the MTA here - only have the 4 MX records going direct to Postini. Don't leave any easy-to-guess DNS records like mail.domain.com. Also, as you say, the spam can still be sent to port 25 of the A record, which will almost certainly be the same as the MTA.

    You can put a filter in place that checks the connecting IP for all mail and blackhole all those not from Postini range. I did this at the user level in cpanel under email admin, block email:

    Code:
    $sender_host_address: does not match "\\N\(^64\\.18\\.([0-9]|1[0-5])\\.\\d{1,3}|^205\\.234\\.107\\.122|^$|^:|localhost)\\N"+++++++no_mx_lookup@domain.com
    Here we test for the Postini range and local mail and forward the cheats to a holding account. Note that you may need to add support IPs too.

    To get that into the cpanel you need to do some trickery... You can't get that rule in with the regular interface...

    Make a temporary rule (anything) using the cpanel interface and save it. Then use FTP and extract the \home\domain\.filter file and manually add the rule above, including all the plus sign formatting. Save it and overwrite the original. Now remove that temporary rule from before, and this tricks cpanel into saving that complex rule into where ever cpanel puts it.

    Enjoy.

  3. #3
    Member, joined Dec 2006, 15 posts

    Since I have shell access it was a little easier to create this, but it doesn't appear to be working.

    I have

    /home/username
    .filter

    and in .filter I have:

    Code:
    $sender_host_address: does not match "\\N\(^64\\.18\\.([0-9]|1[0-5])\\.\\d{1,3}|^205\\.234\\.107\\.122|^$|^:|localhost)\\N"no_mx_lookup@domain.com
    I went back and removed the rule, and cpanel removed the rule from the user interface of cpanel.

    I still have .filter in the /home/username folder
    Last edited by bomonguny; 08-15-2007 at 12:41 PM.

  4. #4
    Member, joined Dec 2006, 15 posts

    Oh, never mind: add the new line, then remove the original. I missed that step; I deleted the whole rule once it was edited. I will try again... sorry.

  5. #5
    Member, joined Dec 2006, 15 posts

    Well, that worked.... Kinda. I haven't received an e-mail (even the Quarantine Summary) in 4 days, so I think it's just blocking everything. Any suggestions?

  6. #6
    Member, joined May 2005, 13 posts

    Quote Originally Posted by bomonguny:
        Well, that worked.... Kinda. I haven't received an e-mail (even the Quarantine Summary) in 4 days, so I think it's just blocking everything. Any suggestions?


    Postini has two server farms...

    64.18.0.0 - 64.18.15.255
    207.126.144.0 - 207.126.159.255

    Check he is not on the second set of IPs.

    If you substitute the no_mx_lookup@xyz.com with a real address on your server, you can test that the mail either delivers normally/correctly, or rejects into that holding account. When you're satisfied it's all working, the address could be replaced with :blackhole:

    A test mail from Yahoo does what? Delivers? Or goes to the holding account? Those are the only two choices here.

    My original also had a reference to an IP of LiquidWeb - the 205\\.234\.. is their support ticket server, which seems to bypass regular DNS lookups. Replace this with your own domain support ticket address.

    Check the DNS on the server this account is set up on. I found that the cPanel user account setup also assumes it has DNS record control, and sets an authoritative record into the local DNS server. If the real DNS is controlled elsewhere, then you get confusing results with MX records for mail sent from within the local net.

    Also note that everything is still filtered by the host's mail systems. Hence the attempt to deliver quarantined Postini mail will almost always get it dropped by the host's mail filters. And that is the problem here with this setup. Postini has great filtering and quarantine inspection systems, whereas the host has questionable filtering that will make false positives, throw out some of the good mail, and no way to inspect or check on the process or rejected mail. Mail is effectively filtered twice. The host would need to make a special exempt rule in the Exim config to allow mail from trusted sources (Postini) to bypass all its own filter testing.

    rossh
    Last edited by rossh_cp; 08-25-2007 at 08:59 PM. Reason: Add extra

  7. #7
    Member, joined May 2007, 114 posts

    Alternative solution?

    I am trying to figure out the same issue on my VPS, the only difference being that I am using MXLogic.

    I got the following instructions from the MXLogic reseller:

    -- Have the email server listen to a different port for this domain's email (and not port 25)
    -- Lock down that port so that it only accepts connections from MXLogic (via the firewall)
    -- Update your setup tab in MXLogic so that the new port is specified
    My host responded that it would be difficult to make such changes (making Exim listen to a different port only for a particular domain's email). When I pressed, they suggested the following:

    If you could move all of the domains which are not using this service to a single IP then you would have the option of having SMTP listen on two separate SMTP ports open and then block port 25 on a given IP
    I haven't fully figured out how this will work, but it sounds plausible, except for the fact that I have no idea if a VPS will support two shared IPs, one for regular domains and the other, for domains using MXLogic.

    Just wanted to share it anyhow.

  8. #8
    Member, joined Dec 2006, 15 posts

    Anyone know the Perl regular expression for the second set of Postini servers?
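    As an added example (the editor's own code, not something any poster in this thread supplied): the two Postini farms quoted in post #6 treated as CIDR blocks, a regex written here that covers both farms with every octet anchored, and a brute-force comparison of regex versus CIDR across the surrounding /16s. The comparison also measures how many out-of-range addresses the thread's original third-octet test `\d|\d[0-5]` would let through. Only the network ranges come from the thread; the pattern, function names and constructed test addresses are assumptions made for this illustration.

```python
from __future__ import annotations

import ipaddress
import re

# Added example, not from the thread. The two Postini farms quoted in post #6
# (64.18.0.0-64.18.15.255 and 207.126.144.0-207.126.159.255) are both /20 blocks.
POSTINI_NETWORKS = [
    ipaddress.ip_network("64.18.0.0/20"),
    ipaddress.ip_network("207.126.144.0/20"),
]

# One dotted-decimal octet, 0-255, no leading zeros.
_OCTET = r"(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"

# Regex covering both farms (pattern written for this example, not Postini's).
# Third octet is 0-15 for 64.18.x and 144-159 for 207.126.x; both ends are
# anchored so the pattern can never match a mere prefix of a longer string.
POSTINI_RE = re.compile(
    r"^(64\.18\.([0-9]|1[0-5])|207\.126\.(14[4-9]|15[0-9]))\." + _OCTET + r"$"
)

# The third-octet test from the thread's filter rule, kept only to measure how
# loose it is: \d[0-5] also admits 20-25, 30-35, ... 90-95 as a third octet.
THREAD_FIRST_FARM_RE = re.compile(r"^64\.18\.(\d|\d[0-5])\.\d{1,3}")


def is_postini(addr: str) -> bool:
    """Authoritative check: is the connecting IP inside one of the Postini /20s?"""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # anything that is not an IP literal is never trusted
        return False
    return any(ip in net for net in POSTINI_NETWORKS)


def regex_accepts(pattern: re.Pattern, addr: str) -> bool:
    """What a filter rule keyed on a regex would decide for this address."""
    return pattern.match(addr) is not None


def false_accepts(pattern: re.Pattern, supernet: str) -> list[str]:
    """Addresses in `supernet` the regex accepts but the CIDR check rejects."""
    return [
        str(ip)
        for ip in ipaddress.ip_network(supernet)
        if regex_accepts(pattern, str(ip)) and not is_postini(str(ip))
    ]


def false_rejects(pattern: re.Pattern, supernet: str) -> list[str]:
    """Addresses in `supernet` the CIDR check accepts but the regex rejects."""
    return [
        str(ip)
        for ip in ipaddress.ip_network(supernet)
        if is_postini(str(ip)) and not regex_accepts(pattern, str(ip))
    ]


if __name__ == "__main__":
    for net in ("64.18.0.0/16", "207.126.0.0/16"):
        print(net, "false accepts:", len(false_accepts(POSTINI_RE, net)),
              "false rejects:", len(false_rejects(POSTINI_RE, net)))
    print("thread regex over 64.18.0.0/16, false accepts:",
          len(false_accepts(THREAD_FIRST_FARM_RE, "64.18.0.0/16")))
```

    Run stand-alone it reports zero disagreements between the regex and the CIDR check for both /16s, and 12288 addresses (48 third-octet values times 256) that the thread's original first-farm test would have treated as Postini. Where the mail system offers a CIDR-style host list, as Exim's `hosts` condition does, prefer that over a hand-written regex; the regex form is only needed where, as in the cPanel `.filter` rule above, a string match is the only tool available.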

  9. #9
    Member, joined Dec 2006, 15 posts

    I have one server that seems to work fine with any domain that I add to postini, I have a second server that doesn't seem to work.

    I have the domains in /etc/localdomains but it appears that Exim on the one server is not allowing messages from Postini as it thinks it's a relay. I get a 550 error.

    How do I configure Exim to allow relay from postini, and postini only? Is this something that I did and forgot on the other server, or why does that one work?

    -Nick

  10. #10
    Member, joined Apr 2006, 9 posts

    I have this setup as well:
    - 4 MX records all pointing to postini servers
    - A WHM server that gets all the postini-filtered mail forwarded to it

    And one of my users is getting spam that (according to the mail logs) is being sent by spammers (with a valid domain name) directly to my server using the A record, thus bypassing all the postini filtering.

    I learned the Exim configuration file format today, but it seems that the contents of the Exim config file shown in WHM and the actual /etc/exim.conf are different!? What's going on with that? Has anyone been able to figure out a water-tight configuration of Exim that will allow SMTP from:
    - Authenticated users (that have mailboxes on the WHM server)
    - Any server in Postini's IP address range

    And reject any other servers at SMTP time (preferably RCPT)?

    I would dive into the exim configuration and do this, but I'm afraid to do so seeing that WHM seemingly isn't synchronized with the actual exim.conf.
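    An added illustration of the ACL shape the question above describes, written by the editor rather than taken from the thread or from cPanel's shipped Exim configuration. The host list uses the two Postini ranges quoted earlier in the thread; the list names (postini_hosts, postini_domains) and the example domains are placeholders:

```exim
# Main section: named lists (names and example domains are placeholders).
hostlist   postini_hosts   = 64.18.0.0/20 : 207.126.144.0/20
domainlist postini_domains = example.com : example.org

# ACL section (after "begin acl"); Exim evaluates this for every RCPT TO.
acl_check_rcpt:

  # Local users who authenticated with SMTP AUTH may send to any recipient.
  accept  authenticated = *

  # For domains behind the filtering service, only the service's own
  # networks may deliver; everyone else gets a 5xx refusal at RCPT time.
  deny    domains = +postini_domains
          !hosts  = +postini_hosts
          message = Mail for $domain is accepted only via its filtering service

  # Other domains fall through to whatever checks follow here.
  accept
```

    The `deny` verb answers RCPT with a 550 by default, which is the rejection-at-RCPT the post asks for, and `!hosts` negates the list so the rule reads "recipient domain is filtered and sender host is not the filter". On a cPanel/WHM server, hand edits to /etc/exim.conf are overwritten when WHM regenerates the file, so a rule like this has to be entered through WHM's Exim configuration editor rather than directly into the file; that regeneration is also why the file on disk and the WHM view can differ.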
