Postini MX and firewall

Discussion in 'E-mail Discussions' started by bomonguny, Aug 8, 2007.

  1. bomonguny

    bomonguny Member

    Joined:
    Dec 5, 2006
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    So one of my users has postini for spam filtering. All MX records point to Postini and then mail from postini that is filtered is then sent on to my server. The server then serves up that e-mail as it should.

    The problem is that my server accepts port 25 traffic from anyone (as it should) but for this one domain it should only accept e-mail from 2 IP addresses. This domain should only ever get e-mail from Postini.

    It seems spammers are still using mail.domain.com which will still work, but it shouldn't. This particular domain is a shared IP address, and it's a virtual dedicated server at GoDaddy so a hardware firewall is not an option. Any suggestions?

    -Nick
     
  2. rossh_cp

    rossh_cp Member

    Joined:
    May 31, 2005
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    I've had Postini like this. Need to remove all dns MX that go direct to the MTA here - only have the 4 MX going direct to Postini. Don't leave any easy to guess DNS records like mail.domain.com. Also as you say, the spam can still be sent to port 25 of the A record, which will almost certainly be the same as the MTA.

    You can put a filter in place that checks the connecting IP for all mail and blackhole all those not from Postini range. I did this at the user level in cpanel under email admin, block email:

    Code:
    $sender_host_address: does not match "\\N\(^64\\.18\\.(\\d|\\d[0-5])\\.\\d{1,3}|^205\\.234\\.107\\.122|^$|^:|localhost)\\N"+++++++no_mx_lookup@domain.com

    Here we test for postini range and local mail and forward the cheats to a holding account. Note that you may need to add support IP's too.

    To get that into the cpanel you need to do some trickery... You can't get that rule in with the regular interface...

    Make a temporary rule (anything) using the cpanel interface and save it. Then use FTP and extract the \home\domain\.filter file and manually add the rule above, including all the plus sign formatting. Save it and overwrite the original. Now remove that temporary rule from before, and this tricks cpanel into saving that complex rule into wherever cpanel puts it.

    Enjoy.
     
  3. bomonguny

    bomonguny Member

    Joined:
    Dec 5, 2006
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    Since I have shell access it was a little easier to create this, but it doesn't appear to be working.

    I have

    /home/username
    .filter

    and in .filter I have:

    Code:
    $sender_host_address: does not match "\\N\(^64\\.18\\.(\\d|\\d[0-5])\\.\\d{1,3}|^205\\.234\\.107\\.122|^$|^:|localhost)\\N"no_mx_lookup@domain.com

    I went back and removed the rule, and cpanel removed the rule from the user interface of cpanel.

    I still have .filter in the /home/username folder
     
    #3 bomonguny, Aug 15, 2007
    Last edited: Aug 15, 2007
  4. bomonguny

    bomonguny Member

    Joined:
    Dec 5, 2006
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    Ohh, never mind, add the new line, then remove the original. I missed that step; I deleted the whole rule once it was edited. I will try again... sorry.
     
  5. bomonguny

    bomonguny Member

    Joined:
    Dec 5, 2006
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    Well, that worked.... Kinda. I haven't received an e-mail (even the Quarantine Summary) in 4 days, so I think it's just blocking everything. Any suggestions?
     
  6. rossh_cp

    rossh_cp Member

    Joined:
    May 31, 2005
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1


    Postini has two server farms...

    64.18.0.0 - 64.18.15.255
    207.126.144.0 - 207.126.159.255

    Check he is not on the second set of IPs.

    If you substitute the no_mx_lookup@xyz.com with a real address on your server, you can test that the mail either delivers normally / correctly, or rejects into that holding account. When you're satisfied it's all working, the address could be replaced with :blackhole:

    A test mail from Yahoo does what? Delivers? Or goes to the holding account? Those are the only two choices here?

    My original also had a reference to an IP of LiquidWeb - the 205\\.234\.. is their support ticket server, which seems to bypass regular DNS lookups. Replace this with your own domain support ticket address.

    Check the DNS on the server this account is set up on. I found that the CPanel user account setup also assumes it has DNS record control, and sets an authoritative record into the local DNS server. If the real DNS is controlled elsewhere, then you get confusing results with MX records for mail sent from within the local net.

    Also note that everything is still filtered by the host's mail systems. Hence the attempt to deliver quarantined postini mail will almost always get it dropped by the host's mail filters. And that is the problem here with this setup. Postini has great filtering and quarantine inspection systems, whereas the host has questionable filtering that will make false positives, throw out some of the good mail and no way to inspect or check on the process or rejected mails. Mail is effectively filtered twice. The host would need to make a special exempt rule in the exim config to allow mail from trusted sources (postini) to bypass all its own filter testing.

    rossh
     
    #6 rossh_cp, Aug 25, 2007
    Last edited: Aug 25, 2007
  7. meeven

    meeven Well-Known Member

    Joined:
    May 8, 2007
    Messages:
    124
    Likes Received:
    0
    Trophy Points:
    16
    Alternative solution?

    I am trying to figure out the same issue on my VPS, the only difference being that I am using MXLogic.

    I got the following instructions from the MXLogic reseller:

    My host responded that it would be difficult to make such changes (making Exim listen to a different port only for a particular domain's email). When I pressed, they suggested the following:

    I haven't fully figured out how this will work, but it sounds plausible, except for the fact that I have no idea if a VPS will support two shared IPs, one for regular domains and the other, for domains using MXLogic.

    Just wanted to share it anyhow.:)
     
  8. bomonguny

    bomonguny Member

    Joined:
    Dec 5, 2006
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    anyone know the perl regular expression for the second set of postini servers?
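
    The regular-expression question above, together with the user-level hold described in post 2 and the two Postini ranges rossh_cp quoted in post 6, can be answered with a single user filter. The block below is an added example, not code from the thread and not in cPanel's legacy `+++++++` rule format: it is the plain Exim filter syntax that a `.filter` file holds. The third octet of 64.18.x.x is anchored to 0-15 and that of 207.126.x.x to 144-159, so an address such as 64.18.25.1 is no longer treated as Postini (the thread's `(\d|\d[0-5])` accepts it). The folder name `.Postini-bypass` is an assumed placeholder.

```exim
# Exim filter
# Added example (not from the thread): user-level filter for a domain whose
# MX records all point at Postini. Mail that did not arrive from one of the
# two Postini farms (64.18.0.0/20 and 207.126.144.0/20, as quoted in the
# thread) and was not generated on this server is saved to a holding maildir
# instead of the inbox, so nothing is lost while the rule is being tested.
#
# In a double-quoted filter string "\\" becomes "\", so "\\N ... \\N" reaches
# the expander as \N...\N and the regex inside is used verbatim.
#
# Locally generated mail (PHP scripts, cron jobs) has no connecting host, so
# $sender_host_address is empty; the first condition lets that mail through.
# The regex is anchored at both ends: third octet 0-15 for 64.18.x.x and
# 144-159 for 207.126.x.x.
if
  $sender_host_address is not ""
  and
  $sender_host_address does not match "\\N^(64\\.18\\.(\\d|1[0-5])\\.\\d{1,3}|207\\.126\\.(14[4-9]|15\\d)\\.\\d{1,3})$\\N"
then
  # "$home/mail/.Postini-bypass/" is an assumed placeholder maildir; the
  # trailing slash makes Exim write in maildir format.
  save "$home/mail/.Postini-bypass/"
endif
```

    Saving to a folder rather than forwarding to another address avoids the filter being applied a second time to the diverted copy. Once the holding folder has been watched for a while and contains only direct-to-A-record deliveries, the `save` line can be changed to whatever final disposition is wanted; the Quarantine Summary problem from post 5 shows up immediately in that folder if Postini's second range has been missed.
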
     
  9. bomonguny

    bomonguny Member

    Joined:
    Dec 5, 2006
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    I have one server that seems to work fine with any domain that I add to postini, I have a second server that doesn't seem to work.

    I have the domains in the /etc/localdomains but it appears that EXIM on the one server is not allowing messages from postini as it thinks it's a relay. I get a 550 error.

    How do I configure Exim to allow relay from postini, and postini only? Is this something that I did and forgot on the other server, or why does that one work?

    -Nick
     
  10. Samuraid

    Samuraid Member

    Joined:
    Apr 20, 2006
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    I have this setup as well:
    - 4 MX records all pointing to postini servers
    - A WHM server that gets all the postini-filtered mail forwarded to it

    And one of my users is getting spam that (according to the mail logs) is being sent by spammers (with a valid domain name) directly to my server using the A record, thus bypassing all the postini filtering.

    I learned the exim configuration file format today, but it seems that the contents of the exim config file shown in WHM and the actual /etc/exim.conf are different!?. What's going on with that? Has anyone been able to figure out a water-tight configuration of exim that will allow SMTP from:
    - Authenticated users (that have mailboxes on the WHM server)
    - Any server in Postini's IP address range

    And reject any other servers at SMTP time (preferably RCPT)?

    I would dive into the exim configuration and do this, but I'm afraid to do so seeing that WHM seemingly isn't synchronized with the actual exim.conf.
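
    For the server-wide version Samuraid asks for (authenticated mailbox owners and Postini's farms may submit; every other host is refused at RCPT time), the following ACL stanzas are an added example. They are not code from the thread and not from cPanel's stock exim.conf. `example.com` and `example.net` are placeholder domains; the two CIDR ranges are the ones rossh_cp quoted in post 6, and the rejection text is assumed wording.

```exim
# Added example (not from the thread): Exim ACL stanzas that reject, at RCPT
# time, any delivery for a Postini-protected domain that did not come from
# Postini, from the server itself, or from an authenticated user.

# --- main configuration section (before "begin acl") ---
# Host lists accept CIDR notation directly, so no regular expression is needed.
hostlist   postini_hosts   = 64.18.0.0/20 : 207.126.144.0/20
# Placeholder domains: list every domain whose MX records point at Postini.
domainlist postini_domains = example.com : example.net

# --- inside the ACL that acl_smtp_rcpt names, ahead of its existing accept
# --- rules (the ACL's name varies between cPanel versions)

  # Mailbox owners who completed SMTP AUTH submit mail normally.
  accept  authenticated = *

  # For a Postini-protected domain only Postini's farms and this server's own
  # interfaces (@[] expands to them) may deliver; everyone else is refused
  # before DATA, so the message body is never accepted.
  deny    domains     = +postini_domains
          !hosts      = 127.0.0.1 : @[] : +postini_hosts
          message     = Mail for $domain is accepted only via its MX hosts
          log_message = direct-to-A-record delivery attempt for $domain

  # ...the existing local_domains / relay checks follow unchanged.
```

    The `log_message` line is what makes the bypass attempts visible in the Exim main log, which answers the "according to the mail logs" observation above without having to read rejected bodies. cPanel regenerates /etc/exim.conf, so changes made by editing that file directly do not survive an update; put them where your cPanel version keeps local Exim changes (later releases include /etc/exim.conf.local) rather than in the generated file, which is one reason the WHM view and the file on disk can disagree.
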
     