Koozali.org: home of the SME Server

Protecting your network against infected Guest systems

batje

Protecting your network against infected Guest systems
« on: July 18, 2007, 06:28:27 PM »
For the second time we got caught off guard by a guest on our local network that was infected with a spambot.

We are using the SMTP proxy as we are on a very slow link. So if a spambot enters the network, it is too easy to start emailing.

I figured there are 2 ways to prevent this:

- Requiring internal users to authenticate for SMTP
- Limit the amount of relayable 'from' domains.
- Run SMTP on a non-standard port.

I tried looking on the forums (and found people with similar problems), but found no howto for achieving any of the three.

I tried some ssmtp, qsmtpd and other things, but to no avail.

Did I miss a howto?


batje

Works. Halfway now.
« Reply #2 on: July 19, 2007, 09:44:55 AM »
This wiki is indeed growing into a very valuable information source. I will keep the improvements in mind the next time I search for something.

It works, in that the change does enable Authentication. I also added the property:

config setprop qpsmtpd Authentication enabled  

As qpsmtpd did not have an Authentication property initially. You may now authenticate against SMTP.

But it's not mandatory! I:

- Started Outlook Express
- Deleted all profiles
- Created a profile for an imaginary POP3 mailbox
- Sent an email from whereever@blabla.org to my mailbox
- SMEServer happily accepted the message.

How can I make authentication mandatory?

This is my full qpsmtp config:

qpsmtpd=service
    Authentication=enabled
    Bcc=disabled
    BccMode=cc
    BccUser=maillog
    DNSBL=enabled
    LogLevel=8
    MaxScannerSize=25000000
    RBLList=sbl-xbl.spamhaus.org:whois.rfc-ignorant.org:dnsbl.njabl.org
    RHSBL=enabled
    RequireResolvableFromHost=no
    SBLList=dsn.rfc-ignorant.org
    access=public
    status=enabled

mmccarn

Protecting your network against infected Guest systems
« Reply #3 on: July 19, 2007, 11:11:27 AM »
Try this and let me know if it blocks unauthenticated relay from local hosts (but still lets you send using authentication).  If it does I'll add it to the wiki:
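Code:
# Create the custom-template directory for qpsmtpd's relayclients file
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients
# Write a fragment named 80relayFromLocalNetwork that contains only a comment
echo "# SMTP Relay from local network denied by custom template" >\
/etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80relayFromLocalNetwork
# Apply the change
signal-event email-update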


If anything goes wrong, you can undo these changes with:
Code:
rm -f /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80relayFromLocalNetwork
signal-event email-update

batje

getting there
« Reply #4 on: July 19, 2007, 01:19:33 PM »
I almost thought it didn't work. But my KMail by default chooses to send using SSL.

On port 25 everything is fine, you can't relay anymore. Using SSL on Port 465 will still allow relaying.

For now, that should be fine with me. Thanx a million.
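
A way to check the outcome reported in the last post from a host on the local network, added here as an example that is not part of the original thread: it attempts an unauthenticated MAIL FROM / RCPT TO for an off-site recipient on ports 25 and 465 of your own mail server and reports the reply code, without ever sending DATA. The function names, the placeholder addresses and the assumption of a self-signed certificate on port 465 are all hypothetical.

```python
import smtplib
import ssl
import sys

# Constructed placeholders: a sender and an off-site recipient the server is
# not responsible for. No DATA is sent, so no message leaves the server.
SENDER = "relay-check@example.org"
EXTERNAL_RCPT = "relay-check@example.net"

def classify(code):
    """Turn an SMTP reply code into a verdict about unauthenticated relay."""
    if 200 <= code < 300:
        return "relay accepted"
    if 400 <= code < 500:
        return "temporarily refused"
    return "relay refused"

def connect(host, port, use_ssl=False, timeout=10):
    """Open a plain (port 25) or implicit-SSL (port 465) SMTP connection."""
    name = "relay-check.invalid"          # constructed EHLO name
    if not use_ssl:
        return smtplib.SMTP(host, port, local_hostname=name, timeout=timeout)
    # Assumption: the LAN server has a self-signed certificate, so
    # verification is skipped for this check only.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return smtplib.SMTP_SSL(host, port, local_hostname=name,
                            timeout=timeout, context=ctx)

def probe_relay(conn):
    """Try MAIL FROM / RCPT TO without AUTH; return (code, verdict)."""
    try:
        conn.ehlo()
        code, _ = conn.mail(SENDER)
        if code < 400:                    # sender accepted, now try to relay
            code, _ = conn.rcpt(EXTERNAL_RCPT)
        return code, classify(code)
    finally:
        try:
            conn.quit()                   # QUIT before DATA drops the transaction
        except smtplib.SMTPException:
            conn.close()

if __name__ == "__main__" and len(sys.argv) == 2:
    # Usage: python3 relay_check.py <your-mail-server>
    for port, tls in ((25, False), (465, True)):
        code, verdict = probe_relay(connect(sys.argv[1], port, use_ssl=tls))
        print(f"port {port}: {code} {verdict}")
```

A "relay accepted" verdict on either port means a guest machine on that network can still send through the server without credentials on that port.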