Koozali.org formerly Contribs.org

Filter outgoing mail?

« on: October 10, 2007, 05:33:05 AM »
Is it possible to filter outgoing mail from SME for non-domain/workgroup pc's?

Scenario: Small pc repair shop plugs pc into network to check for problems. Moments later ISP rings complaining about spam emanating from pc shop's ADSL connection.

EDIT: I did a search, but didn't locate anything appropriate.
PS I'm using SME7.2 in gateway mode

Offline raem

Re: Filter outgoing mail?
« Reply #1 on: October 10, 2007, 06:20:46 AM »
gippsweb

>...spam emanating from pc shop's ADSL connection.

Do you have the smtp proxy enabled on your sme server ?
With the smtp proxy enabled, then the email client must be configured to use your mail server. If not configured, then mail should not be able to get sent, so don't configure the client PCs being repaired to use your mail server.

If you don't have the smtp proxy enabled, then rogue viruses on workstations can create their own software smtp server, or use an external smtp server to send spam etc. So it's better (safer) to enable the sme smtp proxy to protect against this scenario, i.e. the virus won't know what smtp server to use.
...

Re: Filter outgoing mail?
« Reply #2 on: October 10, 2007, 06:45:48 AM »
Damn that was a quick reply Ray.

I should have mentioned that the SMTP proxy is on. (I figured it only worked on incoming mail as it figured anything on the LAN would be "safe")
We don't change any mail settings on clients' PCs.

I have mail to unknown users set to reject (no good in this case as the mail is just passing through)
Virus scanning and Spam filtering on (Spam Filtering set fairly aggressively)
POP3 server access is set to private and public as we have a couple of remote users.

Offline raem

Re: Filter outgoing mail?
« Reply #3 on: October 10, 2007, 07:22:17 AM »
gippsweb

Quote
.... SMTP proxy is on. (I figured it only worked on incoming mail as it figured anything on the LAN would be "safe")
We don't change any mail settings on clients' PCs.

The smtp proxy forces local users to send mail via the sme server smtp mail server; to my understanding it has nothing to do with incoming mail.

So you surmise that the phone call from your ISP suggests the spam is coming from the recently connected customer's PC under test. So how then is the mail getting from the PC to your sme server's mail server if you do not configure the client PCs to use your mail server?

Did you check the qpsmtpd log files to see where the spam was really coming from ?

If spam email is being sent directly from the PC (not via your sme server), then the smtp proxy must be disabled.
...

Re: Filter outgoing mail?
« Reply #4 on: October 10, 2007, 07:40:00 AM »
Going by the qpsmtpd log, it's the recently connected pc causing the spam.

There has "never" been any need for us to change mail settings on a customer's pc to connect to our SME pc.

The smtp proxy must be working as qpsmtpd is passing and logging the mail. SME appears to be virus scanning outgoing mail but not spam filtering.

Spam filtering on incoming mail definitely works as it blocks more than 60% of incoming mail.

SMTP proxy is definitely enabled. I've even disabled and re-enabled it just to be sure.
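
An added example, not part of the thread: one way to do the log check discussed in Replies #3 and #4, flagging LAN hosts that open an unusual number of SMTP connections to the server in a short time. It assumes the qpsmtpd log has been piped through `tai64nlocal` and that connection lines look like the constructed sample; the LAN range, threshold and addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed line shape (qpsmtpd log after tai64nlocal):
#   <date> <time>.<ns> <pid> Accepted connection <n>/<max> from <ip> / <host>
CONN = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ \d+ "
                  r"Accepted connection \d+/\d+ from (\d{1,3}(?:\.\d{1,3}){3}) ")

def noisy_lan_clients(lines, lan="192.168.1.0/24", limit=5,
                      window=timedelta(minutes=1)):
    """Return {ip: peak connections inside any window} for LAN hosts over limit."""
    net = ip_network(lan)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        m = CONN.match(line)
        if not m:
            continue
        try:
            ip = ip_address(m.group(2))
        except ValueError:        # e.g. an octet above 255
            continue
        if ip not in net:
            continue              # inbound mail from outside is not the target here
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        q = recent[str(ip)]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak[str(ip)] = max(peak[str(ip)], len(q))
    return {ip: n for ip, n in peak.items() if n > limit}

# Constructed sample log lines (not taken from a real server).
def _line(hms, ip):
    return (f"2007-10-10 {hms}.000000500 2812 "
            f"Accepted connection 0/40 from {ip} / Unknown")

SAMPLE = sorted(
    [_line(f"07:12:{s:02d}", "192.168.1.65") for s in range(0, 40, 5)]  # bench PC
    + [_line("07:10:00", "192.168.1.20"), _line("07:30:00", "192.168.1.20")]  # office PC
    + [_line(f"07:12:{s:02d}", "203.0.113.9") for s in range(0, 50, 5)]  # outside sender
)

if __name__ == "__main__":
    for ip, n in noisy_lan_clients(SAMPLE).items():
        print(f"{ip}: {n} SMTP connections within one minute")
```
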

Offline raem

Re: Filter outgoing mail?
« Reply #5 on: October 10, 2007, 07:59:21 AM »
gippsweb

Quote
There has "never" been any need for us to change mail settings on a customer's pc to connect to our SME pc.

Exactly how is the customer's PC configured then to send email to your sme server's mail server?
Surely you must need to have mail.yourdomain.com as the smtp & POP/IMAP servers setup in their email client, or are you talking about some other eg webmail system ?

...

Re: Filter outgoing mail?
« Reply #6 on: October 10, 2007, 08:17:50 AM »
After re-reading that it doesn't sound right does it  :?
The customer's pc would be configured to send via their own isp.

Although this bug must be using its own smtp engine as no email programs are open/running on it.

As SME thinks PCs on the LAN are safe (if that's the right way to look at it) is the machine relaying through it? Or am I just way too tired and looking at it all wrong.

Offline raem

Re: Filter outgoing mail?
« Reply #7 on: October 10, 2007, 09:11:07 AM »
gippsweb

Quote
Although this bug must be using its own smtp engine as no email programs are open/running on it.

That's typically what happens, and it can only connect to the outside world if your smtp proxy is disabled.

Are you sure we are referring to the same setting?
What output do these commands show ?

config show SMTPSmartHost

config show smtpd

...

Re: Filter outgoing mail?
« Reply #8 on: October 10, 2007, 09:30:47 AM »
config show SMTPSmartHost shows our ISP's mail server

config show smtpd
smtpd=service
    Authentication=disabled
    Instances=40
    InstancesPerIP=5
    MaximumDateOffset=0
    PatternsScan=enabled
    Proxy=enabled
    TCPPort=25
    TCPProxyPort=25
    VirusScan=enabled
    access=public
    status=enabled
    tnef2mime=enabled


Offline mmccarn

Re: Filter outgoing mail?
« Reply #9 on: October 10, 2007, 04:16:55 PM »
You could enable smtp authentication for internal users: http://wiki.contribs.org/Email#How_do_I_enable_smtp_authentication_for_users_on_the_internal_network.

Or you could block outgoing traffic from unauthorized computers using http://bugs.contribs.org/show_bug.cgi?id=2977

I'd recommend something like this:

Internet
   |
Router----DMZ->SME----Work_PCs
   |
Client_PCs

Then make a rule on 'Router' that blocks everything except 80 & 443 from every system except the SME...  This solution will prevent "sick" client computers from pushing windows viruses onto your office computers... 

Re: Filter outgoing mail?
« Reply #10 on: October 12, 2007, 05:38:11 AM »
What's the difference between smtpd and qpsmtpd?

I added smtp authentication for internal users as per the wiki and did a config show smtpd, it still shows Authentication=disabled
I did a config setprop smtpd Authentication enabled
was this correct or should I have left it disabled?

Anyway having followed the wiki for setting authentication didn't stop the spam flowing outwards, I am about to try again since changing the other setting.

Offline raem

Re: Filter outgoing mail?
« Reply #11 on: October 12, 2007, 07:37:28 AM »
gippsweb

I would have thought the more important task was to virus scan the errant PC and remove the virus that is sending the mail, before reconnecting to the Internet.
...

Re: Filter outgoing mail?
« Reply #12 on: October 12, 2007, 07:43:09 AM »
You are dead right Ray, and that is what will happen.

The issue is that this pc didn't come in for this and although it only ran for 10 minutes, I got caught unawares. I want to stop this unfortunate event from accidentally happening again. Hence trying to find a way to stop it.


Offline raem

Re: Filter outgoing mail?
« Reply #13 on: October 12, 2007, 01:12:46 PM »
gippsweb

Try this
http://forums.contribs.org/index.php?topic=37821.0

You will need to do

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
cp /etc/e-smith/templates/var/service/qpsmtpd/config/peers/0/05auth_cvm_unix_local .
signal-event email-update

(note the "." at the end of the 3rd line)
Authentication for the local network will now follow the setting of config::qpsmtpd::Authentication

Then do
config setprop qpsmtpd Authentication enabled 
signal-event email-update

Then
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients
echo "# SMTP Relay from local network denied by custom template" >\
/etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80relayFromLocalNetwork
signal-event email-update

In all your email clients,
change outgoing smtp port to 465 and select SSL and
enable Authentication against the outgoing mail server

« Last Edit: October 12, 2007, 02:20:46 PM by RayMitchell »
...
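
An added example, not part of the thread: a check to run from a LAN workstation after the steps in Reply #13, confirming that the server no longer relays mail for an unauthenticated local client. The host argument, the probe addresses and the function name are placeholders; no message is ever sent, only the envelope commands.

```python
import smtplib
import sys

def check_relay(host, port=25, sender="probe@example.invalid",
                rcpt="probe@example.net", timeout=10):
    """Try an unauthenticated RCPT to an outside address; DATA is never sent."""
    with smtplib.SMTP(host, port, local_hostname="probe.invalid",
                      timeout=timeout) as s:
        s.ehlo_or_helo_if_needed()
        result = {"auth_offered": s.has_extn("auth"), "relay_accepted": False}
        code, reply = s.mail(sender)
        if code == 250:
            # The relay decision is made when the outside recipient is offered.
            code, reply = s.rcpt(rcpt)
            result["relay_accepted"] = code in (250, 251)
            try:
                s.rset()          # abandon the transaction cleanly
            except smtplib.SMTPServerDisconnected:
                pass              # some servers hang up after refusing
        result["code"] = code
        result["reply"] = reply.decode(errors="replace")
        return result

if __name__ == "__main__" and len(sys.argv) > 1:
    r = check_relay(sys.argv[1])
    if r["relay_accepted"]:
        print("FAIL: server accepted an outside recipient without AUTH")
    else:
        print(f"OK: refused with {r['code']} {r['reply']}")
```

Run it with the server's address as the only argument, from a machine on the local network that has no mail account configured.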

Offline raem

Re: Filter outgoing mail?
« Reply #14 on: October 12, 2007, 02:24:19 PM »
gippsweb

Quote
I did a config setprop smtpd Authentication enabled
was this correct or should I have left it disabled?

Wrong key, it should have been qpsmtpd. Leave it disabled, so do

config setprop smtpd Authentication disabled
signal-event email-update

...