
Re: [suse-security] Amavis... interesting



> > Depends on mailer. For postfix I would say yes, don't know exim etc.
> > so
> > good.
>
> Same thing, easy, examples are included. The docs and config-file all
> explain the lot
>
> As you are at it, check out amaia, (see sourceforge) you will like it.
> This one makes admin of spam and virus quarantine easy for admin and
> user.

Even with postfix you can do a lot.
The mechanisms presented here you can use with any mailer daemon providing
the same features.

Here are some basic examples from one of my setups (postfix, amavis,
rbl_filter, body & headerchecks).
With this setup our local mailserver rejects the critical spam without the
usage of spamd.
Be sure you have activated the dns lookup function (this kicks header
fakers).

Before changing anything make backups of your configs.

You can enter rbl_lists - even in the case you don't have an open relay -
and all mails from well known spammers go to /dev/null.

/etc/postfix/main.cf

smtpd_sender_restrictions = hash:/etc/postfix/access,
    reject_unknown_sender_domain
smtpd_client_restrictions = reject_rbl_client relays.ordb.org

After that you can implement mime_header_checks and body_checks.

/etc/postfix/main.cf:

mime_header_checks = regexp:/etc/postfix/mime_header_checks
body_checks = regexp:/etc/postfix/body_checks

/etc/postfix/body_checks:

# sobig rejection (the pattern and its REJECT action must be on one line)
/^TVqQAAMAAAAEAAAA\/\/8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA$/ REJECT keep your viruses

# Klez rejection
/^<iframe src=3Dcid:\S+ height=3D0 width=3D0>/ REJECT No IFRAMEs please
/^<FONT>/ REJECT No viruses wanted here
/^<IMG>/ REJECT No Images please

/etc/postfix/mime_header_checks:

# Mime Header Checks
# Nimda
/^Subject: Make Money Fast/    REJECT Nimda Protection
/^To: friend@xxxxxxxxxx/       REJECT Nimda Protection
# Filetypes
/^Content-Type: multipart\/related;.*type=\"multipart\/alternative\";.*boundary=\"====_ABC1234567890DEF_====\#"*$/
    REJECT Blocked File types not allowed
# Spammers
/^ Body content=\.*(MMailer|K-ML|GoldMine|MAGIC|bomber|expeditor|Brooklyn North|Broadcast|DMailer|Extractor|EMailing List Pro|Group|Fusion|News Breaker|dbMail|Unity|PG-MAILINGLIST PRO|Dynamic|Splio|Sarbacane|sMailing|JMail|Broadc@st|WorkZ).*$/
    REJECT Blocked File types not allowed
/^Content-Type: application\/octet-stream; name=*\.bat *$/
    REJECT Blocked File types not allowed
/^Content-Type: audio\/x-wav; name=*\.scr *$/
    REJECT Blocked File types not allowed
/^Content-Type: audio\/x-midi; name=*\.bat *$/
    REJECT Blocked File types not allowed
/^Content-Type: application\/octet-stream"; name=*\.bat *$/
    REJECT Blocked File types not allowed
/^Content-(?:Disposition:\s+attachment;|Type:).*\b(?:file)?name\s*=.*\.(ad[ep]|asd|ba[st]|chm|cmd|com(?=$|")|cpl|crt|dll|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[betw]|ms[cipt]|nws|ocx|ops|pcd|p[ir]f|reg|sc[frt]|sh[bsm]|swf|url|vb[esx]?|vxd|ws[cfh])\b/x
    REJECT Blocked File types not allowed
/filename=\"?(.*)\.(bat|chm|cmd|com|do|exe|hta|jse|rm|scr|pif|vbe|vbs|vxd|xl)\"?$/
    REJECT For security reasons we reject attachments of this type
/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(lnk|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh]|wav|mov|wmf|xl))"?\s*$/
    REJECT Attachment type not allowed. File "$2" has the unacceptable extension "$3"
/^x-mailer: *(CTMailer|MailKing|eMerge|Diffondi|ACE Contact Manager|CyberCreek Avalanche|Achi-Kochi Mail)/      REJECT
/^x-mailer: .*(E-mail Magnet|Avalanche|Mailcast|Group Mail|AristotleMail|WorldMerge|Extractor Pro|Floodgate Pro|Emailer Platinum.*InternetMarketing|Ellipse Bulk Emailer|RamoMail|MultiMailer|Advanced Mass Sender)/ REJECT

And postfix itself has some basic spam protection since 8.2. You need to
activate amavis via /etc/sysconfig/amavis (USE_AMAVIS="yes").
Install any virus scanners you might want and enter them in
/etc/amavisd.conf.
Here you have to enter the full path to the virus scanners.

In /etc/postfix/main.cf you must add this line:

content_filter = vscan:

and in /etc/postfix/master.cf you must add these lines:

localhost:10025 inet    n       -       y       -       -       smtpd
  -o content_filter=

vscan     unix  -       n       n       -       10       pipe
  user=vscan argv=/usr/sbin/amavis ${sender} ${recipient}

If there exists something for exim you will find examples at
http://www.debian.org/.
It's Debian's "default" mailer; some use qmail instead.
You will get some information about both on the Debian pages with the
search function.

> > Don't think so, guess they use a MTA which does not change any
> > header.
> > You can do a port redirect with iptables on port 25 on your scanning
> > host,
> > redirecting it into a MTA you configure to resend the stuff after
> > scanning.
>
> Hmm, well thinking about this it is rather easy.
> primary MX is the proxy so that's easy. And mail is used to being
> relayed (aka proxied) so maybe redirecting outgoing 25 to internal
> interface ip might just work.
>
> Much easier is to disallow forwarding of connections to port 25 and
> set internal mailers to use proxy/fw as the standard relay.

First you need a mailer entry in the dns and set the priority of 1st, 2nd
... MX in the dns entries.
Then you can configure one smtp as spam- & virus- filter.
This "external" mailserver will be setup as smarthost for all the "internal"
ones (2nd, 3rd ...).
This even works with exchange or any somehow "insecure" mailserver in the
internal network.
I did this with david sl, exchange 2000 (for exchange you can even get a
free or/rbl filter from http://martijnjongen.com/eng/).

On the firewall you block incoming traffic to all internal mailservers.

Depending on the transfer you might want to add the rates of the mailserver.
If it gets too many mails some mails will be rejected with standard config.

For postfix there are some basic infos in the
/usr/share/doc/packages/postfix folder.

Regards

Philippe

P.S.: After all changes you made you have to restart postfix and amavis.
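As an added example (not from Philippe's post or from Postfix itself), here is a small Python simulation of how Postfix evaluates a regexp-style header_checks table, so rules like those above can be tried against constructed header lines before touching the running mailer. The table contents, the sample headers and the simplified continuation-line handling are assumptions made for this example.

```python
import re

# Constructed header_checks table in Postfix regexp_table syntax (rules adapted
# from the post; the file contents are constructed here). A logical line is
# "/pattern/flags action"; a line starting with whitespace continues the
# previous one; '#' starts a comment.
TABLE = r'''
# Nimda
/^Subject: Make Money Fast/    REJECT Nimda Protection
/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(lnk|exe|pif|scr|bat|cmd|vb[esx]))"?\s*$/
    REJECT Attachment type not allowed. File "$2" has the unacceptable extension "$3"
/^X-Mailer: .*(Floodgate Pro|Extractor Pro)/ REJECT
'''
RULE = re.compile(r'^(!?)/((?:\\.|[^/\\])*)/([imx]*)\s+(.*)$')

def logical_lines(text):
    """Drop comments and blanks; join continuation lines onto the rule above."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0].isspace() and out:      # continuation of the previous rule
            out[-1] += ' ' + raw.strip()
        else:
            out.append(raw.rstrip())
    return out

def parse_table(text):
    """Return [(negate, compiled_regex, action)] in file order."""
    rules = []
    for line in logical_lines(text):
        m = RULE.match(line)
        if not m:
            raise ValueError('malformed rule: ' + line)
        neg, pat, flags, action = m.groups()
        # Postfix default is case-insensitive ('i' toggles); 'x' is a no-op here.
        re_flags = (0 if 'i' in flags else re.I) | (re.M if 'm' in flags else 0)
        rules.append((neg == '!', re.compile(pat, re_flags), action.strip()))
    return rules

def check_header(rules, header_line):
    """First matching rule wins; '$n' in the action is replaced by group n."""
    for negate, rx, action in rules:
        m = rx.search(header_line)
        if bool(m) == negate:             # rule does not fire on this line
            continue
        if not negate:
            action = re.sub(r'\$(\d+)', lambda g: m.group(int(g.group(1))) or '', action)
        return action
    return None
```

On a host with Postfix installed the real check is `postmap -q 'Subject: Make Money Fast' regexp:/etc/postfix/mime_header_checks`. Postfix `regexp:` tables use POSIX syntax, so rules that rely on `(?:...)` or lookahead, like the long attachment rule above, belong in a `pcre:` table instead.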

