From: Paul procacci <pprocacci@bellsouth.net>
Date: Fri, 13 Jul 2007 03:40:42 -0500
To: Olivier Nicole
Cc: freebsd-questions@freebsd.org
Subject: Re: Transparent email proxy
Message-ID: <46973A8A.4050009@bellsouth.net>
In-Reply-To: <46973936.6080104@bellsouth.net>
References: <200707130730.l6D7U6v9086226@banyan.cs.ait.ac.th> <46973936.6080104@bellsouth.net>

Paul procacci wrote:
> Olivier Nicole wrote:
>> Hi,
>>
>> As an ISP, or the person in charge of a large organisation, have you
>> ever set up a transparent email redirection: all outgoing email would
>> be proceeded to an outgoing server in order to check for virus, spam,
>> whatever.
>>
>> Best regards,
>>
>> Olivier
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>
> The answer to your question is yes. To elaborate a bit more, however,
> here is a personal document I wrote (i.e. it wasn't intended for anyone
> else); hopefully it provides you with good enough information and/or
> the information you were looking for. Mind you, this is BSD and qmail
> (yes, I'm a fanboy) specific. This assumes you are familiar with the
> software I decided to use under the components heading. Certainly
> feel free to ask any questions. I realize the document isn't
> "production quality" due to the reasons given above, but rest assured
> I can vouch for this method.
>
> Additionally note, this is obviously not the only method.....just that
> it's my method. ;P Cheers!
>
> ~Paul
>
> ----------------------------------------------
>
> I have 5 machines behind a load balancer, one of which is FBSD 4.11,
> and the other 4 are FBSD 6.2. The component list I used is as follows:
>
> Components
>
> tcpserver
> daemontools
> qmail w/ QMAILQUEUE patch
> qmail-qfilter
> spamassassin
> *custom c scripts (These are optional; one is provided)
>
> Flow
>
> This is the current flow of any emails that reach the cluster. Note
> the items listed within *'s are custom programs and explained later in
> this document:
>
> tcpserver->qmail-smtpd->qmail-qfilter->spamc->*reject_spam*->qmail-queue->qmail-remote
>
> **Note :: reject_spam is included because that is needed for denying
> emails. (You could rewrite it in perl or sh if you needed to)
>
> Installation
>
> The installation for any new and existing proxy boxes is extremely
> straightforward.
>
> For all but qmail listed above, use the ports tree.
>
> Set up spamd to create the /tmp/.spamd.sock socket. That's what I call
> mine; yours can/will vary.
>
> Once all this is installed, create /etc/tcp.smtp with the following
> entry and build the cdb file:
>
> :+RELAYCLIENT=+QMAILQUEUE=/var/qmail/bin/qmail-queue-spam
>
> Ensure tcpserver uses that file (i.e. -x)
>
> While in /usr/ports/qmail.....
>
> a) upload the attached files (patch-qmail.c and patch-Makefile) into
> ./files/
>
> b) edit patch-qmail.c to reflect a message you would like to give.
> '+ case 20: return "DAnti-SPAM Threshold Reached see
> http://domain.com/legal_information.aspx";'
>
> c) type: make extract
>
> d) type: make patch
>
> e) copy the attached file (reject-spam.c) to ./work/qmail*/
>
> f) Now, I haven't included some of my patches here due to sensitive
> information. Therefore, you'll need to edit the Makefile
> (work/qmail-*/Makefile) to remove any and all references to
> check_block and reject-record-spam.
>
> g) type: make install
>
> h) copy reject-spam to /var/qmail/bin
>
> i) Copy the attached shell script (qmail-queue-spam) to
> /var/qmail/bin/; that is going to tie this together.
>
> Please note that it's NECESSARY to use the local software FW to allow
> relaying. IPFW is a good choice (my preference anyways). Deny
> everything to port 25, and only allow the hosts you want. I found
> this to be the easiest.
> Then on those hosts, smarthost the "hidden" (not really) machine.
> ------------------------------------------------------------------------

My attached c file got stripped. Here it is.
reject-spam.c
-------------------------------------------------------------------
/* qmail-qfilter stage: copy the message from stdin to stdout, but exit 20
 * (the custom "case 20" text added by patch-qmail.c) as soon as an
 * "X-Spam-Flag: YES" line is seen in the header section. */
#include "stralloc.h"
#include "substdio.h"
#include "readwrite.h"
#include "getln.h"
#include "str.h"
#include "exit.h"          /* declares _exit(); missing from the posted file */

stralloc s = {0};          /* current line */
substdio i = {0};          /* buffered stdin */
substdio o = {0};          /* buffered stdout */
char ibuf[1024];
char obuf[1024];

int main(void)
{
  int match;

  substdio_fdbuf(&i, read, 0, ibuf, sizeof(ibuf));
  substdio_fdbuf(&o, write, 1, obuf, sizeof(obuf));

  /* Walk the headers one line at a time. */
  for (;;) {
    if (getln(&i, &s, &match, '\n') == -1) _exit(81);   /* read failure: qmail-queue internal-error code */
    if (!match || s.len == 1) break;    /* EOF, or the blank line that ends the headers */
    if (!str_diffn("X-Spam-Flag: YES\n", s.s, s.len)) _exit(20);   /* SpamAssassin flagged it: reject */
    substdio_put(&o, s.s, s.len);
  }

  /* Not spam: emit the header/body separator and the untouched body. */
  substdio_put(&o, s.s, s.len);
  substdio_copy(&o, &i);
  substdio_flush(&o);
  _exit(0);
}
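The same header check as an added example that is not Paul's attached reject-spam.c: a plain-C rewrite without the qmail library, so that the header/body boundary, CRLF terminators, folded continuation lines and case handling can be exercised stand-alone. It assumes it is dropped into the qmail-qfilter chain in place of reject-spam, keeps exit code 20 from the mail for a rejection, and uses constructed sample messages for its self-test.

```c
/* Added example, not Paul's attached reject-spam.c: a portable rewrite of the
 * same header check in plain C, so boundary, CRLF and case handling can be tested. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define REJECT_SPAM 20  /* exit code patch-qmail.c maps to the "case 20" message */
/* Constructed sample messages (not real mail) used by the self-test. */
#define SAMPLE_SPAM "Received: from x\r\nX-Spam-Flag: YES\r\n\r\nbody\r\n"
#define SAMPLE_HAM  "X-Spam-Status: No\nX-Spam-Flag: NO\n\nX-Spam-Flag: YES\n"
#define SAMPLE_FOLD "Subject: hi\n\tX-Spam-Flag: YES\n\nbody\n"

/* 1 if a header line (terminator stripped) is X-Spam-Flag: YES, case-insensitive. */
static int is_spam_flag_yes(const char *line, size_t n)
{
    static const char name[] = "X-Spam-Flag:";
    size_t k = sizeof name - 1;
    if (n < k || strncasecmp(line, name, k) != 0) return 0;
    for (line += k, n -= k; n && (*line == ' ' || *line == '\t'); line++, n--) ;
    while (n && (line[n - 1] == ' ' || line[n - 1] == '\t')) n--;
    return n == 3 && strncasecmp(line, "YES", 3) == 0;
}

/* Scan only the header section: stop at the first blank line so a body that
 * quotes "X-Spam-Flag: YES" is ignored; folded continuation lines never start a field. */
int spam_verdict(const char *msg, size_t len)
{
    size_t pos = 0;
    while (pos < len) {
        const char *nl = memchr(msg + pos, '\n', len - pos);
        size_t n = nl ? (size_t)(nl - (msg + pos)) : len - pos;
        size_t body = (n && msg[pos + n - 1] == '\r') ? n - 1 : n;
        if (body == 0) break;                       /* blank line ends the headers */
        if (msg[pos] != ' ' && msg[pos] != '\t' && is_spam_flag_yes(msg + pos, body))
            return REJECT_SPAM;
        pos += n + (nl ? 1 : 0);
    }
    return 0;
}

/* Stand-alone use in a qmail-qfilter chain: copy the message to stdout and exit 0,
 * exit REJECT_SPAM without output, or exit 81 if the message does not fit the buffer. */
int main(void)
{
    static char buf[1 << 20];
    size_t len = fread(buf, 1, sizeof buf, stdin);
    if (len == sizeof buf && !feof(stdin)) return 81;   /* truncated: do not pass a partial message */
    int rc = spam_verdict(buf, len);
    if (rc == 0) fwrite(buf, 1, len, stdout);
    return rc;
}
```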