From: Jon Simola
To: freebsd-isp@freebsd.org
Date: Thu, 9 Feb 2006 14:44:34 -0800
Subject: Re: Outbound mail filtering

On 2/9/06, Gregory T Pelle wrote:
> What is the recommended setup for outbound spam filtering?

On your router, forward all port 25 connections to your filtering server except those from your filtering server, as well as other standard firewalling for a webserver. I'd also use some sort of throttling to cut off any machines that exceed an amount that you set per machine (big paying customer website vs $2/month cheap user).

I'd recommend qmail on the filtering machine (my preference, I've not used anything else). I've used qmail-scanner before for spamassassin and virus scanning, simscan is supposed to be just as good and maybe a bit faster. Also check out the spamcontrol patch.

> I know I am not going to catch 100% of all spam, but I would like to
> catch most.
>
> I also plan on setting up firewall rules on the servers to block all
> outbound smtp traffic unless it is going to my filtering server.

I would do that on a router in front of the web servers, as compromise of a webserver would most likely lead to the attacker disabling the firewall to send spam. Separate tasks, web servers should serve web pages, routers and firewalls should be separate from the servers they're protecting.

> Any suggestions? Am I missing something?

Stuffing your servers into a DMZ makes things easier to secure and harder to use.

--
Jon Simola
Systems Administrator
ABC Communications
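
The router-side setup described in the message above (redirect all port 25 traffic to the filtering server, throttle per machine, allow SMTP out only from the filter), written as pf.conf rules. This is an added example, not part of the original e-mail: the message names no firewall, so the use of pf, the three-interface layout, and every interface name, address, table name and rate limit are assumptions.

```pf
# Added example: all names, addresses and limits are constructed placeholders.
ext_if  = "em0"             # uplink
web_if  = "em1"             # web server segment
flt_if  = "em2"             # segment holding the filtering server
web_net = "192.0.2.0/24"    # documentation range standing in for the web servers
filter  = "198.51.100.25"   # documentation address standing in for the filter

# Customers allowed a higher sending rate (maintained by the operator).
table <big_senders>    persist { 192.0.2.10 }
# Filled automatically by the overload option below.
table <smtp_throttled> persist

# Translation: any SMTP connection leaving a web server lands on the
# filter, whatever destination the sender asked for. The filter sits on
# another interface, so its own outbound mail is never redirected.
rdr on $web_if inet proto tcp from $web_net to any port 25 -> $filter port 25

# Machines that exceeded their limit lose SMTP until removed from the table.
block in log quick on $web_if inet proto tcp from <smtp_throttled> to any port 25

# Default per-machine limit: 30 new connections per 60 seconds.
pass in on $web_if inet proto tcp from $web_net to $filter port 25 \
    flags S/SA keep state \
    (max-src-conn-rate 30/60, overload <smtp_throttled> flush global)

# Higher limit for the listed customers (the last matching rule wins).
pass in on $web_if inet proto tcp from <big_senders> to $filter port 25 \
    flags S/SA keep state \
    (max-src-conn-rate 300/60, overload <smtp_throttled> flush global)

# Hand redirected connections to the filter, and accept its outbound mail.
pass out on $flt_if inet proto tcp from $web_net to $filter port 25 flags S/SA keep state
pass in  on $flt_if inet proto tcp from $filter to any port 25 flags S/SA keep state

# Egress: only the filter may speak SMTP to the outside world.
block out log quick on $ext_if inet proto tcp from ! $filter to any port 25
pass  out on $ext_if inet proto tcp from $filter to any port 25 flags S/SA keep state
```

`pfctl -t smtp_throttled -T show` lists the machines that have been cut off, and `pfctl -t smtp_throttled -T delete <address>` restores one after it has been cleaned up.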