From owner-freebsd-security@FreeBSD.ORG Tue May 11 20:41:11 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 32C0116A4CE; Tue, 11 May 2004 20:41:11 -0700 (PDT)
Received: from gw.visp.com.au (gw.visp.com.au [202.6.158.130]) by mx1.FreeBSD.org (Postfix) with ESMTP id 428C143D39; Tue, 11 May 2004 20:41:10 -0700 (PDT) (envelope-from tim@spyderweb.com.au)
Received: from bofh.spyderweb.com.au (202-6-150-37.ip.visp.com.au [202.6.150.37] (may be forged)) by gw.visp.com.au (8.12.8p2/8.12.8) with ESMTP id i4C3fDkH025057; Wed, 12 May 2004 13:11:13 +0930 (CST) (envelope-from tim@spyderweb.com.au)
Received: from spyderweb.com.au (localhost [127.0.0.1]) i4C3fAic083745; Wed, 12 May 2004 13:11:11 +0930 (CST) (envelope-from tim@spyderweb.com.au)
Date: Wed, 12 May 2004 13:11:10 +0930
From: Tim Aslat
To: freebsd security list
Message-Id: <20040512131110.65e9ab02@bofh.spyderweb.com.au>
In-Reply-To: <20040512030648.GA2102@sheol.localdomain>
References: <20040512115607.23ac80ea@bofh.spyderweb.com.au> <20040512030648.GA2102@sheol.localdomain>
Organization: Spyderweb Consulting
X-Mailer: Sylpheed version 0.9.10claws (GTK+ 1.2.10; i386-portbld-freebsd5.2.1)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: Re: quick FW question
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Wed, 12 May 2004 03:41:11 -0000

In the immortal words of D J Hawkey Jr ...

> Set up the mail server as the hub for your internal network, and have
> the workstations forward mail to it. If you're running sendmail on the
> workstations, put this in their .mc file:
>
>   define(`SMART_HOST', `smtp:mailhub.privatedomain')
>
> And rebuild their sendmail.cf (I use the same .mc file for all U**X
> boxen on my network, except for the mail hub). Basically, just point
> all internal boxen's mailers to the hub.

I'm using Exim, and I already have this part working (smart host).

> My mail hub, in turn, defines SMART_HOST to be my ISP's mail cluster,
> and I define MASQUERADE_AS to be my ISP's domain (I use the feature
> masquerade_envelope, too). You might not be able to do this, of
> course, it'll depend on your connectivity.

Not really required for this particular setup.

> You'll need an MX record set up for the mail hub in your DNS.

Got one :)

> Given the above approach, the only thing I have in my firewall for
> SMTP is a rule for stateful outbound on ports 25 and 995 (I use SSL-
> enabled POP3 to download incoming mail from my ISP's mail cluster).

Hmmm, that doesn't really solve my problem, but it's useful to have in
the archives anyhow.

What I want to do is grab any outgoing packets bound for port 25 and
redirect them back to the local mailserver, which has spam/virus
filtering. This should eliminate problems of viruses/trojans which use
their own internal SMTP servers to propagate themselves, coming from
this network.

The reason for this approach is the domain in question being RBL'd a
couple of days ago after one of the machines in this network had a
virus (actually a couple of thousand of various types).

Cheers

Tim

-- 
Tim Aslat
Spyderweb Consulting
http://www.spyderweb.com.au
Phone: +61 0401088479
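The transparent port-25 redirect Tim asks for, written out as an added example that is not part of the thread and not any poster's configuration. It is a pf.conf fragment for the gateway (pf is in the FreeBSD base system from 5.3 on and was a port before that; on a 5.2.1 box with ipfw, the same effect is only available when the mail server runs on the gateway itself, via `fwd 127.0.0.1,25` with the IPFIREWALL_FORWARD kernel option). Every name in it is an assumption: fxp0 as the LAN-facing interface, 192.168.1.0/24 as the LAN, and 192.168.1.2 as the filtering Exim host.

```pf
# Added example, not from the mailing-list thread.
# Assumed names: fxp0 = LAN-facing interface of the gateway,
# 192.168.1.0/24 = the LAN, 192.168.1.2 = the mail server running Exim
# with the spam/virus filtering.
int_if   = "fxp0"
lan      = "192.168.1.0/24"
mailhost = "192.168.1.2"

# --- Translation rules (pf evaluates these before the filter rules) ---

# The mail server's own outbound deliveries must NOT be rewritten, or
# every message it tries to send to the outside loops straight back to it.
no rdr on $int_if proto tcp from $mailhost to any port 25

# Every other LAN host's SMTP connection, whatever its real destination,
# is rewritten so that it lands on the local mail server instead.  A worm
# with its own built-in SMTP engine therefore talks to Exim, not to the
# victim's MX, and Exim's filtering gets to see (and drop) the traffic.
rdr on $int_if proto tcp from $lan to any port 25 -> $mailhost port 25

# --- Filter rules (these see the already-translated destination) ---

# Only the mail server may open SMTP sessions to the outside world.
pass in quick on $int_if proto tcp from $mailhost to any port 25 \
        flags S/SA keep state

# Workstations can reach port 25 on the mail server and nowhere else;
# the rdr above has already put them there.
pass in quick on $int_if proto tcp from $lan to $mailhost port 25 \
        flags S/SA keep state

# Safety net: anything on port 25 that somehow escaped the rewrite is
# logged and dropped, so a misconfiguration shows up in pflog rather
# than on a blacklist.
block in log quick on $int_if proto tcp from $lan to any port 25
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, confirm the translation rule is in place with `pfctl -s nat`, and verify from a workstation by connecting to any outside host on port 25: the banner that comes back should be the local Exim's, not the remote one's. Two things to expect: Exim must be told to relay for the LAN (its relay_from_hosts list), and any workstation that authenticated to an outside relay on port 25 will now be talking to the local server instead, so such clients need to move to the local hub or to a port this rule does not touch.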