From: Gregory T Pelle
Date: Fri, 10 Feb 2006 09:42:18 -0500
To: freebsd-isp@freebsd.org
Subject: Re: Outbound mail filtering

Jon Simola wrote:

>On 2/9/06, Gregory T Pelle wrote:
>
>>What is the recommended setup for outbound spam filtering?
>
>On your router, forward all port 25 connections to your filtering
>server except those from your filtering server, as well as other
>standard firewalling for a webserver. I'd also use some sort of
>throttling to cut off any machines that exceed an amount that you set
>per machine (big paying customer website vs $2/month cheap user).
>
>I'd recommend qmail on the filtering machine (my preference, I've not
>used anything else). I've used qmail-scanner before for spamassassin
>and virus scanning, simscan is supposed to be just as good and maybe a
>bit faster. Also check out the spamcontrol patch.

After your setup has determined that the mail is spam, what do you use
to quarantine it? In my testbed, I have a setup using sendmail, clamav,
and spamassassin that classifies the mail, but does not perform the
quarantine function. The tools that I have found to quarantine email
expect that the mail is going to be delivered to your users (which in
this instance is not always the case).

>>I know I am not going to catch 100% of all spam, but I would like to
>>catch most.
>>
>>I also plan on setting up firewall rules on the servers to block all
>>outbound smtp traffic unless it is going to my filtering server.
>
>I would do that on a router in front of the web servers, as compromise
>of a webserver would most likely lead to the attacker disabling the
>firewall to send spam. Separate tasks, web servers should serve web
>pages, routers and firewalls should be separate from the servers
>they're protecting.

I would agree that a router would be more secure, but I am limited to
what hardware I have on hand.

>>Any suggestions? Am I missing something?
>
>Stuffing your servers into a DMZ makes things easier to secure and
>harder to use.
>
>--
>Jon Simola
>Systems Administrator
>ABC Communications
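The quarantine step asked about above, as an added example that is not part of the original thread and not code from any tool named in it: on an outbound filter the held copy cannot go to a local user's mailbox, so this sketch reads the X-Spam-Status verdict that SpamAssassin has already added and stores flagged mail in a Maildir on the filter host instead of relaying it. The function names, the X-Quarantine-Env-* headers, the fail-closed handling of unscanned mail and the sample messages are assumptions made for the example; how the script is hooked into the MTA is left out.

```python
import email
import mailbox
import os
import re
import tempfile

# SpamAssassin verdict header, e.g. "No, score=0.1 required=5.0 tests=AWL"
STATUS_RE = re.compile(r"\s*(yes|no)\s*,\s*score=(-?\d+(?:\.\d+)?)", re.I)

def spam_verdict(msg):
    """Return (is_spam, score). Mail with no parsable verdict counts as spam
    (fail closed): an assumption of this example, not a rule from the thread."""
    m = STATUS_RE.match(str(msg.get("X-Spam-Status", "")))
    if m is None:
        return True, None
    return m.group(1).lower() == "yes", float(m.group(2))

def route(raw, env_from, env_to, quarantine_dir):
    """Return "relay" for clean mail; otherwise store the message in a
    Maildir on the filter host and return "quarantine"."""
    msg = email.message_from_bytes(raw)
    is_spam, _score = spam_verdict(msg)
    if not is_spam:
        return "relay"
    # Keep the SMTP envelope with the held copy so an admin can trace the
    # sending web server or release the message later (hypothetical headers).
    msg["X-Quarantine-Env-From"] = env_from
    msg["X-Quarantine-Env-To"] = ", ".join(env_to)
    mailbox.Maildir(quarantine_dir, create=True).add(msg)
    return "quarantine"

# Constructed sample messages, not real traffic.
SPAM = (b"From: www@web1.example.net\r\nTo: someone@example.org\r\n"
        b"Subject: constructed sample\r\n"
        b"X-Spam-Status: Yes, score=14.2 required=5.0 tests=CONSTRUCTED\r\n"
        b"\r\nbody\r\n")
HAM = SPAM.replace(b"Yes, score=14.2", b"No, score=0.1")
UNSCANNED = SPAM.replace(b"X-Spam-Status", b"X-Other")

def demo():
    """Route the three samples; return the decisions and the quarantine size."""
    qdir = os.path.join(tempfile.mkdtemp(), "quarantine")
    sender, rcpts = "www@web1.example.net", ["someone@example.org"]
    decisions = [route(m, sender, rcpts, qdir) for m in (HAM, SPAM, UNSCANNED)]
    return decisions, len(mailbox.Maildir(qdir, create=False))

if __name__ == "__main__":
    print(demo())
```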