[Mimedefang] filter relay installation
Lucas Albers
admin at cs.montana.edu
Tue Jun 17 20:49:00 EDT 2003
I recently enabled filter_relay on my system.
This verifies that the IP address of the machine matches the HELO it sends.
I have rejected a large number of connections because of this.
Steps to Enable Filter Relay:
Install mimedefang, verify it works, etc.
ENABLE FEATURES INCREMENTALLY!
Your users will tear you apart if you reject too much...
Uncomment line in /etc/sysconfig/mimedefang:
MX_RELAY_CHECK=yes
to enable filter relay.
Add this code in /usr/bin/mimedefang.pl to enable filter_relay checking:
################################
sub filter_relay {
    my($ip, $name, $helo) = @_;

    # No further checking if the connection comes from localhost.
    return(1, "OK") if ($ip eq "127.0.0.1");

    # Reject only when it is an obvious forgery: the HELO is a dotted-quad
    # IP address (dots escaped so "." does not match any character) and it
    # differs from the address the peer is actually connecting from.
    if (($helo =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) &&
        ($ip ne $helo)) {
        return(0, "Header forgery attempt, $ip claims to be $helo");
    }
    return(1, "OK");
}
################################
Validate the perl code for typos:
/usr/bin/mimedefang.pl -test
Then restart mimedefang.
Caveats:
There are usually 3 types of forgeries.
SMTP Server A says they are SMTP Server B.
SMTP Server A says they are YOU.
SMTP Server A says they are Server B in the same subnet as A.
False Positives:
Some mail servers will say they are another machine in their same domain.
(Forgery type 3.)
This does not appear to be spam, just a mail relay thing.
I still reject this mail.
Example:
So Server 153.90.199.5 says they are 153.90.199.47.
If you wanted to allow a server to fudge its address to an address in
its same subnet, you would modify the above regexp to only check the
first 3 octets for equality.
I think this code will skip comparisons where the helo command is not an
ip address?
Example:
Brainless windows clients give a helo "hostname" instead of helo
"hostname.domain"
--Luke
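As an added example (not part of Luke's post and not code shipped with MIMEDefang), here is a filter_relay variant that implements the two refinements discussed above: it optionally accepts a HELO address in the same /24 as the connecting peer (the "forgery type 3" case), and it leaves non-IP HELO strings such as a bare "hostname" unchecked. It follows the ($ip, $name, $helo) signature and the numeric 1/0 return codes used in the post; the $ALLOW_SAME_SUBNET switch, the helo_as_ip helper and the sample connections at the bottom are assumptions constructed for this example, not anything from the MIMEDefang distribution.

```perl
#!/usr/bin/perl
# Added example, not from the original post or the MIMEDefang project.
use strict;
use warnings;

# Assumption: set to 1 to treat a HELO IP in the same /24 as the peer as
# acceptable (forgery type 3); set to 0 to demand an exact match.
my $ALLOW_SAME_SUBNET = 1;

# Parse a HELO argument as an IPv4 address. Accepts "1.2.3.4" and the
# bracketed address-literal form "[1.2.3.4]" that RFC 2821 allows in HELO.
# Returns an array ref of octets, or undef if the HELO is not an IP.
sub helo_as_ip {
    my ($helo) = @_;
    if ($helo =~ /^\[?(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\]?$/) {
        my @octets = ($1, $2, $3, $4);
        return undef if grep { $_ > 255 } @octets;   # e.g. 999.1.1.1
        return \@octets;
    }
    return undef;   # hostname-style HELO: not an IP, so nothing to compare
}

sub filter_relay {
    my ($ip, $name, $helo) = @_;

    # Skip the check for localhost, as in the post.
    return (1, "OK") if $ip eq "127.0.0.1";

    # Only compare when the peer address itself is a dotted quad
    # (an IPv6 peer would not split into four octets).
    return (1, "OK") unless $ip =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;

    my $claimed = helo_as_ip($helo);
    return (1, "OK") unless $claimed;   # non-IP HELO is left alone

    my @peer = split /\./, $ip;
    my $octets_to_compare = $ALLOW_SAME_SUBNET ? 3 : 4;
    for my $i (0 .. $octets_to_compare - 1) {
        if ($peer[$i] != $claimed->[$i]) {
            return (0, "Header forgery attempt, $ip claims to be $helo");
        }
    }
    return (1, "OK");
}

# Constructed sample connections for a stand-alone run (not real traffic).
# When this file is loaded by mimedefang.pl, caller() is set and this
# block is skipped.
unless (caller) {
    my @samples = (
        [ "127.0.0.1",    "localhost", "1.2.3.4"         ],  # localhost: skipped
        [ "153.90.199.5", "a.example", "153.90.199.5"    ],  # exact match
        [ "153.90.199.5", "a.example", "153.90.199.47"   ],  # same /24: type 3
        [ "153.90.199.5", "a.example", "10.9.8.7"        ],  # different net
        [ "153.90.199.5", "a.example", "[153.90.199.5]"  ],  # address literal
        [ "153.90.199.5", "a.example", "hostname"        ],  # not an IP
    );
    for my $s (@samples) {
        my ($code, $msg) = filter_relay(@$s);
        printf "%-14s helo=%-16s -> %d %s\n", $s->[0], $s->[2], $code, $msg;
    }
}
```

Run it directly with perl to see which of the sample connections would be rejected; with $ALLOW_SAME_SUBNET set to 0 the 153.90.199.47 case from the post is rejected again. Note that in either setting a HELO that is not a dotted quad (a bare hostname, or an IPv6 literal) is never rejected by this sub, so it does not protect against hostname-based forgeries.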