
Re: Flexible mail-relay protection



> Hello!
> 
> Due to countless spam-attacks, we switched off mail-relay
> in our university. Following this, we only accept SMTP
> connections if the recipient of the email is located
> inside the university.
> 
> The huge disadvantage of this is the fact that members of
> our university can't use our server for their outgoing mail
> if they connect from outside.
> 
> Is it possible to solve this problem? Is there any possibility
> of a more flexible mail-relay protection?

	Yes and no -- "flexible" ways, well..

> My first idea was to use password protected smtp-sessions,
> e.g. with MS Outlook Express. The user from the outside would
> authenticate himself with his password and the server accepts
> any mail from this user during this session.
> Unfortunately zmailer doesn't support password protected
> smtp-sessions right now...

	Have a look into zmailer list archive during past
	week, subject "Password for sending mail".

	I have tried to look for the M$ specifications about
	what the Exchange servers mean with their EHLO
	response:
		AUTH=LOGIN

	If you can find M$ document at it, I would be very grateful,
	indeed.

	I would prefer to have a system where I don't need to store
	the passwords in clear, which most of the SMTP-AUTH algorithms
	seem to mandate ( see doc/rfc/rfc2554.txt, or your nearby
	RFC repository.. )

> Another way would be that the user first checks for new mail
> using the pop3- or imap4-protocol. The pop3- or imap4-server
> stores the date/time and ip-address of the connected client in
> a list. After he checked for new mail, he sends his outgoing
> mail. zmailer looks up the user's ip in the list. If the
> ip-address is found and the pop3-/imap4-connection was within
> the last two or three minutes, zmailer accepts all mail from
> this user during this smtp-session...

	ZMailer package does contain 'whoson' daemon,
	and library support just for this purpose :)

	You have to open  contrib/whoson-1.05.tar.gz,
	configure, compile, and install it, then modify
	your imap/pop/radius servers, and finally
	configure ZMailer with  '--with-whoson=...'
	option.

> My last idea was using PGP. Before sending his mail, the user
> has to sign every mail with his private key. zmailer accepts
> every mail from the user, but before delivering it to the
> outside, zmailer validates the signed mail with the user's
> public key.

	Could be fairly easy by diverting input files (which
	would be rejected normally) into freezer, and then a
	pre-router scans the freezer and does this signature
	analysis.  (And all failures would be put into a deep-
	freeze ;) )

	Offhand I can't guarantee that doing this would succeed
	without any actual code changes.  A very unusual version
	of the policy database boilerplate would be needed, very
	least..   ... adding "freeze +" to the "." entry would
	likely do that.

	You would probably need to list your local email suffixes
	in 'smtp-policy.mx' file so that email destined to those
	won't be frozen, when coming in from anywhere...
	Oh yes, the 'smtp-policy.relay' file must have your local
	network(s) listed so that from inside the transmission
	won't meet the freezer at all, when outbound.

	For that matter, I think it would be quite fine to freeze all
	incoming email (if a clear rejection hasn't been mandated by
	e.g. DNS MXDOMAIN result for source or destination address),
	and then just analyze them all.   I think some IBM ISP mail
	system does things essentially that way.  The routers do
	message spam-blocking/-filtering.

> I don't know, if my ideas are realistic or easy to implement.
> They are just the thoughts of a non-zmailer-expert who wants
> to offer a little more service to his users...
> 
> I would really like to know, how you are solving my problem...
> 
> Replies are welcome... :-)
> 
> Greetings,
> Matthias

/Matti Aarnio <mea@nic.funet.fi>
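A model of the POP/IMAP-before-SMTP relay check discussed in this thread, as an added example that is neither ZMailer's nor whoson's code: the local domains, the 180-second window and the sample login/relay events are constructed assumptions.

```python
"""Time-windowed POP/IMAP-before-SMTP relay check (added example, not
ZMailer/whoson code). Policy modelled: accept mail for local recipients
from anywhere; relay to outside only for an IP with a recent POP3/IMAP login.
"""
from dataclasses import dataclass, field

LOCAL_DOMAINS = {"uni.example", "mail.uni.example"}  # constructed sample domains
WINDOW_SECONDS = 180  # "two or three minutes" from the thread; assumed value


@dataclass
class RelayPolicy:
    window: int = WINDOW_SECONDS
    # client IP -> Unix time of its most recent successful POP3/IMAP login
    logins: dict = field(default_factory=dict)

    def record_login(self, ip: str, ts: int) -> None:
        """Called by the POP3/IMAP server after a successful authentication."""
        self.logins[ip] = max(ts, self.logins.get(ip, 0))

    def expire(self, now: int) -> None:
        """Drop entries older than the window so the table stays bounded."""
        self.logins = {ip: ts for ip, ts in self.logins.items()
                       if now - ts <= self.window}

    def recently_authenticated(self, ip: str, now: int) -> bool:
        ts = self.logins.get(ip)
        return ts is not None and 0 <= now - ts <= self.window

    def decide(self, client_ip: str, rcpt: str, now: int) -> tuple:
        """Return (verdict, reason) for one RCPT TO from client_ip."""
        domain = rcpt.rpartition("@")[2].lower()
        if domain in LOCAL_DOMAINS:
            return "accept", "local recipient"
        if self.recently_authenticated(client_ip, now):
            return "accept", "recent POP/IMAP login"
        return "reject", "relaying denied"


def run_sample() -> list:
    """Constructed event sequence; returns the verdicts in order."""
    policy = RelayPolicy()
    policy.record_login("203.0.113.7", 1000)  # POP3 login from outside at t=1000
    return [
        policy.decide("203.0.113.7", "bob@other.example", 1100),   # 100 s later
        policy.decide("198.51.100.9", "bob@other.example", 1100),  # never logged in
        policy.decide("198.51.100.9", "alice@uni.example", 1100),  # local rcpt
        policy.decide("203.0.113.7", "bob@other.example", 1300),   # 300 s: expired
    ]
```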