[Raw Msg Headers][Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Flexible mail-relay protection
> Hello!
>
> Due to countless spam-attacks, we switched off mail-relay
> in our university. Following to this, we only accept SMTP
> connections, if the recepient of the email is located
> inside the university.
>
> The huge disadvantage of this is the fact, that members of
> our university can't use our server for their outgoing mail,
> if the connect from outside.
>
> Is it possible to solve this problem? Is there any possibility
> of a more flexible mail-relay protection?
Yes and no -- "flexible" ways, well..
> My first idea was to use password protected smtp-sessions,
> e.g. with MS Outlook Express. The user from the outside would
> authenticate himself with his password and the server accepts
> any mail from this user during this session.
> Unfortunately zmailer doesn't support password protected
> smtp-sessions right now...
Have a look into zmailer list archive during past
week, subject "Password for sending mail".
I have tried to look for the M$ specifications about
what the Exchange servers mean with their EHLO
response:
AUTH=LOGIN
If you can find M$ document at it, I would be very gratefull,
indeed.
I would prefer to have a system where I don't need to store
the passwords in clear, which most of the SMTP-AUTH algorithms
seem to mandate ( see doc/rfc/rfc2554.txt, or your nearby
RFC repository.. )
> Another way would be, that the user first checks for new mail
> using the pop3- or imap4-protocol. The pop3- or imap4-server
> stores the date/time and ip-adress of the connected server in
> a list. After he checked for new mail, he sends his outgoing
> mail. zmailer looks up for the users ip in the list. If the
> ip-adress is found and the pop3-/imap4-connection was within
> the last two or three minutes, zmailer accepts all mail from
> this user during this smtp-session...
ZMailer package does contain 'whoson' daemon,
and library support just for this purpose :)
You have to open contrib/whoson-1.05.tar.gz,
configure, compile, and install it, then modify
your imap/pop/radius servers, and finally
configure ZMailer with '--with-whoson=...'
option.
> My last idea was using PGP. Before sending his mail, the user
> has to sign every mail with his private key. zmailer accepts
> every mail from the user, but before delivering it to the
> outside, zmailer validates the signed mail with the user's
> public key.
Could be fairly easy by diverting input files (which
would be rejected normally) into freezer, and then a
pre-router scans the freezer and does this signature
analysis. (And all failures would be put into a deep-
freeze ;) )
Offhand I can't guarantee that doing this would succeed
without any actual code changes. A very unusual version
of the policy database boilerplate would be needed, very
least.. ... adding "freeze +" to the "." entry would
likely do that.
You would propably need to list your local email suffixes
in 'smtp-policy.mx' file so that email destined to those
won't be frozen, when coming in from anywhere...
Oh yes, the 'smtp-policy.relay' file must have your local
network(s) listed so that from inside the transmission
won't meet the freezer at all, when outbound.
For that matter, I think it would be quite fine to freeze all
incoming email (if a clear rejection hasn't been mandated by
e.g. DNS MXDOMAIN result for source or destination address),
and then just analyze them all. I think some IBM ISP mail
system does things essentially that way. The routers do
message spam-blocking/-filtering.
> I don't know, if my ideas are realistic or easy to implement.
> They are just the thoughts of a non-zmailer-expert who wants
> to offer a little more service to his users...
>
> I would really like to know, how you are solving my problem...
>
> Replies are welcome... :-)
>
> Greetings,
> Matthias
/Matti Aarnio <mea@nic.funet.fi>