Greylisting with Securepoint 2007R1P4

Post by philipp

How to configure greylisting with Securepoint 2007 Release 1 Patch 4:

This feature can be configured only when Patch 4 is installed. Log in via SSH (on Windows, use PuTTY) and use the following CLI commands to activate it.

Add a new application named greylist:

Code:

add extc_application greylist

Configure a new template for this application:

Code:

add extc_template greylist /etc/mail/greylist.conf

Copy the following entries into the template. To complete the command and return to the CLI command prompt, enter the characters **
Code:

acl whitelist addr ${WHITELIST,listx}
acl greylist default delay ${DELAY}m autowhite ${AUTOWHITE}d

Add the following commands to create a whitelist and to configure how greylisting behaves:

Code:

add extc_entry greylist WHITELIST
add extc_value greylist WHITELIST 127.0.0.0/8
add extc_value greylist WHITELIST 10.0.0.0/8
add extc_value greylist WHITELIST 172.16.0.0/12
add extc_value greylist WHITELIST 192.168.0.0/16
add extc_entry greylist DELAY
add extc_value greylist DELAY 15
add extc_entry greylist AUTOWHITE
add extc_value greylist AUTOWHITE 1
add extc_entry sendmail ENABLE_GREYLIST

You can add more IP addresses to the whitelist when required. Whitelisting means that greylisting (delaying) is not active for these networks or single IP addresses.

How greylisting is now configured:

The command "add extc_value greylist DELAY 15" means that mail relaying is delayed for 15 minutes.

The command "add extc_value greylist AUTOWHITE 1" means that once the firewall has received the email after the delay, every following email from the sender is whitelisted for 1 day.

Now you have to change the sendmail template to add support for the greylisting milter.

Type the following command in the CLI and copy the template into the SSH session. To complete the command and return to the CLI command prompt, enter the characters **

Code:

change extc_template /etc/mail/sendmail.mc

Code:

divert(-1)
#
# Copyright (c) 1983 Eric P. Allman
# Copyright (c) 1988, 1993
#       The Regents of the University of California.  All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
# 3. All advertising materials mentioning features or use of this software
#    must display the following acknowledgement:
#       This product includes software developed by the University of
#       California, Berkeley and its contributors.
# 4. Neither the name of the University nor the names of its contributors
#    may be used to endorse or promote products derived from this software
#    without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#

#
#  This is a generic configuration file for FreeBSD 5.X and later systems.
#  If you want to customize it, copy it to a name appropriate for your
#  environment and do the modifications there.
#
#  The best documentation for this .mc file is:
#  /usr/share/sendmail/cf/README or
#  /usr/src/contrib/sendmail/cf/README
#

divert(0)
include(`/etc/mail/m4/cf.m4')
VERSIONID(`$FreeBSD: src/etc/sendmail/freebsd.mc,v 1.30.2.2 2006/08/23 03:31:00 gshapiro Exp $')
OSTYPE(linux)
DOMAIN(generic)

define(`confDONT_PROBE_INTERFACES',true)

FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access')
FEATURE(blacklist_recipients)
FEATURE(local_lmtp)
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')
FEATURE(domaintable, `hash -o /etc/mail/domaintable')

dnl Uncomment to allow relaying based on your MX records.
dnl NOTE: This can allow sites to use your server as a backup MX without
dnl       your permission.
dnl FEATURE(relay_based_on_MX)

dnl DNS based black hole lists
dnl --------------------------------
dnl DNS based black hole lists come and go on a regular basis
dnl so this file will not serve as a database of the available servers.
dnl For that, visit
dnl http://directory.google.com/Top/Computers/Internet/Abuse/Spam/Blacklists/

dnl Uncomment to activate Realtime Blackhole List
dnl information available at http://www.mail-abuse.com/
dnl NOTE: This is a subscription service as of July 31, 2001
#IF ${ENABLE_DNSBL}=1
FEATURE(`dnsbl', `bl.spamcop.net',`"554 Rejected "$&{client_addr} " found in bl.spamcop.net - see http://www.spamcop.net"')
FEATURE(`dnsbl', `dialups.mail-abuse.org',`"554 Rejected "$&{client_addr} " found in dialups.mail-abuse.org - see http://www.mail-abuse.org"')
FEATURE(`dnsbl', `dnsbl.sorbs.net',`"554 Rejected "$&{client_addr} " found in dnsbl.sorbs.net - see http://www.sorbs.net"')
FEATURE(`dnsbl', `cn-kr.blackholes.us',`"554 Rejected "$&{client_addr} " found in cn-kr.blackholes.us - see http://www.black-holes.us"')
#ENDIF



dnl Alternatively, you can provide your own server and rejection message:
dnl FEATURE(dnsbl, `blackholes.mail-abuse.org', `"550 Mail from " $&{client_addr} " rejected, see http://mail-abuse.org/cgi-bin/lookup?" $&{client_addr}')

dnl Dialup users should uncomment and define this appropriately

#IF ${ENABLE_SMARTHOST}=1
define(`confAUTH_OPTIONS', `A')
define(`SMART_HOST', [${SMARTHOST_ADDR}])
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')
FEATURE(`authinfo',`hash -o /etc/mail/auth_info')
#ENDIF

dnl Uncomment the first line to change the location of the default
dnl /etc/mail/local-host-names and comment out the second line.
dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
define(`confCW_FILE', `-o /etc/mail/local-host-names')

dnl Enable for both IPv4 and IPv6 (optional)
DAEMON_OPTIONS(`Name=IPv4, Family=inet')
dnl DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O')

define(`confBIND_OPTS', `WorkAroundBrokenAAAA')
define(`confNO_RCPT_ACTION', `add-to-undisclosed')
define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')


include(`ldaproute_domain')
FEATURE(`ldap_routing', `hash -o /etc/mail/validusers',`null',`bounce')

#IF ${MAX_MESSAGE_SIZE}>0
define(`confMAX_MESSAGE_SIZE', `${MAX_MESSAGE_SIZE}')
#ENDIF

MAILER(procmail)
MAILER(smtp)

#IF ${ENABLE_SPAMFILTER}=1
INPUT_MAIL_FILTER(`sp-spam-milter',
                  `S=local:/spam/sp_spam, F=T, T=S:10m;R:10m;E:10m')
#ENDIF
#IF ${ENABLE_ATTACHMENTFILTER}=1
INPUT_MAIL_FILTER(`sp-attach-cleaner',
                  `S=local:/spam/sp_cleaner, F=T, T=S:10m;R:10m;E:10m')
#ENDIF
#IF ${ENABLE_VIRUSFILTER}=1
INPUT_MAIL_FILTER(`clamav-milter',
                  `S=local:/spam/cl_milter, F=T, T=S:10m;R:10m;E:10m')
#ENDIF
define(`_FFR_MILTER', `true')

#IF ${ENABLE_GREYLIST}=1
INPUT_MAIL_FILTER(`greylist',
                  `S=local:/spam/gl_milter')
define(`confMILTER_MACROS_CONNECT', `j, {if_addr}')
define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}')
define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')
define(`confMILTER_MACROS_ENVRCPT', `{greylist}')
#ENDIF

To activate greylisting, type the following command:

Code:

add extc_value sendmail ENABLE_GREYLIST 1

And restart the mail service:

Code:

restart application SERVICE_SENDMAIL

To deactivate greylisting, type the following command:

Code:

change extc_value sendmail ENABLE_GREYLIST 0

And restart the mail service:

Code:

restart application SERVICE_SENDMAIL

When greylisting is active, you should see messages like this in the log:

Code:

l3C9hYHH010448: Milter: to=<XXX@securepoint.de>, reject=451 4.7.1 Greylisting in action, please come back in 00:15:00

You should save the settings permanently:

config list

You can also save the configuration with Security Manager. The configuration is included in the backup when you export the configuration with Security Manager.
Last edited by philipp on Thu 03.05.2007, 09:37; edited 1 time in total.
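
A simplified model of the decision that the WHITELIST, DELAY and AUTOWHITE settings in the post produce, added here as an example; it is not part of the original post and not Securepoint's or the milter's own code. It assumes entries are keyed on client IP, envelope sender and recipient and keeps state in memory; `GreylistModel`, `hms` and the ACCEPT labels are hypothetical names, while the 451 text is the one from the log line in the post.

```python
import ipaddress
from datetime import datetime, timedelta

# Values taken from the extc_value commands in the post.
WHITELIST = [ipaddress.ip_network(n) for n in
             ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DELAY = timedelta(minutes=15)   # DELAY 15     -> "delay 15m"
AUTOWHITE = timedelta(days=1)   # AUTOWHITE 1  -> "autowhite 1d"


def hms(delta):
    """Format a timedelta as HH:MM:SS, as in the reject text."""
    s = int(delta.total_seconds())
    return f"{s // 3600:02d}:{s % 3600 // 60:02d}:{s % 60:02d}"


class GreylistModel:
    """Hypothetical in-memory model; not the milter's implementation."""

    def __init__(self):
        self.pending = {}     # key -> time of first delivery attempt
        self.autowhite = {}   # key -> time the auto-whitelisting expires

    def check(self, client_ip, sender, rcpt, now):
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in WHITELIST):
            return "ACCEPT (whitelist)"
        # Assumption: entries are keyed on client IP, sender and recipient.
        key = (client_ip, sender.lower(), rcpt.lower())
        if self.autowhite.get(key, now) > now:
            return "ACCEPT (autowhite)"
        first_seen = self.pending.setdefault(key, now)
        remaining = first_seen + DELAY - now
        if remaining > timedelta(0):
            return ("451 4.7.1 Greylisting in action, "
                    f"please come back in {hms(remaining)}")
        # The sender retried after the delay: accept and auto-whitelist.
        del self.pending[key]
        self.autowhite[key] = now + AUTOWHITE
        return "ACCEPT (delay passed)"


if __name__ == "__main__":
    gl, t0 = GreylistModel(), datetime(2007, 5, 3, 9, 0)  # constructed sample
    msg = ("203.0.113.7", "alice@example.org", "user@example.com")
    for minutes in (0, 5, 15, 60, 24 * 60 + 16):
        print(f"+{minutes:>4} min:", gl.check(*msg, t0 + timedelta(minutes=minutes)))
```

A retry before the delay has elapsed is deferred again with the remaining time, and once the one-day auto-whitelisting expires the same sender is delayed for the full 15 minutes again.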
