NAME¶
mxallowd - dynamically whitelist your Mail eXchanger
SYNOPSIS¶
mxallowd [-d] [-c
configfile] [-t
whitelist-time] [-p
pflog-interface] [-l
pcap-filter] [-F] [-s] [-q] [-p] -f
fake-mailserver -r
real-mailserver -n
queue-num
DESCRIPTION¶
mxallowd is a daemon which uses libnetfilter_queue (on Linux) or pf and
pflog (on BSD) to allow (or deny) connections to a mailserver (or similar
application) if the remote host hasn't connected to a fake daemon before.
This is an improved version of the so-called nolisting (see
http://www.nolisting.org/). The assumption is that spammers are not using RFC
2821-compatible SMTP-clients and are sending fire-and-forget spam (directly to
the first or second MX-entry without retrying on error). This direct access is
blocked with mxallowd, you'll only get a connection if you retry.
NOTE: It is highly recommended to install nscd (nameserver caching daemon) or a
similar software in order to speed-up DNS lookups. Since version 1.3, DNS
lookups are done in a thread (so they don't block the main process), however,
on very-high-traffic-sites, mxallowd may show significantly better overall
performance in combination with nscd.
OPTIONS¶
- -b, --no-rdns-whitelist
- Disable whitelisting all IP-addresses that have the same
RDNS as the connecting one (necessary for google mail)
- -c, --config
- Specifies an alternative configuration file (instead of
/etc/mxallowd.conf)
- -t, --whitelist-time
- Specify the amount of time (in seconds) until an IP-address
will be removed from the whitelist
- -s, --stdout
- Log to stdout, not to syslog
- -q, --quiet
- Don't log anything but errors.
- -f, --fake-mailserver
- Specify which IP-address the fake mailserver has
(connecting to it will whitelist you for the real mailserver)
- -r, --real-mailserver
- Specify which IP-address the real mailserver has
- -F, --foreground
- Do not fork into background, stay on console
- -n, --queue-num (only available when compiled for
netfilter_queue)
- Specify the queue number which will be used for the
netfilter_queue-link. This has to be the same which is specified in the
iptables-rule and it has to be specified, there is no default.
- -p, --pflog-interface (only available when compiled for
pf)
- Specify the pflog(4) interface which you configured in
pf(4). The default is pflog0. Also see the pcap-filter-option if you use
an interface which does not only get smtp-traffic.
- -l, --pcap-filter (only available when compiled for
pf)
- Specify the filter for pcap. The default is "port
25". See tcpdump(8) for more information on the filters.
FILES¶
- /etc/mxallowd.conf
- System-wide configuration file. Use the long options
without the beginning two dashes. For example:
stdout
fake-mailserver 192.168.1.3
fake-mailserver 192.168.1.4
real-mailserver 192.168.1.5
queue-num 23
EXAMPLES FOR NETFILTER¶
The machine has two IP-addresses. The mailserver only listens on 192.168.1.4,
the nameserver returns the mx-records mx1.domain.com (192.168.1.3) with
priority 5 and mx2.domain.com (192.168.1.4) with priority 10.
# modprobe nfnetlink_queue
# iptables -A INPUT -p tcp --dport 25 -m state --state NEW -j NFQUEUE --queue-num 23
# mxallowd -s -F -f 192.168.1.3 -r 192.168.1.4 -n 23
Then open a separate terminal and connect via telnet on your real mailserver.
You'll see the connection attempt being dropped. Now connect to the fake
mailserver and watch mxallowd's output. Afterwards, connect to the real
mailserver to verify your mailserver is still working.
EXAMPLES FOR PF¶
The machine has two IP-addresses. The mailserver only listens on 192.168.1.4,
the nameserver returns the mx-records mx1.domain.com (192.168.1.3) with
priority 5 and mx2.domain.com (192.168.1.4) with priority 10.
Create a pf.conf like this:
table <mx-white> persist
real_mailserver="192.168.1.4"
fake_mailserver="192.168.1.3"
real_mailserver6="2001:dead:beef::1"
fake_mailserver6="2001:dead:beef::2"
pass in quick log on fxp0 proto tcp from <mx-white> to $real_mailserver port smtp
pass in quick log on fxp0 inet6 proto tcp from <mx-white> to $real_mailserver6 port smtp
block in log on fxp0 proto tcp to { $fake_mailserver $real_mailserver } port smtp
block in log on fxp0 inet6 proto tcp to { $fake_mailserver6 $real_mailserver6 } port smtp
Afterwards, load it and start mxallowd using the following commands:
# pfctl -f /etc/pf.conf
# mxallowd -s -F -f 192.168.1.3 -r 192.168.1.4
Then open a separate terminal and connect via telnet on your real mailserver.
You'll see the connection attempt being dropped. Now connect to the fake
mailserver and watch mxallowd's output. Afterwards, connect to the real
mailserver to verify your mailserver is still working.
The ruleset for pf is actually longer because pf does more than netfilter on
linux -- netfilter passes the packets and lets mxallowd decide whether to
drop/accept whilst pf blocks/passes before even "passing" to
mxallowd.
SEE ALSO¶
iptables(8),
pf(4),
pflog(4),
tcpdump(8)
AUTHOR¶
Michael Stapelberg <michael+mxallowd at stapelberg dot de>