Outbound mail filtering
Jon Simola
jon at abccomm.com
Thu Feb 9 14:44:37 PST 2006
On 2/9/06, Gregory T Pelle <gregp at domainit.com> wrote:
> What is the recommended setup for outbound spam filtering?
On your router, forward all port 25 connections to your filtering
server except those from your filtering server, as well as other
standard firewalling for a webserver. I'd also use some sort of
throttling to cut off any machines that exceed an amount that you set
per machine (big paying customer website vs $2/month cheap user).
I'd recommend qmail on the filtering machine (my preference, I've not
used anything else). I've used qmail-scanner before for spamassassin
and virus scanning, simscan is supposed to be just as good and maybe a
bit faster. Also check out the spamcontrol patch.
> I know I am not going to catch 100% of all spam, but I would like to
> catch most.
>
> I also plan on setting up firewall rules on the servers to block all
> outbound smtp traffic unless it is going to my filtering server.
I would do that on a router in front of the web servers, as comprimise
of a webserver would most likely lead to the attacker disabling the
firewall to send spam. Seperate tasks, web servers should serve web
pages, routers and firewalls should be seperate from the servers
they're protecting.
> Any suggestions? Am I missing something?
Stuffing your servers into a DMZ makes things easier to secure and
harder to use.
--
Jon Simola
Systems Administrator
ABC Communications
More information about the freebsd-isp
mailing list