Whether to filter (for spam, viruses) outgoing mail or not

emailspam

The purpose of this questions, is to understand pros and cons of filtering outgoing mail.

I am admin of an ISP. As usual, users, who have dynamic IPs, can send mail only with ISP's SMTP server. Nowadays users can send mail without authorization inside the network, but sending mail to internet requires authorization on the SMTP server. Thereby I can protect my network from been banned for spam.

But I see, that some providers permit sending mail to internet with their SMTP server without authorization. Is it good? Aren't they afraid to appear in DNSBL?

So, what do think about filtering outgoing mail? Use content filter? Deny or permit non-authorized users to send mail? How it is configured in your production?

Best Answer

I'm not sure if I fully understand the question with the part about providers permit sending mail to the Internet without authorization. If you mean internet users using the server to send to other internet users, that's bad. It would be considered an open relay and yes you'd get most likely filtered by other ISP's.

If you mean your internal users sending to the Internet, it's not necessarily bad it's just a policy decision. You can do that by securing the server to only relay mail for your IP ranges.

We aren't an ISP but I have worked with them. While there we only allowed sending from our own IP range, and if you were outside the network you had to authorize to the mail server to send messages and/or use the web interface to use email.

Mail servers were throttled in how much they could send per message so people couldn't email huge attachments.

The mail server was monitored for unusual traffic spikes...no home user should be sending a constant stream of mail.

The router locked out port 25 for any server that wasn't designated as the mail server, so home users couldn't run their own mail servers.

Filtering outgoing mail with something like bayesian filtering can be a pain in that false positives create a bad user experience. Users don't like it when their webbertubes act like magic and that magic won't work for them, especially if it fails seemingly at random. Your tech support won't appreciate the angry calls either. Or you may lose users who just get fed up if they have a bad experience with things "just not working" (unless these are people you want off your network, I don't know).

In general you want to prevent unauthorized access to your server. SMTP authorization can be somewhat annoying for the users to set up, but it usually isn't too bad. Beyond that locking it down to whitelisting your own IPs for relay and limiting message size should be fine. You may or may not want to also add a block on sending executable attachments as well (bat, pif, exe, com...), but that's a policy decision.

Either way you need to make it clear on your website and instructions for home users how and what is allowed for your mail server. You'll still get the phone calls about why something didn't work or what a bounce message means since users usually can't read the message with "attachment too large" written in it, but the slightly more tech savvy will appreciate the ability to look up your policies and errors without dealing with your help line.

Related Solutions

Postfix – Check Outgoing Mail for Spam

Below is a config "stub" for also checking outgoing messages.

In main.cf:

smtpd_sender_restrictions = 
   check_client_access cidr:/etc/postfix/internal_clients_filter

And: /etc/postfix/internal_clients_filter

192.168.0.0/24 FILTER smtp:[127.0.0.1]:12501
10.0.0.0/24 FILTER smtp:[127.0.0.1]:12501

(you could also do this in other ways for logged in users, ip, from etc..)

Use a policybank in Amavisd-new:

$interface_policy{'12501'} = 'INTERNAL'; 
$policy_bank{'INTERNAL'} = {  # mail originating from clients in cidr:/etc/postfix/internal_clients_filter
  bypass_spam_checks_maps   => [0],  # spam-check outgoing mail 
  bypass_banned_checks_maps => [0],  # banned-check outgoing mail 
  bypass_header_checks_maps => [0],  # header-check outgoing mail  
  forward_method => 'smtp:[127.0.0.1]:12502', # relay to Postfix listener on port 12502
};

And the reinject path in postfix:

127.0.0.1:12502 inet    n    -    n    -    -    smtpd
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o mynetworks=127.0.0.0/8
    -o smtpd_data_restrictions
    -o smtpd_end_of_data_restrictions=
    -o local_header_rewrite_clients=
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o smtpd_milters=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings

Settings to change to allow PostFix to accept outgoing mail from authenticated users

1)
To make smtpd listen on an alternate port, you modify master.cf copy the existing smtpd entry and just change the first field from smtp to 587 or whatever port you want to listen on. If you want to use port 465, uncomment the smtps entry. I would not advise using unecrypted smtp on this port as it will likely just cause confusion and problems with mail clients (since 465 is designated as an ssl port).
The option your looking for to enable authentication is smtpd_sasl_auth_enable=yes and smtpd_recipient_restrictions=permit_sasl_authenticated (which you already have, so you just need to configure it). As you have these settings in your main.cf, they are enabled for all ports. There is no reason to only allow them on ports other than 25. If the mail comes through unauthenticated, then it will only be accepted for local delivery. If it comes through authenticated, it can go anywhere.

I'm not sure what you mean by 'why doesn't the SMTP have a reject restriction?'.

2)
You have to use SASL for authentication. So authentication is provided by an external service which postfix talks to. You can still use your existing MySQL database, you just need to configure an SASL service to use it. Cyrus SASL is the default provider in postfix. More can be read here.

3)
You already have smtpd_recipient_restrictions = permit_mynetworks, and mynetworks = 127.0.0.0/8, so anything from localhost will be accepted, including PHP.

NOTE I advise looking at all the options available for smtpd_recipient_restrictions. Just setting this to the values provided here and nothing else can cause undesired behavior. I'd read the postconf man page on all the settings I mentioned so that you understand what theyre doing before you implement them.

Best Answer

Related Solutions

Postfix – Check Outgoing Mail for Spam

Settings to change to allow PostFix to accept outgoing mail from authenticated users

Related Topic