Force OVZ to forward outgoing SMTP 25 to an external SMTP relay?

dnwk Member
edited March 2013 in Help

Is it possible to do something on the node to force all outgoing email from the VM (OVZ) to go through a pre-set external SMTP relay?

e.g. I set up an SMTP relay server somewhere else, and forward all outgoing SMTP traffic to that SMTP relay server transparently?

Comments

  • shovenose Member, Host Rep

    That is an awesome idea. I would be interested in this as well.

  • @dnwk

    I remember when I had a node in Redstation a while ago, we had to give the external mail relay to the user under reasons, they blocked SMTP and PHP Mail through their switches / routers, most likely a way to stop abuse reports, stopped abuse reports for spam e-mails for us though :').

    The only way I could figure it out is to either manually modify each template with the information already configured, but there must be a way to forward all X request to X SMTP relay.

  • dnwk Member
    edited March 2013

    @eastonch
    Is there a way to do that in iptables on the node? like port forwarding?

  • @dnwk I don't know off-by-heart but I'm sure there must be.

  • @shovenose said: That is an awesome idea.

    From a providers perspective perhaps. From the perspective of a legitimate user who sends legitimate mail it sucks.

  • dnwk Member

    @sleddog said: From the perspective of a legitimate user who sends legitimate mail it sucks.

    However, it does not stop users from sending emails. Their email still gets delivered.

  • This is simple in the config of your SMTP server. If you are trying to hijack clients, again it is simple in the router, but highly unethical.

  • @sleddog not really, if you have a relay which checks the content before sending, limits sending per CTID, stops duplicate mail, etc. Header analysis whatnot.

    Would be good to stop abuse.

  • Also could be a very good way to piss off your legitimate customers.

  • @rds100 which part? The analysis of e-mail? Privacy invasion, especially if the mail is sociable and legitimate.

  • dnwk Member
    edited March 2013

    @miTgiB said: it is simple in the router

    How to do that in an iptables command?

  • dnwk Member

    @eastonch
    Norton Cloud Security has a pretty affordable outgoing SMTP relay service which does email analysis and also ensures delivery.

  • If it inserts another hop between me and the destination smtp server then it's going to be seen as the last hop by the destination smtp server. Which will affect stuff like my dkim sigs. And if the relay is down I can't send mail. And if the relay ever gets blacklisted my mail may not get delivered.

  • dnwk Member

    @sleddog said: If it inserts another hop between me and the destination smtp server then it's going to be seen as the last hop by the destination smtp server. Which will affect stuff like my dkim sigs. And if the relay is down I can't send mail. And if the relay ever gets blacklisted my mail may not get delivered.

    So, you think it is better to tell them we block port 25 and give them a relay as an alternative? If the relay gets blacklisted, it is much easier to deal with than dealing with your DC.

  • jar Patron Provider, Top Host, Veteran
    edited March 2013

    @dnwk said: So, you think it is better to tell them we block port 25 and give them a relay as an alternative? If the relay gets blacklisted, it is much easier to deal with than dealing with your DC.

    Block the ports by default, unblock by request. Rate limit SMTP, alert when rate limit hit, open dialogue with client. Use maxmind, require address to match on PayPal. There are a lot of ways to cut down on spammers.

  • t3k9 Member

    iptables on your node:
    iptables -t nat -A OUTPUT -p tcp --dport 25 -j DNAT --to-destination <ip of relay>:<port>

  • @dnwk said: So, you think it is better to tell them we block port 25 and give them a relay as an alternative?

    Yes. Upfront. Before purchase. So people understand what they are buying.

  • dmmcintyre3 Member
    edited March 2013

    @sleddog said: Before purchase.

    And clearly mention it on the site instead of hiding it in the TOS/AUP/etc.

  • @eastonch said: @rds100 which part? The analysis of e-mail? Privacy invasion, especially if the mail is sociable and legitimate.

    Not sure if being sarcastic or not....

  • Patrick Member
    edited March 2013

    @eastonch said: I remember when I had a node in Redstation a while ago

    Do you know they can view all your emails' contents, not just the headers they claim? It was posted on WHT a few months back and someone queried that and they didn't respond.

  • Kris Member

    http://www.mailjet.com/

    6k free messages per month, works with Exim and SMTP on clients. DKIM and SPF setup as well.

  • @miTgiB and @Kris got the idea on this .. and no shame in paying for these services imho

  • t3k9 Member

    If you want to prevent spammers from abusing your node it might be a better idea to rate limit outgoing SMTP connections rather than redirecting to a relay without the users' knowledge.

    With iptables:

    # match only new connections (--syn) so established SMTP sessions are not throttled mid-transfer
    iptables -A OUTPUT -p tcp --dport 25 --syn -m limit --limit 60/sec -j ACCEPT
    # tag the log lines so they are easy to grep for
    iptables -A OUTPUT -p tcp --dport 25 --syn -j LOG --log-prefix "SMTP-LIMIT: "
    iptables -A OUTPUT -p tcp --dport 25 --syn -j DROP

    Log your blocked connections so you can identify the abuser.
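    The script below is an added example, not t3k9's rules or anything posted in this thread. It extends the rate-limiting idea above in two ways: it limits new SMTP connections per source address (so one container hitting the limit does not throttle the others) using the hashlimit match, and it parses the resulting kernel LOG lines to show which source hit the limit, which is the "identify the abuser" step. Assumptions, all labelled in the code: container traffic crosses the node's FORWARD chain (venet), one source IP equals one container, 30 new connections per minute per source is a reasonable ceiling, and the log lines are constructed samples, not real data. The rules are only printed unless SMTP_APPLY=1 is set and the script runs as root.

```shell
#!/bin/sh
# Added example (not from this thread): per-source SMTP connection limiting on
# an OpenVZ hardware node, plus a parser for the LOG lines it produces so the
# container that hit the limit can be identified. Assumptions: container traffic
# crosses the node's FORWARD chain (venet), a source IP maps to one container,
# and 30 new connections per minute per source is an acceptable limit.

# Run an iptables rule, or just print it when SMTP_APPLY is not set to 1
# (printing needs no root and lets the rule set be reviewed first).
run_rule() {
    if [ "${SMTP_APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# Per-source limit using the hashlimit match keyed on srcip. Only SYN packets
# are matched, so established sessions are never throttled mid-transfer.
# Excess SYNs are logged (the LOG rule itself is rate-limited to keep the
# kernel log readable) and then dropped.
smtp_ratelimit_rules() {
    run_rule -A FORWARD -p tcp --dport 25 --syn \
        -m hashlimit --hashlimit-name smtp25 --hashlimit-mode srcip \
        --hashlimit-upto 30/min --hashlimit-burst 30 -j ACCEPT
    run_rule -A FORWARD -p tcp --dport 25 --syn \
        -m limit --limit 5/min -j LOG --log-prefix 'SMTP-RATELIMIT: '
    run_rule -A FORWARD -p tcp --dport 25 --syn -j DROP
}

# Read kernel log lines on stdin, count the SRC= field of lines carrying our
# prefix, and print "count source" with the busiest source first.
top_smtp_sources() {
    awk '/SMTP-RATELIMIT:/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); count[$i]++ }
         }
         END { for (s in count) print count[s], s }' | sort -rn
}

# Constructed sample log (not real data): two containers, one clearly busier,
# plus an unrelated kernel line that must be ignored by the parser.
SAMPLE_LOG='Mar 12 10:00:01 node kernel: SMTP-RATELIMIT: IN=venet0 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP SPT=45001 DPT=25 SYN
Mar 12 10:00:02 node kernel: SMTP-RATELIMIT: IN=venet0 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.11 PROTO=TCP SPT=45002 DPT=25 SYN
Mar 12 10:00:02 node kernel: eth0: link is up
Mar 12 10:00:03 node kernel: SMTP-RATELIMIT: IN=venet0 OUT=eth0 SRC=10.0.0.7 DST=203.0.113.12 PROTO=TCP SPT=51000 DPT=25 SYN
Mar 12 10:00:04 node kernel: SMTP-RATELIMIT: IN=venet0 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.13 PROTO=TCP SPT=45003 DPT=25 SYN'

echo "# rules (dry run; set SMTP_APPLY=1 and run as root to install):"
smtp_ratelimit_rules
echo "# sources that hit the limit in the sample log:"
printf '%s\n' "$SAMPLE_LOG" | top_smtp_sources
```

    On a live node you would feed the parser with something like `grep SMTP-RATELIMIT /var/log/kern.log | top_smtp_sources`; the output ranks source addresses by how often they exceeded the limit, which is exactly the list you want before opening a dialogue with the client, as suggested further up the thread. The DROP rule only matches SYNs, so an already established SMTP session is never cut off halfway through a message.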

  • That isn't fair to a lot of legit companies out there.. I call it directing mail to an authorized smart host through secure smtp with the intention of handling my ISP feed back loop communication, spf records, sender or ip reputation management and general adaptive technologies for management of certain Email activities. Some effective business models combine these processes with Dedicated account management on various levels to give corporations around the world a clear path for this part of their business. Bad form Pan!

  • jar Patron Provider, Top Host, Veteran

    Rate limiting is the key. If they need to send 10,000 emails a minute and they can't afford the isolation of a truly dedicated environment then they should really think about their business plans. Now, I've got a couple high volume mailers I work with on our nodes, don't get me wrong, but providers need to take care of their nodes. Rate limit or block. But tunnel blindly? Yeah that's a bad move. Cool idea, just a bad move to execute.

  • tcreu Member

    It is interesting that CEOs, founders and sysadmins don't have basic knowledge about iptables.

  • mikho Member, Host Rep

    @tcreu
    Unless the CEO or founder is the technical contact of the company, why would he/she know of iptables?

    Sysadmin is another thing.

  • tcreu Member

    Because probably all of the LEB companies from this forum are one-to-three-man shows where everyone does almost everything.

  • @t3k9 I assume the 'blocked' connections would shout the IP that it's originating from too, right?

  • t3k9 Member

    @eastonch said: @t3k9 I assume the 'blocked' connections would shout the IP that it's originating from too, right?

    The -j DROP target will silently drop packets; nothing is logged.
