OnMessageRejection sub??

Use this forum if you want to suggest a new feature to hMailServer. Before posting, please search the forum to confirm that it has not already been suggested.
mattg
Moderator
Posts: 20474
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

OnMessageRejection sub??

Post by mattg » 2017-03-07 15:40

Would an OnMessageRejection sub be useful?

I'm thinking that I'd like to invoke some firewall-level blocking after a certain level of rejections from one IP address or even email address.
Thoughts??
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

estradis
Normal user
Posts: 154
Joined: 2014-09-09 10:47

Re: OnMessageRejection sub??

Post by estradis » 2019-12-22 11:16

mattg wrote:
2017-03-07 15:40
Would an OnMessageRejection sub be useful?

I'm thinking that I'd like to invoke some firewall-level blocking after a certain level of rejections from one IP address or even email address.
Thoughts??
Is there any other point than OnAcceptMessage which will reject *complete* messages while the deliverer is still connected? Let's take a look between OnSMTPData and OnDeliveryStart.

In OnSMTPData you only have information about the IP address, the port, whether the client is logged on, the sender and the recipients. Is that enough to decide about blocking the client completely?

*In OnAcceptMessage you have all information about the client and the message*, regardless of whether it's spam or ham. This is a very good point to decide to accept or reject a message as well as to block or not by the firewall.

In OnDeliveryStart the deliverer is already disconnected and you have no more information about it, unless you have stored it previously in mail headers in OnAcceptMessage (as we do). How can you decide to block the client's IP address at this point when you don't have it?

To answer your question, if there is a rejection point between OnAcceptMessage and OnDeliveryStart, then I would say yes; if not, then it is enough to invoke any blocking procedure in OnAcceptMessage.

By the way, is it really necessary to block by firewall? When we block an IP address, we do it by registering it in our own DNSBL in OnAcceptMessage. HMS can handle this very well and you will see every dropping event in the HMS logs.

palinka
Senior user
Posts: 1432
Joined: 2017-09-12 17:57

Re: OnMessageRejection sub??

Post by palinka » 2019-12-22 14:55

estradis wrote:
2019-12-22 11:16
mattg wrote:
2017-03-07 15:40
Would an OnMessageRejection sub be useful?

I'm thinking that I'd like to invoke some firewall-level blocking after a certain level of rejections from one IP address or even email address.
Thoughts??
By the way, is it really necessary to block by firewall? When we block an IP address, we do it by registering it in our own DNSBL in OnAcceptMessage. HMS can handle this very well and you will see every dropping event in the HMS logs.
It takes stress off the server. Way more cycles for hMailServer to process a message than for Windows Firewall to drop a connection. Even less if your router is doing it.

Right now I have 16,880 IPs banned via rules in Windows Firewall. I figure I banned most of the world's bots trying to connect to port 25 because I'm down to a trickle of daily bans. I started this in July, so I'm ~5 months into it. Firewall still going strong. There doesn't seem to be much of a limit on the number of IPs - only the number of rules. I figured that out when I got to over 10k firewall rules and I started getting weird errors. Since then I've consolidated the rules into daily ones and it's going strong again.

Anyway, if you're interested: https://www.hmailserver.com/forum/viewt ... =9&t=34082
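The consolidation palinka describes (one firewall rule per day rather than one per banned address), as an added example that is not code from the thread or from hMailServer: a PowerShell function that looks up today's inbound block rule, merges new addresses into its remote-address list, and creates the rule only on the first ban of the day. The rule-name prefix, the blocked ports, and the refusal of unparsable or loopback addresses are my assumptions; it uses only the standard `NetSecurity` cmdlets and must run elevated.

```powershell
# Added example, not from the thread or from hMailServer.
# Keeps ONE inbound block rule per calendar day and grows its remote-address
# list, so the rule count stays at roughly 365 per year while the banned-IP
# count can reach tens of thousands.
# Assumptions: rule name prefix, SMTP listener ports, elevated shell.
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest

$RulePrefix   = 'hMailServer-Ban'        # assumed naming convention
$BlockedPorts = @('25', '465', '587')    # assumed: the SMTP listener ports

function Add-BannedAddress {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$IPAddress
    )
    begin {
        $name = '{0}-{1}' -f $RulePrefix, (Get-Date -Format 'yyyy-MM-dd')
        $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
        # Start from the addresses already in today's rule so nothing is lost;
        # drop a literal 'Any', which cannot be mixed with explicit addresses.
        $existing = @()
        if ($rule) {
            $existing = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress) |
                Where-Object { $_ -ne 'Any' }
        }
        $addresses = [System.Collections.Generic.HashSet[string]]::new([string[]]$existing)
    }
    process {
        foreach ($ip in $IPAddress) {
            $parsed = $null
            # Reject anything that is not a literal IPv4/IPv6 address: one bad
            # token would make Set-NetFirewallRule fail for the whole day.
            if (-not [System.Net.IPAddress]::TryParse($ip.Trim(), [ref]$parsed)) {
                Write-Warning "Skipping unparsable address '$ip'"
                continue
            }
            # Never block loopback; banning yourself is the classic failure mode.
            if ([System.Net.IPAddress]::IsLoopback($parsed)) {
                Write-Warning "Refusing to ban loopback address $parsed"
                continue
            }
            [void]$addresses.Add($parsed.ToString())
        }
    }
    end {
        if ($addresses.Count -eq 0) { return }
        $list = [string[]]$addresses
        if ($rule) {
            # Update the existing daily rule in place.
            Set-NetFirewallRule -DisplayName $name -RemoteAddress $list
        } else {
            # First ban of the day: create the rule with the full list.
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
                -Protocol TCP -LocalPort $BlockedPorts -RemoteAddress $list | Out-Null
        }
        Write-Verbose ("{0}: {1} remote addresses" -f $name, $list.Count)
    }
}

# Usage with constructed addresses from the documentation ranges:
# '203.0.113.7', '198.51.100.42' | Add-BannedAddress -Verbose
```

Feed it the addresses your hMailServer script or log parser decides to ban; re-running it with an address already in the list is harmless because the list is a set. The practical limit palinka hit was on the number of rules, not the number of addresses per rule, which is why the merge targets one rule per day rather than one per address.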

estradis
Normal user
Posts: 154
Joined: 2014-09-09 10:47

Re: OnMessageRejection sub??

Post by estradis » 2019-12-24 10:33

palinka wrote:
2019-12-22 14:55
estradis wrote:
2019-12-22 11:16

By the way, is it really necessary to block by firewall? When we block an IP address, we do it by registering it in our own DNSBL in OnAcceptMessage. HMS can handle this very well and you will see every dropping event in the HMS logs.
It takes stress off the server. Way more cycles for hMailServer to process a message than for Windows Firewall to drop a connection. Even less if your router is doing it.
Right now I have 16,880 IPs banned via rules in Windows Firewall. I figure I banned most of the world's bots trying to connect to port 25 because I'm down to a trickle of daily bans. I started this in July, so I'm ~5 months into it. Firewall still going strong. There doesn't seem to be much of a limit on the number of IPs - only the number of rules.
I figured that out when I got to over 10k firewall rules and I started getting weird errors. Since then I've consolidated the rules into daily ones and it's going strong again.

Anyway, if you're interested: https://www.hmailserver.com/forum/viewt ... =9&t=34082
Almost 17k forbidden addresses? What is your banning policy?

We only prohibit attempted intrusion by brute force, nothing else. Spammers are now handled by our outer firewall, and what is not detected there runs through our own set of rules. Detection rate is now 99.999%.

If an address is blocked in HMS via autoban, it first runs through an evaluation process before the IP address is entered into the DNSBL. Among other things, it is checked whether
- it is an internal address
- whether an internal login name is used
- for all others more complex test conditions apply

As a result
- If it is an internal address, the ban is immediately removed
- If it is an internal login name, the user is informed via XMPP and is directed to a special URL to remove the ban.
- What now remains is checked against further rules before an entry is made.

Particularly conspicuous addresses are redirected to a honeypot so that they can let off steam there. As long as they do this, they cannot cause any damage elsewhere.

But back to the firewall rules. Why don't you ban the addresses on the front firewall but on the mail server? The front firewall is much better suited for such tasks than the Windows firewall.
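The triage estradis describes (internal address: lift the ban; internal login name: notify the user; everything else: further rules before a DNSBL entry, with the noisiest sources sent to a honeypot), as an added example that is not the poster's own code: a PowerShell function that classifies an autobanned address and returns the action to take rather than executing it, so the XMPP notification, the unban URL and the DNSBL write stay in the caller. The internal ranges, the account list, the failed-login thresholds and the honeypot cut-off are my assumptions.

```powershell
# Added example, not from the thread or from hMailServer.
# Classifies an address that autoban just blocked BEFORE it is published to a
# private DNSBL. Actions are returned, not executed.
# Assumptions: internal ranges, the account list, and both thresholds.
Set-StrictMode -Version Latest

$InternalNetworks = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16',
                      '127.0.0.0/8', 'fc00::/7', '::1/128')        # assumed LAN ranges
$InternalLogins   = @('alice@example.com', 'bob@example.com')     # assumed account names

function Test-InSubnet {
    # Prefix-length match that works for IPv4 and IPv6 alike.
    param([System.Net.IPAddress]$Address, [string]$Cidr)
    $network, $prefixLength = $Cidr.Split('/')
    $netAddr = [System.Net.IPAddress]::Parse($network)
    if ($Address.AddressFamily -ne $netAddr.AddressFamily) { return $false }
    $a = $Address.GetAddressBytes(); $n = $netAddr.GetAddressBytes()
    $remaining = [int]$prefixLength
    for ($i = 0; ($i -lt $a.Length) -and ($remaining -gt 0); $i++) {
        $take = [Math]::Min(8, $remaining)
        $mask = (0xFF -shl (8 - $take)) -band 0xFF
        if (($a[$i] -band $mask) -ne ($n[$i] -band $mask)) { return $false }
        $remaining -= $take
    }
    return $true
}

function Get-BanDisposition {
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [string]$Username = '',    # login name the client tried, if any
        [int]$FailedLogins = 0     # count from your own log parsing (assumed input)
    )
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($IPAddress, [ref]$ip)) {
        return [pscustomobject]@{ Action = 'ignore'; Reason = "unparsable address '$IPAddress'" }
    }
    # 1. Internal address: lift the ban immediately and never publish it.
    foreach ($cidr in $InternalNetworks) {
        if (Test-InSubnet -Address $ip -Cidr $cidr) {
            return [pscustomobject]@{ Action = 'unban'; Reason = "internal address in $cidr" }
        }
    }
    # 2. Internal login name: a real user mistyped a password. Notify them and
    #    hand them the unban URL; the address is not listed.
    if ($Username -and ($InternalLogins -contains $Username.ToLowerInvariant())) {
        return [pscustomobject]@{ Action = 'notify-user'; Reason = "internal login '$Username'" }
    }
    # 3. Everyone else: assumed thresholds decide between a honeypot redirect
    #    for the noisiest sources, a plain DNSBL entry, or holding the address
    #    for further rules.
    if ($FailedLogins -ge 100) {
        return [pscustomobject]@{ Action = 'honeypot'; Reason = "$FailedLogins failed logins" }
    }
    if ($FailedLogins -ge 10) {
        return [pscustomobject]@{ Action = 'dnsbl'; Reason = "$FailedLogins failed logins" }
    }
    return [pscustomobject]@{ Action = 'review'; Reason = 'below threshold, apply further rules' }
}

# Constructed inputs for a quick check (expected Action in the trailing comment):
# Get-BanDisposition -IPAddress '192.168.1.20' -Username 'alice@example.com' -FailedLogins 5   # unban
# Get-BanDisposition -IPAddress '203.0.113.9'  -Username 'alice@example.com' -FailedLogins 5   # notify-user
# Get-BanDisposition -IPAddress '198.51.100.7' -Username 'admin'             -FailedLogins 40  # dnsbl
# Get-BanDisposition -IPAddress '198.51.100.8' -Username 'admin'             -FailedLogins 400 # honeypot
```

The ordering matters: the internal-address check runs first so that a misconfigured client on the LAN can never be published to the DNSBL, and the internal-login check runs before any threshold so that a legitimate user who fat-fingers a password ten times is told about it instead of being listed. Everything the function cannot decide is returned as `review`, which is where the "further rules" estradis mentions belong.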

palinka
Senior user
Posts: 1432
Joined: 2017-09-12 17:57

Re: OnMessageRejection sub??

Post by palinka » 2019-12-24 14:46

My front firewall was supplied by my ISP and can't do much more than port forwarding. It's really lame. :mrgreen:

This is a hobby for me and I don't have a lot invested in it other than time. It's like a never ending puzzle - battling spammers, among other things.

Nice setup you have there. Thanks for the description. I use SMS for the things you use XMPP for. It's also handy for letting me know about all kinds of things: services failing, power outages, sometimes I use it to notify me when a hmailserver filter gets triggered for testing purposes.

estradis
Normal user
Posts: 154
Joined: 2014-09-09 10:47

Re: OnMessageRejection sub??

Post by estradis » 2020-01-02 11:52

palinka wrote:
2019-12-24 14:46
My front firewall was supplied by my ISP and can't do much more than port forwarding. It's really lame. :mrgreen:

This is a hobby for me and I don't have a lot invested in it other than time. It's like a never ending puzzle - battling spammers, among other things.
That's the reason why we use paid services and let others fight our battles. :twisted:
Nice setup you have there. Thanks for the description. I use SMS for the things you use XMPP for. It's also handy for letting me know about all kinds of things: services failing, power outages, sometimes I use it to notify me when a hmailserver filter gets triggered for testing purposes.
The setup is very easy! All you need to do is host all your servers in house. :lol:

And by the way, I wish you a happy new year!

SorenR
Senior user
Posts: 3294
Joined: 2006-08-21 15:38
Location: Denmark

Re: OnMessageRejection sub??

Post by SorenR » 2020-01-02 17:30

palinka wrote:
2019-12-24 14:46
My front firewall was supplied by my ISP and can't do much more than port forwarding. It's really lame. :mrgreen:

This is a hobby for me and I don't have a lot invested in it other than time. It's like a never ending puzzle - battling spammers, among other things.

Nice setup you have there. Thanks for the description. I use SMS for the things you use XMPP for. It's also handy for letting me know about all kinds of things: services failing, power outages, sometimes I use it to notify me when a hmailserver filter gets triggered for testing purposes.
I used to run my ISP box with everything on maximum lockdown, WiFi OFF and the DMZ pointing to my Cisco ASA5500. The Cisco box would then manage everything going in or out: stateful packet inspection, quality of service with bandwidth control (a good thing with teens in the house) and much more...

Then the PSU blew up and even though I got a new PSU (without PoE capacity) I don't really miss it. It's just sitting on the shelf. It turned out to be total overkill for my installation.

Another thing is that the Cisco software license is based on IP addresses registered by the ASA5500... Over the past 3 years I have gone from 4 to 20-ish clients including IoT devices like video surveillance, electrical heater management, Chromecasts, Apple TVs - and all that jazz.
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

estradis
Normal user
Posts: 154
Joined: 2014-09-09 10:47

Re: OnMessageRejection sub??

Post by estradis » 2020-01-07 10:08

SorenR wrote:
2020-01-02 17:30
palinka wrote:
2019-12-24 14:46
My front firewall was supplied by my ISP and can't do much more than port forwarding. It's really lame. :mrgreen:

This is a hobby for me and I don't have a lot invested in it other than time. It's like a never ending puzzle - battling spammers, among other things.

Nice setup you have there. Thanks for the description. I use SMS for the things you use XMPP for. It's also handy for letting me know about all kinds of things: services failing, power outages, sometimes I use it to notify me when a hmailserver filter gets triggered for testing purposes.
I used to run my ISP box with everything on maximum lockdown, WiFi OFF and the DMZ pointing to my Cisco ASA5500. The Cisco box would then manage everything going in or out: stateful packet inspection, quality of service with bandwidth control (a good thing with teens in the house) and much more...
Your setup is not much worse than mine! How do you manage your reverse proxy without passing the internal IPs through?
Then the PSU blew up and even though I got a new PSU (without PoE capacity) I don't really miss it. It's just sitting on the shelf. It turned out to be total overkill for my installation.
This is exactly the reason why I do not use PoE switches, but supply each device individually with a PoE injector. If one breaks, the others continue to run.
Another thing is that the Cisco software license is based on IP addresses registered by the ASA5500... Over the past 3 years I have gone from 4 to 20-ish clients including IoT devices like video surveillance, electrical heater management, Chromecasts, Apple TVs - and all that jazz.
In the company we are running a Watchguard cluster with 1Y licenses for unlimited users; at home I use a Rohde & Schwarz cluster with a 5Y license for 30 users, which is enough for my household. Both systems are directly on the front, and with both systems I have only positive experiences. If a problem arises, I pass it on to others and do not invest additional time in it.

I personally believe that everyone should be willing to invest in paid firewall systems with pass-through security. The attacks are increasing and getting better and better. It's definitely no longer manageable for an individual, even if he is a professional. All others no longer have a chance anyway.

SorenR
Senior user
Posts: 3294
Joined: 2006-08-21 15:38
Location: Denmark

Re: OnMessageRejection sub??

Post by SorenR » 2020-01-07 10:34

estradis wrote:
2020-01-07 10:08
Your setup is not much worse than mine! How do you manage your reverse proxy without passing the internal IPs through?
Reverse proxy ? Hairpinning is the work of the devil !
I have split DNS, one inside and one outside, and all outside FQDNs are matched to inside IP addresses.

ISP Internet thingy <-DMZ-> Cisco ASA5500 <-> Gigabit switches, WiFi AP's and LAN clients/servers.
I just treat the ISP WiFi DSL/Cable/Fiber box thingy like a simple router and build the network like I have been doing the past 30 years.

The only thing I use an "almost proxy" for is my webmail. Roundcube on Linux (Apache) with plugins to access hMailServer PHP webadmin on IIS. IIS is not accessible from outside.
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

estradis
Normal user
Posts: 154
Joined: 2014-09-09 10:47

Re: OnMessageRejection sub??

Post by estradis » 2020-01-09 10:56

SorenR wrote:
2020-01-07 10:34

Reverse proxy ? Hairpinning is the work of the devil !
I have split DNS, one inside and one outside, and all outside FQDNs are matched to inside IP addresses.

ISP Internet thingy <-DMZ-> Cisco ASA5500 <-> Gigabit switches, WiFi AP's and LAN clients/servers.
I just treat the ISP WiFi DSL/Cable/Fiber box thingy like a simple router and build the network like I have been doing the past 30 years.
Again, nice setup! Thank you for the information.
The only thing I use an "almost proxy" for is my webmail. Roundcube on Linux (Apache) with plugins to access hMailServer PHP webadmin on IIS. IIS is not accessible from outside.
We never really got Roundcube to work, so instead we use Tine20, which was installed by my predecessor. I was never happy with it, but in the end there was never enough time to install an alternative.

In the end, it doesn't matter anymore, because we are going to migrate to O365 with Exchange - not my decision either.
