Would an OnMessageRejection sub be useful?
I'm thinking that I'd like to invoke some firewall level blocking after a certain level of rejections from one IP address or even email address
Thoughts??
OnMessageRejection sub??
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
Re: OnMessageRejection sub??
Is there any other point than OnAcceptMessage which will reject *complete* messages while the deliverer is still connected? Let's take a look between OnSMTPData and OnDeliveryStart.
In OnSMTPData you only have information about the IP address, the port, whether the client is logged on, the sender and the recipients. Is that enough to decide about blocking the client completely?
*In OnAcceptMessage you have all information about the client and the message*, even whether it's spam or ham. This is a very good point to decide whether to accept or reject a message, as well as whether or not to block it by the firewall.
In OnDeliveryStart the deliverer is already disconnected and you have no more information about it unless you have stored it previously in mail headers in OnAcceptMessage (as we do). How can you decide to block the client's IP address at this point when you don't have it?
To answer your question: if there is a rejection point between OnAcceptMessage and OnDeliveryStart, then I would say yes; if not, then it is enough to invoke any blocking procedure in OnAcceptMessage.
By the way, is it really necessary to block by firewall? When we are blocking an IP address, we do it by registering it to our own DNSBL in OnAcceptMessage. HMS can handle this very well and you will see any dropping event in the HMS logs.
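An added example (not from this thread or from hMailServer's documentation) of doing the blocking from OnAcceptMessage as the reply above suggests: it counts rejections per client IP in a small text file and, once a threshold is reached, adds an inbound block rule with netsh advfirewall. The threshold, counter path and rule name are assumed values; the rejection criterion assumed here is hMailServer's own X-hMailServer-Spam header, so the script expects spam protection to have tagged the message before the event fires.

```vbscript
Option Explicit
' Assumed values: the threshold and the counter path are placeholders for this example.
Const BAN_THRESHOLD = 5
Const COUNT_FILE = "C:\hMailServer\Events\rejections.txt"

' Increments the rejection counter for sIP (kept as "ip=count" lines) and returns the new count.
Function BumpRejectionCount(sIP)
    Dim oFSO, oFile, oDict, sLine, sKey, aParts
    Set oFSO = CreateObject("Scripting.FileSystemObject")
    Set oDict = CreateObject("Scripting.Dictionary")
    If oFSO.FileExists(COUNT_FILE) Then
        Set oFile = oFSO.OpenTextFile(COUNT_FILE, 1)   ' 1 = ForReading
        Do Until oFile.AtEndOfStream
            sLine = oFile.ReadLine
            aParts = Split(sLine, "=")
            If UBound(aParts) = 1 Then oDict(aParts(0)) = CLng(aParts(1))
        Loop
        oFile.Close
    End If
    If oDict.Exists(sIP) Then
        oDict(sIP) = oDict(sIP) + 1
    Else
        oDict.Add sIP, 1
    End If
    Set oFile = oFSO.OpenTextFile(COUNT_FILE, 2, True)   ' 2 = ForWriting, create if missing
    For Each sKey In oDict.Keys
        oFile.WriteLine sKey & "=" & oDict(sKey)
    Next
    oFile.Close
    BumpRejectionCount = oDict(sIP)
End Function

' Adds an inbound block rule for sIP via the Windows Firewall CLI; runs under the hMailServer service account.
Sub BlockInFirewall(sIP)
    Dim oShell
    Set oShell = CreateObject("WScript.Shell")
    oShell.Run "netsh advfirewall firewall add rule name=""hms-ban " & sIP & """ dir=in action=block remoteip=" & sIP, 0, True
    EventLog.Write "Firewall block rule added for " & sIP
End Sub

Sub OnAcceptMessage(oClient, oMessage)
    ' Rejection criterion assumed here: hMailServer's spam protection has flagged the message.
    If UCase(oMessage.HeaderValue("X-hMailServer-Spam")) <> "YES" Then Exit Sub
    Result.Value = 1                      ' reject the message while the client is still connected
    Result.Message = "Message rejected as spam"
    If BumpRejectionCount(oClient.IPAddress) >= BAN_THRESHOLD Then
        BlockInFirewall oClient.IPAddress
    End If
End Sub
```

The flat-file counter has no locking, so two simultaneous sessions can lose an increment; a real deployment would keep the counter in a database and should exclude internal or NAT-shared addresses before creating a rule.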
Re: OnMessageRejection sub??
It takes stress off the server. Way more cycles for hMailServer to process a message than for Windows Firewall to drop a connection. Even less if your router is doing it.
Right now I have 16,880 IPs banned via rules in Windows Firewall. I figure I banned most of the world's bots trying to connect to port 25 because I'm down to a trickle of daily bans. I started this in July, so I'm ~5 months into it. Firewall still going strong. There doesn't seem to be much of a limit on the number of IPs - only the number of rules. I figured that out when I got to over 10k firewall rules and I started getting weird errors. Since then I've consolidated the rules into daily ones and it's going strong again.
Anyway, if you're interested: https://www.hmailserver.com/forum/viewt ... =9&t=34082
Re: OnMessageRejection sub??
palinka wrote: ↑2019-12-22 14:55
> It takes stress off the server. Way more cycles for hMailServer to process a message than for Windows Firewall to drop a connection. Even less if your router is doing it.
> Right now I have 16,880 IPs banned via rules in Windows Firewall. I figure I banned most of the world's bots trying to connect to port 25 because I'm down to a trickle of daily bans. I started this in July, so I'm ~5 months into it. Firewall still going strong. There doesn't seem to be much of a limit on the number of IPs - only the number of rules.
> I figured that out when I got to over 10k firewall rules and I started getting weird errors. Since then I've consolidated the rules into daily ones and it's going strong again.
> Anyway, if you're interested: https://www.hmailserver.com/forum/viewt ... =9&t=34082
Almost 17k forbidden addresses? What is your banning policy?
We only prohibit attempted intrusion with brute force, nothing else. Spammers are now treated by our outer firewall and what is not detected there runs through our own set of rules. Detection rate is now 99.999%.
If an address is blocked in HMS via autoban, it first runs through an evaluation process before the IP address is entered into the DNSBL. Among other things, it is checked whether
- it is an internal address
- an internal login name is used
- for all others, more complex test conditions apply
As a result:
- If it is an internal address, the ban is immediately removed.
- If it is an internal login name, the user is informed via XMPP and is directed to a special URL to remove the ban.
- What now remains is checked against further rules before an entry is made.
Particularly conspicuous addresses are redirected to a honeypot so that they can let off steam there. As long as they do this, they cannot cause any damage elsewhere.
But back to the firewall rules. Why do you ban the addresses on the mail server rather than on the front firewall? The front firewall is much better suited for such tasks than the Windows firewall.
Re: OnMessageRejection sub??
My front firewall was supplied by my ISP and can't do much more than port forwarding. It's really lame.
This is a hobby for me and I don't have a lot invested in it other than time. It's like a never-ending puzzle - battling spammers, among other things.
Nice setup you have there. Thanks for the description. I use SMS for the things you use XMPP for. It's also handy for letting me know about all kinds of things: services failing, power outages; sometimes I use it to notify me when an hMailServer filter gets triggered for testing purposes.
Re: OnMessageRejection sub??
That's the reason why we use paid services and let others fight our battles.
> Nice setup you have there. Thanks for the description. I use SMS for the things you use XMPP for. It's also handy for letting me know about all kinds of things: services failing, power outages; sometimes I use it to notify me when an hMailServer filter gets triggered for testing purposes.
The setup is very easy! All you need to do is host all your servers in house.
And by the way, I wish you a happy new year!
Re: OnMessageRejection sub??
palinka wrote: ↑2019-12-24 14:46
> My front firewall was supplied by my ISP and can't do much more than port forwarding. It's really lame.
> This is a hobby for me and I don't have a lot invested in it other than time. It's like a never-ending puzzle - battling spammers, among other things.
> Nice setup you have there. Thanks for the description. I use SMS for the things you use XMPP for. It's also handy for letting me know about all kinds of things: services failing, power outages; sometimes I use it to notify me when an hMailServer filter gets triggered for testing purposes.
I used to run my ISP box with everything on maximum lockdown, WiFi OFF and the DMZ pointing to my Cisco ASA5500. The Cisco box would then manage everything going in or out, stateful packet inspection, quality of service with bandwidth control (good thing with teens in the house) and much more...
Then the PSU blew up and even though I got a new PSU (without PoE capacity) I don't really miss it. It's just sitting on the shelf. It turned out to be total overkill for my installation.
Another thing is the Cisco software license is based on IP addresses registered by the ASA5500... Over the past 3 years I have gone from 4 to 20-ish clients including IoT devices like video surveillance, electrical heater management, Chromecasts, Apple TVs - and all that jazz.
SørenR.
Woke is Marxism advancing through Maoist cultural revolution.
Re: OnMessageRejection sub??
SorenR wrote: ↑2020-01-02 17:30
> palinka wrote: ↑2019-12-24 14:46
> > My front firewall was supplied by my ISP and can't do much more than port forwarding. It's really lame.
> > This is a hobby for me and I don't have a lot invested in it other than time. It's like a never-ending puzzle - battling spammers, among other things.
> > Nice setup you have there. Thanks for the description. I use SMS for the things you use XMPP for. It's also handy for letting me know about all kinds of things: services failing, power outages; sometimes I use it to notify me when an hMailServer filter gets triggered for testing purposes.
> I used to run my ISP box with everything on maximum lockdown, WiFi OFF and the DMZ pointing to my Cisco ASA5500. The Cisco box would then manage everything going in or out, stateful packet inspection, quality of service with bandwidth control (good thing with teens in the house) and much more...
Your setup is not much worse than mine! How do you manage your reverse proxy without passing the internal IPs through?
> Then the PSU blew up and even though I got a new PSU (without PoE capacity) I don't really miss it. It's just sitting on the shelf. It turned out to be total overkill for my installation.
This is exactly the reason why I do not use PoE switches, but supply each device individually with a PoE injector. If one breaks, the others continue to run.
> Another thing is the Cisco software license is based on IP addresses registered by the ASA5500... Over the past 3 years I have gone from 4 to 20-ish clients including IoT devices like video surveillance, electrical heater management, Chromecasts, Apple TVs - and all that jazz.
In the company we are running a WatchGuard cluster with 1-year licenses for unlimited users; at home I use a Rohde & Schwarz cluster with a 5-year license for 30 users, which is enough for my household. Both systems are directly on the front and with both systems I have only positive experiences. If a problem arises, I pass it on to others and do not invest additional time in it.
I personally believe that everyone should be willing to invest in paid firewall systems with pass-through security. The attacks are increasing and getting better and better. It's definitely no longer manageable for an individual, even if he is a professional. All others no longer have a chance anyway.
Re: OnMessageRejection sub??
Reverse proxy? Hairpinning is the work of the devil!
I have split DNS, one inside and one outside, and all outside FQDNs are matched to inside IP addresses.
ISP Internet thingy <-DMZ-> Cisco ASA5500 <-> Gigabit switches, WiFi APs and LAN clients/servers.
I just treat the ISP WiFi DSL/Cable/Fiber box thingy like a simple router and build the network like I have been doing for the past 30 years.
The only thing I use an "almost proxy" for is my webmail: Roundcube on Linux (Apache) with plugins to access the hMailServer PHP webadmin on IIS. IIS is not accessible from outside.
SørenR.
Woke is Marxism advancing through Maoist cultural revolution.
Re: OnMessageRejection sub??
SorenR wrote: ↑2020-01-07 10:34
> Reverse proxy? Hairpinning is the work of the devil!
> I have split DNS, one inside and one outside, and all outside FQDNs are matched to inside IP addresses.
> ISP Internet thingy <-DMZ-> Cisco ASA5500 <-> Gigabit switches, WiFi APs and LAN clients/servers.
> I just treat the ISP WiFi DSL/Cable/Fiber box thingy like a simple router and build the network like I have been doing for the past 30 years.
Again, nice setup! Thank you for the information.
> The only thing I use an "almost proxy" for is my webmail: Roundcube on Linux (Apache) with plugins to access the hMailServer PHP webadmin on IIS. IIS is not accessible from outside.
We never really got Roundcube to work, but instead we use Tine20, which was installed by my predecessor. I was never happy with it, but in the end there was never enough time to install an alternative.
In the end, it doesn't matter anymore, because we are going to migrate to O365 with Exchange - not my decision either.