20090703

Arming Messaging Server

Today I've got the three recipes to tighten the unwanted malicious user activity.
All of them are related to mappings file rules.

First i want to prohibit all the unauthenticated users from sending emails.
It could be achieved with a following line in the FROM_ACCESS table:

TCP|*|25|*|*|SMTP*|*|tcp_local|*@*|* $C$}$6,_canonical_name_{$N$ -$ Authentication$ required$ when$ sending$ with$ this$ envelope$ sender$ domain$E


The second step is to block attemtps of faking From header, after successful authentication
(for ex. using stolen password, or personal account in a negative manner).
I've prepared the suitable lines, also in FROM_ACCESS table:

*|SMTP*|*|tcp_auth|*@*|*@$4* $Y
*|SMTP*|*|tcp_auth|*@*|*@* $N$_Sender$ address$ rejected$ for$ $4

It reject the use of tcp_auth channel when domain of authenticated account is different from the one used within the From header.

The third method take advantage of check_metermaid.so library (included in Messaging Server installation).
MeterMaid could be used to throttle the agressive usage of mail server.
I've used two rules (to block them all ;-) ).
First one restrict the number of connections (15) in a unit of time (60 s.).
It's assigned under PORT_ACCESS table:

*|*|*|*|* $C$:A$[/opt/sun/comms/messaging64/lib/check_metermaid.so,throttle,ext_throttle,$3]$N421$ Connection$ declined$ at$ this$ time$E

Related thresholds are defined with a configutil command or by edition of msg.conf:

metermaid.config.secret = [your shared secret to authenticate incoming connections]
metermaid.config.serverhost = [host name or ip address of your metermaid server]
metermaid.table.ext_throttle.data_type = string
metermaid.table.ext_throttle.options = nocase
metermaid.table.ext_throttle.quota = 15
metermaid.table.ext_throttle.quota_time = 60

Ex.

# configutil -o metermaid.config.serverhost -v somehost.somedomain
# configutil -o metermaid.config.secret -v somesecret
and so on...

ext_throttle is defined by you throttling table name, and must be the same within the mappings and msg.conf files.

The second rule restrict number of total recipients sent to by a user (i've used the same limit values, but you could add the next throttle table with required thresholds).
It should be addes within the ORIG_SEND_ACCESS mapping tables:

tcp_auth|*|*|* $C$[/opt/sun/comms/messaging64/lib/check_metermaid.so,throttle,ext_throttle,$0]$NExcessive$ email$ sent$ -$ Please$ try$ again$ later$E

So, run imsimta cnbuild && imsimta restart and...

[...]
235 2.7.0 LOGIN authentication successful.
250 2.5.0 Address Ok.
250 2.1.5 marcin.wisnios@somedomain OK.
354 Enter mail, end with a single ".".
250 2.5.0 Ok.
250 2.5.0 Address Ok.
250 2.1.5 marcin.wisnios@somedomain OK.
354 Enter mail, end with a single ".".
250 2.5.0 Ok.
250 2.5.0 Address Ok.
250 2.1.5 marcin.wisnios@somedomain OK.
354 Enter mail, end with a single ".".
250 2.5.0 Ok.
[...]
250 2.5.0 Address Ok.
250 2.1.5 marcin.wisnios@somedomain OK.
354 Enter mail, end with a single ".".
250 2.5.0 Ok.
250 2.5.0 Address Ok.
550 5.7.1 Excessive email sent - Please try again later: marcin.wisnios@somedomain

Enjoy.

No comments: