[ngw] non-NDS users sending outbound
Keith Larson
klarson at K12GROUP.NET
Thu Apr 15 20:59:15 UTC 2010
I don't understand why you would do this with TCPCON. Are you just trying to secure smtp? Here are the steps that I'd recommend.
1. Check that GWIA does not allow relaying.
2. Configure relay exceptions within GWIA config for copiers and known safe devices within your network.
3. Change your firewall to only allow smtp to come or go from GWIA. You should not allow smtp to leave your network from anything except a known mail server. Moodle may try to send mail directly. You should either configure it to relay through GWIA or allow it to send out through your firewall, but understand the added risk.
4. If you are spam filtering through an appliance, through your ISP or through some other service, configure your firewall to ONLY allow INBOUND smtp from their range of IP addresses to GWIA's IP address, nothing else.
5. If you are relaying outbound mail through that same device, then only allow OUTBOUND smtp from GWIA to their ip address, nothing else.
I have every one of my schools configured this way and it works very well.
Keith Larson
Franklin Computer Services - K12 Group
(614) 561-4887
klarson at k12group.net
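The five steps above amount to one policy: GWIA is the only host that talks SMTP across the border, the filter range is the only outside party it talks to, and on the inside only a short exception list (copiers, Moodle relaying through GWIA) may hand mail to GWIA for an outside domain. The following is an added example, not code from Keith's post or from GroupWise; it models that policy in Python (plus the on-box iptables variant Joe mentions further down) and walks constructed flows through it. All addresses, the local domain (example.org) and the exception list are assumptions made up for the example.

```python
"""Added example: model the SMTP ingress/egress policy described in the thread
and check sample flows against it.  Every address below is constructed."""
import ipaddress

SMTP = 25
INTERNAL = ipaddress.ip_network("10.0.0.0/8")          # assumed school LAN
GWIA = ipaddress.ip_address("10.0.0.25")               # assumed GWIA address
FILTER_RANGE = ipaddress.ip_network("203.0.113.0/28")  # assumed spam-filter/ISP relay range
RELAY_EXCEPTIONS = {                                   # step 2: known safe internal senders
    ipaddress.ip_address("10.0.1.10"),                 # copier 1 (scan to e-mail)
    ipaddress.ip_address("10.0.1.11"),                 # copier 2
    ipaddress.ip_address("10.0.1.12"),                 # copier 3
    ipaddress.ip_address("10.0.0.40"),                 # Moodle, configured to relay via GWIA
}
LOCAL_DOMAINS = {"example.org"}                        # assumed local mail domain


def border_firewall(src, dst, dport=SMTP):
    """Steps 3-5: the perimeter passes port 25 only between GWIA and the filter."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dport != SMTP:
        return "allow"                                 # policy only constrains SMTP
    if src not in INTERNAL and dst in INTERNAL:        # inbound: filter -> GWIA only
        return "allow" if src in FILTER_RANGE and dst == GWIA else "deny"
    if src in INTERNAL and dst not in INTERNAL:        # outbound: GWIA -> filter only
        return "allow" if src == GWIA and dst in FILTER_RANGE else "deny"
    return "allow"                                     # LAN-to-LAN is not the border's job


def gwia_host_acl(src, dport=SMTP):
    """Joe's on-box variant: GWIA itself accepts port 25 only from known clients."""
    src = ipaddress.ip_address(src)
    if dport != SMTP:
        return "allow"
    return "allow" if src in RELAY_EXCEPTIONS or src in FILTER_RANGE else "deny"


def gwia_relay_decision(src, rcpt_domain):
    """Steps 1-2: 'Prevent message relaying' plus the exception list.  Delivery to a
    local domain is always accepted; relaying outward only from the exceptions."""
    src = ipaddress.ip_address(src)
    if rcpt_domain.lower() in LOCAL_DOMAINS:
        return "accept"
    return "accept" if src in RELAY_EXCEPTIONS else "reject-relay"


def end_to_end(src, dst, rcpt_domain):
    """Trace one message: border first, then (if dst is GWIA) the host ACL and
    the relay check.  Returns a short verdict string."""
    if border_firewall(src, dst) == "deny":
        return "blocked-at-border"
    if ipaddress.ip_address(dst) != GWIA:
        return "delivered-direct"                      # only if the border let it through
    if gwia_host_acl(src) == "deny":
        return "blocked-at-gwia-host"
    if gwia_relay_decision(src, rcpt_domain) != "accept":
        return "rejected-relay"
    return "accepted-by-gwia"


def iptables_rules():
    """Render the host ACL as iptables commands for a Linux GWIA (Joe's approach)."""
    rules = [f"iptables -A INPUT -p tcp --dport {SMTP} -s {FILTER_RANGE} -j ACCEPT"]
    rules += [f"iptables -A INPUT -p tcp --dport {SMTP} -s {ip} -j ACCEPT"
              for ip in sorted(RELAY_EXCEPTIONS)]
    rules.append(f"iptables -A INPUT -p tcp --dport {SMTP} -j DROP")
    return rules


if __name__ == "__main__":
    cases = [  # constructed flows: (source, SMTP destination, recipient domain)
        ("10.0.2.77", "198.51.100.9", "victim.example"),   # infected PC, direct to Internet
        ("10.0.2.77", str(GWIA), "victim.example"),        # infected PC, via GWIA
        ("10.0.1.10", str(GWIA), "parent.example"),        # copier scan-to-email, outside domain
        ("10.0.0.40", "198.51.100.9", "parent.example"),   # Moodle trying to send direct
        ("10.0.0.40", str(GWIA), "parent.example"),        # Moodle relaying via GWIA
        ("192.0.2.5", str(GWIA), "example.org"),           # random Internet host
        ("203.0.113.3", str(GWIA), "example.org"),         # spam filter delivering local mail
        ("203.0.113.3", str(GWIA), "victim.example"),      # spam filter asked to relay outward
    ]
    for src, dst, dom in cases:
        print(f"{src:>14} -> {dst:<14} rcpt@{dom:<15} {end_to_end(src, dst, dom)}")
    print("\n".join(iptables_rules()))
```

The infected workstation is stopped twice: the border drops its direct port-25 attempt, and the host ACL drops its attempt to hand mail to GWIA. Moodle only gets out by relaying through GWIA, which is the trade-off Keith describes in step 3. Note that the filter range is allowed to connect but not to relay: mail it delivers for an outside domain is rejected, so a compromised or misrouted upstream cannot turn GWIA into an open relay either.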
>>> Maurice <mauricep at cds-cumberland.org> 4/15/2010 4:20 PM >>>
Well, having little experience with TCPCON, what would the general steps
be to exclude traffic from 192.168.x.x to the Server?
Also, how are exceptions written? I have three copiers that scan to e-mail.
Thanks
-Maurice Pelletier
Child Development Services - Cumberland County
50 Depot Road
Falmouth, ME 04105
207-781-8881 (voice)
207-781-8855 (fax)
www.cds-cumberland.org
"Linux -- it's not just for breakfast anymore..."
-Moe
CONFIDENTIALITY NOTICE: This communication (including any attachments) may contain privileged or confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this communication and/or shred the materials and any attachments and are hereby notified that any disclosure, copying, or distribution of this communication, or the taking of any action based on it, is strictly prohibited. Thank you.
On 04/15/2010 12:00 PM, Joe Acquisto wrote:
> The idea is to keep "unauthorized" clients from connecting to port 25
> on gwia. Block everyone and allow
> only whom you choose to allow.
>
> On Linux, one can do this on the box itself, with iptables. We do
> this internally.
> In NetWare, it is a bit more painful, using TCPCON, say, but still do-able.
>
> That way, "the network" can be left alone and the box itself protected.
>
> joe a.
>
> On Thu, Apr 15, 2010 at 11:55 AM, David Gerisch
> <DEGerisch at co.tulare.ca.us> wrote:
>
>> I think what Kevin is saying is to have the router block incoming port 25 from your internal network to the GWIA.
>>
>> In my environment, it is rare for a user level workstation to need to send SMTP mail. Our GIS guy has an app that does it, but that is about 50 PCs out of 4,500. Wholesale blocking of SMTP is likely not appropriate for the network the servers are on.
>>
>> David Gerisch
>>
>>
>>>>> Maurice <mauricep at cds-cumberland.org> 04-14-2010 12:24 >>>
>>>>>
>> All the traffic appears to be at the GWIA level, when I ran my report
>> for PO usage there's a listing without a GW User Domain or GW User PO
>> identifier but the total listed matches the offending User in the
>> Outbound report.
>>
>>
>> What setting for the GWIA can I change to stop this type of relay?
>> Currently I have Prevent Message relaying checked, with a few exceptions
>> (that we've had for years) for Servers that produce e-mail notifications.
>>
>> How would blocking port 25 at the Router level help my GWIA with
>> outbound e-mail?
>>
>> On 04/14/2010 12:29 PM, Kevin Parris wrote:
>>
>>> Is the malware output going through the POA, as in is the malware using the GW Client to make the connection? Or is the malware finding your GWIA and using direct SMTP to drop off the garbage for relaying?
>>>
>>> If the latter, set your firewall rules to block port 25 outbound from your internal network.
>>>
>>>
>>>
>>>>>> Maurice <mauricep at cds-cumberland.org> 04/14/10 12:03 PM >>>
>>>>>>
>>>>>>
>>> Over the course of the last week or so I've been dealing with a
>>> recurring problem.
>>> Basically someone on the network is getting infected at the PC level
>>> with malware, then that malware, using my GWIA, sends out a ton of junk
>>> until I can jump in and stop it...
>>> My first warning of trouble is a staff member who checks the Sent folder often
>>> and will report a Pending piece of mail; then I'll check the GWAVA
>>> 3rd/Send folder and it will have thousands of entries...
>>> At this point I'll review a few samples and go from there...
>>> I also import the ACCT data file each morning into a database that
>>> allows reporting - Chris Premo of the Medical Board of CA wrote it...
>>> The generated report will list the offending sender (always a non-NDS
>>> ID). I then look at the top 5 in this list and we review those PCs for
>>> malware.
>>> Once I have the naming for the offending sender I then add it to GWAVA
>>> and all is good for a while.
>>>
>>> Is there a way on the PO, MTA or GWIA level to stop any outbound e-mail
>>> that isn't connected to a known NDS ID?
>>> What tools are others running with GroupWise 7.0.2HP to avoid this problem?
>>>
>>>
>>> Also, are any of you running something to Filter for malware on the
>>> Router or between your Router and internal network; Untangle, Cisco
>>> add-ons, etc.?
>>>
>>>
>>>
>>> Thanks
>>>
>>>
>>>
>>
>> _______________________________________________
>> ngw mailing list
>> ngw at ngwlist.com
>> http://ngwlist.com/mailman/listinfo/ngw