Part 7 - HowTos

For everything that follows, the same rules apply as written in the Introduction:

  • The main purpose of this part is to collect and describe several recommendable HowTos regarding the Copfilter-Addon for IPCop 1.4.2x (abbreviated: V1) and 1.9.x/2.x (abbreviated: V2).
  • If problems occur while following these guides, please open a new thread in the Copfilter-Forum or send us (karesmakro, severus, fischerm) a PM (Private Message) via the Copfilter Forum.
    Any requests for changes or extensions will be taken into account.
  • This comes with absolutely no functional guarantees!

ATTENTION!

  • Extensive knowledge of how the IPCop firewall and Copfilter work in general, plus extensive Linux experience, is an absolute must for the methods described here!
  • This is not for novices to experiment with; you need to know what you are doing and what the consequences may be…
  • A full backup, a functioning restore, and the willingness to reinstall a defective IPCop-system are prerequisites!

1. Copfilter and Exchange

Because someone asks for it from time to time, here's a short tutorial on how to configure Copfilter for use with Exchange Server (2003).

  • This guide is not intended to be exhaustive - no functional guarantees - additions or corrections are welcome!

Exchange 2003 Configuration

Exchange 2003 configuration step by step:
http://www.servolutions.com/support/config_exchange_2003.htm

Preventing Exchange 2000/2003 from Relaying:
http://www.petri.co.il/preventing_exchange_2000_2003_from_relaying.htm

Copfilter-FAQ and Exchange Screenshots

See: http://www.copfilter.org/pg65:

##################################################

Question
I'm using incoming SMTP scanning, emails get forwarded to my internal Microsoft Exchange server, but now the Exchange server is an open relay. How can I resolve this?

Answer (from the forum - unfortunately gone!):

As described above I only allowed the Mailserver itself to relay.

  • In the System-Manager → Server → Protocol → SMTP → virtual SMTP, opened the Properties window.

[Screenshot: Exchange smtp virtual server properties]

  • There, in the sheet Access → Relay restrictions, marked 'only computers in the list below'.

[Screenshot: Exchange smtp virtual server prop. access]
[Screenshot: Exchange smtp virtual server prop. relay]

  • In the list the only entry is 'allow 127.0.0.1':

[Screenshot: Exchange relay restrictions]

  • Do not allow authenticated computers to relay.
  • Do not enter the IP address of the Copfilter-Host here.
  • At 'users': authenticated users are allowed to transmit, not to relay.
  • We have the German version of MS-Exchange 2003, so translation could differ a bit.
  • I did some tests before with online services to check the relay behaviour of the server.
  • It was marked as open relay there.
  • After the changes in the relay options it was OK, no more open relay.

##################################################
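The effect of the relay list described in the answer above can be modelled in a few lines. This is an added example, not part of the FAQ answer or of Copfilter; it assumes that Exchange sees every message proxied from RED as coming from the Copfilter host's address, and the class names, function names, addresses and domains are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class RelayPolicy:
    """Hypothetical model of the 'Relay restrictions' sheet."""
    granted: tuple            # 'only computers in the list below'
    auth_may_relay: bool      # may authenticated computers relay?
    local_domains: frozenset  # domains this server accepts mail for

@dataclass(frozen=True)
class Session:
    peer_ip: str         # source address as the mail server sees it
    authenticated: bool
    rcpt: str            # RCPT TO address

def accepts(policy, s):
    """Return (accepted, reason) for one RCPT TO under the modelled policy."""
    domain = s.rcpt.rsplit("@", 1)[-1].lower()
    if domain in policy.local_domains:
        return True, "local delivery"          # not relaying at all
    peer = ipaddress.ip_address(s.peer_ip)
    if any(peer in ipaddress.ip_network(n) for n in policy.granted):
        return True, "relay: peer is in the granted list"
    if s.authenticated and policy.auth_may_relay:
        return True, "relay: authenticated"
    return False, "relay denied"

def open_relay_via_proxy(policy, proxy_ip):
    """True if an unauthenticated Internet sender gets mail for a foreign
    domain accepted. Assumption: the server sees the proxy's IP as peer."""
    probe = Session(proxy_ip, False, "someone@elsewhere.example")
    return accepts(policy, probe)[0]

# Constructed sample values (documentation ranges, not taken from the page).
COPFILTER_IP = "192.0.2.1"
LOCAL = frozenset({"corp.example"})
weak = RelayPolicy(("127.0.0.1", COPFILTER_IP), True, LOCAL)
hardened = RelayPolicy(("127.0.0.1",), False, LOCAL)  # as in the answer

if __name__ == "__main__":
    for name, pol in (("weak", weak), ("hardened", hardened)):
        print(name, "open relay via proxy:",
              open_relay_via_proxy(pol, COPFILTER_IP))
        print("  inbound mail for own domain:",
              accepts(pol, Session(COPFILTER_IP, False, "user@corp.example")))
```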

http://www.spamhelp.org/shopenrelay/

SMTP Open Relay Test
This is a SMTP open relay test script which is able to optionally report open relays to DSBL (Distributed Server Boycott List).

Article: Is Your Exchange Server Relay-Secure?

http://www.windowsitpro.com/article/configuration/is-your-exchange-server-relay-secure-

Summary:
Protect Your Server and Your Reputation
These changes protect your Exchange server against relaying and help protect your reputation.
If you need to allow relaying, check out the Microsoft articles "XFOR: New IMS Routing Functionality in Exchange Server 5.0 SP2" (http://support.microsoft.com/support/kb/articles/q169/6/83.asp) and "XFOR: Restricting Routing in the Internet Mail Service" (German translation: XFOR: Festlegen von Routing-Beschränkungen im Internet Mail-Dienst), which I cited earlier.
You can make your server safer when you configure the system to allow as few systems as possible to relay through your server.
And don't forget to always thoroughly test your configuration!

For orientation: Screenshot Copfilter-"SMTP Filter"

ProxSMTP

| GUI-setting | Switch | Comment |
|---|---|---|
| 1. Enable ProxSMTP to filter outgoing traffic on GREEN | ON | Must be ON |
| 2. Add Copfilter Comment to Email Header | ON | Please write comments to the header: X-Filtered-With: / X-Copfilter-Virus-Scanned: |
| 3. Enable ProxSMTP to filter incoming traffic on RED and forward to internal Email Server | ON | see 1. |
| 4. Email Server is located in network | GREEN | Self-explanatory… |
| 5. Email Server IP Address | AAA.BBB.CCC.DDD | IP address Exchange server. |
| 6. Email Server Port Number | 25 | |
| 7. Add email addresses from outgoing email to Copfilter Whitelist | ON | Ourselves are ok, we may be in whitelist. |
| 8. Disable all spam scanning on outgoing email from internal network | ON | Outgoing Emails should NOT be scanned… |
| 9. Quarantine spam emails if… | ON | …but we send suspected spam in quarantine. |
| 10. Permitted Domains | DOMAINNAME | All trusted domain names from which emails are expected (for example: Provider). |
| 11. Stop virus emails and opt. send virus notifications instead (see below) | ON | |
| 12. Tag Spam in emails and modify the subject | ON | Makes filtering easier. |
| 13. Rename dangerous email attachments | ON | |
| 14. Send user a virus notification with information about the originally sent email containing the virus | ON | Notify user. |
| 15. Send a copy of virus notification to Email address | ON | Do we want a copy? |
| 16. Discard (delete) all SMTP virus emails | OFF | Don't throw anything away, 'false positives' exist. |
| 17. Discard (delete) all SMTP spam emails if… | OFF | same as above. |
| 18. Discard (delete) all SMTP emails with dangerous attachments | ON | |
| 19. Reject email instead of discarding (uses SMTP 550 instead of SMTP 250 error code) | ON | 550: Requested action not taken: mailbox unavailable; 250: Requested mail action okay, completed 1) |
| 20. Allow incoming email only from this IP Address(es): | | The IP address of a possibly upstream relay. Leave empty, or enter the IP address of a trusted relay. |
| 21. Enable Copfilter Whitelist modifications via email | OFF | |
| 22. Use Copfilter Whitelist and Blacklist | ON | |
| 23. Quarantine virus infected emails | ON | see 9., virus emails are quarantined, too. |
| 24. Remove emails in quarantine if older than (in days) | 7 or 14 or… | Matter of taste |


en/howtos.txt · Last modified: 2016/12/04 13:01 by fischerm