OPNsense Forum

English Forums => General Discussion => Topic started by: BenKenobi on April 15, 2017, 01:25:10 pm

Title: IDS / IPS and Mail Traffic
Post by: BenKenobi on April 15, 2017, 01:25:10 pm
One of the things that brought me to OPNsense was the arrogance of the pfSense team, particularly surrounding the implementation of Postfix as part of a valid firewall IPS / IDS strategy.

Instead of stopping the traffic at the door, 'their' opinion is that I should waste server resources and network by processing such things internally, i.e. setting up an internal Postfix 'filter'.

I'm afraid I disagree with this philosophy, and whilst it is currently what I'm forced to do, I don't plan this as a long-term strategy.

I don't use Postfix for outgoing e-mail at all - I filter only port 25 incoming to prevent such things as directory harvest attacks, account brute-force attacks, invalid e-mail, i.e. mail that fails reverse DNS / SPF validation, and mail to non-existent recipients (such mail just gets black-holed). By implementing this I've cut the amount of 'spam' hitting our mail server by 98% - it never gets to the server.

So is anyone planning to implement a similar solution on OPNsense?

I'd take this on, maybe. I can code, but I'm no expert on FreeBSD or Linux architectures; I find the configuration inconsistencies between the distros a massive frustration - how many 'etc' folders scattered in how many locations!!! - and who puts what where just isn't consistent.

If this isn't on anybody's radar, how easy is it to convert an already existing pfSense package (Postfix by Marcelloc) into something viable in the OPNsense arena?
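
As an added example, not the original poster's configuration and not from the pfSense or OPNsense packages, the Postfix main.cf fragment below applies the inbound-only checks listed above: no outbound relaying, reverse-DNS and SPF checks, refusal of unknown recipients (rejected here rather than black-holed), and per-client rate limits against directory harvesting and brute force. example.org, the 10.0.0.25 backend, the map file paths and the policyd-spf socket are placeholder assumptions.

```ini
# Added example: Postfix main.cf fragment for an inbound-only (port 25)
# filter sitting in front of the real mail server. Placeholders to adapt:
# example.org, 10.0.0.25 (internal mail server), the map file paths, and
# the policyd-spf socket (pypolicyd-spf is assumed to be installed and
# declared in master.cf as "policyd-spf unix - n n - 0 spawn ...").

# Accept mail only for our own domains and hand it to the internal server;
# nothing else is relayed, so the box cannot be abused for outbound spam.
relay_domains = example.org
# transport file contains:  example.org  smtp:[10.0.0.25]
transport_maps = hash:/usr/local/etc/postfix/transport
# Only forward known recipients. With this map set, RCPT TO for any other
# address in example.org is refused with "User unknown in relay recipient
# table" instead of reaching (or being bounced by) the internal server.
# The file is exported from the mail server's user list, one address per
# line followed by "OK".
relay_recipient_maps = hash:/usr/local/etc/postfix/relay_recipients

# Require HELO, and evaluate all restrictions at RCPT TO so that rejects
# are logged with the full sender/recipient context.
smtpd_helo_required = yes
smtpd_delay_reject = yes

# Order matters: local networks first, then the open-relay guard,
# then the sender, HELO, reverse-DNS and SPF checks from the post.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_reverse_client_hostname,
    check_policy_service unix:private/policyd-spf,
    permit

# Throttle directory-harvest and brute-force style clients. anvil limits
# are per client IP and per smtpd_client_rate_time_unit (default 60s).
smtpd_client_connection_rate_limit = 30
smtpd_client_recipient_rate_limit = 100
smtpd_client_event_limit_exceptions = $mynetworks
# Clients that keep hitting errors (e.g. probing for valid recipients)
# get slowed down and, past the hard limit, disconnected.
smtpd_soft_error_limit = 5
smtpd_hard_error_limit = 10
smtpd_error_sleep_time = 5s
```

After a postfix reload, the reject reasons in the mail log show which rule fired for each refused message, which is the place to tune the rate and error thresholds.
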
Title: Re: IDS / IPS and Mail Traffic
Post by: fabian on April 15, 2017, 02:20:39 pm
I don't know the pfSense package, but the systems are different. We use Phalcon 3 for MVC with XML-file based models and GUIs. We are not working on something like a mail proxy at the moment, and it is not planned for now. However, it is required if you want to scan mails, because mails may be sent using a STARTTLS connection, so Suricata cannot do the job.

As for the reason for the many etc directories (in Linux):
/etc: system configuration (must exist) - usually used for daemon configuration files too
/usr/etc: where user installed packages should store the configuration - usually not used
/usr/local/etc: where self-compiled packages should store the configuration
/opt/.../etc: for packages not installed in a standard way - for example if you download a package from a website and click install.

On OPNsense all relevant configuration files are in /etc and /usr/local/etc.

You should find everything you need in the plugins repo:
https://github.com/opnsense/plugins

amavisd with spamassassin would be cool ;)

If you need a package, you would have to ask Franco for it.

PS: look at the packages quagga and haproxy for samples of how to implement something. There is also a how-to for a sample plugin:
https://docs.opnsense.org/development/examples/helloworld.html

Title: Re: IDS / IPS and Mail Traffic
Post by: BenKenobi on April 15, 2017, 02:32:50 pm
Many thanks. I'll take a look at the links suggested; just don't expect anything by tomorrow ;)