OPNsense Forum

English Forums => General Discussion => Topic started by: BenKenobi on July 04, 2018, 12:00:14 pm

Title: Anyone configured an MTA
Post by: BenKenobi on July 04, 2018, 12:00:14 pm
Has anyone here configured an MTA using OPNsense and the packages os-postfix and os-rspamd?

How did you deal with the potential for backscatter?

http://www.postfix.org/BACKSCATTER_README.html

I currently run an old version of pfSense with Postfix internally as an incoming relay for all incoming port 25 traffic; I do not use it for sending and never will. I use header and body checks to detect forged headers where those headers actually contain my domains as the sender (such mails will NEVER come from 'outside').

There are a few things that I'm not seeing in the OPNsense implementation, the principal one being no way to detect forged domain headers (check out the Postfix 'backscatter' link).

I still don't see the opportunity anywhere (in what I use now or in the OPNsense implementation) to decline any response whatsoever. Basically I don't want my mail server to respond with any 2xx/4xx/5xx messages if the sender is not legit; I just want an option to drop the message into a black hole, so that in scenarios such as when no valid recipient exists the system does not respond with a friendly 'unknown user'. In such cases I don't want a response of any kind. This and rate limiting would go a long way to prevent brute-force type harvesting, since spammers could no longer blanket a server with random names and check the responses (harvesting).

That said, my biggest concern is stopping backscatter. Any tips on how to achieve this with the OPNsense implementation?
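The two checks the post describes (mail from outside that claims one of my own domains as sender, and telling genuine backscatter from forged backscatter by the presence of my own server's signature in the embedded Received: trail) as an added Python example. This is not code from the post, from OPNsense or from Postfix; Postfix's own mechanism is the header_checks/body_checks tables described in the linked README, and the example keeps the same logic in plain Python so it can be run offline against captured messages. The domain example.org, the host mx.example.org, the 10-12 character upper-case hex queue-ID format and all sample messages are assumptions constructed for the example.

```python
"""Backscatter triage for an inbound-only MX (added example, not code from
the thread, OPNsense or Postfix). It restates the two checks from the
Postfix BACKSCATTER_README in Python so they can be run offline:
  1. mail arriving from outside whose headers claim our own domain as the
     sender is forged (this MX never sends, so our domain never arrives
     from the Internet);
  2. a bounce (null sender) whose embedded original claims our domain is
     genuine only if the embedded Received: trail carries our own Postfix
     signature; anything else is forged backscatter.
Hypothetical: domain example.org, MX mx.example.org, and a Postfix there
that stamps 10-12 character upper-case hex queue IDs."""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Optional

OUR_DOMAINS = {"example.org"}
OUR_MX = "mx.example.org"
# Shape of a Received: line our own Postfix writes. Forgers who only know
# our hostname rarely reproduce "(Postfix) with <proto> id <QUEUEID>".
GENUINE_RECEIVED = re.compile(
    r"^from\s+\S+.*?\bby\s+" + re.escape(OUR_MX)
    + r"\s+\(Postfix\)\s+with\s+E?SMTPS?A?\s+id\s+[0-9A-F]{10,12}\b",
    re.DOTALL,
)
ADDR_DOMAIN = re.compile(r"@([A-Za-z0-9.-]+)")


def claims_our_domain(msg: EmailMessage) -> bool:
    """True if From:, Sender: or Return-Path: carries one of our domains."""
    for name in ("From", "Sender", "Return-Path"):
        for value in msg.get_all(name, []):
            if any(d.lower() in OUR_DOMAINS for d in ADDR_DOMAIN.findall(str(value))):
                return True
    return False


def embedded_original(bounce: EmailMessage) -> Optional[EmailMessage]:
    """The original message a DSN carries: message/rfc822 (full copy) or
    text/rfc822-headers (headers only), per RFC 3464."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload()[0]
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def classify(raw: bytes, from_outside: bool = True) -> tuple:
    """Return (verdict, reason) for one message as delivered (Return-Path:
    already stamped). from_outside: the SMTP client was not one of ours."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if " ".join(str(msg.get("Return-Path", "")).split()) != "<>":
        # Rule 1: not a bounce; our domain never arrives as a sender from outside.
        if from_outside and claims_our_domain(msg):
            return "reject-forged-sender", "outside mail claims our domain as sender"
        return "ok", "not a bounce, foreign sender"
    # Rule 2: a bounce. Did the original really leave through our MX?
    original = embedded_original(msg)
    if original is None or not claims_our_domain(original):
        return "unrelated-bounce", "no embedded original claiming our domain"
    trail = [" ".join(str(h).split()) for h in original.get_all("Received", [])]
    ours = [h for h in trail if OUR_MX in h]
    if not ours:
        return "forged-backscatter", "original claims our domain but never touched our MX"
    if any(GENUINE_RECEIVED.match(h) for h in ours):
        return "genuine-backscatter", "our Postfix signature present: look for a compromised host"
    return "forged-backscatter", "Received: names our MX but not as our Postfix writes it"


def _dsn(embedded_received: str, original_from: str = "alice@example.org") -> bytes:
    """Constructed sample DSN (null sender, multipart/report) as delivered by our MX."""
    return (
        "Return-Path: <>\n"
        f"Received: from relay.other.example.net (relay.other.example.net [203.0.113.5]) "
        f"by {OUR_MX} (Postfix) with ESMTP id 4B1C9D3A7E for <postmaster@example.org>; "
        "Wed, 04 Jul 2018 10:00:00 +0000\n"
        "From: MAILER-DAEMON@other.example.net\nTo: postmaster@example.org\n"
        "Subject: Undelivered Mail Returned to Sender\nMIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="B"\n\n'
        "--B\nContent-Type: text/plain\n\nDelivery failed.\n--B\nContent-Type: message/rfc822\n\n"
        f"Received: {embedded_received}\nFrom: {original_from}\nTo: victim@other.example.net\n"
        "Subject: cheap pills\n\nbuy now\n--B--\n"
    ).encode()


# Constructed samples (all names and addresses are hypothetical).
FORGED_BOUNCE = _dsn("from mx.example.org (mx.example.org [198.51.100.7]) "
                     "by relay.other.example.net with SMTP; Wed, 04 Jul 2018 09:59:00 +0000")
GENUINE_BOUNCE = _dsn("from pc23.lan.example.org (unknown [10.0.0.23]) by mx.example.org "
                      "(Postfix) with ESMTP id 3F2A9C0B11 for <victim@other.example.net>; "
                      "Wed, 04 Jul 2018 09:59:00 +0000")
UNRELATED_BOUNCE = _dsn("from pc1.other.example.net (unknown [192.0.2.4]) by relay.other.example.net "
                        "with SMTP; Wed, 04 Jul 2018 09:59:00 +0000", original_from="bob@other.example.net")
FORGED_SENDER = (
    "Return-Path: <scam@attacker.example.net>\n"
    f"Received: from attacker.example.net (unknown [203.0.113.9]) by {OUR_MX} (Postfix) "
    "with ESMTP id 5C2D0E4B8F for <alice@example.org>; Wed, 04 Jul 2018 10:05:00 +0000\n"
    "From: Boss <boss@example.org>\nTo: alice@example.org\nSubject: urgent wire\n\nplease pay\n"
).encode()

if __name__ == "__main__":
    for name, raw in [("forged bounce", FORGED_BOUNCE), ("genuine bounce", GENUINE_BOUNCE),
                      ("unrelated bounce", UNRELATED_BOUNCE), ("forged sender", FORGED_SENDER)]:
        print(f"{name:16s} -> {classify(raw)}")
```

Rule 1 only holds for an inbound-only relay as described in the post: on a host that also sends, or whose users forward mail through third parties or mailing lists, legitimate mail carrying your own domain does arrive from outside and this check would reject it. Rule 2 is only as strong as the signature you match on; the queue-ID pattern is the part most worth tightening to whatever your own Postfix actually writes.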

Title: Re: Anyone configured an MTA
Post by: mimugmail on July 04, 2018, 01:34:35 pm
With 18.1.11 there's an option to enforce recipient checks; tick this and, before that, enter all your real recipient addresses in the Recipients submenu (no matter if OK or reject).
Title: Re: Anyone configured an MTA
Post by: BenKenobi on July 04, 2018, 02:50:28 pm
I don't do any filtering on valid recipients and have my reasons for doing so.

I'm looking in particular, though, for a way to identify backscatter that may have come from my boxes, or backscatter that is nothing to do with me. The presence of backscatter is a good way to identify if a user box or even a server has been compromised. I know what my server signatures look like, so I use this to tell the difference between forged and genuine, as per the Postfix link. Basically, if forged backscatter comes in I reject it; if genuine comes in, I want to know.

I am looking ultimately to find a way to send no response whatsoever for invalid recipients. I'm quite OK tying up the spammers' systems retrying over and over and wasting time doing so; I don't want to disclose when users do not exist. I'm trying to figure out some sort of catch-all, i.e. any address that doesn't exist goes to a black-hole queue / inbox. This is fine and my mail server dumps anything to non-existent users in a junk box. The problem is that I then want to blacklist the real message source of anything that ends up in the black hole; never quite figured out how to get that to work in any MTA though.
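The last step of the post, turning the black-hole mailbox into a blacklist of the real sources, as an added Python example (not code from the thread, from OPNsense or from Postfix). It reads each black-holed message, takes the connecting client address only from the Received: header our own MX stamped (the topmost one; everything below it is sender-controlled and must not drive a block), counts probes per client and emits two outputs. One caveat drives the second output: Postfix itself always answers the SMTP client (REJECT is a 5xx, DISCARD accepts with a 2xx and drops), so the "no response at all" the post asks for has to come from the packet filter; the example therefore also writes a plain address list in the format pfctl loads into a table. The host mx.example.org, the internal networks, the threshold and the sample messages are assumptions constructed for the example.

```python
"""Blocklists from the black hole: which clients keep probing addresses that
do not exist (added example, not code from the thread, OPNsense or Postfix).
Every message delivered to the catch-all for non-existent recipients is read,
the connecting client address is taken from the one Received: header our own
MX stamped (the topmost; everything below it the sender controls), and clients
over a threshold are emitted as a Postfix cidr: client_access table and as a
plain address list that pfctl can load into a table.
Hypothetical: MX mx.example.org, internal nets 10.0.0.0/8 and 192.168.0.0/16."""
import email
import ipaddress
import re
from collections import Counter
from email import policy
from typing import Dict, Iterable

OUR_MX = "mx.example.org"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Postfix writes: from HELO (rdns [IP]) by OUR_MX (Postfix) ...; IPv6 is "[IPv6:...]".
OUR_STAMP = re.compile(
    r"^from\s+\S+\s+\(\S+\s+\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]\)\s+by\s+"
    + re.escape(OUR_MX) + r"\s+\(Postfix\)"
)


def source_ip(raw: bytes):
    """Client address from the Received: header our MX stamped, else None."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    received = msg.get_all("Received", [])
    if not received:
        return None
    m = OUR_STAMP.match(" ".join(str(received[0]).split()))
    if not m:
        return None  # trail not written by us: never block on sender-controlled data
    try:
        return ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None


def build_blocklist(raw_messages: Iterable[bytes], threshold: int = 3) -> Dict:
    """Count black-holed messages per client; keep those at/above threshold.
    threshold=1 blocks on the first probe; higher tolerates an occasional
    mistyped recipient from a legitimate correspondent."""
    hits = Counter()
    for raw in raw_messages:
        ip = source_ip(raw)
        if ip is not None and not any(ip in net for net in INTERNAL_NETS):
            hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


def postfix_client_access(blocked: Dict) -> str:
    """Lines for a cidr: table used as an smtpd client restriction (5xx at connect)."""
    rows = sorted(blocked.items(), key=lambda kv: (-kv[1], str(kv[0])))
    return "\n".join(f"{ip}/{ip.max_prefixlen} REJECT harvesting, {n} unknown recipients"
                     for ip, n in rows)


def pf_table(blocked: Dict) -> str:
    """One address per line, the format `pfctl -t <table> -T replace -f <file>`
    loads; a pf block rule on that table yields the silent drop Postfix cannot."""
    return "\n".join(str(ip) for ip in sorted(blocked, key=str))


def _probe(client_ip: str, rcpt: str, stamped_by_us: bool = True) -> bytes:
    """Constructed sample: one black-holed message as our MX delivered it."""
    host = OUR_MX if stamped_by_us else "relay.other.example.net"
    lit = f"IPv6:{client_ip}" if ":" in client_ip else client_ip
    return (f"Received: from bulk.example.net (unknown [{lit}]) by {host} (Postfix) with ESMTP "
            f"id 7A1B2C3D4E for <{rcpt}>; Wed, 04 Jul 2018 12:00:00 +0000\n"
            f"From: offers@bulk.example.net\nTo: {rcpt}\nSubject: hello\n\nprobe\n").encode()


SAMPLES = [
    _probe("203.0.113.5", "aaron@example.org"),
    _probe("203.0.113.5", "abbie@example.org"),
    _probe("203.0.113.5", "abbot@example.org"),
    _probe("198.51.100.9", "zzz@example.org"),
    _probe("2001:db8::1", "zzy@example.org"),
    _probe("10.0.0.5", "typo@example.org"),                         # internal host: never listed
    _probe("203.0.113.77", "x@example.org", stamped_by_us=False),   # forged trail: ignored
]

if __name__ == "__main__":
    blocked = build_blocklist(SAMPLES, threshold=3)
    print(postfix_client_access(blocked))
    print(pf_table(blocked))
```

Run it periodically against the black-hole mailbox and feed the two outputs to the respective consumers; the Postfix table rejects at connect time, and the pf table (on OPNsense, the packet filter in front of the MTA) is what makes the probing client get no answer at all. Two things a practitioner should keep in mind: the threshold exists because a legitimate correspondent mistyping an address also lands in the black hole, and the address list should age out rather than grow forever, since dynamic and shared addresses change hands.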
Title: Re: Anyone configured an MTA
Post by: mimugmail on July 04, 2018, 03:08:08 pm
Hm, this is a very specific need. No idea how to introduce all of them to a user friendly UI.

If it's OK for you, just install Postfix via pkg and do this via the CLI; it's really easy to use just pkgs compared to the pfSense way ...

Title: Re: Anyone configured an MTA
Post by: BenKenobi on July 04, 2018, 03:30:35 pm
So os-postfix is just Postfix under the hood then? Not a reduced feature set?

I may be able to make that work if it is just a GUI omission and not a feature omission.
Title: Re: Anyone configured an MTA
Post by: mimugmail on July 04, 2018, 03:45:37 pm
Everything starting with os-* is a plugin for the UI. The plain postfix3 package is a dependency and gets installed additionally. You are free to just install postfix3 and do your own thing via the CLI. You can also do this with FRR and do crazy routing stuff not supported via the UI.

You can be sure there won't be a break in future; it's the nature of this system  8)
Title: Re: Anyone configured an MTA
Post by: BenKenobi on July 04, 2018, 05:25:12 pm
Good to know, and another confirmation that OPNsense is the best fit for my needs.