
Thread: [SOLVED] Security best-practices question

  1. #1
    dwmtractor (Moderator)

    Hey people, I'm looking for opinions on the best practice for configuring my firewalls and/or Zimbra so I can get security notices from the firewalls.

    My firewall is capable of sending out both notices of failed logins, intrusions, etc., and also backup files to an email address I specify. This feature uses an SMTP engine (Exim) built right into the firewall to kick the notices out, and they go out through the WAN IP of the box. If I send them to a nearly-unfiltered account I have elsewhere (not on Zimbra) the messages come through, even with Fetchmail grabbing them down to a Zimbra account. However, if I direct these same messages to an account on my Zimbra box, they are rejected by Postfix:
    Code:
    Feb 26 11:23:35 mail postfix/smtpd[24845]: NOQUEUE: reject: RCPT from unknown[XXX.XXX.XXX.XXX]: 504 <firewall-hostname>: Helo command rejected: need fully-qualified hostname; from=<do-not-reply@fw-notify.net> to=<myaddress> proto=ESMTP helo=<firewall-hostname>
    I know WHY this is happening--I have the various MTA restrictions turned on, including:
    • reject_invalid_hostname
    • reject_non_fqdn_hostname
    • reject_non_fqdn_sender
    • reject_unknown_sender_domain
    And guess what, it's following my instructions to the letter! I don't really want to turn these features off because they stop a lot of trash, but I DO want to get my firewall notices. I can see a couple less-than-desirable options:
    1. Add the WAN IP addresses to my "Allowed senders" relay list. My concern with this is that I don't much like to have a relay open to ANY public IPs.
    2. Register my WAN IPs in a DNS I control. I don't much like putting the gateways to my networks in a phone book... seems kinda like inviting trouble.
    3. There ought to be a way to whitelist the addresses I create, but my first attempts at whitelisting didn't work--it seems Postfix is rejecting the message before SpamAssassin gets a chance to whitelist it.
    Would appreciate any ideas you all might have.

    Cheers,

    Dan

  2. #2
    bdial (Moderator)

    I believe Exim just uses whatever your hostname is for the HELO. Type the command 'hostname':

    hercules:~ # hostname
    hercules

    So you can see it's using just the hostname minus the domain. Try setting your hostname to your FQDN:

    hercules:~ # hostname hercules.domain.com
    hercules:~ # hostname
    hercules.domain.com

    Then maybe restart Exim and see if it works now.

    Depends on your distribution as to where you need to set this to be permanent.

  3. #3
    dwmtractor (Moderator)

    Well and good, but these are T1s sold to us by AT&T for internet access. They don't have DNS associated with them, and as nearly as I can tell they don't have a FQDN, or if they do I can't figure out what it is. I tried whois on the IP address and no permutation I'm able to come up with works.

    Any more ideas?

  4. #4
    dwmtractor (Moderator)

    I'm an idiot, forget I posted this!

    I'm truly embarrassed by what I discovered is the problem. I've been putting an address formatted like an email (firewallname@something.net) into the FQDN field of my firewall. Not surprisingly, Postfix sees that as an invalid domain and rejects the email. It had nothing to do with a reverse lookup, and everything to do with me overlooking the blindingly obvious.

    Putting in a FQDN of my own invention that just looks right was good enough.
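
Added example, not part of the thread and not Postfix's own code: a simplified Python model of the `reject_invalid_hostname` and `reject_non_fqdn_hostname` checks listed in post #1, useful for testing the HELO name a device is configured to send before it meets the mail server. Both checks are modelled as purely syntactic (no DNS lookup), which is why an invented but well-formed FQDN passes; the sample values, including `fw01.example.net`, are constructed.

```python
import re

# One DNS label: letters, digits, hyphen; no leading/trailing hyphen; max 63 chars.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_valid_hostname(name: str) -> bool:
    """Syntax check only (RFC 1123 style); no DNS lookup is made."""
    if not name or len(name) > 255:
        return False
    if name.endswith("."):          # tolerate a single trailing dot
        name = name[:-1]
    labels = name.split(".")
    if not all(LABEL.fullmatch(label) for label in labels):
        return False
    # A name made only of digits and dots is an IP-like string, not a hostname.
    return not all(label.isdigit() for label in labels)


def check_helo(helo: str) -> str:
    """Return 'ok' or the restriction that would reject (simplified model)."""
    if helo.startswith("[") and helo.endswith("]"):
        return "ok"                  # address literal such as [192.0.2.10]
    if not is_valid_hostname(helo):
        return "reject_invalid_hostname"
    if "." not in helo.rstrip("."):
        return "reject_non_fqdn_hostname"
    return "ok"


# Constructed sample values mirroring the cases discussed in the thread.
SAMPLES = [
    "firewall-hostname",            # bare hostname, as in the log line
    "firewallname@something.net",   # e-mail-style value from post #4
    "fw01.example.net",             # invented but well-formed FQDN (hypothetical)
    "[192.0.2.10]",                 # address literal (documentation IP)
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{value!r:32} -> {check_helo(value)}")
```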
