[afnog] Mail servers (was: Natting)

Peter Nyamukusa peter.nyamukusa at africaonline.co.tz
Fri Oct 17 16:29:30 UTC 2008


Hi SM,

Thanks for updating the topic to reflect the slight twist, I agree with you
in most of your points you made.
My policy for assigning additional public IPs to customers is if for example
they need to have direct email relay or VPN etc, with the rest of the
customers I try to save IPs and will just assign a /30 point-to-point link
and that is of course until we have fully migrated to IPv6.
Also if I look at it another way when I usually design my firewall
solutions using either PIX or ASA I usually use private IPs in the DMZ
NATted to public IPs (static outside, inside) and this has never given me
any problems. I guess do what you know works best for you, but again this is
a healthy discussion and every day we learn something new or another way of
looking at things and thus we improve.
I hope others can add their views or comments.

Cheers
Peter

-----Original Message-----
From: SM [mailto:sm at resistor.net] 
Sent: Friday, October 17, 2008 6:30 PM
To: Peter Nyamukusa
Cc: afnog at afnog.org
Subject: Mail servers (was: Natting)

Hi Peter,
At 05:23 17-10-2008, Peter Nyamukusa wrote:
>I am not sure how your email system is set up but looking at two
>scenarios, in the first you have possibly several thousand broadband
>customers and we all know these guys are capable of anything and you don't
>want them sending email directly or receiving directly from the internet and
>hence therefore you would need to apply an ACL somewhere in your network (my
>concept is the closer to the source the better) this will make sure only the
>servers you permit can only do SMTP in/out and you don't have to spend every
>day removing blacklisted IPs, thus this is the first level of filtering.

That's a different scenario from the one I commented about.  In such 
a case you want to block outgoing TCP 25 closer to the source as you 
mentioned above.  I won't go into the advantages and disadvantages of 
applying such a policy in this region.  I noticed that some ISPs use 
reverse DNS formats which don't help SMTP filtering.

If your customers are allowed to run mail servers (incoming SMTP), 
you cannot filter that traffic.  My opinion is that you should not 
even do NAT there (see reasons below).

>Moving on to the second layer of filtering, for the server IPs that you have
>permitted SMTP from the internet & local exchange point you can then even
>apply server level filtering like you were mentioning before i.e. reverse
>DNS, RBLs, header & body checks etc.

That's not possible if you are doing NAT as the mail server won't get 
the actual source IP address then.

>You can even go a step further by setting up your spam/virus filtering
>box/appliance at your upstream provider because in most cases over 80% of
>email received is junk/spam and thus you save your precious international
>bandwidth

That would be better as you save on (international) bandwidth 
charges then, assuming that the cost is lower.  You could apply 
different levels of filtering where you block the virus and high 
probability spam upstream and filter the rest within your network and 
apply your delivery policies.

The original discussion was about mail servers.  Your comments are 
closer to SMTP filtering policies where we have to look at the issues 
from a different perspective.  As you pointed out, there are 
different constraints that are relevant then such as abuse filtering, 
IP address blacklisting and traffic charges.  It's refreshing to see 
this type of operational content on this mailing list.

Regards,
-sm 
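As an added illustration (not from either poster), here is the "ACL closer to the source" that Peter and SM describe, written in Cisco ASA syntax since Peter mentions PIX/ASA. The interface name, access-list name and all addresses are assumptions: 192.0.2.0/24 stands in for the broadband customer pool, 203.0.113.25 for the ISP's own relay, and 203.0.113.10 for the one customer host granted direct SMTP relay.

```cisco
! Egress policy on the customer-facing interface. Names and addresses are
! assumed values, not from the thread: 192.0.2.0/24 = broadband pool,
! 203.0.113.25 = the ISP's relay, 203.0.113.10 = a customer host that has
! been given a public IP precisely so it can relay mail directly.
!
! ACEs are evaluated top down, so the permits must come before the deny.
! The customer host that is allowed to relay may open TCP 25 anywhere.
access-list CUSTOMER_IN extended permit tcp host 203.0.113.10 any eq smtp
! The rest of the pool may only talk SMTP to the ISP's own relay, which is
! where the reverse DNS / RBL / header and body checks are applied.
access-list CUSTOMER_IN extended permit tcp 192.0.2.0 255.255.255.0 host 203.0.113.25 eq smtp
! Any other direct TCP 25 from the pool is dropped and logged; the log
! shows which customer hosts are trying to send directly (infected or not),
! instead of finding out later from a blacklist listing.
access-list CUSTOMER_IN extended deny tcp 192.0.2.0 255.255.255.0 any eq smtp log
! Everything else is unaffected by this policy.
access-list CUSTOMER_IN extended permit ip any any
! Apply inbound on the interface facing the customers, i.e. as close to
! the source as this device allows.
access-group CUSTOMER_IN in interface inside
```

Because the deny sits before the broadband hosts are ever source-NATted, the logged address is the customer's real address, which is the per-source visibility SM points out is lost once NAT is in the path.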