3. Configuration File (page 9)
Notification (page 9)
Firewall Blocks (page 10)
Reputation Services (page 10)
Compatibility and Logging (page 11)
Data Integrity (page 11)
Integration with LDAP (page 12)
Default Flow Control Filter Configuration File (page 13)
Settings Edited During Installation (page 13)
Sample Configuration File (page 13)
Configuration File Changes Without Reputation Services (page 17)
System Requirements
Flow Control Filter requires the following minimum operating system versions and storage
capacity.
*Additional storage means the amount in addition to the requirements for installing Sendmail Switch.
Additional Documentation
In addition to this Getting Started Guide, refer to the following Flow Control Filter
publications for additional information. They are bundled with your download package.
• Sendmail© Flow Control Filter Administration Guide
• RELEASE-NOTES.txt
The Flow Control Filter installation includes working with the SnortSam firewall agent.
SnortSam documentation can be found at the following URL:
http://www.snortsam.net/documentation.html
Installation Scenarios
You can run the Flow Control installation script to install the following components or
combination of components:
• Flow Control Filter, SnortSam agent and Reputation Server
• Flow Control Filter (standalone)
• SnortSam agent installed as part of the Flow Control Filter installation. In this case,
Flow Control Filter is not used.
• Flow Control Filter and Reputation Server
• SuSE Linux
tar zxvf SFC-200-LNX.tar.gz
• Solaris
uncompress -c SFC-200-SOL8.tar.Z | tar xvf -
5. Run the package installation command:
/download_dir/smflow-2.0.0/installer
This starts the installation script, which automatically installs your package and runs
through your initial configuration.
6. The installation script prompts you for an installation location.
Where do you want to install the software? [/usr/local]
7. The installation script asks if you want to install the Commtouch reputation server.
The reputation server provides feedback on the integrity of incoming IP addresses.
Install Commtouch reputation server? (y/n) [y]
8. The installation script asks if you want to install the SnortSam Firewall Agent. The
agent communicates with your firewall to block or throttle IP addresses as determined
by Flow Control Filter.
Install SnortSam Firewall Agent? (y/n) [y]
9. After checking for a previous installation, the installation script prompts you for the
Sendmail Flow Control Filter License Key.
You should have been provided with a license key when you purchased Flow Control
Filter.
Flow Control Filter license key: [no default] /<your FC license key here>/
This key is case-sensitive.
10. The installation script prompts you for the Sendmail Flow Control Filter Reputation
License Key.
Note – This prompt will not be displayed if you did not select to install the
Commtouch Reputation Server.
You should have been provided with a license key when you purchased Flow Control
Filter.
Flow Control Filter Reputation license key: [no default] /<your FC reputation license key here>/
This key is case-sensitive.
11. The installation script prompts you for the Reputation Daemon Port. The daemon
requires an unblocked port to communicate with Flow Control. This port must remain
unblocked while running Flow Control.
Reputation daemon port: [5678]
12. The installation script prompts you for the Flow Control Accept CIDR. The SnortSam
agent uses this IP address for connection purposes.
Flow Control CIDR: [no default]
13. The installation script prompts you for the SnortSam Auth Password. This password
is used to authenticate Flow Control requests sent to SnortSam.
SnortSam Auth Password:
Confirm Password:
14. The installation script prompts you for the Flow Control Firewall Configuration type.
Select the type of firewall that the SnortSam agent will connect to:
1. iptables
2. Check Point
3. Cisco
Depending on your selection, additional prompts are displayed:
Note – The SnortSam agent looks for the iptables binary in the default installation
directory /sbin. If you have installed the iptables binary elsewhere, you should
create a symlink to the new location in /sbin. Do not copy the binary.
15. The installation script prompts you for the port that SnortSam will use to connect.
SnortSam port: [898]
16. The installation script displays your installation settings for review. Enter a step
number to change a setting, or enter y to accept these settings and install Flow
Control.
During the installation, you should receive notification that the following startup
scripts have been created:
flow-control.sh
snortsam.sh
ctipd.sh
A soft link /etc/init.d/flow-control has also been created to point to the
flow-control.sh startup script.
During the installation, the script checks for an existing configuration file. If none is
found, a default configuration file is generated. See Appendix A for more information
about this configuration file.
Flow Control Filter 2.0 can parse and handle a 1.6.x configuration. It will log the following
warning when it performs a class conversion:
Message/Response in class %s deprecated; converting to Action
In this message, %s is replaced by the class being defined. A message is logged for UserLimit
cases as well.
Notification
Because of the nature of MX records and the fact that multiple mail hosts might handle mail
for a given domain, spammers and abusive senders can reach mailboxes through multiple
vectors. Ideally, if Flow Control applies a restriction to a sending host, for whatever reason,
that mail server’s peers would apply the same restriction to the same SMTP client. In other
words, “If you try to send us too much mail, all of our servers will refuse you.” To ensure that
the mailhosts in an enterprise present a consistent response to external senders, use the Notify
action. Use the following configuration options:
Notify mx1.your-company.com:1234:rs:sam3st0ry
Notify mx2.your-company.com:1234:rs:sam3st0ry
<Action NotifyBlockBadConn>
Notify True
…
</Action>
<Action NotifyDefaultConn>
Notify True
…
</Action>
<Action NotifyDefaultRecpts>
Notify True
…
</Action>
Firewall Blocks
Even if a host has triggered a Flow Control Filter action, whether by attempting a directory
harvest attack or sending too much volume, there is still some overhead involved in blocking
that host. The MTA will still accept a connection, then pass the connection to Flow Control
Filter. When the filter recognizes that this is a blocked host, it directs the MTA to tempfail
commands or close the connection (if 421 is in use).
As a result, the MTA and Flow Control are still receiving connections from an abusive host in
the midst of an attack. Instead, use a firewall block statement to correct this condition as
shown below:
Firewall 127.0.0.1:898:snortsam
<Action NotifyBlockBadConn>
…
Block True
…
</Action>
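To make the overhead point above concrete, here is an added model (not Flow Control Filter's own code) of what a Connections limit such as 10/1h does to one abusive host when its Action only tempfails (NotifyDefaultConn, DisableTime 15m) versus when it also sets Block True (NotifyBlockBadConn, BlockDuration 1200). The sliding-window counting, the assumption that a tempfailed connection still costs the MTA an accept, and the constructed burst of one connection every 10 seconds are assumptions of this example; the product's real counting may differ.

```python
# Added example, not Flow Control Filter's own code: a model of what a
# Connections limit plus an Action's DisableTime and Block/BlockDuration do
# to one abusive host, to compare "tempfail at the filter" with "block at
# the firewall". Assumptions: the limit is a sliding window over connection
# start times, a tempfailed connection still costs the MTA an accept, and a
# firewalled one never reaches it. The product's real counting may differ.
from collections import deque
from dataclasses import dataclass, field

UNITS = {"s": 1, "m": 60, "h": 3600}

def parse_limit(spec):
    """'10/1h' -> (10, 3600): at most 10 events per 3600 seconds."""
    count, _, period = spec.partition("/")
    return int(count), int(period[:-1]) * UNITS[period[-1]]

def parse_duration(spec):
    """'15m' -> 900; a bare number such as BlockDuration 1200 is seconds."""
    return int(spec[:-1]) * UNITS[spec[-1]] if spec[-1] in UNITS else int(spec)

@dataclass
class Action:
    name: str
    disable_time: int = 0     # seconds during which the filter answers TEMPFAIL
    block: bool = False       # Block True: also ask the firewall agent to drop the host
    block_duration: int = 0   # seconds the firewall rule stays in place

@dataclass
class HostTracker:
    """Per-host state: recent connection times and any active penalties."""
    limit: tuple
    action: Action
    window: deque = field(default_factory=deque)
    tempfail_until: float = -1.0
    firewall_until: float = -1.0

    def connection(self, t):
        """Disposition of one connection attempt at time t (seconds)."""
        if t < self.firewall_until:
            return "firewall-drop"        # dropped before the MTA sees it
        if t < self.tempfail_until:
            return "tempfail"             # MTA accepted, filter refused it
        count, period = self.limit
        self.window.append(t)
        while self.window[0] <= t - period:   # forget events outside the window
            self.window.popleft()
        if len(self.window) > count:          # limit exceeded: fire the action
            self.tempfail_until = t + self.action.disable_time
            if self.action.block:
                self.firewall_until = t + self.action.block_duration
            return "tempfail"
        return "accept"

def simulate(times, limit_spec, action):
    """Count dispositions for one host connecting at the given times."""
    tracker = HostTracker(parse_limit(limit_spec), action)
    results = [tracker.connection(t) for t in times]
    return {d: results.count(d) for d in ("accept", "tempfail", "firewall-drop")}

# Actions as in the guide's sample flow-control.conf.
BLOCKING = Action("NotifyBlockBadConn", disable_time=parse_duration("20m"),
                  block=True, block_duration=parse_duration("1200"))
TEMPFAIL_ONLY = Action("NotifyDefaultConn", disable_time=parse_duration("15m"))

if __name__ == "__main__":
    burst = range(0, 1800, 10)   # constructed: one connection every 10 s for 30 min
    for action in (BLOCKING, TEMPFAIL_ONLY):
        print(action.name, simulate(burst, "10/1h", action))
```

Under this model the tempfail-only action leaves the MTA accepting all 180 connections of the burst (10 accepted, 170 tempfailed), while the blocking action lets only 12 through to the MTA and the firewall drops the rest, which is the condition the Firewall directive is meant to correct.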
Reputation Services
Flow Control Filter provides integration with reputation services provided by Commtouch.
This service relies upon similar classification methods employed by Commtouch to identify
spam. The default flow-control.conf file uses reputation values and volume limits as
suggested by Commtouch:
ReputationServer 127.0.0.1:5678
ReputationUnavailable TEMPFAIL
<Reputation moderate>
If ip-class = R7
If ip-class = T3
</Reputation>
<Reputation aggressive>
If ip-class = T4
If ip-class = R8
</Reputation>
<Reputation extreme>
If ip-class = T5
If ip-class = R9
</Reputation>
<Reputation private>
If ip-class = G3
</Reputation>
<Class BadGuys>
…
Reputation extreme
…
</Class>
<Class Aggressive>
…
Reputation aggressive
…
</Class>
<Class Moderate>
…
Reputation moderate
…
</Class>
Data Integrity
You can periodically save the state of the tracked hosts and their limits so that a restart of the
filter does not allow misbehaving hosts to start over with a clean slate. To do so, set these two
options:
StateFile /var/sendmail/flow-control/fc.state
StateInterval 0
LDAP-Query-Address *@your-company.com
LDAP-Search-Template (mailLocalAddress=%a)
LDAP-Unavailable TEMPFAIL
LDAP-URI ldapi:// ldap://localhost ldap://other-replica-server
PlusDetail True
<Class BadGuys>
…
BadSender REJECT
</Class>
<Class Aggressive>
…
BadRecipients 5/1m NotifyDefaultRecpts
BadSender REJECT
</Class>
<Class Moderate>
…
BadRecipients 5/1m NotifyDefaultRecpts
BadSender REJECT
</Class>
<Class Default>
…
BadRecipients 5/1m NotifyDefaultRecpts
BadSender REJECT
</Class>
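The Notification, Firewall Blocks, Reputation Services and LDAP settings above all depend on pairs of directives: Notify True in an Action needs a top-level Notify peer line, Block True needs a Firewall line, a Reputation reference in a Class needs a matching Reputation block and a ReputationServer, and BadSender/BadRecipients need the LDAP-* settings uncommented. The following linter is an added example, not part of the Flow Control Filter distribution; it parses a flow-control.conf style file and reports such dangling references, and also resolves which Class an ip-class from the reputation server lands in. The directive names are the guide's; the constructed sample config, the choice of which LDAP keys count as required, and the first-match class resolution are assumptions of the example.

```python
# Added example, not code from the Flow Control Filter distribution: a
# linter for flow-control.conf style files that checks the cross-references
# the Notification, Firewall Blocks, Reputation Services and LDAP settings
# rely on. Directive names come from the guide; LDAP_REQUIRED is an assumption.
import re
from collections import defaultdict

BLOCK_OPEN = re.compile(r"^<(\w+)\s+(\S+)>$")
BLOCK_CLOSE = re.compile(r"^</(\w+)>$")
# Assumption: the minimum LDAP settings BadSender/BadRecipients need; the
# guide also shows LDAP-URI and LDAP-Unavailable alongside them.
LDAP_REQUIRED = {"LDAP-Query-Address", "LDAP-Search-Template"}
LIMIT_KEYS = {"Connections", "Recipients", "BadRecipients"}

# Constructed sample with two deliberate gaps: the Notify peer line is still
# commented out, and no LDAP settings are present.
SAMPLE_CONF = """\
Firewall 127.0.0.1:898:snortsam
ReputationServer 127.0.0.1:5678
#Notify mx1.your-company.com:1234:rs:sam3st0ry
<Action NotifyBlockBadConn>
Notify True
Block True
BlockDuration 1200
</Action>
<Reputation aggressive>
If ip-class = T4
If ip-class = R8
</Reputation>
<Reputation extreme>
If ip-class = T5
If ip-class = R9
</Reputation>
<Class BadGuys>
Connections 10/1h NotifyBlockBadConn
Reputation extreme
Host *
</Class>
<Class Aggressive>
Connections 10/1m NotifyDefaultConn
Reputation aggressive
Host *
BadSender REJECT
</Class>
"""

def parse_conf(text):
    """Split the file into top-level directives and <Type Name> blocks.
    Returns (top, blocks): top is [(key, value)], blocks[type][name] is
    [(key, value)] in file order (keys such as Host or If may repeat)."""
    top, blocks, current = [], defaultdict(dict), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = BLOCK_OPEN.match(line)
        if opened:
            current = (opened.group(1), opened.group(2))
            blocks[current[0]][current[1]] = []
            continue
        closed = BLOCK_CLOSE.match(line)
        if closed:
            if current is None or closed.group(1) != current[0]:
                raise ValueError(f"unexpected {line}")
            current = None
            continue
        key, _, value = line.partition(" ")
        target = blocks[current[0]][current[1]] if current else top
        target.append((key, value.strip()))
    if current is not None:
        raise ValueError(f"unterminated <{current[0]} {current[1]}>")
    return top, blocks

def lint(top, blocks):
    """Report settings that silently do nothing because their counterpart
    directive is missing or commented out."""
    findings = []
    top_keys = {key for key, _ in top}
    actions = blocks.get("Action", {})
    for name, directives in actions.items():
        settings = dict(directives)
        if settings.get("Notify") == "True" and "Notify" not in top_keys:
            findings.append(f"Action {name}: Notify True but no Notify peer line is configured")
        if settings.get("Block") == "True" and "Firewall" not in top_keys:
            findings.append(f"Action {name}: Block True but no Firewall agent line is configured")
    groups = blocks.get("Reputation", {})
    for name, directives in blocks.get("Class", {}).items():
        for key, value in directives:
            parts = value.split()
            if key in LIMIT_KEYS and len(parts) > 1 and parts[1] not in actions:
                findings.append(f"Class {name}: {key} refers to undefined Action {parts[1]}")
            if key == "Reputation" and value not in groups:
                findings.append(f"Class {name}: Reputation group {value} is not defined")
            if key == "Reputation" and "ReputationServer" not in top_keys:
                findings.append(f"Class {name}: Reputation used but no ReputationServer is set")
            if key in ("BadSender", "BadRecipients") and not LDAP_REQUIRED <= top_keys:
                findings.append(f"Class {name}: {key} needs the LDAP-* settings uncommented")
    return findings

def lint_text(text):
    return lint(*parse_conf(text))

def class_for_ip_class(blocks, ip_class):
    """Map a reputation ip-class (R8, T5, ...) to the Reputation group that
    lists it, then to the first Class in file order using that group."""
    group = next((name for name, directives in blocks.get("Reputation", {}).items()
                  if ("If", f"ip-class = {ip_class}") in directives), None)
    if group is None:
        return None
    return next((name for name, directives in blocks.get("Class", {}).items()
                 if ("Reputation", group) in directives), None)

if __name__ == "__main__":
    for finding in lint_text(SAMPLE_CONF):
        print(finding)
    _, parsed = parse_conf(SAMPLE_CONF)
    print("R8 lands in class", class_for_ip_class(parsed, "R8"))
```

Run against a real flow-control.conf, the three findings the sample produces are exactly the mistakes the default file invites: Notify True and BadSender REJECT are present while their Notify and LDAP-* lines are still commented out, and a limit can name an Action that was never defined.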
Setting                  Definition
fc_firewall_accept       Firewall agent address (snortsam, by default).
fc_firewall_port         Firewall agent port.
fc_firewall_password     Firewall agent password.
reputation_server_addr   IP/PORT address of the ctIPd daemon (127.0.0.1:$ctipd_port by default).
AutoRestart /var/sendmail/flow-control/restart.pid
ControlSocket inet:8898
Firewall 127.0.0.1:898:snortsam
##
## LDAP Settings:
##
## You must edit and uncomment these lines according to your specific
## environment to make Flow Control use the data stored in LDAP.
## Please note that you will also have to uncomment and edit all
## BadRecipient and BadSender definitions stored in this configuration
## file to activate those features.
##
#LDAP-Query-Address *@your-company.com
#LDAP-Search-Template (mailLocalAddress=%a)
#LDAP-Unavailable TEMPFAIL
Log True
MaxTracking 10000
##
## Auto Notify Hosts:
##
## You must add a line for each auto-notify host, including
## hostname, port, and password.
##
## Examples:
##
#Notify mx1.your-company.com:1234:rs:sam3st0ry
#Notify mx2.your-company.com:1234:rs:sam3st0ry
PlusDetail True
ReputationServer 127.0.0.1:5678
ReputationUnavailable TEMPFAIL
StateFile /var/sendmail/flow-control/fc.state
StateInterval 0
WarnAt 80
<Action PartnerConn>
Response ACCEPT
Message Lots of connections
</Action>
<Action ISPConn>
Response TEMPFAIL
Message Too many connections, please try again later
</Action>
<Action NotifyBlockBadConn>
Notify True
Block True
BlockDuration 1200
DisableTime 20m
Message 421 Too many connections, please try again later
Response TEMPFAIL
</Action>
<Action NotifyDefaultConn>
Notify True
Message 421 Too many connections, please try again later
Response TEMPFAIL
DisableTime 15m
</Action>
<Action NotifyDefaultRecpts>
Notify True
Message 421 Too much mail, please try again later
Response TEMPFAIL
DisableTime 15m
</Action>
<Reputation moderate>
If ip-class = R7
If ip-class = T3
</Reputation>
<Reputation aggressive>
If ip-class = T4
If ip-class = R8
</Reputation>
<Reputation extreme>
If ip-class = T5
If ip-class = R9
</Reputation>
<Reputation private>
If ip-class = G3
</Reputation>
<Class Internal>
Host 127.0.0.1
Host localhost
Host *
Reputation private
</Class>
<Class Partners>
Connections 20/1m PartnerConn
MaxConnections 50
Aggregate False
</Class>
<Class ISPs>
Host .google.com
Host .aol.com
Host .hotmail.com
Host .msn.com
Connections 20/1m ISPConn
MaxConnections 15
Aggregate False
</Class>
<Class BadGuys>
Connections 10/1h NotifyBlockBadConn
Recipients 25/1h
Reputation extreme
Host *
MaxConnections 1
Aggregate False
#BadSender REJECT
</Class>
<Class Aggressive>
Connections 10/1m NotifyDefaultConn
Host *
Reputation aggressive
Recipients 20/6m
MaxConnections 10
Aggregate False
#BadRecipients 5/1m NotifyDefaultRecpts
#BadSender REJECT
</Class>
<Class Moderate>
Connections 10/1m NotifyDefaultConn
Host *
Reputation moderate
Recipients 50/6m
MaxConnections 10
Aggregate False
#BadRecipients 5/1m NotifyDefaultRecpts
#BadSender REJECT
</Class>
<Class Default>
Connections 10/1m NotifyDefaultConn
Host *
Recipients 50/6m
MaxConnections 10
Aggregate False
#BadRecipients 5/1m NotifyDefaultRecpts
#BadSender REJECT
</Class>
MaxConnections 10
Aggregate False
#BadRecipients 5/1m NotifyDefaultRecpts
#BadSender REJECT
</Class>
4. For the Default Class, BadSender REJECT is commented out or deleted. The
BadSender and BadRecipients settings are commented out because they rely on
LDAP, which is also commented out by default.
<Class Default>
Connections 10/1m NotifyDefaultConn
Host *
Recipients 50/6m
MaxConnections 10
Aggregate False
#BadRecipients 5/1m NotifyDefaultRecpts
#BadSender REJECT
</Class>