Jun  8 10:56:24 mail dccproc[13204]: continue not asking DCC 78 seconds after 5

Jun  8 10:56:27 mail dccproc[13207]: continue not asking DCC 75 seconds after 5

Jun  8 10:56:37 mail dccproc[13228]: continue not asking DCC 65 seconds after 5

Jun  8 10:56:44 mail dccproc[13247]: continue not asking DCC 58 seconds after 5

Jun  8 10:56:49 mail dccproc[13251]: continue not asking DCC 53 seconds after 5

Jun  8 10:56:49 mail dccproc[13252]: continue not asking DCC 53 seconds after 5

Jun  8 10:56:58 mail dccproc[13272]: continue not asking DCC 44 seconds after 5

Jun  8 10:57:05 mail dccproc[13288]: continue not asking DCC 37 seconds after 5

So, there is something wrong with my dcc process.
After several google, there is only two options.
-Problem with firewall/connection
-Problem with configuration

I know, this is not a problem with firewall/connection, because I did not changed anything and the server have direct connection to the internet.

So, there must be some configuration problems.

I run cdcc info from the console, and notice there problem with the map file.
Do some google again, and find this and this.
And I do exactly what it say.

cdcc -q info map.txt
cdcc “load map.txt”

That’s it, and DCC runs again.

If you are not (yet) use DCC in your spamassassin, than you should consider to install one.

DCC is a free software, as long as you don’t sell the device or the service to to others. Reade the DCC license here.

Installation DCC may be confusing for some people (including me ), but when it installed and configured properly, it will catch more spam that you already catch.

The good point is, if the DCC already installed, than is easy to update it.  You just need to download  the updatedcc script here, and copied it to /usr/local/bin (might be different with your OS ) with the rest of DCC files.

How to update? Just run the updatedcc and the process will run automatically.

After all the process completed, do a simple check to see if your DCC already updated.

dccproc -V

It will show the version of your DCC software.

Even though that MS Exchange and MS Outlook is well integrated with Windows XP/Vista and Active Directory, the cost to installation, maintenance the system  is a nightmare.

Quote

 Within the land of IT, nothing is a bigger pain to own, manage and run than Microsoft Exchange. Everywhere you go customers have horror stories about the installation, maintenance and, above all, uptime of their Microsoft Exchange implementations. And worse yet, they will all tell you they are paying top dollar for the privilege because the expertise needed to successfully run a Microsoft Exchange server is some of the most expensive in the IT labor pool.

and more…

E-mail is considered the most mission-critical, a simple fact that is only going to become more evident once more organizations begin using Exchange as the underpinning of a unified communications architecture that is going to tie voice and video to the Exchange server. And if you think people get upset when they can’t access their e-mail, imagine what will happen when they can’t make a call because the Exchange server is down.

Please read here on Exchange Equals Profits.

Maybe this why, one of my friend is trying to migrate their mail server from MS Exchange to Lotus Domino.

The truth is,  if you going to have only mail server (web/pop/imap server), you better run linux/unix server, The are plenty of open source program that more than stable to run that.

But, if you want more than just mail server, there always be Lotus Domino.

You can find all the resources in AntiSpam Server Configuration

This simply one stop solution  for you to find out how to block spam.

I just want to add onething, which is sendmail .

I’m very surprise, because he uses Exchange with Outlook.

I remember that when he left the company, and move out to a company that used MS Exchange and Outlook, said to me softly – “Well, Outlook not so bad, everyone else using it.”

I said to him, “Yes, outlook is not so bad, many companies using it, so it must be a good software”.

Now, almost a year now, and he called me, asked me where he can buy Lotus Notes software.

He told me that he had more problem with MS Exchange and Outlook more than he expected.

He gave up, and ask for migration the mail server, the choices is OpenSourceOpenSource solutions and Lotus Notes.

So, I gave him my contact person in my IBM Business partner and waiting for the good news.

Another one, hopely, converted to Lotus Notes.

But since the ddos attack on rule semporium, I had severals problem on updating my SARE rulessets.

Since spamassassin version 3.x, spamassassin come with a little script called sa-update. Sa-update actually works like rules_du_jour script, to look for a new rulesets and update it.

As default, sa-update will look for their own update from updates.spamassassin.org (called channel), but we can create a new channels and tell sa-update to look for another rulesets. The most stable and usefull rulesets (beside spamassassin own rulesets) are from rulesemporium (SARE for short).

I will not discuss on how to use sa-update to update your SARE rulesets, because it already available (and a very good one too) in here.

But this is just a simple steps on how I do it.

1. Basically, I disabled to rules_du_jour from cron script and delete all SARE rulesets from /etc/mail/spamassassin (in my CentOS).
2. Create a new channels file and save it in /etc/. I named my channels file as sare-sa-update-channels.txt.
3. Add entry in channels file for my SARE rulesets, and don’t forget to add the default that come from spamassasin.
4. Add another cron job that run daily to run this script

sa-update –channelfile /etc/sare-sa-update-channels.txt –gpgkey 856AA88A

And this my channels file look like, you can copy paste it if you like.

updates.spamassassin.org
70_sare_adult.cf.sare.sa-update.dostech.net
70_sare_stocks.cf.sare.sa-update.dostech.net
70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net
70_sare_unsub.cf.sare.sa-update.dostech.net
70_sare_evilnum0.cf.sare.sa-update.dostech.net
70_sare_uri0.cf.sare.sa-update.dostech.net
70_sare_evilnum1.cf.sare.sa-update.dostech.net
70_sare_uri1.cf.sare.sa-update.dostech.net
70_sare_evilnum2.cf.sare.sa-update.dostech.net
70_sare_uri3.cf.sare.sa-update.dostech.net
70_sare_genlsubj0.cf.sare.sa-update.dostech.net
70_sare_whitelist_rcvd.cf.sare.sa-update.dostech.net
70_sare_genlsubj1.cf.sare.sa-update.dostech.net
70_sare_whitelist_spf.cf.sare.sa-update.dostech.net
70_sare_genlsubj2.cf.sare.sa-update.dostech.net
70_sare_genlsubj3.cf.sare.sa-update.dostech.net
72_sare_bml_post25x.cf.sare.sa-update.dostech.net
70_sare_header0.cf.sare.sa-update.dostech.net
99_sare_fraud_post25x.cf.sare.sa-update.dostech.net
70_sare_header1.cf.sare.sa-update.dostech.net
70_sare_header2.cf.sare.sa-update.dostech.net
70_sare_header3.cf.sare.sa-update.dostech.net
70_sare_html0.cf.sare.sa-update.dostech.net
70_sare_html1.cf.sare.sa-update.dostech.net
70_sare_html2.cf.sare.sa-update.dostech.net
70_sare_html3.cf.sare.sa-update.dostech.net
70_sare_obfu.cf.sare.sa-update.dostech.net
70_sare_oem.cf.sare.sa-update.dostech.net
70_sare_random.cf.sare.sa-update.dostech.net
70_sare_specific.cf.sare.sa-update.dostech.net
70_sare_spoof.cf.sare.sa-update.dostech.net

The first line will tell sa-update to look for an updates from it default channels first.

You can learn more about sa-update in here

1. IPCop as default allow all connections to the Internet. This maybe ideal for home users but not corporate users.
2. IPCop as default not support NAT 1:1. Although we can modify the iptables script (/etc/rc.d/rc.firewall.local), but it will nice to have a gui for it similar with port forwarding and external access in Firewall menu.

Other than that, overall IPCop is good firewall, stable and easy enough to manage.

IPCop Addons
IPCop addons is a bit tricky to install. I have install many addons, while most of them install flawlessly, but a few of them cause a big problem.

A Tip
Before you add patch or add an addon, please do it your test machine and see how it’s going. I have spent an entire night to fix it after I installed an addon.

I will only talk about addons that I have a problem when installing.

BlockOut Traffic (BOT).
I have no problem when installed this addon, the installation was easy, and the configuration is very straight forward. BUT after I download and install a modified kernel that support layer7 filtering from http://www.mhaddons.tk/, BOT doesn’t works anymore.
Before the modified kernel, BOT block out any traffic successfully.

But, after the modified kernel installed, nothing is blocked.
Reinstalling BOT doesn’t solved the problem.

It seem that BOT and the modified kernel can’t work together.

Finally I had to remove BOT, and manually modify the iptables to block most of the ports.

Guardian

This one cause a very big problem. I download the latest guardian (v 2.4.9.7) from http://www.mhaddons.tk/, and when installing I receive an error. I’m not sure what kind of error, it says line error or something, but the installations process continue with no further error.
Curiosity, I reinstall the Guardian, and that cause a big problem.
Connection to the IPCop servers is blocked.
When I list the iptables rules with iptables -L command, it give me surprisingly result.

Chain INPUT (policy DROP)
target prot opt source destination

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination

When I try to manually run the iptables script, it give me errors about segmentation fault.

Panic, I restart the server, still give me errors about iptables segmentation fault.

I realize that IPTables got corrupted.

Then I found out that I still able to change the default policy from DROP to ACCEPT, at least I still can access the server remotely and copy files.

No connections to the net allowed unless though proxy.
Incoming and Outgoing email pending in the mail server.

I’m not sure how can I restore the corrupted IPTables.

After some trying and errors, than I manually copy files from the original iso of IPCop from /lib/iptables and /sbin and then restart.

It solved the problem.

All the iptables rules applied and run, what a relief.

I know that I need the install the new kernel that support layer 7 filtering, but I think that enough for now. I hate another surprises.
Regarding my previous tip, now I’m looking for unused, spare PC to become my test server. I will install all new addon in there first, after successfully installed, then I will installed in the live firewall.
I hope there are no more surprises.

I do now run many addons in my IPCop, and they works wonderfully, but still a test server will be great.

After discussed it throughly, we decided to give software firewall a try. Better to postpone to buy expensive hardware firewall, and first try the software firewall that are more cheaper (or free).

The Choices

There are many software firewalls, but after googling, searching and etc, the choices are down to four.

There are:

• pfsense
• m0n0wall
• ipcop
• smoothwall

Then we choose IPCop.

Why IPCop?

First of all, I need to exclude m0n0wall and pfsense, not because they bad software (from many reviews they are good software firewall), just because I’m not that good in freeBSD.

I know that both software firewall are already design as simply as possible, but I’m affraid soon or later I need to hack on those firewall. That I want to avoid.

I’m much familiar with Linux and also familiar with iptables, so now the choices are down into two.

I choose IPCop, maybe because off the small time frame that I have, I only able to look for several places. On that short time frame, I think (maybe wrong) that IPCop have more addons, more hack available than smoothwall.

But who need addons if the firewall already complete?

I know that IPCop alone is not enough, so beside IPCop I also download many addons for IPCop, there are:

• Cop Filter
• Advance Proxy
• Update Accelerator
• URL Filter
• Calamaris
• BOT (BlockOut Traffic)
• Zerina

With these, I think IPCop will easily beat up most hardware firewall.

Surprisingly, installation for IPCop and those addons are simply enough. I had no problem at all.

Hack to allow NAT 1:1

The first problem that I had (from now) is that IPCop doesn’t support nat 1:1. There are some internals servers that need dedicated public IP such as my mail server. But luckily there are some hack for it.

I know that I already copied the hack from internet, but I forget the link.

We need to modify the /etc/rc.d/rc.firewall.local

#!/bin/sh
# Used for private firewall rules
# See how we were called.

case “$1″ in start)
## add your ’start’ rules here
#Added for zerina start – BEGIN
/usr/local/bin/openvpnctrl –create-chains-and-rules

#Added for zerina start – END
#Added for MY_SERVERS oubound IP assignment – BEGIN
/sbin/iptables -t nat -A CUSTOMPOSTROUTING -s 192.168.51.200 -o eth1 -j SNAT –to-source PUBLICIPADDRESS1
/sbin/iptables -t nat -A CUSTOMPOSTROUTING -s 192.168.51.201 -o eth1 -j SNAT –to-source PUBLICIPADDRESS2
/sbin/iptables -t nat -A CUSTOMPOSTROUTING -s 192.168.51.202 -o eth1 -j SNAT –to-source PUBLICIPADDRESS3
#Added for MY_SERVERS outbound IP assignment – END

;; stop)
## add your ’stop’ rules here
#Added for zerina stop – BEGIN
/usr/local/bin/openvpnctrl –delete-chains-and-rules
#Added for zerina stop – END
#Added for MY_SERVERS outbound IP assignment removal – EGIN
/sbin/iptables -t nat -D CUSTOMPOSTROUTING -s 192.168.51.200 -o eth1 -j SNAT –to-source PUBLICIPADDRESS1
/sbin/iptables -t nat -D CUSTOMPOSTROUTING -s 192.168.51.201 -o eth1 -j SNAT –to-source PUBLICIPADDRESS2
/sbin/iptables -t nat -D CUSTOMPOSTROUTING -s 192.168.51.202 -o eth1 -j SNAT –to-source PUBLICIPADDRESS3
#Added for MY_SERVERS outbound IP assignment removal – END
;;reload)
$0 stop $0 start
## add your ‘reload’ rules here ;; *)
echo “Usage: $0 {start|stop|reload}” ;; esac Rgds Simon. (END)

Where 192.168.51.200 -192.168.51.202 are your servers and eth1 is your red interface.

BlockOut Traffic

IPCop as default will allow all outgoing traffic from Green (Internal Lan) to Red (Internet). I need to limit that, so only a few ports will be allowed for users. This is solved with BOT (BlockOut Traffic).

Advance Proxy, URL Filter, Update Accelerator and Calamaris

Advance Proxy, URL Filter, Update Accelerators and Calamaris are big help in proxy server. Advance Proxy will replace the standard web proxy in IPCop with a new and more advance Proxy. URL filter will block certain web site, Update Accelerators will hold the update for windows like windows update and etc, and lastly Calamaris for Proxy Report.

Nice.

Cop Filter

Cop filter is another excellent addon, it will scan the http, ftp, smtp and pop3 for viruses. It also can detect for spam. But somehow, it slow down my http and pop3 connection. It take extremely a long time for me to download emails from external pop3 server. So I had to disable Cop Filter until I solved the problem.

Zerina

This will add OpenVPN support in IPCop. The installation and configuration is easy enough, even for newbie like me.

IPCop Summary

IPCop is a good firewall, and with addons you can have a complete firewall package. I just tested it for a few days, it still in testing. But so far, it works flawlessly.

If only I can export all the logs to csv files, but maybe I ask too much for a free software .

The choices is:

• Lotus Domino
• MS Exchange
• Appliances
• Open Source (Linux with sendmail, etc)
• Managed Service
• Others

What surprisingly for me is that many voters choose Lotus Domino for their MX server. Out of 48,4% from 153 voters choose Domino and the second place is Open Source with only 19%.

Why? Why use Lotus Domino as MX servers?

I have no ideas. Maybe because they stack with certain policy that they have to use Lotus Domino server as their MX servers? Or they only know about Lotus Domino? Or else?

I voted for Open Source, because I use Linux and MailScanner for my first protection against spam and viruses. Personally I found that Lotus Domino is not a good MX servers because it lack of anti spam features.

But many people will consider that Lotus Domino server license is just too expensive comparing with Open Source one, or using Lotus Domino for just as smtp server simply too much.

I’m not sure about Lotus Domino 8, but the current version (Domino 7) is lack of anti spam features. I hope the best that the new Lotus Domino 8 will have more feature for anti spam including Bayesian engine.

Able to compress attachments into a zip file.

This feature can work on both incoming and outgoing emails.

There are many third party software that sells this kind of features with expensive prices, but MailScanner will do it for free. Now I’m feel sorry for those third party softwares.

Benefits that we can have with this feature.

• For incoming emails, it will save Mail Server harddisk space.
• For outgoing emails, it will save bandwith.

This feature also can be customized.

• You can set it only for incoming emails or only for outgoing emails or both.
• You can compress attachment if the total file size more that e.g 100 kb.
• You can tell MailScanner not to compress already compressed file e.g zip, rar, jpg, mpg, etc.
• This feature can be enable for certain recipients, domains, etc with rule(s) file.

I can’t wait until it reach stable version.