| Previous | Contents | Index |
You can control which users can send to which users, what channels can send to what channels, and use hooks in PMDF to allow for dynamic, load-based rejection decisions.
28.4.5.1 Staticly Controlling e-mail Access
The PORT_ACCESS mapping table can be used to control from
what IP numbers PMDF servers will accept connection attempts; the PMDF
multithreaded SMTP server, POP3 server, IMAP server, and HTTP server
check this table when a connection attempt comes in.
The SEND_ACCESS and similar mapping tables can be used to
control, based on From: address, To: address,
and source and destination channel, what messages PMDF allows to pass
through. See Section 21.2.1 for details on the PORT_ACCESS
mapping table, and see Section 16.1 for details on the
SEND_ACCESS and similar mapping tables.
For instance, consider a PMDF firewall system with postmaster address
postmaster@example.com and with channels and rewrite rules
set up, as described in Section 28.4.1, to segregate internal SMTP
traffic onto a different channel than the tcp_local channel handling
external SMTP traffic. On such a system, minimal
PORT_ACCESS and ORIG_SEND_ACCESS mapping
tables might be along the lines of:
PORT_ACCESS TCP|*|25|*|* $Y TCP|*|*|*|* $N ORIG_SEND_ACCESS tcp_local|*|tcp_local|* $NRouting$ not$ allowed tcp_local|*|*|postmaster@example.com $Y tcp_local|*|l|* $N |
PORT_ACCESS entry shown allows incoming SMTP
connections (i.e., TCP connections to port 25) to PMDF's
multithreaded SMTP server from anywhere. The second
PORT_ACCESS entry shown disallows all other connections,
e.g., connections to the PMDF HTTP server, POP server, or IMAP
server.
The first ORIG_SEND_ACCESS entry shown disallows other
sites from routing SMTP mail by way of your system. (Note that it is
normal and useful to allow explicit routing through your system.
However, if you are worried about external users attempting to forge
e-mail so that it appears to originate from your site, you can want to
disallow the ability for routing through your system from external
sites.) For a more detailed discussion of SMTP relay blocking, and
examples of more sophisticated entries for blocking various
source-routed address variants, see Section 16.1.6. The second
ORIG_SEND_ACCESS entry is very important, as it allows
messages to be sent to your postmaster account. The third
ORIG_SEND_ACCESS entry disallows messages to any other
(than the postmaster) local mailboxes on the PMDF firewall system.
28.4.5.2 Sidelining Messages for Manual Inspection
In some cases, it can be useful to allow in but sideline certain
suspicious incoming messages (such as suspected junk e-mail)---perhaps
messages to suspiciously large numbers of recipients or messages from
particular suspicious sources---rather than simply rejecting them on
either a temporary or permanent basis. The PMDF postmaster can then
manually inspect the messages and determine the proper course:
releasing the messages for delivery processing, bouncing them back to
the original sender, or simply deleting them, if appropriate.
Note that allowing the messages onto the PMDF e-mail firewall allows them to use disk space on the PMDF system, where they will sit until the PMDF postmaster manually intervenes. So sidelining techniques should not be used unless the PMDF postmaster will in fact be checking periodically for the presence of such sidelined messages and taking action on them.
The holdlimit keyword on, for instance, the incoming
TCP/IP channel can be used to automatically sideline messages to
greater than a specified number of envelope recipients. See
Section 2.3.4.16 for details.
Rather than rejecting messages (either permanently or temporarily),
SEND_ACCESS or related mappings can be used to sideline
incoming messages via the $H flag.
28.4.5.3 Dynamically Controlling e-mail Access, and Defending Against Denial of Service Attacks
A denial of service attack is where an attacker tries (intentionally or
inadvertently) to overwhelm your system by flooding you with e-mail.
In some cases, adding a simple static entry to unconditionally reject messages from the problem address or site is a sufficient defense, particularly if you know ahead of time (or can quickly detect) that the attack is occurring; see Section 28.4.5.1 above. In other cases, however, you can either want to automate dynamic detection of message volume upswings sufficient to be considered an attack. Or you can not want to reject all messages from the problem address or site and instead want merely to "turn down the volume", i.e., slow down the flow to a level more easily managed by your users or system. For instance, you can be under a practical or legal mandate to accept certain messages, or good messages can be mixed in with the bad message flow; in such a case turning down the volume to a manageable level allows the good messages a chance to get into your system while preventing the bad messages from overloading your resources.
The PORT_ACCESS and SEND_ACCESS mapping
tables described in Section 28.4.5 above---as well as related mapping
tables discussed in Section 16.1---can be used in more sophisticated
ways than simple unconditional entries to achieve such goals, and can
indeed be hooked into dynamic, heuristic routines to decide
"Yea" or "Nay" on accepting messages, should you
choose to provide such routines.
First, on the most simple level, the PORT_ACCESS,
SEND_ACCESS or related mapping tables can take a random
argument, effectively having PMDF "flip a coin" each time it
needs to decide whether to accept a connection or message,
respectively, or in the case of SEND_ACCESS and related
mapping tables whether to sideline a message; see Section 5.3.2.5 for
details.
For more sophisticated needs, the PORT_ACCESS,
SEND_ACCESS, or related mapping tables can call out to
site-supplied shareable image routines; see Section 5.3.2.10 for details.
Such routines can, if you want, use PMDF API calls to access PMDF
counters information; this can allow for heuristic decisions based on
recent message load, comparing PMDF counters levels at one sampled time
with PMDF counters levels when checked a little later; e.g.,
"lots of messages came in to the tcp_local channel in
the last few minutes, so let us reject additional connection attempts
for the moment" or whatever decision basis you decide to implement.
On OpenVMS, it is also possible to capture a copy of PMDF's
mail.log_current output in a mailbox device; so site
supplied routines can use this information also, which is more detailed
than the PMDF counters information, in making accept or reject
decisions.
The heuristics for making dynamic decisions about accepting or rejecting messages tend to be very site specific, and involve a variety of critical issues. Note also that sites can want to keep the details of their own heuristic algorithms secure. Process Software recommends that sites interested in implementing their own denial of service prevention techniques obtain specialized consulting assistance.
Particularly when implementing dynamic rejection mechanisms, the TCP/IP
channel options ALLOW_TRANSACTIONS_PER_SESSION and
ALLOW_RECIPIENTS_PER_TRANSACTION can be of interest. The
ALLOW_TRANSACTIONS_PER_SESSION option can be used to limit
the number of messages accepted during a particular connection. After
refusing a number of connection attempts from a particular site, once
you do let them connect, they are liable to have a backlog of messages
for your site which they will try to deliver during that connection. If
you are attempting to "slow down" how much mail you accept
from that site, you likely will want to use this option to say, in
effect, "enough for now" after some point in the connection.
Similarly, the ALLOW_RECIPIENTS_PER_TRANSACTION option can
be used to limit the number of recipients allowed for a particular
message; this can be useful in protecting against a denial of service
attack in the form of messages blanketing large numbers of your users.
| Previous | Next | Contents | Index |