vaida bogdan wrote:
A solution I was going to implement was mailsnarf on GW1 but it does snat and mailsnarf still logs mails with the source ip of GW1. Any ideas on how to overcome this? (I think a comparison between "logged ip headers'" time and "virii found @ MAIL SERVER" time improper.)
iptables snat rule: SNAT all -- intif/24 anywhere to:extif
All right, this is more complicated than doing "netstat | grep smtp". You could try ClamSMTP as a transparent proxy to filter an entire network's SMTP traffic at the router (or gateway GW1).
http://memberwebs.com/nielsen/software/clamsmtp/
The log from clamsmtpd will show the real address from where the viruses came. The daemon will clean those infected emails so the mail server will only see a connection initiated and then dropped. As a side effect all uninfected messages will now also carry the real address where they come from.
I haven't used this "full transparent" proxy mode, but as "semi transparent" proxy clamsmtpd works very well.
--
René Berber
_______________________________________________ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
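Added example (not part of the thread, and not clamsmtp's own code): once clamsmtpd runs at GW1, its log records the pre-SNAT client address together with the scan result, so the infected hosts can be read straight from the log instead of being guessed by matching timestamps against the mail server. The script below joins the two log lines of each connection by connection id and reports which internal address sent which virus. The log line layout is an assumption modelled on clamsmtpd's style, and the sample lines are constructed, so adjust the two regexes to the exact format your version writes.

```python
import re
from collections import defaultdict

# Constructed sample in the style of clamsmtpd's log (format assumed, not
# copied from the project's documentation): each connection gets a numeric
# id; the first line records the real client address, a later line records
# the scan result for the message carried on that connection.
SAMPLE_LOG = """\
clamsmtpd: 100000: accepted connection from: 192.168.1.23
clamsmtpd: 100000: from=<user@intranet.example>, to=<boss@example.org>, status=VIRUS:Eicar-Test-Signature
clamsmtpd: 100001: accepted connection from: 192.168.1.40
clamsmtpd: 100001: from=<jane@intranet.example>, to=<bob@example.org>, status=CLEAN
clamsmtpd: 100002: accepted connection from: 192.168.1.23
clamsmtpd: 100002: from=<user@intranet.example>, to=<sales@example.org>, status=VIRUS:Worm.Sober
"""

# Assumed line shapes; tune these to the real log if they differ.
CONN_RE = re.compile(r"^clamsmtpd: (?P<id>\d+): accepted connection from: (?P<ip>[\d.]+)$")
STATUS_RE = re.compile(r"^clamsmtpd: (?P<id>\d+): .*status=(?P<status>\S+)$")


def infected_sources(log_text):
    """Map each real client address to the list of virus names it sent.

    The connection line carries the address, the status line carries the
    verdict; the numeric connection id ties them together, so no timestamp
    matching is needed.
    """
    ip_by_conn = {}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            ip_by_conn[m.group("id")] = m.group("ip")
            continue
        m = STATUS_RE.match(line)
        if m and m.group("status").startswith("VIRUS:"):
            ip = ip_by_conn.get(m.group("id"), "unknown")
            hits[ip].append(m.group("status").split(":", 1)[1])
    return dict(hits)


if __name__ == "__main__":
    for ip, names in infected_sources(SAMPLE_LOG).items():
        print(f"{ip}: {len(names)} infected message(s): {', '.join(names)}")
```

Run it against the daemon's log file instead of SAMPLE_LOG to get a per-host count of infected submissions; clean messages are ignored, and a status line whose connection line was not seen (log rotation mid-connection, for instance) is attributed to "unknown" rather than silently dropped.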