Spam Filtering with Port Forwarding and Geo-Location

From MikroTik Wiki
Revision as of 07:59, 26 February 2010 by Herbison (talk | contribs)

This page is a work in progress (started on February 25, 2010)

The procedures outlined in this document should work with any mail server software.

For several years I have been running a small ISP. We regularly receive approximately 20,000 legitimate emails per month. We use several servers running postfix and amavisd-new. We have servers set up for our MX records which forward to our mail storage server. We had been using greylisting (policyd v1) until recently, when I concluded that its effectiveness had diminished significantly.

We recently moved all of our servers behind a trusty power-router (mikrotik x86) firewall and I was determined to find a way to use it effectively. With all of the servers having an internal address scheme, I now have control over which mail server handles incoming mail. To this end I added a couple of extra MX records to our primary domain to fool spammers.

First off, I wanted to load balance the inbound mail. My two inbound MX records point to the router's IPs of 199.60.237.4 and 199.60.237.6, which in turn point to the respective inbound mail servers behind the firewall. So I created the following NAT rules:

add action=dst-nat chain=dstnat comment="Port forward for incoming mail" disabled=no dst-address=199.60.237.4 dst-port=25 protocol=tcp src-address=0.0.0.0/1 to-addresses=10.100.100.4 to-ports=25

add action=dst-nat chain=dstnat comment="Port forward for incoming mail" disabled=no dst-address=199.60.237.4 dst-port=25 protocol=tcp src-address=128.0.0.0/1 to-addresses=10.100.100.5 to-ports=25

add action=dst-nat chain=dstnat comment="Port forward for incoming mail" disabled=no dst-address=199.60.237.6 dst-port=25 protocol=tcp src-address=0.0.0.0/1 to-addresses=10.100.100.5 to-ports=25

add action=dst-nat chain=dstnat comment="Port forward for incoming mail" disabled=no dst-address=199.60.237.6 dst-port=25 protocol=tcp src-address=128.0.0.0/1 to-addresses=10.100.100.4 to-ports=25

If you look at the rules you will see that I am directing mail based on the source address. If the sender is in the top half of IPv4 address space (128.0.0.0/1) it will hit one server; if it is in the bottom half (0.0.0.0/1) it will hit the other mail server. This essentially makes both my primary and secondary MX records load balanced, since each public MX address receives inbound mail and splits it by the sender's position in the address space. MX failover continues to work properly in the event that one mail server goes down.
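The following is an added example to illustrate the split above; it is not code from the wiki page or from MikroTik. It parses the four `add action=dst-nat ...` rules quoted in the article, evaluates an inbound SMTP connection against them the way a RouterOS chain does (rules are tried in order, first match wins), and checks that, for each public MX address, the two `src-address` halves cover all of IPv4 with no overlap. The sender addresses used in the demonstration (100.64.1.2 and 203.0.113.9) are constructed sample values, not addresses from the page.

```python
"""Model of the dstnat split described on this page.

Added example, not code from the wiki page or from MikroTik. It parses
the four 'add action=dst-nat ...' rules quoted in the article, evaluates
an inbound SMTP connection against them with first-match semantics, and
checks that for each public MX address the src-address halves cover all
of IPv4 with no overlap.
"""
import ipaddress
import shlex

# The four rules quoted on the page, verbatim RouterOS CLI syntax.
RULES_TEXT = """
add action=dst-nat chain=dstnat comment="Port forward for incoming mail" disabled=no dst-address=199.60.237.4 dst-port=25 protocol=tcp src-address=0.0.0.0/1 to-addresses=10.100.100.4 to-ports=25
add action=dst-nat chain=dstnat comment="Port forward for incoming mail" disabled=no dst-address=199.60.237.4 dst-port=25 protocol=tcp src-address=128.0.0.0/1 to-addresses=10.100.100.5 to-ports=25
add action=dst-nat chain=dstnat comment="Port forward for incoming mail" disabled=no dst-address=199.60.237.6 dst-port=25 protocol=tcp src-address=0.0.0.0/1 to-addresses=10.100.100.5 to-ports=25
add action=dst-nat chain=dstnat comment="Port forward for incoming mail" disabled=no dst-address=199.60.237.6 dst-port=25 protocol=tcp src-address=128.0.0.0/1 to-addresses=10.100.100.4 to-ports=25
"""


def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts; shlex keeps the quoted comment whole."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "add":
            continue
        rule = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        # Normalise the address fields once so matching is cheap and exact.
        rule["src_net"] = ipaddress.ip_network(rule.get("src-address", "0.0.0.0/0"), strict=False)
        rule["dst_ip"] = ipaddress.ip_address(rule["dst-address"])
        rules.append(rule)
    return rules


def route(rules, src_ip, dst_ip, dst_port=25, protocol="tcp"):
    """First-match evaluation of the dstnat chain for one inbound connection.

    Returns the 'to-addresses' backend, or None when no rule applies
    (the packet would then not be translated at all).
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.get("disabled") == "yes":
            continue
        if r.get("protocol", protocol) != protocol:
            continue
        if r.get("dst-port") not in (None, str(dst_port)):
            continue
        if r["dst_ip"] != dst or src not in r["src_net"]:
            continue
        return r["to-addresses"]
    return None


def coverage_report(rules):
    """For each public dst-address, list uncovered IPv4 space and flag overlaps.

    Two CIDR blocks either nest or are disjoint, so subtracting each
    src-address network from what is still uncovered is exact.
    """
    report = {}
    for dst in sorted({r["dst_ip"] for r in rules}):
        nets = [r["src_net"] for r in rules
                if r["dst_ip"] == dst and r.get("disabled") != "yes"]
        overlap = any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])
        uncovered = [ipaddress.ip_network("0.0.0.0/0")]
        for net in nets:
            remaining = []
            for cand in uncovered:
                if net.subnet_of(cand):
                    remaining.extend(cand.address_exclude(net))
                elif not cand.subnet_of(net):
                    remaining.append(cand)
            uncovered = remaining
        report[str(dst)] = {"uncovered": [str(u) for u in uncovered], "overlap": overlap}
    return report


RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    # Constructed sample senders: 100.64.1.2 sits in the bottom half (0.0.0.0/1),
    # 203.0.113.9 in the top half (128.0.0.0/1). Neither is from the page.
    for src in ("100.64.1.2", "203.0.113.9"):
        for dst in ("199.60.237.4", "199.60.237.6"):
            print(f"{src} -> {dst}:25 lands on {route(RULES, src, dst)}")
    print(coverage_report(RULES))
```

Running it shows the cross-over the rules produce: a bottom-half sender reaching 199.60.237.4 lands on 10.100.100.4 while the same sender reaching 199.60.237.6 lands on 10.100.100.5, and the top half is mirrored. The coverage report is the check worth keeping when rules are edited later: if a half is ever deleted or disabled, the uncovered list for that MX address becomes non-empty and port 25 on that public IP stops forwarding for part of the Internet, which looks like an intermittent delivery failure rather than an outright outage.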