SMTP Transparent proxy

smtp-gated vel smtp-proxy
[about] [features] [supports] [security] [todo] [downloads] [bugs] [screens] [manuals] [changelog]

About

This software block SMTP sessions used by e-mail worms and viruses on the NA(P)T router. It acts like proxy, intercepting outgoing SMTP connections and scanning session data on-the-fly. When messages is infected, the SMTP session is terminated. It's to be used (mostly) by ISPs, so they can eliminate infected hosts from their network, and (preferably) educate their users.

[back to top]

Features

Features include:
  1. Transparency - is meant to be totally transparent for users, but stone-build for worms ;)
  2. Message data is intercepted on-the-fly, and scanned just before acknowledged to SMTP server
  3. Does not break AUTH, PIPELINING or STARTTLS (TLS without scanning)
  4. Can block messages if AUTH is not used (optionally passing if AUTH is not supported by MSA)
  5. Can insert source IP (pre-NAT) and ident* into message header
  6. Can block any mail from infected hosts for defined time
  7. Logging of MAIL FROM and RCPT TO (plain or as base64-ed MD5)
  8. Logging of HELO/EHLO hostname
  9. Can impose some limits on number of SMTP sessions: total, per IP, per ident*
  10. Can reject connections when load exceeds some limit
  11. Can skip spam-scanning if load is high
  12. Executing user script on certain events
  13. Scanning limited to messages up to configured size
  14. Can be used to build scanning-farm for one or more routers*
  15. Logs all connections via syslog
  16. Has nifty status screen ;)
  17. Message size limit (since 1.4.16-rc1)
  18. Outgoing XCLIENT support (since 1.4.16-rc1)
  19. Conditional content scanning depending on SMTP-AUTH status (since 1.4.16-rc1)
  20. Regular expression (regex) conditions for HELO/MAIL FROM/RCPT TO (since 1.4.16-rc1)
  21. SPF checking (since 1.4.16-rc1)
(*) when used in external mode with patched ident daemon, or with proxy-helper daemon.

[back to top]

Supports

  1. Content scanning:
    1. Clam AntiVirus daemon (clamd)
    2. mksd - daemonised version of mks_vir
    3. SpamAssassin antispam scanning
  2. Access checking:
    1. libpcre for HELO/MAIL FROM/RCPT TO match
    2. libspf2 for SPF (tested with debian libspf2 1.2.1)
  3. Uses various NAT frameworks (for standalone mode), or ident/proxy-helper* for external mode
    1. patched ident daemon
    2. proxy-helper daemon (soon)
    3. netfilter framework of Linux
    4. ipfw on FreeBSD
    5. BSD/pf (packetfilter)
    6. BSD/ipfilter

[back to top]

Security

Please remember to protect proxy listening port or you will get into trouble by providing open-relay service to spammers.
Protection can be easily achieved either by: If you want greater security about proxy code, use Grsecurity patch for linux kernels.

If you want to run proxy as root, this probably means that you should skip this page and rather read some books about Unix administration.
Do not, I repeat, do not run it as root.

[back to top]

TODO

  1. code cleanup
  2. proper netfilter-tproxy support

[back to top]

Downloads

Sources released under GNU License.
See ChangeLog (polish)

If you use this software, please send me an e-mail with comment. Thanks.

Latest version:
[24.01.2008] smtp-gated.1.4.16-rc1.tar.gz

Remember to check for renamed configuration variables! See ChangeLog (polish)

Older versions:
[11.12.2006] smtp-gated-1.4.15.1.tar.gz
[11.12.2006] smtp-gated-1.4.15.tar.gz
[11.05.2006] smtp-gated-1.4.14-rc1.tar.gz
[02.12.2005] smtp-gated-1.4.12-rc9.tar.gz
[27.10.2005] smtp-gated-1.4.12-rc8.tar.gz

Since 1.4.12-rc1 embedded .spec file allows building rpm packages using: If you receive an error during the procedure above:
  1. copy .tar.gz archive to SOURCES subdirectory of RPM tree
  2. extract .spec file from tarball SPECS subdirectory of RPM tree
  3. type rpmbuild -bb SPECS/smtp-gated.spec


[back to top]

Bugs

If something does not work as you expect, please check smtp-gated.conf.5 manual first (especially CAVEATS section).
If you still think there is a bug, please:
  1. make sure, you are using the latest version
  2. attach description of current behaviour, and the correct one (if appropriate)
  3. attach configuration file
  4. attach smtp-gated compile-time configuration, generated by smtp-gated -V
  5. attach logs (with log_level debug)
  6. be more descriptive than "something does not work"!

DescriptionVersionStatus*Temporary fix
Proxy is useless on 64-bit architectures (dump core with "!BUG!" message in log) <= 1.4.16-rc1confirmed-
In pf mode connection fails with Lookup failed: No such file or directory <= 1.4.15.1fixed/confirmedreplace PF_IN with PF_OUT in lookup.c
Proxy dies with "accept error: Software caused connection abort" or similar <= 1.4.14-rc1fixed/confirmed-
user lock not set when spam found <= 1.4.12-rc3fixed/confirmed-
spool not deleted when pipeline is full <= 1.4.12-rc3fixed/confirmed-
compilation problem on gcc-4
(vars.h: syntax error before string constant)		 <= 1.4.12-rc3fixed/confirmeduse gcc-3
FreeBSD ipfw support not detected <= 1.4.12-rc3pendingforce support with
./configure --enable-nat
(stupid) memleak in main loop <= 1.4.12-rc2fixed/confirmed-
compilation problem on gcc-2.95
(unnamed struct/union that defines no instance)		 == 1.4.11fixed/confirmeduse gcc-3
SpamAssassin support may be buggy <= 1.4.9fixed/confirmed-
.pid file created with random rights == 1.4.5fixed/confirmed-
log_level does not work properly <= 1.4.4fixed/confirmedleave default
Problem with process counting <= 1.4.3fixed/confirmed-
Possibly breaks CHUNKING (RFC3030) *pendingleave chunking support disabled (default)
user gets locked, but still can send e-mails
(when proxy running as root)		 *correct behaviourdo not run proxy as root, use set_user
(*) Note: fixed means: [will be] fixed in next release (above 'Version' shown)

[back to top]

Screens

Normal session log (without syslog headers): 
smtp-gated[22739]: NEW (1/1) src=194.*.*.*:17536, ident=********, dst=213.*.*.*:25, id=1110******.22739
smtp-gated[22739]: EHLO host=194.*.*.*, ident=********, helo=*****
smtp-gated[22739]: DATA:REQUEST
smtp-gated[22739]: DATA:GOING
smtp-gated[22739]: DATA:SCANNING size=23302, host=194.*.*.*, ident=*****
smtp-gated[22739]: SCAN:CLEAN size=23302, time=0, host=194.*.*.*, ident=*****
smtp-gated[22739]: SPAM:CLEAN size=23302, time=8, host=194.*.*.*, ident=*****, result=-2.800000
smtp-gated[22739]: DATA:FINISHED [250]
smtp-gated[22739]: CLOSE by=server, rcv=23438/282, trns=1, rcpts=1, time=15, host=194.*.*.*, ident=*****
... and when virus has been caught: 
smtp-gated[21422]: NEW (1/1) src=194.*.*.*:48059, ident=*****, dst=194.*.*.*:25, id=1110******.21422
smtp-gated[21422]: DATA:REQUEST
smtp-gated[21422]: DATA:GOING
smtp-gated[21422]: DATA:SCANNING size=704, host=194.*.*.*, ident=*****
smtp-gated[21422]: SCAN:VIRUS size=704, time=0, host=194.*.*.*, ident=*****, virus=Eicar-Test-Signature
smtp-gated[21422]: SESSION TAKEOVER: host=194.*.*.*, ident=*****, trns=1, reason=Malware found / Znaleziono wirusa (
Eicar-Test-Signature)
smtp-gated[21422]: CLOSE:TAKEN
Status screen 1: 
Start time:   Thu Mar  3 17:06:21 2005
Restart time: Tue Mar 15 14:34:41 2005
Uptime:   11d 21h 28m 22s
Found:    43/0 (viruses/spam)
Children: 1/18 (current/max)
Requests: 25238/113/7506 (total/direct/empty)
Rejects:  0/458/10421/0 (host/ident/lock/other)

slot pid   state    time  source          target          trns   cli_rx   srv_rx    kbps ident
  47 681   data     50:14 194.*.*.*       212.*.*.*          1 42727701      201   110.8 ********

Status screen 2: 
Version:      1.4.15.1
Dump time:    Tue Oct  9 13:26:56 2007
Start time:   Thu Dec 28 13:43:53 2006
Restart time: Thu Feb  1 15:27:06 2007
Uptime:   284d 22h 43m 3s
Resource: 0/0/0/0 (maxrss/ixrss/idrss/isrss)
Children: 2/40 (current/max)
Found:    173/1844/0 (viruses/spam/no-auth)
Requests: 19343876/7034/417031 (total/direct/empty)
Rejects:  297/127989/18576865/10365 (host/ident/lock/other)

slot pid   state    flags time  source          target          trns   cli_rx   srv_rx    kbps ident
  62 4453  data     A     00:04 194.*.*.*       86.*.*.*           1   322761      235   630.4 ********
  63 27409 data     A     00:08 194.*.*.*       217.*.*.*          1   340394      280   332.4 ********
[back to top]

Manuals

All documentation files are distributed within doc/ subdirectory of source package.

You can view (old) documentation online: But: configuration manual above do not necessary reflect all options available.
It can contain options that do not exist anymore, or event do not yet exist in the most recent release.
You can always get all available options by running smtp-gated -t
or even options with possible values by smtp-gated -T

Some examples are in lib/ directory found in source tree. Here are some other examples:
[back to top]


(c) 2005-2008 Bartłomiej Korupczyński
contact