GeoIP
GeoIP qpsmtpd plugin
Description
The GeoIP plugin records the country each inbound SMTP connection comes from. If too much spam is arriving from a particular country, the logs will show it, and the same lookup can then be used to reject connections from that country at connect time, taking the load off the server.
Download and install
GeoIP plugin
We need the GeoIP package and its Perl interface (Geo::IP), neither of which is installed on SME by default. Both are available through yum. GeoIP lives in the extras repository, which is disabled by default, so we enable it for this one install:
yum --enablerepo=extras install perl-Geo-IP
Yum resolves the dependency, so installing perl-Geo-IP pulls in the GeoIP package (library and geoiplookup command) as well.
GeoIP database
We also need the country database itself. MaxMind updates the free edition monthly, so it has to be re-downloaded every month (or bought as a subscription) to stay accurate. The library looks for it in one specific directory, so change to that directory first:
cd /var/lib/GeoIP
Now fetch the latest database. A copy is packaged in the repositories, but it is out of date; download the current one directly from MaxMind:
wget http://www.maxmind.com/download/geoip/database/GeoIP.dat.gz
The download is gzip-compressed. Decompress it in place, which leaves /var/lib/GeoIP/GeoIP.dat:
gunzip GeoIP.dat.gz
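Because the free database goes stale within a month, the download above is something you will repeat from cron. The script below is an added example (not from the original page or the smeserver-geoip package) showing how to do that refresh without ever leaving qpsmtpd looking at a truncated or half-written GeoIP.dat: fetch under a temporary name, decompress, sanity-check, then rename over the live file. The function names, the optional fetch-command parameter and the GEOIP_VERIFY switch are this example's own; the URL and the directory are the ones used on this page.

```shell
#!/bin/sh
# Added example: safe monthly refresh of the MaxMind country database.
# Not part of the original page or of smeserver-geoip.

GEOIP_DIR=/var/lib/GeoIP
GEOIP_URL=http://www.maxmind.com/download/geoip/database/GeoIP.dat.gz

# Default fetcher, called as "<cmd> <output-file> <url>"; uses wget as the page does.
fetch_with_wget() {
    wget -q -O "$1" "$2"
}

# update_geoip_db DIR URL [FETCH_CMD] [MIN_BYTES]
#   Downloads to a temporary name in DIR, decompresses, rejects anything
#   smaller than MIN_BYTES (the real country database is well over a
#   megabyte; the default catches an HTML error page saved as a "database"),
#   optionally checks the file with geoiplookup -f, and only then renames it
#   over DIR/GeoIP.dat. rename(2) is atomic, so a qpsmtpd process opening
#   the file at the same moment sees either the old database or the new one.
#   Set GEOIP_VERIFY=no to skip the geoiplookup check (used by the tests).
update_geoip_db() {
    dir=$1
    url=$2
    fetch=${3:-fetch_with_wget}
    min_bytes=${4:-1000000}

    tmp=$(mktemp "$dir/GeoIP.dat.XXXXXX") || return 1
    # mktemp created an empty placeholder; gunzip will recreate $tmp itself.
    rm -f "$tmp"

    if ! "$fetch" "$tmp.gz" "$url"; then
        rm -f "$tmp.gz"
        return 1
    fi
    if ! gunzip "$tmp.gz"; then
        rm -f "$tmp" "$tmp.gz"
        return 1
    fi

    size=$(wc -c < "$tmp")
    if [ "$size" -lt "$min_bytes" ]; then
        rm -f "$tmp"
        return 1
    fi
    # Make sure the new file actually resolves a known address (the page's
    # own test address) to a two-letter country before putting it into service.
    if [ "${GEOIP_VERIFY:-yes}" = "yes" ] && command -v geoiplookup >/dev/null 2>&1; then
        if ! geoiplookup -f "$tmp" 216.17.211.37 | grep -q 'Country Edition: [A-Z][A-Z],'; then
            rm -f "$tmp"
            return 1
        fi
    fi

    chmod 0644 "$tmp" && mv -f "$tmp" "$dir/GeoIP.dat"
}

# Run the real update only when invoked with --run, so the file can also be
# sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    update_geoip_db "$GEOIP_DIR" "$GEOIP_URL" || { echo "GeoIP update failed" >&2; exit 1; }
fi
```

Save it somewhere like /usr/local/sbin/update-geoip.sh and call it with --run from a monthly cron entry. A failed or undersized download returns non-zero and leaves the previous GeoIP.dat untouched, which is the property you want from anything that feeds an SMTP-time decision.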
GeoIP qpsmtpd plugin
The SMTP receiving component of SME is qpsmtpd, which is built around plugins that can be switched on or off individually, or written from scratch when needed. The GeoIP plugin ships with SME but is turned off. I've created an RPM that enables it; it isn't in any of the repositories, but it's attached to a bug in the bug tracker here: http://bugs.contribs.org/attachment.cgi?id=1149
Download it with your desktop PC and transfer it onto your SME Server with WinSCP (search the web for it if you haven't used it before).
Now install the RPM:
rpm -Uvh smeserver-geoip-1.0.0-b1.noarch.rpm
Testing
Now that the package and database are installed, test the lookup with an IP address:
geoiplookup 216.17.211.37
It should return:
GeoIP Country Edition: US, United States
The result is the two-letter country code (US) followed by the country name. geoiplookup also accepts a host name, which it resolves first:
geoiplookup contribs.org
Same result, so lookups work for both IP addresses and host names. A few more, from around the world:
geoiplookup gormand.com.au
It should return:
GeoIP Country Edition: AU, Australia
And again:
geoiplookup e-smith.com
It should return:
GeoIP Country Edition: CA, Canada
One last time:
geoiplookup swerts-knudsen.dk
It should return:
GeoIP Country Edition: DK, Denmark
Usage
Tracking e-mail
The GeoIP plugin now runs on every connection. Check the qpsmtpd log and you will see a country line for each connecting host:
cat /var/log/qpsmtpd/current
Reading that by hand is tedious, so a short shell script will total the countries for us.
First, create the script:
vi geoipstats.sh
Insert the following:
#!/bin/sh
# Count qpsmtpd connections by GeoIP country code.
# Read every qpsmtpd log file (current plus the rotated multilog files),
# keep the lines the GeoIP plugin wrote, take the two-letter code at the
# end of each line, then count and sort by frequency.
cat /var/log/qpsmtpd/* | \
  grep 'GeoIP Country:' | \
  sed -e 's/^.*\(..\)$/\1/' | sort | uniq -c | sort -n
Now run it. It prints the number of connections logged per country code, with the busiest countries last:
sh geoipstats.sh
That shows where your mail comes from. If the answer is "thousands of messages from RU (Russia), and I don't know anyone there", remember that every one of those connections is also put through the rest of the spam checks before it is thrown away, which costs the server resources it could spend on legitimate mail. In the next section we block the countries we consider bad.
Blocking email
Add the country codes to the qpsmtpd entry in the SME configuration database, comma-separated and using the same two-letter codes that geoiplookup prints. In our case Russia and Poland are causing the trouble; list whatever countries you wish:
config setprop qpsmtpd BadCountries RU,PL
Signal the email-update event so the qpsmtpd configuration is regenerated with the new setting:
signal-event email-update
No more mail from RU or PL. The lookup is a read of the local GeoIP.dat file rather than a DNS query, so it is very fast, and the plugin runs before most of the others, so the connection is rejected before the server spends any effort on blacklist checks or spam scanning. Two caveats: the database is only as current as your last download, and a country-level block rejects legitimate senders in those countries too, so review the list with config show qpsmtpd and keep an eye on /var/log/qpsmtpd/current after enabling it.
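To tie the tally in "Tracking e-mail" to the BadCountries setting above, here is an added example (not from the original page or the smeserver-geoip package) that counts the logged countries more robustly than the last-two-characters sed and turns the result into the exact config setprop line to run, while never proposing a country you have said you must keep receiving from. It assumes, as the page's own pipeline does, that the plugin logs lines ending in "GeoIP Country: XX"; the sample log lines are constructed in the multilog shape qpsmtpd writes, and the function names and the keep-list parameter are this example's own.

```shell
#!/bin/sh
# Added example: per-country tally of qpsmtpd GeoIP log lines and a
# BadCountries suggestion built from it. Not part of the original page.
# On a live server feed the real logs instead of SAMPLE_LOG:
#     cat /var/log/qpsmtpd/* | tally_countries

# Constructed sample log lines (tai64n stamp, pid, hook, plugin message).
SAMPLE_LOG='@4000000049d2c8f30a3b9c6c 22861 (connect) geoip: GeoIP Country: RU
@4000000049d2c8f40b1c2d3e 22863 (connect) geoip: GeoIP Country: US
@4000000049d2c8f50c2d3e4f 22865 (connect) geoip: GeoIP Country: RU
@4000000049d2c8f60d3e4f50 22867 (connect) geoip: GeoIP Country: PL
@4000000049d2c8f70e4f5061 22869 (connect) geoip: GeoIP Country: Unknown
@4000000049d2c8f80f506172 22871 (connect) geoip: GeoIP Country: RU
@4000000049d2c8f910617283 22873 (connect) geoip: GeoIP Country: PL
@4000000049d2c8fa11728394 22875 (connect) geoip: GeoIP Country: US
@4000000049d2c8fb12839405 22877 (connect) geoip: GeoIP Country: RU
@4000000049d2c8fc13940516 22879 (connect) geoip: GeoIP Country: PL
@4000000049d2c8fd14a51627 22881 (connect) geoip: GeoIP Country: CA'

# stdin: log lines. stdout: "COUNT CODE" per two-letter code, busiest first.
# The sed keeps only the field after "GeoIP Country:" and only when it is
# exactly two capitals, so "Unknown" or a stray trailing space cannot turn
# into a bogus code the way "take the last two characters" would.
tally_countries() {
    sed -n 's/.*GeoIP Country: *\([[:upper:]][[:upper:]]\)[[:space:]]*$/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# suggest_bad_countries THRESHOLD [KEEP]
#   stdin: tally_countries output. stdout: codes seen at least THRESHOLD
#   times, comma-separated as the BadCountries property expects, minus any
#   code in the comma-separated KEEP list (countries you do business with).
suggest_bad_countries() {
    awk -v t="$1" -v keep=",${2:-}," '
        $1 >= t && index(keep, "," $2 ",") == 0 {
            out = out (out == "" ? "" : ",") $2
        }
        END { print out }'
}

# print_block_commands THRESHOLD [KEEP]
#   stdin: log lines. Prints the commands from the page rather than running
#   them, so the list gets a human look before the server config changes.
print_block_commands() {
    bad=$(tally_countries | suggest_bad_countries "$1" "${2:-}")
    if [ -n "$bad" ]; then
        echo "config setprop qpsmtpd BadCountries $bad"
        echo "signal-event email-update"
    fi
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | tally_countries
    # Block anything seen three or more times, but never US.
    printf '%s\n' "$SAMPLE_LOG" | print_block_commands 3 US
fi
```

Run it with --demo to see the tally and the suggested commands for the sample; on the server, replace SAMPLE_LOG with the real log files. The threshold and keep list are the two knobs that matter in practice: a country that sends you one spam and one customer order should never end up in BadCountries on the strength of a raw count.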