GeoIP

From SME Server


GeoIP qpsmtpd plugin

Description

GEOIP QPSMTPD PLUGIN

The GEOIP plugin lets us know where our mail server is receiving mail from. If we're receiving too much spam from a particular location, this will help track it down. We can then use that info to reject connections from that place taking the load off our server.

Download & Install GeoIP Plugin

INSTALL THE GEOIP

We need the GEOIP package and the Perl interface to it, but neither is installed on SME by default. We'll have to grab the packages from yum. Yum has access to different public repositories where packages are available; GEOIP is in the EXTRAS repo. We'll enable that repo and install them.

yum --enablerepo=extras install perl-Geo-IP 

Yum does the magic and knows to install both the program and the interface.

Download & Install GeoIP Database

INSTALL THE GEOIP DATABASE

We also need the GEOIP DATABASE. This database is updated monthly by a company called MaxMind, so to stay accurate we'll have to download it every month or pay for their subscription service. The database needs to be in a specific location or it won't work. We'll change to that location.

cd / 
cd /var/lib/GeoIP 

Now we'll get the latest database. The database is also in the repositories but it's outdated. We'll grab the most recent directly from MaxMind.

wget http://www.maxmind.com/download/geoip/database/GeoIP.dat.gz 

The database is zipped. We'll have to unzip it.

gunzip GeoIP.dat.gz 

Testing

TEST THE GEOIP

Now that the package and database are installed, we can test it.

geoiplookup 216.17.211.37 

It should return:

GeoIP Country Edition: US, United States

It gives us the country code (US) and the long name (United States). Let's test it again with a domain name.

geoiplookup contribs.org 

Same result. So we know it works with IP ADDRESSES or DOMAIN NAMES. Let's test it again around the world.

geoiplookup gormand.com.au 

It should return:

GeoIP Country Edition: AU, Australia 

Now again.

geoiplookup e-smith.com 

It should return:

GeoIP Country Edition: CA, Canada 

One last time:

geoiplookup swerts-knudsen.dk 

It should return:

GeoIP Country Edition: DK, Denmark

Download & Install the GeoIP qpstmpd plugin

ENABLE THE GEOIP QPSMTPD PLUGIN

The email receiving component of SME is called QPSMTPD. It's great because it allows us to turn plugins on or off, or create our own when we need to. The GEOIP plugin is already in SME but it's turned off. I've created an RPM but it's not in any of the repos; it's attached to a bug in the bug tracker here: http://bugs.contribs.org/attachment.cgi?id=1149

You can download this with your desktop pc and transfer this onto your SME SERVER with WINSCP. If you don't know what WINSCP is, you can google it.

Now you can install the rpm:

rpm -Uvh smeserver-geoip-1.0.0-b1.noarch.rpm

Use the GeoIP to track

The GEOIP plugin should now be doing its work. Check the qpsmtpd logs and you'll see the countries from which mail is being sent.

cat /var/log/qpsmtpd/current 

We'll use a simple shell script to do the work then we'll run it. First change to your working directory.

cd ~

Now create the script.

vi geoipstats.sh

Insert the following:

  #!/bin/sh
  # Read every qpsmtpd log file (current and rotated), keep only the
  # lines the GeoIP plugin writes, cut each line down to the two-letter
  # country code at its end, then count the codes and sort by count.
  grep -h 'GeoIP Country:' /var/log/qpsmtpd/* | \
    sed -e 's/^.*\(..\)$/\1/' | \
    sort | uniq -c | sort -n

Now run the script. It will show the number of messages sent by country code.

sh geoipstats.sh

See where your mail is coming from. Now ask the question, "why am I receiving thousands of emails from RU (Russia)? I don't even know anyone there." Good point. In addition, your server has to process all that mail, taking resources away from everything else it does. In the next section we'll block the countries that we consider bad.

Use the GeoIP to block

Add the country codes to the SME configuration database as the BadCountries property of the qpsmtpd service. In our case, Russia & Poland seem to be causing issues.

config setprop qpsmtpd BadCountries RU,PL

Signal the email-update event.

signal-event email-update

No more mail from RU or PL. The beauty of this is that the SME SERVER lookups happen locally against the local database rather than looking up the IP address via DNS, which results in very fast responses. In addition, the plugin runs before most other plugins, so the mail is dropped before the SME SERVER even has to check whether the sender is on a blacklist or whether the message is spam.
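As an added example (not code from the SME Server wiki or from the qpsmtpd plugin), the script below ties the two previous sections together: it counts connections per country from qpsmtpd log lines and then reports how many of them a given BadCountries value would have rejected, so you can size the effect of a setting before you apply it. The sample log lines are constructed; only the "GeoIP Country: XX" token matches what the page says the plugin writes, and the rest of each line's shape is an assumption. Unlike geoipstats.sh above, it matches on that token rather than on the last two characters of the line, so trailing whitespace or extra fields do not produce bogus codes.

```shell
#!/bin/sh
# Added example for the SME Server GeoIP page; not part of the page or the
# plugin. Summarises qpsmtpd GeoIP log lines and previews a BadCountries
# setting. The sample log below is CONSTRUCTED: only the "GeoIP Country: XX"
# token is taken from the page, the line layout is an assumption.

# Constructed stand-in for lines from /var/log/qpsmtpd/current.
SAMPLE_LOG='@4000000000000001 1001 connect from 203.0.113.5 GeoIP Country: RU
@4000000000000002 1001 connect from 198.51.100.7 GeoIP Country: US
@4000000000000003 1002 connect from 203.0.113.9 GeoIP Country: RU
@4000000000000004 1003 connect from 192.0.2.44 GeoIP Country: PL
@4000000000000005 1004 connect from 203.0.113.12 GeoIP Country: RU
@4000000000000006 1005 connect from 198.51.100.8 GeoIP Country: US
@4000000000000007 1006 rcpt to <user@example.com> (no GeoIP line here)'

# geoip_counts: read log lines on stdin, print "COUNT CODE" per country,
# least frequent first (same ordering as geoipstats.sh on the page).
# Lines without a "GeoIP Country: XX" token are ignored.
geoip_counts() {
    sed -n 's/.*GeoIP Country: \([A-Z][A-Z]\).*/\1/p' \
      | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# is_bad_country CODE BADLIST: succeed (exit 0) when CODE appears in the
# comma-separated BADLIST, which is the format of the qpsmtpd BadCountries
# property on the page (e.g. "RU,PL").
is_bad_country() {
    code=$1
    badlist=$2
    case ",$badlist," in
        *",$code,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# blocked_share BADLIST: read log lines on stdin and print how many
# GeoIP-tagged connections BADLIST would have rejected.
blocked_share() {
    badlist=$1
    geoip_counts | while read -r count code; do
        if is_bad_country "$code" "$badlist"; then
            echo "$count"
        fi
    done | awk '{s += $1} END {print s + 0}'
}

# Stand-alone demo on the constructed sample.
echo "Connections by country:"
printf '%s\n' "$SAMPLE_LOG" | geoip_counts
echo "Would be rejected with BadCountries=RU,PL: $(printf '%s\n' "$SAMPLE_LOG" | blocked_share RU,PL)"
```

On a real server, replace the sample with `cat /var/log/qpsmtpd/* | geoip_counts` and pass the value you intend to set with `config setprop qpsmtpd BadCountries` to `blocked_share`; if the number it prints is most of your traffic and none of it is mail you want, the setting is probably right.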