Turnaway

A mini SMTP daemon to tell unwanted connections to "go away"

Turnaway now has two variants. The original still answers incoming connections on port 25 on outMX-only hosts. That gives a real connection to remote hosts that probe every incoming connection to check whether the sending host listens on port 25. It should ONLY sit on a host whose MX record in DNS points to another "host".

The second variant is used with firewall divert rules, to channel abusive bounce-spam hosts, and hosts sending bogus virus warnings to forged senders, when they ATTEMPT to connect to your normal MX host. This requires specialty firewall divert and NAT rules capable of diverting only that traffic. It need not run on the same host as the firewall, nor on the same host as the normal MTA whose traffic it is capturing.

Each daemon normally starts as root, which lets it bind a reserved port and write its pid file to a restricted directory; it then sheds those privileges when it backgrounds itself. Each logs (as preset) to the standard maillog facility.

Why use the minidaemon? The main reason is to spare the forking or threaded main mail daemon the startup cost of handling unwanted connections. It also allows load balancing of unwanted connections onto other host(s). It's a good alternative to DENY and UNREACH firewall rules, as it quickly disposes of the connection. In each variant, the mini-daemon completes a full, low-impact TCP handshake, then sends a go-away message in lieu of the 220 SMTP greeting.

CAVEAT: There are quite a few direct-to-MX spamwares, as well as a few b0rken out-MX daemons, that choke on a multi-line greeting and drop the connection immediately. Of course these daemons drop the connection themselves as soon as the banner is sent, so that isn't as big a deal as it would be with a true multi-line 220.


LICENSE: Each of these is free for use, in original or modified format but ONLY on hosts operated by individuals/organizations that are fascist about not allowing outgoing spam, including bounce spam (outscatter), and only by those accepting BSD-License style disclaimers of responsibility for author(s), re-distributor(s) and agents. This may be included in CD distributions, on FTP or web sites, provided that the version distributed is reasonably current and a copy of these terms is included. No support is guaranteed by the author, nor distributors. This is "use at your own risk" ware.

The purpose of both of these programs is to BLOCK the receipt of E-Mail. Neither is 100% effective at blocking unwanted mail, nor at letting wanted mail through. It is similar to a "twist" tcpwrapper directive in hosts.allow (or hosts.deny), except that it runs as a full-time daemon rather than as an inetd-launched on-demand daemon.

  • turnawaymail.c v0.1.3 for outMX-only hosts.
    MD5 (turnawaymail.c) = 3cebe6eeb7f7aafe2a8cedbcd29a0ce7
    Format: turnawaymail '<geolocation>' '<IPv4[:port] name>' ...
    
            geolocation     displayed "in ..." as below
            IPv4            local IPv4 address in dot notation, and may be 0.0.0.0
                            to bind all available listen addresses on port.
            port            integer port number 1..65535, default 25
            name            name to be used when answering.
    
    The IPv4:port name may be one or a pair of parameters,
    and may be repeated up to 0 total to specify additional interfaces.
    Program rebuffs connected clients with a message much like the below.
    ====[sent to connecting clients]====================
    421-example.com TurnAway v0.1.3 (not) ready at Mon, 01 Sep 2003 07:30:17 -0600 (MDT);
    421-in Somecity, Earth.  Incoming mail services are not
    421-available at this IP:port.  Please use proper MX or SRV lookups.
    421 Your mail software MAY be broken.  Closing connection.
    ====================================================
    
    The reference to SRV lookups is for use of this daemon on non-MSA hosts, port 587.

  • turnawayblocked.c v0.1.6 to catch NAT diversion of unwanted connections aimed at actual MX hosts.
    MD5 (turnawayblocked.c) = 47b888281cab89175585193dd274963a
    Format: turnawayblocked '<geolocation>' '<IPv4[:port] name>' ...
    
            geolocation     displayed "in ..." as below
            IPv4            local IPv4 address in dot notation, and may be 0.0.0.0
                            to bind all available listen addresses on port.
            port            integer port number 1..65535, default 25
            name            name to be used when answering.
    
    The IPv4:port name may be one or a pair of parameters,
    and may be repeated up to 0 total to specify additional interfaces.
    Program rebuffs connected clients with a message much like the below.
    ====[sent to connecting clients]====================
    554-example.com ESMTP TurnAway v0.1.6 at Mon, 01 Sep 2003 07:31:23 -0600 (MDT);
    554-in Somecity, Earth.  Your mailserver connection is being denied.  Abusive
    554-forwarding of viri and/or bogus virus reports and/or bounces from this host
    554-are the reason.  You have been running a common, but broken mail setup.
    554-Please do NOT send these to forged addresses.  Rather, reject such
    554 while the ACTUAL forger is still connected.  Closing connection.
    ====================================================
    
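As an added illustration (not code from the Turnaway sources) of the argument form and the 421 rebuff shown above: parsing one IPv4[:port] listen argument with the page's default port of 25, building the multi-line reply in proper "421-"/"421 " form, and answering an accepted connection with it before closing. Function names are my own.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Parse one "IPv4[:port]" listen argument (the page's form) into a sockaddr_in.
 * Port defaults to 25; returns 0 on success, -1 on a bad address or port. */
int parse_listen_arg(const char *arg, struct sockaddr_in *sa)
{
    char host[INET_ADDRSTRLEN];
    const char *colon = strchr(arg, ':');
    size_t hlen = colon ? (size_t)(colon - arg) : strlen(arg);
    long port = 25;
    if (hlen == 0 || hlen >= sizeof host) return -1;
    memcpy(host, arg, hlen); host[hlen] = '\0';
    if (colon) {
        char *end;
        port = strtol(colon + 1, &end, 10);
        if (colon[1] == '\0' || *end != '\0' || port < 1 || port > 65535) return -1;
    }
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons((uint16_t)port);
    return inet_pton(AF_INET, host, &sa->sin_addr) == 1 ? 0 : -1;
}
/* Build the multi-line 421 rebuff sent in lieu of the 220 greeting: every line
 * but the last carries "421-", the last "421 " (RFC 5321 multi-line reply form).
 * Returns the byte length, or -1 if buf is too small (never send a cut banner). */
int build_rebuff(char *buf, size_t n, const char *name, const char *geo, const char *date)
{
    int len = snprintf(buf, n,
        "421-%s TurnAway v0.1.3 (not) ready at %s;\r\n"
        "421-in %s.  Incoming mail services are not\r\n"
        "421-available at this IP:port.  Please use proper MX or SRV lookups.\r\n"
        "421 Your mail software MAY be broken.  Closing connection.\r\n",
        name, date, geo);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}
/* Once accept() returns (the kernel has done the TCP handshake), send the rebuff
 * and close without ever reading client data; a failed write means the peer left. */
void rebuff_client(int fd, const char *banner)
{
    ssize_t n = write(fd, banner, strlen(banner));
    (void)n;                          /* peer already gone: nothing to retry */
    shutdown(fd, SHUT_RDWR);
    close(fd);
}
```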

Of course, it is possible to run both turnawayblocked and turnawaymail on the same non-mailhost using nearly the same NAT techniques. Binding multiple <IPv4[:port] name> parameters is untested and thought to be broken (incompletely implemented). It is of limited use anyway, as a separate message is generally desirable for different virtual-hosting mailservers, even on the same physical host.

The PID file is hard-coded to binaryname.pid in /var/run/. Hence, just making multiple links to the binary with different names solves PID-file collisions. These programs should never be installed SUID-root, but are normally run from rc.d or rc.firewall as root, shedding root privileges after writing the PID file and binding to the reserved port! The normal install point would be /usr/local/sbin/ or /usr/local/libexec/ on well-organized *BSD systems, and probably /usr/sbin/ or /etc/ on most Linux hosts. It has not yet been tested on any Linux variant, in either form.


TODO: (assistance welcome)

  • Check PID file on launch, rather than just counting on an already bound port to prevent multiple instances with the same PID file.
  • Write manpages for these.
  • Document exits
  • Write guidelines for specialty by-external-origin NAT for various firewalls and routers, or link to existing guidelines.
  • Clone again, turnawayblocked into turnawayspammer with a different message for spamsources and bogons which are permanently blocked.
  • Clone again, turnawayblocked into turnawayabused with a different message for promiscuous proxies, supporting HTTP, too.
  • Clone again, turnawayblocked into turnawayworm with a different message for infected hosts, supporting HTTP, too.
  • Iron out multiple-listen-per-daemon flaws, and use FDSET polling.
  • Add IPv6 support
  • Move release to abuse.SourceForge.net and repurpose project. GNU-jwhois is quite enough to replace the original project, there. Entire site needs to be re-audited for content.
  • Add a .png and .ico icon to this webpage and its eventual mirror at SourceForge. Probably a flaming "T".

Ref: rNAT rules for iptables can be found in the SMTP::Honeypot. Reverse NAT in IPFirewall is done via divert sockets and an instance of natd. Similar facilities are available with pf.