spam prevention - Securing smtp with login

12
2013-08
  • Paul Peelen

    I have an ispconfig server, and it seems that someone is using it to send spam. I got about 130 "Mail Delivery System" emails about sent email being declined.

    This spammer uses my email address as the sent-from address, so I get all these emails in my mailbox. I am using Postfix and Courier. I installed my server according to this guide: http://www.howtoforge.com/perfect-server-debian-lenny-ispconfig3-p3 I did this a few months ago.

    My question: Can I secure my server to require login to be able to send email, and if so... how?

    Thanks!

    EDIT Some data from mail.log; these kinds of errors show up constantly:

    Jun 15 17:58:16 bolt postfix/qmgr[10712]: CC7DA1242AE: from=<paul@*****.se>, size=3782, nrcpt=1 (queue active)
    Jun 15 17:58:16 bolt postfix/smtp[11337]: CC7DA1242AE: to=<[email protected]>, relay=none, delay=4641, delays=4640/0.01/0.32/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=cmlisboa.pt type=MX: Host not found, try again)
    Jun 15 17:58:19 bolt postfix/smtpd[10836]: connect from static-200-105-220-154.acelerate.net[200.105.220.154]
    Jun 15 17:58:20 bolt postfix/smtpd[10836]: NOQUEUE: reject: RCPT from static-200-105-220-154.acelerate.net[200.105.220.154]: 550 5.1.1 <advertising@*****.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<[email protected]> to=<advertising@*****.com> proto=ESMTP helo=<static-200-105-220-154.acelerate.net>
    Jun 15 17:58:20 bolt postfix/smtpd[10836]: lost connection after DATA (0 bytes) from static-200-105-220-154.acelerate.net[200.105.220.154]
    Jun 15 17:58:20 bolt postfix/smtpd[10836]: disconnect from static-200-105-220-154.acelerate.net[200.105.220.154]
    Jun 15 17:58:29 bolt postfix/smtpd[10834]: connect from unknown[62.176.172.226]
    Jun 15 17:58:32 bolt postfix/smtpd[10834]: 386791241F9: client=unknown[62.176.172.226]
    Jun 15 17:58:34 bolt postfix/cleanup[10975]: 386791241F9: message-id=<000701cc2b75$143a39f0$[email protected]>
    Jun 15 17:58:34 bolt postfix/qmgr[10712]: 386791241F9: from=<[email protected]>, size=867, nrcpt=1 (queue active)
    Jun 15 17:58:35 bolt postfix/smtpd[10834]: disconnect from unknown[62.176.172.226]
    Jun 15 17:58:35 bolt amavis[11084]: (11084-17) Blocked SPAM, [62.176.172.226] [62.176.172.226] <[email protected]> -> <*****@*****>, Message-ID: <000701cc2b75$143a39f0$[email protected]>, mail_id: XczovKoMBYNr, Hits: 18.471, size: 867, 833 ms
    Jun 15 17:58:35 bolt postfix/smtp[10732]: 386791241F9: to=<*****@*****>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.5, delays=2.7/0/0/0.83, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=11084-17 - SPAM)
    Jun 15 17:58:35 bolt postfix/qmgr[10712]: 386791241F9: removed
    Jun 15 17:58:43 bolt postfix/smtpd[10836]: warning: 178.121.154.194: address not listed for hostname mm-194-154-121-178.dynamic.pppoe.mgts.by
    Jun 15 17:58:43 bolt postfix/smtpd[10836]: connect from unknown[178.121.154.194]
    Jun 15 17:58:45 bolt postfix/smtpd[10727]: connect from unknown[180.134.223.86]
    

    EDIT #2 Got some more info from the logs, this is a send request:

    mail.info.1:Jun 15 16:41:57 bolt amavis[5399]: (05399-06) Passed CLEAN, [110.139.48.64] [110.139.48.64] <paul@*****.se> -> <[email protected]>, Message-ID: <CHILKAT-MID-7c54ebcf-5501-de9b-f0b1-4f0234290d8d@HP-IRISH>, mail_id: 35l56Ramx6Nc, Hits: -2.941, size: 3329, queued_as: 2485770086, 136 ms
    mail.info.1:Jun 15 16:41:57 bolt postfix/smtp[4743]: 375C570082: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.8, delays=4.7/0/0/0.14, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=05399-06, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 2485770086)
    

    Which apparently got through. Any ideas how to restrict this?

  • Answers
  • trurl

    An SMTP server has to accept mail without authentication; otherwise no one would be able to send you an e-mail, because every SMTP server out there would have to know a user/password for your server.

    But (!), your server must not accept any mail without authentication when the desired recipient does not belong to your domain(s) (the hosts for which your smtpd should handle/receive mail) (see 'open relay'). When handling mail to recipients outside your domain(s), the sender should be authenticated.

    see (/etc/postfix/)main.cf:

    smtpd_recipient_restrictions =
        [...]
        permit_sasl_authenticated,
        [...]
        reject_unauth_destination,
    

    This means you permit delivery when the user is authenticated (here using SASL; that's the easiest way); otherwise, every other mail with a RCPT TO: not belonging to the destinations specified through mydestination= will be rejected.

    Additionally, you should disable clear-text login. AUTH should only be available when the connection is secure:

    smtpd_tls_auth_only = yes
    

    I doubt your postfix is an open relay, because one has to deliberately mess with the configuration to achieve this (nowadays), but you should check!

    When a spammer is using your e-mail address as a From: there's not much you can do :(

    Hope this helps.
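
    One way to see why the order of those two restrictions matters, as an added example (not code from the answer above or from Postfix itself): a small Python model of how Postfix walks smtpd_recipient_restrictions for one RCPT TO, with mydestination, the domains and the username assumed for the demo.

```python
# Added example (not from the answer or the Postfix project): a model of how
# Postfix evaluates smtpd_recipient_restrictions with the two restrictions shown
# above, plus the effect of smtpd_tls_auth_only = yes on AUTH.
# Domains, usernames and addresses below are constructed samples.
from dataclasses import dataclass
from typing import Optional

MYDESTINATION = {"example.se", "localhost"}   # assumed value of mydestination=
SMTPD_TLS_AUTH_ONLY = True                     # smtpd_tls_auth_only = yes


@dataclass
class Session:
    tls: bool                            # STARTTLS negotiated on this connection?
    mail_from: str
    rcpt_to: str
    sasl_username: Optional[str] = None  # set only by a successful AUTH


def attempt_auth(sess: Session, username: str) -> Session:
    """With smtpd_tls_auth_only = yes, AUTH is only accepted inside TLS, so a
    plaintext client stays unauthenticated (and never sends its password in clear)."""
    if sess.tls or not SMTPD_TLS_AUTH_ONLY:
        sess.sasl_username = username
    return sess


def permit_sasl_authenticated(sess: Session) -> str:
    return "OK" if sess.sasl_username else "DUNNO"


def reject_unauth_destination(sess: Session) -> str:
    domain = sess.rcpt_to.rsplit("@", 1)[-1].lower()
    return "DUNNO" if domain in MYDESTINATION else "REJECT 554 5.7.1 Relay access denied"


# Order matters: Postfix walks the list and the first OK or REJECT wins.
SMTPD_RECIPIENT_RESTRICTIONS = [permit_sasl_authenticated, reject_unauth_destination]


def evaluate_rcpt(sess: Session) -> str:
    """Verdict for one RCPT TO: DUNNO falls through to the next restriction,
    and an all-DUNNO list ends in this stage's default, which is permit."""
    for restriction in SMTPD_RECIPIENT_RESTRICTIONS:
        verdict = restriction(sess)
        if verdict != "DUNNO":
            return verdict
    return "OK"
```

With this list, an unauthenticated client forging a local sender to an outside recipient is rejected at RCPT TO, while the same recipient is accepted once the client has authenticated over TLS.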


  • Related Question

    SMTP server service?
  • RD.

    I'm looking for a good SMTP host. I need to be able to:

    1. Send as much as 25000 emails per day.
    2. Connect to the smtp server from ONLY one IP

    Basically, my host has a 500 email per hour limit. And the website I'm working on sends notifications for everything from changing your details, to adding details etc. Also, the site has a mass mail feature for "contacts". So, if you have 500 contacts and you wish to mail all of them, that means all the mails are sent in one go. Now imagine if the site has 500 users. Do you see how quickly my limit of mails "explodes"? As a solution, instead of getting a dedicated server, I figured I could just pay someone to host the SMTP server.

    Any advice?


  • Related Answers
  • Diago

    SMTP.com

    Their corporate plans allow anything from 20,000 emails/hr to 100,000 emails/hr.

  • 8088

    MailEnable can handle a pretty huge volume of traffic and is highly configurable. Highly recommended.