SMTP Best practice settings

AudiAddict (Verified User, joined Oct 10, 2008, 85 messages)
Someone told me that they had received e-mail coming from my e-mail and mailserver that included spam (which I did not send).

I checked if my mailserver is an openrelay at mxtoolbox.com and it says it's not.

When testing it manually with telnet I found out that I am able to send mail from my domain to another domain (which I do not manage), and I could include any text in it.

Is this normal behaviour? Can anybody use a mailserver to send spam?
Can I prevent this with SMTP authentication? Should I force this option for all my users/domains?

Can somebody explain what is best practice for SMTP on a directadmin install?

Also, would you guys suggest using ClamAV next to SpamAssassin? I'm seeing a lot of fake UPS and VISA phishing mails with zip files which include viruses. I'm using the latest custom build; is there an easy way of installing ClamAV + auto update?
 
For probably about nine years now, DirectAdmin has not been an open relay unless you make it one. The most overlooked way people turn DirectAdmin-based servers into an open relay is to list their own domain in one of the whitelists in the /etc/virtual directory. You must not whitelist your own domain.

Otherwise, to help you further please post in more detail what you mean by "with telnet". Are you using telnet from your server, or from your local machine? Either could make it appear your server is an open relay when it isn't.

Check your /var/log/exim/mainlog file to see if the sending user (sending the spam) is authenticated, and if so, how.

Jeff
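An added example (not code from this thread, nor from DirectAdmin or Exim) of doing the mainlog check Jeff describes with a script instead of by eye: it reads the Exim "message arrived" (<=) records, separates SMTP AUTH submissions (A= tag) from local and unauthenticated ones, and flags an account that is submitting from several different IPs, which is the usual footprint of a stolen mailbox password being used to send spam. The log lines are constructed to mimic /var/log/exim/mainlog; the field tags (H=, P=, A=) are Exim's, the hosts, addresses and message IDs are made up.

```python
"""Audit an Exim mainlog: who injected mail, and were they authenticated?

Added example, not code from the forum thread or from DirectAdmin/Exim.
The sample below is constructed to mimic Exim 4 '<=' records.
"""
import re
from collections import defaultdict

# Constructed sample of /var/log/exim/mainlog (not real traffic).
SAMPLE_MAINLOG = """\
2012-08-12 18:09:27 1T0Abc-0001Xy-Zz <= alice@example.com H=(mail.example.com) [203.0.113.5] P=esmtpa A=login:alice@example.com S=2048
2012-08-12 18:10:02 1T0Abd-0001Xz-A1 <= alice@example.com H=(host) [198.51.100.7] P=esmtpa A=login:alice@example.com S=41000
2012-08-12 18:10:40 1T0Abe-0001Y0-B2 <= alice@example.com H=(host) [192.0.2.99] P=esmtpa A=login:alice@example.com S=40500
2012-08-12 18:11:15 1T0Abf-0001Y1-C3 <= bob@example.com U=bob P=local S=512
2012-08-12 18:12:00 1T0Abg-0001Y2-D4 <= newsletter@partner.test H=(relay.partner.test) [203.0.113.77] P=esmtp S=3100
2012-08-12 18:12:30 1T0Abh-0001Y3-E5 => bob <bob@example.com> R=localuser T=local_delivery
"""

SENDER_RE = re.compile(r" <= (\S+)")          # envelope sender of an arrival record
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")   # [ip] after the H= host field
PROTO_RE = re.compile(r" P=(\S+)")            # esmtp / esmtpa / local / ...
AUTH_RE = re.compile(r" A=(\S+)")             # <authenticator>:<id> when SMTP AUTH was used


def parse_arrival(line):
    """Return sender, source IP, protocol and authenticated id of a '<=' record,
    or None for any other log line (deliveries, rejects, ...)."""
    m = SENDER_RE.search(line)
    if not m:
        return None
    rec = {"sender": m.group(1), "ip": None, "proto": None, "auth_id": None}
    ip = IP_RE.search(line)
    if ip:
        rec["ip"] = ip.group(1)
    proto = PROTO_RE.search(line)
    if proto:
        rec["proto"] = proto.group(1)
    auth = AUTH_RE.search(line)
    if auth:
        # A=login:alice@example.com -> keep the authenticated id only
        rec["auth_id"] = auth.group(1).split(":", 1)[-1]
    return rec


def classify(rec):
    """'authenticated' (SMTP AUTH), 'local' (submitted on the box itself) or
    'unauthenticated' (normal inbound delivery, or a relay you need to explain)."""
    if rec["auth_id"]:
        return "authenticated"
    if rec["proto"] == "local":
        return "local"
    return "unauthenticated"


def audit(log_text, ip_threshold=2):
    """Summarise submissions per authenticated account and flag any account
    used from at least `ip_threshold` distinct IPs."""
    accounts = defaultdict(lambda: {"messages": 0, "ips": set()})
    unauthenticated = []
    local = 0
    for line in log_text.splitlines():
        rec = parse_arrival(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind == "authenticated":
            accounts[rec["auth_id"]]["messages"] += 1
            accounts[rec["auth_id"]]["ips"].add(rec["ip"])
        elif kind == "local":
            local += 1
        else:
            unauthenticated.append((rec["sender"], rec["ip"]))
    flagged = sorted(a for a, s in accounts.items() if len(s["ips"]) >= ip_threshold)
    return {"accounts": dict(accounts), "local": local,
            "unauthenticated": unauthenticated, "flagged": flagged}


if __name__ == "__main__":
    result = audit(SAMPLE_MAINLOG)
    for acct, s in result["accounts"].items():
        print(f"{acct}: {s['messages']} messages from {sorted(s['ips'])}")
    print("flagged:", result["flagged"])
    print("unauthenticated:", result["unauthenticated"])
```

Run it against the real file with `audit(open("/var/log/exim/mainlog").read())`. Unauthenticated entries are not automatically bad: inbound mail for your own domains arrives that way too, so look at whether the recipients in those transactions are local before calling it a relay.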
 
When testing it manually with telnet I found out that I am able to send mail from my domain to another domain (which I do not manage), and I could include any text in it.

There is a so-called pop-auth-before-smtp used by DirectAdmin. It means that as soon as you log in to your POP3 account on a DirectAdmin-powered server, your IP is temporarily added to a whitelist, which allows sending emails via SMTP to other domains without needing to authenticate.


Is this normal behaviour? Can anybody use a mailserver to send spam?
Can I prevent this with SMTP authentication? Should I force this option for all my users/domains?

Yes, you might want to force all users to use SMTP authentication; you should disable pop-auth-before-smtp in this case. Also set limits for SMTP usage; it will help you to prevent spam.
 
The server is not an open relay, all the open relay test websites show that mail is being blocked when trying to relay. Which is good.

What I am able to do is telnet to the mail server and send mail from [email protected] to ANY DOMAIN without authentication, meaning that anybody could use my e-mail address to send out spam.
Is it possible to block this, so people need to authenticate with my username and password before sending a mail from my domain?

Another question: I am seeing about 4000-5000 brute-force attempts with dictionary attacks ([email protected] --> [email protected]) on dovecot. I am using CSF (ConfigServer Firewall and Security). Shouldn't this program automatically block these requests? If not, how do I set it up? I found a guide (FAQ), but this is for setting up iptables + the ip_brute_force file. But I already have iptables with CSF, don't I? What would be the easiest way to use CSF to block these brute-force attempts?
 
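An added example (not code from this thread, nor from CSF or DirectAdmin) of the counting the poster is asking CSF to do: it sums Dovecot "auth failed, N attempts" records per source IP, lists the usernames each IP tried (a long list of unrelated usernames from one address is the dictionary-attack signature), and only builds a csf deny command for addresses that pass a strict IP check, so nothing copied out of a log line can ever reach the shell. The log lines are constructed to resemble Dovecot login-failure records with rip=; the csf invocation mirrors the `/etc/csf/csf.pl -d $ip BFM IP Block` form used later in this thread.

```python
"""Count failed Dovecot logins per source IP and prepare csf deny commands.

Added example; not code from the forum thread or from CSF/DirectAdmin.
The sample log is constructed; adjust FAIL_RE if your Dovecot logs differently.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed Dovecot log excerpt (not real traffic).
SAMPLE_DOVECOT_LOG = """\
Aug 12 18:30:01 webserver dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 10 secs): user=<admin>, method=PLAIN, rip=198.51.100.23, lip=203.0.113.5
Aug 12 18:30:05 webserver dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<info>, method=PLAIN, rip=198.51.100.23, lip=203.0.113.5
Aug 12 18:30:09 webserver dovecot: imap-login: Disconnected (auth failed, 3 attempts in 11 secs): user=<sales>, method=PLAIN, rip=198.51.100.23, lip=203.0.113.5
Aug 12 18:30:14 webserver dovecot: imap-login: Disconnected (auth failed, 3 attempts in 8 secs): user=<test>, method=PLAIN, rip=198.51.100.23, lip=203.0.113.5
Aug 12 18:31:00 webserver dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<alice>, method=PLAIN, rip=192.0.2.10, lip=203.0.113.5
Aug 12 18:31:30 webserver dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=203.0.113.5, TLS
Aug 12 18:32:00 webserver dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<alice>, method=PLAIN, rip=192.0.2.10, lip=203.0.113.5
"""

# "auth failed, N attempts ... user=<name> ... rip=<remote ip>"
FAIL_RE = re.compile(
    r"auth failed, (?P<attempts>\d+) attempts.*?user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)


def tally_failures(log_text):
    """Per remote IP: total failed attempts and the set of usernames tried."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:                      # successful logins and other records are ignored
            continue
        entry = stats[m.group("rip")]
        entry["attempts"] += int(m.group("attempts"))
        entry["users"].add(m.group("user"))
    return dict(stats)


def block_candidates(log_text, threshold=10):
    """IPs whose failed attempts reach `threshold`, worst first, as
    (ip, attempts, sorted usernames)."""
    return sorted(
        ((ip, s["attempts"], sorted(s["users"]))
         for ip, s in tally_failures(log_text).items() if s["attempts"] >= threshold),
        key=lambda t: -t[1],
    )


def is_blockable(ip):
    """True only for a syntactically valid, non-local address. Hostnames, log
    fragments or shell metacharacters are rejected rather than passed to csf."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (addr.is_loopback or addr.is_link_local or addr.is_unspecified)


def build_deny_command(ip, comment="BFM IP Block", csf_path="/etc/csf/csf.pl"):
    """argv for `csf -d <ip> <comment>`, as a list so the address and comment
    stay separate arguments and no shell is involved (run with subprocess.run)."""
    if not is_blockable(ip):
        raise ValueError(f"refusing to block {ip!r}")
    return [csf_path, "-d", ip, comment]


if __name__ == "__main__":
    for ip, attempts, users in block_candidates(SAMPLE_DOVECOT_LOG):
        print(f"{ip}: {attempts} failed attempts against {users}")
        print("  would run:", " ".join(build_deny_command(ip)))
```

For a real setup, read the current Dovecot log (typically /var/log/maillog or /var/log/mail.log, depending on the distribution) and execute each command with `subprocess.run(cmd, check=True)`; the threshold of 10 matches what the poster asks for. Keeping the DirectAdmin admin IPs out of the result (or in csf.allow) is the one extra check worth adding before automating this, for the same reason the guide quoted later in the thread warns about blocking yourself.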
Regarding the authentication, I would strongly suggest using exim SpamBlocker 4.1 (search on this forum for it), released by Jeff.

Regarding CSF, search for CSF + BFM; there should be a post of mine with the two scripts needed to make them work together.

Regards
 
http://www.directadmin.com/forum/showthread.php?t=44282&p=225866#post225866

If you think that everybody can send emails via your server, you'd better double-check it, and give us your IP so we could try it ourselves. Note: if you don't want to post your server IP in public, send it via PM.
Hi Alex,

Sent you the ip (DNS) in a PM. Would be great if you could test for me.

This last step is optional and should only be used after you've tested the above setup for a while to get comfortable that you're not going to block yourself. The block_ip.sh is only used for an active "click" by the Admin, it does not automate blocking. To automate blocking, create:

I tried this:

Code:

/usr/local/directadmin/scripts/custom/brute_force_notice_ip.sh

and in that script, add:

Code:

#!/bin/sh
# DirectAdmin's brute-force monitor calls this hook with the offending
# address in $value; hand it to block_ip.sh as $ip and return its exit code.
SCRIPT=/usr/local/directadmin/scripts/custom/block_ip.sh
ip=$value $SCRIPT
exit $?;

and chmod the brute_force_notice_ip.sh to 700.

It doesn't seem to work. Am I missing a step? Is this what you mean with your post? Can you give me the link?
 
I've got this:

Code:
220 webserver.************.** ESMTP Exim 4.73 Sun, 12 Aug 2012 18:09:27 +0200
HELO plugins-da.net
250 webserver.************.** Hello plugins-da.net [213.87.***.***]
MAIL FROM: zeiter@*****.ru
250 OK
RCPT TO: zeiter@*****.ru
550 authentication required
RSET
250 Reset OK

So I guess, you're OK. You might find my session in /var/log/exim/mainlog
 
Correct, but if you change your telnet commands to MAIL FROM: [email protected] and then use RCPT TO: zeiter@***.ru you can send from my domain and pretend to be me.

Can I prevent this?

I am currently seeing my server being hammered by dovecot brute-force attacks. I am currently manually adding their IPs to the blacklist in CSF, but it would be nice to get it to auto-block after 10 attempts etc.
 
Code:
220 webserver.b***********.** ESMTP Exim 4.73 Sun, 12 Aug 2012 18:21:32 +0200
HELO plugins-da.net
250 webserver.b************.** Hello plugins-da.net [213.87.***.***]
MAIL FROM: admin@b************.**
250 OK
RCPT TO: zeiter@***.ru
550 authentication required
QUIT
221 webserver.b************.** closing connection

That seems to me to be OK.

Make sure your IP is not in these two files:

Code:
# cat /etc/virtual/pophosts_user
# cat /etc/virtual/pophosts

If you see your IP, remove it and try telnetting again.

Secondly, make sure your IP, domain, and email are not in these files:

/etc/virtual/whitelist_domains
/etc/virtual/whitelist_from
/etc/virtual/whitelist_hosts
/etc/virtual/whitelist_hosts_ip
/etc/virtual/whitelist_senders
 
OK, and does /usr/local/directadmin/scripts/custom/block_ip.sh exist?

What is in it?

Regards
 
That file doesn't exist. Do I need it when I want to use ConfigServer CSF to do the blocking? I don't want 2x iptables on my machine..
 
Of course you do need that file.

Create it and put in it this:

Code:
#!/bin/sh
# $ip is set by brute_force_notice_ip.sh; deny it in csf with the comment "BFM IP Block".
/etc/csf/csf.pl -d "$ip" BFM IP Block

exit 0;

Then chmod 700 and chown diradmin:diradmin (that should be done the same for the other one).

Regards
 
Thanks, added file. And also did the chown thing on both files.

This script seems to only work when I block manually through the brute-force panel? Is it not possible to have CSF automatically block logs like in this screenshot?

[screenshot: KeQTj.png]


Ahh! Thanks.. I guess it whitelisted my own IP, so it looked like there was no authentication necessary from my PC when testing.
Great! This is solved. Now only fix the CSF auto block.
 
Yes, I receive emails. Will it automatically trigger the CSF IP ban when a notification email is sent?

I guess I have to wait until the next notification to see if it worked.
 