How do I fix this smtp spammer problem

Discussion in 'Installation/Configuration' started by deeaamon, Dec 18, 2014.

  1. deeaamon

    deeaamon New Member

    Hello everyone,

    I am using ISPConfig3 on a Debian Wheezy Apache server. I set it up with Postfix and Dovecot. Recently I received an email from our colocation company with a spam abuse complaint.

    It appears someone is sending emails through our server. Yes, server1.dhptraining.com is my server. How do I stop this? Our IP has now been blacklisted and there is a chance we can lose the colocation with all of our websites if we can't solve the problem.

    I really don't know anything about email servers. I've looked through the forums and through search engines to find out how to fix this, but everything I find I just don't understand. Can someone please help me get this set up so that people cannot send from my server but we can still access and send our emails from our locations? The server is in Phoenix and we are in New Mexico.

    Here is the header from the person sending the email:

    Content-Type: message/rfc822
    Content-Disposition: inline

    Return-Path: <[email protected]>
    Received: from [162.213.40.82] by usgo.net (USGO MTA
      v5/:pHdlc3Rlcm51aW9uQG51aW9uLmNvbT48Z3BoQHVzZmFtaWx5Lm5ldD4-) with
      SMTP id <20141218023520002756900015> for <[email protected]>;
      Thu, 18 Dec 2014 02:35:20 -0600 (CST) (envelope-from [email protected])
    Received: from localhost (localhost [127.0.0.1]) by server1.dhptraining.com
      (Postfix) with ESMTP id 0F49336C3417; Thu, 18 Dec 2014 01:35:19 -0700 (MST)
    X-Virus-Scanned: Debian amavisd-new at server1.dhptraining.com
    Received: from server1.dhptraining.com ([127.0.0.1]) by localhost
      (server1.dhptraining.com [127.0.0.1]) (amavisd-new, port 10024) with
      ESMTP id cLzRD0vMWM_F; Thu, 18 Dec 2014 01:35:09 -0700 (MST)
    Received: from User (unknown [50.7.255.126]) (Authenticated sender:
      [email protected]) by server1.dhptraining.com (Postfix) with ESMTPA id
      D8DE336C347A; Thu, 18 Dec 2014 01:34:59 -0700 (MST)
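Reading the quoted header from the defender's side: the hop that matters is the oldest one received by server1.dhptraining.com, and it carries an "Authenticated sender" clause and the ESMTPA protocol, which means a mailbox password was used, not an open relay. The script below is an added example (not code from the thread, from ISPConfig or from Postfix) that walks the Received: chain of a constructed header modelled on the one above and names the entry hop; the mailbox and victim addresses are placeholders because the post elides them.

```python
import re
from email import message_from_string

OUR_HOST = "server1.dhptraining.com"   # the host named in the complaint

# One Received: hop.  Optional groups: "(rdns [ip])" and the Postfix
# "(Authenticated sender: login)" clause that records a SASL login.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\))?"
    r"(?:\s+\(Authenticated sender:\s*(?P<user>[^)]+)\))?"
    r".*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>[A-Z]+)", re.S)

# Constructed sample, modelled on the header quoted in the post; the
# mailbox is a placeholder because the page elides the address.
SAMPLE = """\
Received: from [162.213.40.82] by usgo.net (USGO MTA) with SMTP id
    <20141218023520002756900015> for <victim@example.invalid>; Thu, 18 Dec 2014 02:35:20 -0600 (CST)
Received: from localhost (localhost [127.0.0.1]) by server1.dhptraining.com
    (Postfix) with ESMTP id 0F49336C3417; Thu, 18 Dec 2014 01:35:19 -0700 (MST)
Received: from server1.dhptraining.com ([127.0.0.1]) by localhost
    (server1.dhptraining.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cLzRD0vMWM_F; Thu, 18 Dec 2014 01:35:09 -0700 (MST)
Received: from User (unknown [50.7.255.126]) (Authenticated sender:
    abused-mailbox@example.invalid) by server1.dhptraining.com (Postfix)
    with ESMTPA id D8DE336C347A; Thu, 18 Dec 2014 01:34:59 -0700 (MST)
"""

def injection_point(raw_headers: str, our_host: str = OUR_HOST) -> dict:
    """Oldest Received: hop received *by* our host = where the mail got in."""
    # Every MTA prepends its own Received: line, so scan in reverse (oldest first).
    msg = message_from_string(raw_headers)
    for hdr in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(" ".join(hdr.split()))   # unfold the header
        if m and m.group("by") == our_host:
            return {"client_ip": m.group("ip"), "helo": m.group("helo"),
                    "authenticated_as": m.group("user"),
                    "protocol": m.group("proto")}
    return {}

def classify(hop: dict) -> str:
    """Map the entry hop to the kind of fix the thread is looking for."""
    if not hop:
        return "no hop via our host: header may be forged"
    if hop["authenticated_as"]:
        return "compromised credentials: reset password for " + hop["authenticated_as"]
    if hop["client_ip"] in (None, "127.0.0.1", "::1"):
        return "local submission: audit scripts that call sendmail/mail()"
    return "unauthenticated relay: tighten smtpd_recipient_restrictions"
```

Run against the real complaint header, the result tells you whether to change a password, look at a PHP script, or close a relay.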
     
  2. Nap

    Nap Member

    @deeaamon,

    Obviously, the first step is to double-check that you've correctly performed all the steps in the 'Perfect' guide you followed. There is a lot to do, and overlooking something is really easy, and hard to find afterwards.

    Another thing that you should have a look at is setting up your DNS records. Most mail servers aren't set up to rigidly check mail. So everything seems fine until you send mail to Gmail, or Hotmail, etc. Send too many mails to them and you'll get listed. Fortunately, they will often notify you that your mail couldn't be delivered because it's considered spam. So, in your DNS, you need to have the following records: A, PTR, MX, and SPF.
    Once you've set these up, send a mail to this address to get a 'health' report: '[email protected]'

    On my server, I've forced all my clients to authenticate before they can send mail. This is not how mail servers are normally set up. Usually, you only need to authenticate in order to download/read your mail. I'll leave you to read up why this is so.

    You should get to know what role Postfix plays, what Dovecot does, how Spamassassin works, what amavis can do for you. By understanding the modules, you'll know which part of your system is not configured correctly. There is a lot of information about SMTP setup in the forum here.

    In addition, here are a few useful links that discuss mail server setup and operation:
    http://www.howtoforge.com/hardening-postfix-for-ispconfig-3
    http://www.postfix.org/SMTPD_ACCESS_README.html
    https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy

    I would give serious consideration to whether you want to run your own mail server or use a third-party provider. It is a complex subject and a large time sink.

    Hope this helps.

    Cheers,
    Nap

    PS: You should post your main.cf and master.cf files here. Without that info...
     
  3. deeaamon

    deeaamon New Member

    That is actually what I want: to force all of my users to authenticate before sending. The only users are from my company and we use a third-party SMTP. The SMTP on the server is used only for sending out emails from my PHP scripts. But someone else is using the SMTP.

    I'll read the articles you mentioned below and give it a try.

    Thanks for the help. How did you get your users to have to authenticate?
     
  4. Nap

    Nap Member

    In my main.cf, I've got the following additions/changes:

    Code:
    # main.cf: authenticated clients may send anywhere, everyone else may only
    # deliver to local domains, then the ISPConfig MySQL maps are consulted
    smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf
    
    smtpd_sender_restrictions = permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
    
    # disable SSLv2/SSLv3 for inbound (smtpd_) and outbound (smtp_) TLS
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_protocols = !SSLv2,!SSLv3
    smtp_tls_protocols = !SSLv2,!SSLv3
    
    In my master.cf, I've got the following additions/changes:
    Code:
    # port 587: STARTTLS required, SASL required, unauthenticated clients rejected
    submission inet n       -       -       -       -       smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtp_enforce_tls=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    # port 465: TLS wrapper mode (implicit TLS), SASL required
    smtps     inet  n       -       -       -       -       smtpd
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    
    cleanup   unix  n       -       -       -       0       cleanup
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    
    I haven't tested my settings against php scripts. You should try to figure out which script is the door they're using and fix it.

    You should validate that your php scripts are generating the mail appropriately; sender address and other header related fields.

    And that they are resistant to SQL Injections and Cross-Site Scripting. That is, all your user input fields ($_GET and $_POST on the server side) should be properly filtered before they are used as input to the php.

    Cheers,
    Nap
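With SASL required on the submission ports as above, the question becomes which mailbox the spammer is logging in as. Postfix writes a `client=host[ip], sasl_method=..., sasl_username=...` line for every authenticated connection, and with Nap's `syslog_name` override the port-587 service logs as `postfix/submission/smtpd`. The script below is an added example, not part of the thread, of ISPConfig or of Postfix: it summarises those lines per account so a mailbox logging in from many addresses stands out. The log lines are constructed and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Postfix smtpd SASL login record; the service name may carry a
# syslog_name prefix such as "submission" from master.cf.
SASL_RE = re.compile(
    r"postfix/(?:submission/)?smtpd\[\d+\]: (?P<qid>\w+): "
    r"client=\S+?\[(?P<ip>[^\]]+)\], sasl_method=\S+, "
    r"sasl_username=(?P<user>\S+)")

# Constructed sample log lines (addresses are documentation ranges).
SAMPLE_LOG = """\
Dec 18 01:34:59 server1 postfix/smtpd[4242]: D8DE336C347A: client=unknown[50.7.255.126], sasl_method=LOGIN, sasl_username=abused-mailbox@example.invalid
Dec 18 01:35:01 server1 postfix/smtpd[4242]: 1A2B3C4D5E6F: client=unknown[50.7.255.126], sasl_method=LOGIN, sasl_username=abused-mailbox@example.invalid
Dec 18 01:35:03 server1 postfix/smtpd[4243]: 0BADF00D0001: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=abused-mailbox@example.invalid
Dec 18 01:40:10 server1 postfix/submission/smtpd[4250]: 7F8E9D0C1B2A: client=office.example.invalid[203.0.113.5], sasl_method=PLAIN, sasl_username=staff@example.invalid
Dec 18 01:41:00 server1 postfix/smtpd[4251]: 123456789ABC: client=unknown[198.51.100.9], sasl_method=LOGIN, sasl_username=abused-mailbox@example.invalid
"""

def summarise_logins(log_text: str) -> dict:
    """Map sasl_username -> {"messages": count, "ips": set of client IPs}."""
    stats = defaultdict(lambda: {"messages": 0, "ips": set()})
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            stats[m.group("user")]["messages"] += 1
            stats[m.group("user")]["ips"].add(m.group("ip"))
    return dict(stats)

def suspicious_accounts(stats: dict, max_ips: int = 2, max_msgs: int = 100) -> list:
    """Accounts seen from more than max_ips addresses or submitting more than
    max_msgs messages are candidates for a stolen password (thresholds assumed)."""
    return sorted(u for u, s in stats.items()
                  if len(s["ips"]) > max_ips or s["messages"] > max_msgs)
```

Feed it `/var/log/mail.log` and the flagged account is the one whose password needs changing; the same counts make a useful daily report once the restrictions are in place.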
     
  5. deeaamon

    deeaamon New Member

    Well, I don't know what I did this time, but now I can't receive any emails at all. I followed this article

    http://www.howtoforge.com/hardening-postfix-for-ispconfig-3

    and my idiot self didn't make backups of my files before making the changes. Also when I restart postfix now I get a warning of unused parameter: dovecot_destination_recipient_limit_1

    And no one in my company is getting any emails. It cycles through the emails with no error messages but doesn't get anything.

    This is what happens when they ask a guy who doesn't know anything about this stuff and is constantly having to wing it.
     
  6. Nap

    Nap Member

    What you can do is:

    Setup a virtual machine using VirtualBox.
    Set the network to use a 'Bridged Network Adaptor'.
    Install the basic Debian Linux.
    Whilst logged into the VM, use the 'ifconfig' command to determine its IP address.
    Once you know its IP, you can use SSH and (S)FTP to access it.

    Then install everything else, as per the 'Perfect' guide.
    You can test the web server by putting an entry in your 'hosts' file that maps an arbitrary domain (I use mydomain.int where 'int' means internal) to the IP of the VM.
    I haven't done this to test emails, but I'm sure you could do that too once you've set up your 'hosts' file and pointed your mail client to the domain you've set up on the VM.
    (This is how I'm doing it here.)

    Once your VM is running satisfactorily, you can copy the setup files from it and put them up on your live server.
    (Don't forget to incorporate the changes I mentioned in my earlier post.)

    Hope this lets you see the light at the end of the tunnel.

    Cheers,
    Nap
     
