Hi, my name is Nacho. I'm new to your forum. I've worked one year with ISPConfig and I am delighted. It is costing me a bit because I come from the Windows world, but forums like this make it a bit easier. I have a problem: I am getting emails sent from my own address. When looking at the headers I see everyone comes from a different IP. I see the email addresses come from other countries. And each post is a different IP address. It seems to me difficult to block all addresses... one by one. What can I do to avoid this problem? How best can I secure my mail server? We use POP and IMAP. We do not have secure SMTP. I don't have "Authentication required" enabled on our SMTP server... What do you recommend? Thank you very much in advance.

P.S. This is my config:

##### SERVER #####
IP-address (as per hostname): ***.***.***.***
IP-address(es) (as per ifconfig): ***.***.***.***
[INFO] ISPConfig is installed.

##### ISPCONFIG #####
ISPConfig version is 3.0.5.4p8

##### VERSION CHECK #####
[INFO] php (cli) version is 5.4.39-0+deb7u2
[INFO] php-cgi (used for cgi php in default vhost!) is version 5.4.39-0+deb7u2

##### PORT CHECK #####

##### MAIL SERVER CHECK #####

##### RUNNING SERVER PROCESSES #####
[INFO] I found the following web server(s): Apache 2 (PID 12469)
[INFO] I found the following mail server(s): Postfix (PID 22364)
[INFO] I found the following pop3 server(s): Dovecot (PID 23746)
[INFO] I found the following imap server(s): Dovecot (PID 17182)
[INFO] I found the following ftp server(s): PureFTP (PID 2334)

##### LISTENING PORTS #####
(only () Local (Address)
[anywhere]:110 (23746/dovecot)
[anywhere]:143 (17182/imap-login)
[localhost]:783 (5681/spamd.pid)
[anywhere]:465 (22364/master)
[anywhere]:21 (2334/pure-ftpd)
***.***.***.***:53 (15966/named)
[localhost]:53 (15966/named)
[anywhere]:22 (5159/sshd)
[localhost]:953 (15966/named)
[anywhere]:25 (22364/master)
[anywhere]:993 (17182/imap-login)
[anywhere]:995 (23746/dovecot)
[localhost]:10024 (5903/amavisd-new)
[localhost]:10025 (22364/master)
[localhost]:3306 (22132/mysqld)
[anywhere]:587 (22364/master)
[localhost]:11211 (5259/memcached)
[localhost]10 (23746/dovecot)
[localhost]43 (17182/imap-login)
*:*:*:*::*:8080 (12469/apache2)
*:*:*:*::*:80 (12469/apache2)
*:*:*:*::*:8081 (12469/apache2)
*:*:*:*::*:465 (22364/master)
*:*:*:*::*:21 (2334/pure-ftpd)
*:*:*:*::*:53 (15966/named)
*:*:*:*::*:22 (5159/sshd)
*:*:*:*::*:953 (15966/named)
*:*:*:*::*:25 (22364/master)
*:*:*:*::*:443 (12469/apache2)
*:*:*:*::*:993 (17182/imap-login)
*:*:*:*::*:995 (23746/dovecot)
*:*:*:*::*:587 (22364/master)

##### IPTABLES #####
Chain INPUT (policy DROP)
target       prot opt source             destination
fail2ban-ssh tcp  --  [anywhere]/0       [anywhere]/0       multiport dports 22
DROP         tcp  --  [anywhere]/0       ***.***.***.***/8
ACCEPT       all  --  [anywhere]/0       [anywhere]/0       state RELATED,ESTABLISHED
ACCEPT       all  --  [anywhere]/0       [anywhere]/0
DROP         all  --  ***.***.***.***/4  [anywhere]/0
PUB_IN       all  --  [anywhere]/0       [anywhere]/0
PUB_IN       all  --  [anywhere]/0       [anywhere]/0
PUB_IN       all  --  [anywhere]/0       [anywhere]/0
PUB_IN       all  --  [anywhere]/0       [anywhere]/0
PUB_IN       all  --  [anywhere]/0       [anywhere]/0
DROP         all  --  [anywhere]/0       [anywhere]/0

Chain FORWARD (policy DROP)
target       prot opt source             destination
ACCEPT       all  --  [anywhere]/0       [anywhere]/0       state RELATED,ESTABLISHED
DROP         all  --  [anywhere]/0       [anywhere]/0

Chain OUTPUT (policy ACCEPT)
target       prot opt source             destination
PUB_OUT      all  --  [anywhere]/0       [anywhere]/0
PUB_OUT      all  --  [anywhere]/0       [anywhere]/0
PUB_OUT      all  --  [anywhere]/0       [anywhere]/0
PUB_OUT      all  --  [anywhere]/0       [anywhere]/0
PUB_OUT      all  --  [anywhere]/0       [anywhere]/0

Chain INT_IN (0 references)
target       prot opt source             destination
ACCEPT       icmp --  [anywhere]/0       [anywhere]/0
DROP         all  --  [anywhere]/0       [anywhere]/0

Chain INT_OUT (0 references)
target       prot opt source             destination
ACCEPT       icmp --  [anywhere]/0       [anywhere]/0
ACCEPT       all  --  [anywhere]/0       [anywhere]/0

Chain PAROLE (16 references)
target       prot opt source             destination
ACCEPT       all  --  [anywhere]/0       [anywhere]/0

Chain PUB_IN (5 references)
target       prot opt source             destination
ACCEPT       icmp --  [anywhere]/0       [anywhere]/0       icmptype 3
ACCEPT       icmp --  [anywhere]/0       [anywhere]/0       icmptype 0
ACCEPT       icmp --  [anywhere]/0       [anywhere]/0       icmptype 11
ACCEPT       icmp --  [anywhere]/0       [anywhere]/0       icmptype 8
PAROLE       tcp  --  [anywhere]/0       [anywhere]/0       tcp dpt:20
PAROLE       tcp  --  [anywhere]/0       [anywhere]/0       tcp dpt:21
PAROLE       tcp  --  [anywhere]/0       [anywhere]/0       tcp dpt:22
PAROLE       tcp  --  [anywhere]/0       [anywhere]/0       tcp dpt:25
PAROLE       tcp  --  [anywhere]/0       [anywhere]/0       tcp dpt:53
PAROLE       tcp  --  [anywhere]/0       [anywhere]/0       tcp dpt:80
PAROLE       tcp  --  [anywhere]/0       [anywhere]/0       tcp dpt:110
PAROLE       tcp  --  [anywhere]/0       [anywhere]/0       tcp dpt:143
PAROLE       tcp  --  [anywhere]/0       [anywhere]/0       tcp dpt:443
PAROLE       tcp  --  [anywhere]/0       [anywhere]/0       tcp dpt:587
PAROLE       tcp  --  [anywhere]/0       [anywhere]/0       tcp dpt:993
PAROLE       tcp  --  [anywhere]/0       [anywhere]/0       tcp dpt:995
PAROLE       tcp  --  [anywhere]/0       [anywhere]/0       tcp dpt:3306
PAROLE       tcp  --  [anywhere]/0       [anywhere]/0       tcp dpt:8080
PAROLE       tcp  --  [anywhere]/0       [anywhere]/0       tcp dpt:8081
PAROLE       tcp  --  [anywhere]/0       [anywhere]/0       tcp dpt:10000
ACCEPT       udp  --  [anywhere]/0       [anywhere]/0       udp dpt:53
ACCEPT       udp  --  [anywhere]/0       [anywhere]/0       udp dpt:3306
DROP         icmp --  [anywhere]/0       [anywhere]/0
DROP         all  --  [anywhere]/0       [anywhere]/0

Chain PUB_OUT (5 references)
target       prot opt source             destination
ACCEPT       all  --  [anywhere]/0       [anywhere]/0

Chain fail2ban-ssh (1 references)
target       prot opt source             destination
DROP         all  --  ***.***.***.***    [anywhere]/0
DROP         all  --  ***.***.***.***    [anywhere]/0
DROP         all  --  ***.***.***.***    [anywhere]/0
DROP         all  --  ***.***.***.***    [anywhere]/0
RETURN       all  --  [anywhere]/0       [anywhere]/0
Which tutorial did you use to install the server? Please post the complete headers of one of these emails.
Thanks for your answer Till. I have an OVH server, and I selected ISPConfig + Debian while configuring my server. I have not followed any particular manual. I share the header of an email:

*************
Return-Path: <info[arroba]mydomain.es>
Delivered-To: info[arroba]mydomain.es
Received: from localhost (localhost.localdomain [127.0.0.1])
    by nsxxxxxx.ip-xxx-xxx-xxx.eu (Postfix) with ESMTP id 187E94C80086
    for <info[arroba]mydomain.es>; Tue, 13 Oct 2015 10:08:53 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at nsxxxxxx.ip-xxx-xxx-xxx.eu
Received: from nsxxxxxx.ip-xxx-xxx-xxx.eu ([127.0.0.1])
    by localhost (nsxxxxxx.ip-xxx-xxx-xxx.eu [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id I6QVUW7psfsH for <info[arroba]mydomain.es>;
    Tue, 13 Oct 2015 10:08:53 +0200 (CEST)
Received: from [121.54.58.157] (unknown [121.54.58.157])
    by nsxxxxxx.ip-xxx-xxx-xxx.eu (Postfix) with ESMTP id 378284C80084
    for <info[arroba]mydomain.es>; Tue, 13 Oct 2015 10:08:52 +0200 (CEST)
From: <info[arroba]mydomain.es>
To: <info[arroba]mydomain.es>
Subject: Hola querido!
Date: 13 Oct 2015 22:55:47 +0700
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0025_01D105D1.016FAF0A"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Acgecf4qjs8sg36agecf4qjs8sg36a==
Content-Language: en
x-cr-hashedpuzzle: 2D4= cf4q js8s g36a gecf 4qjs 8sg3 6age cf4q js8s g36a gecf 4qjs 8sg3 6age cf4q;1;js8sg36agecf4qjs8sg36agecf4qjs8sg36agecf4qjs8sg3;Sosha1_v1;7;{9C5556DB-889F-D805-CCCF-421106419C55};ZQB3AGUAZgcf4qjs8sg36agecf4qjs8sg36agecf4qjs8sg3;13 Oct 2015 22:55:47 +0700;6agecf4qjs8sg36a
x-cr-puzzleid: {9C5556DB-889F-D805-CCCF-421106419C55}
**************

I have not concealed the IP of the spammer (121.54.58.157). But I have to say that it has changed with respect to other mails. Curiously, I get them myself with a later time than the actual arrival. For example I get some mail at 10:00 PM with time 12:00 PM. Thanks in advance.
As far as I can see this mail is not sent from your server. Spammers often use the recipient address as sender address, or a faked address of your domain as sender address. So there is no issue with your server configuration; that's just normal spam, so the normal methods to prevent and filter spam will help you.

1) Add some real time blacklists under System > Server config > mail.
2) Ensure that you selected a spam filter policy for your email domain and/or mailbox in ISPConfig.
3) You can also test lowering the spam tag 2 level of the selected policy.
4) Add a DNS SPF record for your domain to define the servers that are allowed to send email for your domain.
Thanks Till. I comment on your four points:

POINT 4: I had ruled out this option because I configured the SPF record and validated it correctly, like you recommend:

*****
TXT my[dot]domain[dot]es. v=spf1 a mx ptr ipx:xxx.xxx.xxx.xx ~all
*****

And its validation:

SPF Record Published: Record found
SPF Syntax Check: The record is valid
SPF Multiple Records: Less than two records found
SPF Record Deprecated: No deprecated records found
SPF Included Lookups: Number of included lookups is OK

And I don't understand how they can send on behalf of my domain...

POINTS 2 AND 3: I have a spam filter. I have TAG at 2. And the other options are like this: Tag=2, second Tag=4,5, Kill=50, Cutoff=0,0. In the general config I have this: the first 4 options with YES and the other three NO.

POINT 1: I had no RBL at all. Looking for some, I think that two RBLs would be nice?: cbl[dot]abuseat[dot]org and b[dot]barracudacentral[dot]org. Do I only have to put them in "System > Server config > mail", or do I have to register my mail server with each one? Or must I do what Javier Córdoba recommends? "hardening-postfix-for-ispconfig-3 dnsbl-dns-based-blacklistblocklist"

Thanks a lot for your help!
SPF is a recommendation for spam filters, not more, so it will help your and other spam filters to filter out spam emails. An SPF record is not a mechanism to hard block emails. Try to set the tag2 level to 3.5 or 3. Just add the blacklists there that you want to use. You can use that, but that setup is really strict and you might find out that legitimate email is not received anymore.
OK Till. I've made the changes you mentioned. Do you think it is interesting to use authentication and security for sending over SMTP and for IMAP? My setup allows me STARTTLS, port 587 and user authentication... Is that correct? We'll try with these changes, and I'll tell you how it went. Thank you.
If you change your SPF record to a hard fail, i.e. ending with "-all" instead of "~all", it will be an outright block for those spam messages in many, though certainly not all, places. It should make your SpamAssassin score increase as well. If you want to implement rejecting mail for SPF hard fails yourself, follow the instructions in that hardening postfix guide to install postfix-policyd-spf-python or postfix-policyd-spf-perl (i.e. the "SPF Check For Postfix" step).
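To show why Till says this mail never went out through Nacho's server, and how the "~all" versus "-all" change Jesse describes behaves, here is an added Python example (not from the thread, ISPConfig or Postfix) that pulls the originating IP out of a Received: chain and evaluates a simplified SPF record against it. The Received: lines are condensed from the header above; the DNS table and the server address 203.0.113.10 are constructed assumptions, and only the a, mx, ip4 and all mechanisms are implemented.

```python
import ipaddress
import re

# Constructed sample: the Received: chain from the header in the thread, newest
# hop first. Only the last hop is a real external connection to the server.
RECEIVED = [
    "from localhost (localhost.localdomain [127.0.0.1]) by ns.example.eu (Postfix)",
    "from ns.example.eu ([127.0.0.1]) by localhost (amavisd-new, port 10024)",
    "from [121.54.58.157] (unknown [121.54.58.157]) by ns.example.eu (Postfix)",
]
# Constructed stand-in for DNS (assumption: the domain's A and MX hosts resolve
# to the server's own address, 203.0.113.10 here).
DNS = {"a": {"mydomain.es": ["203.0.113.10"]}, "mx": {"mydomain.es": ["mydomain.es"]}}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def origin_ip(received, trusted=("127.0.0.1",)):
    """Walk the Received: chain oldest to newest and return the first connecting
    IP that is not one of our own trusted hosts (loopback hops are local relays)."""
    for line in reversed(received):
        m = re.search(r"^from .*?\[(\d+(?:\.\d+){3})\]", line)
        if m and m.group(1) not in trusted:
            return m.group(1)
    return None


def check_spf(record, client_ip, domain, dns):
    """Evaluate a 'v=spf1' record for one client IP using the a, mx, ip4 and all
    mechanisms (no CIDR on a/mx). ptr never matches, as RFC 7208 advises against
    it. Returns pass, fail, softfail or neutral."""
    addr = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual, term = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = term.partition(":")
        target = arg or domain  # a/mx default to the sender's domain
        matched = False
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = client_ip in dns["a"].get(target, [])
        elif name == "mx":
            matched = any(client_ip in dns["a"].get(h, []) for h in dns["mx"].get(target, []))
        if matched:  # first matching mechanism decides; its qualifier is the result
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no explicit "all"
```

With the thread's record shape ("v=spf1 a mx ptr ip4:... ~all") the spammer's IP only yields softfail, which is why most receivers just add score; with "-all" the same IP yields fail, which policy daemons such as postfix-policyd-spf can reject outright.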
Thanks Jesse. I'll test that. Since yesterday, the number of spam mails has decreased, but a few accounts still get some. Thanks for your help!