Prevent website from sending mail

Discussion in 'Server Operation' started by Tomislav Aurednik, Jul 11, 2022.

  1. Tomislav Aurednik

    Tomislav Aurednik Member HowtoForge Supporter

    Shared hosting (web+mail), one of websites gets hacked. Hackers are sending tons of spam mails, IP gets blacklisted. Mails were sent locally (without authorization), noticed this when /var/mail/web101 file was started to fill with "undelivered mail..."
    Mails were sent with user [email protected].
    How to configure Postfix to prevent websites from sending mail without authorization ?
    Regards, Tomi
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I'm guessing this is an ISPConfig system and responding as such. You can only authenticate when using SMTP, so what you need to do is both 1) prohibit local users (or at least website users) from being able to inject mail directly into the mail system (eg. by calling sendmail), as well as 2) prohibit smtp mail that is not authenticated (in particular, do not allow mail from localhost without authentication).

    So comments on those points:

    1): If all your websites run php, you could change them all to use php-fpm mode with chroot enabled, then they can't inject mail via sendmail. Don't overlook shell users and cronjobs, you want to ensure those require chroot as well. You will have the issue of the filesystem paths for your website files change from the perspective of php (from /var/www/clients/clientxx/webxx/web/ to just /web), so anywhere that has the old path referenced (eg. in cms databases, or external config files like .htaccess or .user.ini, etc.).

    Using chroot has some additional benefits and complexities, and only applies to php sites; another option would be to configure the postfix authorized_submit_users setting so that only certain system users can submit email (root and maybe others, it would be system dependent).

    2) you would need to remove 'permit_mynetworks' from smtpd_relay_restrictions and smtpd_sender_restrictions in your postfix config, and ensure you are running rspamd, not amavis.

    Another approach entirely would be to install an external mail server for all your email, and which websites can use for legitimate email, and block all outgoing mail from your webserver (ie. block all port 25, only allow port 587 and 465 to your mail server). This will likely end up in your compromised websites filling the mail queue on your web server with the spam, but it will be clear which sites are those are and you limit ip reputation issues while you fix them. This also gets a new ip address for your mail which hopefully isn't blacklisted, so your legitimate mail might start flowing quicker.
  3. Oazis

    Oazis New Member

    Do you have a web server and mail configured on the same server?

Share This Page