Rejecting outbound mail

Is there any way to refuse to send mail outside of the server? Basically I want to keep my mail server turned on so I can receive mail, but I don't want to be able to send mail out from the server. How can I go about doing this?

Time Warner finally sent me a notice in the mail that any more spam sent from my account will result in termination of my account so... yeh. I need to keep the server running, but not send any mail outbound.

 

I've actually had a couple of threads on here trying to figure out why I am spamming people. Through the tests I've done, it's not an open relay, at least according to the couple of sites I used to test my server.

The only contact form I have is on my forums. It requires an e-mail address, image verification, and a message. The form sends all mail to [email protected]. I don't see how they are using that form.

 

Alright. It's now happened again. I can't send any more e-mails out for another 24 hours because I've reached my daily limit of 1000. In other words, people have been using my server again to keep spamming. I removed all contact forms from my pages that allow users to e-mail me. I don't know how else to stop this other than just turning off the SMTP server, but if I do that then my e-mail doesn't work and my primary e-mail address is used on this server.

I'm willing to let one of the "known" people of ISPConfig SSH and look at my computer to see what may be wrong if you would be willing to do so. Like I've said in other posts, all of the relay testing sites say they can't relay from my server so something is up. I don't know what else to do here. Please help.

 

I was able to find this log. This is was caused me to reach my outbound limit. I did a trace of the IP which lead to Italy and it looks like the user is trying to login as "brandon", but was unsuccessful. Postfix is even show that the host is unknown and it's disconnecting, but then all of a sudden after disconnecting it starts sending a ton of e-mails. There are way more than what I've listed, but you get the idea.

Any ideas on how this is possible from an outside host using my server?

Code:

May 17 16:34:19 server postfix/smtpd[2316]: warning: 62.97.56.142: hostname host-56-142.pool.intred.it verification failed: Name or service not known
May 17 16:34:19 server postfix/smtpd[2316]: connect from unknown[62.97.56.142]
May 17 16:34:20 server postfix/smtpd[2316]: 9CB4E49008A: client=unknown[62.97.56.142], sasl_method=LOGIN, sasl_username=brandon
May 17 16:34:28 server postfix/cleanup[2320]: 9CB4E49008A: message-id=<[email protected]>
May 17 16:34:29 server postfix/qmgr[24088]: 9CB4E49008A: from=<[email protected]>, size=15883, nrcpt=50 (queue active)
May 17 16:34:29 server postfix/smtpd[2316]: disconnect from unknown[62.97.56.142]
May 17 16:34:31 server postfix/smtpd[2316]: warning: 62.97.56.142: hostname host-56-142.pool.intred.it verification failed: Name or service not known
May 17 16:34:31 server postfix/smtpd[2316]: connect from unknown[62.97.56.142]
May 17 16:34:32 server postfix/smtpd[2316]: BE85F490092: client=unknown[62.97.56.142], sasl_method=LOGIN, sasl_username=brandon
May 17 16:34:40 server postfix/cleanup[2320]: BE85F490092: message-id=<[email protected]>
May 17 16:34:41 server postfix/qmgr[24088]: BE85F490092: from=<[email protected]>, size=15883, nrcpt=50 (queue active)
May 17 16:34:41 server postfix/smtpd[2316]: disconnect from unknown[62.97.56.142]
May 17 16:34:43 server postfix/smtpd[2316]: warning: 62.97.56.142: hostname host-56-142.pool.intred.it verification failed: Name or service not known
May 17 16:34:43 server postfix/smtpd[2316]: connect from unknown[62.97.56.142]
May 17 16:34:45 server postfix/smtpd[2316]: 021E7490094: client=unknown[62.97.56.142], sasl_method=LOGIN, sasl_username=brandon
May 17 16:34:52 server postfix/cleanup[2320]: 021E7490094: message-id=<[email protected]>
May 17 16:34:53 server postfix/qmgr[24088]: 021E7490094: from=<[email protected]>, size=15883, nrcpt=50 (queue active)
May 17 16:34:53 server postfix/smtpd[2316]: disconnect from unknown[62.97.56.142]
May 17 16:34:54 server postfix/smtpd[2316]: warning: 62.97.56.142: hostname host-56-142.pool.intred.it verification failed: Name or service not known
May 17 16:34:54 server postfix/smtpd[2316]: connect from unknown[62.97.56.142]
May 17 16:34:56 server postfix/smtpd[2316]: 6D07B490095: client=unknown[62.97.56.142], sasl_method=LOGIN, sasl_username=brandon
May 17 16:35:04 server postfix/cleanup[2320]: 6D07B490095: message-id=<[email protected]>
May 17 16:35:05 server postfix/qmgr[24088]: 6D07B490095: from=<[email protected]>, size=15883, nrcpt=50 (queue active)
May 17 16:35:05 server postfix/smtpd[2316]: disconnect from unknown[62.97.56.142]
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)

 

I did some reading on SASL, which I guess is a way to remote login and user the (my) server as a SMTP relay. In /etc/postfix/main.cf I found smtpd_sasl_auth_enable = yes so I changed it to smtpd_sasl_auth_enable = no. Do you think this will fix my problems?

 

Well, after finding the above part where the user "brandon" was trying to login, I created that login a while ago as a temporatly solution for one of my friends. It was a very simple "brandon/brandon" username/password and I wasn't too worried of anyone guessing it because if they loggen in, they would only have access to that folder (web31) and the only thing to delete would have been my one PHP file I made to redirect to a different page.

Everything in the /etc/passwd file looks normal to me. I deleted "brandon" and it's no longer in the file. I'll try the link you gave me.

So wouldn't that mean only my IP then? If I disable SASL and they can't login remotely, then only my IP should be allowed to send.

 

And I ran rkhunter and everything looks good.

 

Only the IP address(es) that is/are listed in the mynetworks parameter in /etc/postfix/main.cf. Normally this is 127.0.0.1 (localhost).

 

So then no one can login remotely, and mail can't be sent from any IP other than 127.0.0.1. That should make it so no one will send spam from my server since all the relay tests show it impossible to relay from.

 

Well, if there's a vulnerable contact form on your server, it can be abused by spammers, because the mails would then originate from 127.0.0.1...