Rejecting outbound mail

Discussion in 'General' started by tristanlee85, May 12, 2007.

  1. tristanlee85

    tristanlee85 New Member

    Is there any way to refuse to send mail outside of the server? Basically I want to keep my mail server turned on so I can receive mail, but I don't want to be able to send mail out from the server. How can I go about doing this?

    Time Warner finally sent me a notice in the mail that any more spam sent from my account will result in termination of my account so... yeh. I need to keep the server running, but not send any mail outbound.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    I think the more interesting question is, why is your server sending spam emails.

    Have you checked your server, if it is a open relay? Have you checked if someone sends spam through any html contact forms?
     
  3. tristanlee85

    tristanlee85 New Member

    I've actually had a couple of threads on here trying to figure out why I am spamming people. Through the tests I've done, it's not an open relay, at least according to the couple of sites I used to test my server.

    The only contact form I have is on my forums. It requires an e-mail address, image verification, and a message. The form sends all mail to [email protected]. I don't see how they are using that form.
     
  4. tristanlee85

    tristanlee85 New Member

    Alright. It's now happened again. I can't send any more e-mails out for another 24 hours because I've reached my daily limit of 1000. In other words, people have been using my server again to keep spamming. I removed all contact forms from my pages that allow users to e-mail me. I don't know how else to stop this other than just turning off the SMTP server, but if I do that then my e-mail doesn't work and my primary e-mail address is used on this server.

    I'm willing to let one of the "known" people of ISPConfig SSH and look at my computer to see what may be wrong if you would be willing to do so. Like I've said in other posts, all of the relay testing sites say they can't relay from my server so something is up. I don't know what else to do here. Please help.
     
  5. tristanlee85

    tristanlee85 New Member

    I was able to find this log. This is was caused me to reach my outbound limit. I did a trace of the IP which lead to Italy and it looks like the user is trying to login as "brandon", but was unsuccessful. Postfix is even show that the host is unknown and it's disconnecting, but then all of a sudden after disconnecting it starts sending a ton of e-mails. There are way more than what I've listed, but you get the idea.

    Any ideas on how this is possible from an outside host using my server?

    Code:
    May 17 16:34:19 server postfix/smtpd[2316]: warning: 62.97.56.142: hostname host-56-142.pool.intred.it verification failed: Name or service not known
    May 17 16:34:19 server postfix/smtpd[2316]: connect from unknown[62.97.56.142]
    May 17 16:34:20 server postfix/smtpd[2316]: 9CB4E49008A: client=unknown[62.97.56.142], sasl_method=LOGIN, sasl_username=brandon
    May 17 16:34:28 server postfix/cleanup[2320]: 9CB4E49008A: message-id=<[email protected]>
    May 17 16:34:29 server postfix/qmgr[24088]: 9CB4E49008A: from=<[email protected]>, size=15883, nrcpt=50 (queue active)
    May 17 16:34:29 server postfix/smtpd[2316]: disconnect from unknown[62.97.56.142]
    May 17 16:34:31 server postfix/smtpd[2316]: warning: 62.97.56.142: hostname host-56-142.pool.intred.it verification failed: Name or service not known
    May 17 16:34:31 server postfix/smtpd[2316]: connect from unknown[62.97.56.142]
    May 17 16:34:32 server postfix/smtpd[2316]: BE85F490092: client=unknown[62.97.56.142], sasl_method=LOGIN, sasl_username=brandon
    May 17 16:34:40 server postfix/cleanup[2320]: BE85F490092: message-id=<[email protected]>
    May 17 16:34:41 server postfix/qmgr[24088]: BE85F490092: from=<[email protected]>, size=15883, nrcpt=50 (queue active)
    May 17 16:34:41 server postfix/smtpd[2316]: disconnect from unknown[62.97.56.142]
    May 17 16:34:43 server postfix/smtpd[2316]: warning: 62.97.56.142: hostname host-56-142.pool.intred.it verification failed: Name or service not known
    May 17 16:34:43 server postfix/smtpd[2316]: connect from unknown[62.97.56.142]
    May 17 16:34:45 server postfix/smtpd[2316]: 021E7490094: client=unknown[62.97.56.142], sasl_method=LOGIN, sasl_username=brandon
    May 17 16:34:52 server postfix/cleanup[2320]: 021E7490094: message-id=<[email protected]>
    May 17 16:34:53 server postfix/qmgr[24088]: 021E7490094: from=<[email protected]>, size=15883, nrcpt=50 (queue active)
    May 17 16:34:53 server postfix/smtpd[2316]: disconnect from unknown[62.97.56.142]
    May 17 16:34:54 server postfix/smtpd[2316]: warning: 62.97.56.142: hostname host-56-142.pool.intred.it verification failed: Name or service not known
    May 17 16:34:54 server postfix/smtpd[2316]: connect from unknown[62.97.56.142]
    May 17 16:34:56 server postfix/smtpd[2316]: 6D07B490095: client=unknown[62.97.56.142], sasl_method=LOGIN, sasl_username=brandon
    May 17 16:35:04 server postfix/cleanup[2320]: 6D07B490095: message-id=<[email protected]>
    May 17 16:35:05 server postfix/qmgr[24088]: 6D07B490095: from=<[email protected]>, size=15883, nrcpt=50 (queue active)
    May 17 16:35:05 server postfix/smtpd[2316]: disconnect from unknown[62.97.56.142]
    May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
    May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
    May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
    May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
    May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
    May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
    May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
    May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
    May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
    May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
    May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
    May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
    May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
    May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
    May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
    May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
    May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
    May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<[email protected]>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
     
  6. tristanlee85

    tristanlee85 New Member

    I did some reading on SASL, which I guess is a way to remote login and user the (my) server as a SMTP relay. In /etc/postfix/main.cf I found smtpd_sasl_auth_enable = yes so I changed it to smtpd_sasl_auth_enable = no. Do you think this will fix my problems?
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    I dont think that this will help you. Enabled SASL means that only authenticated users are allowed to send, disabling sasl means no one is allowed to send except that the IP of the sender is within mynetworks.

    Did you have a look at /etc/passwd if there is a user brandon and has this user been created by you or one of your customers? Did you check your server with e.g. rkhunter (http://www.rootkit.nl) for rootkits?
     
  8. tristanlee85

    tristanlee85 New Member

    Well, after finding the above part where the user "brandon" was trying to login, I created that login a while ago as a temporatly solution for one of my friends. It was a very simple "brandon/brandon" username/password and I wasn't too worried of anyone guessing it because if they loggen in, they would only have access to that folder (web31) and the only thing to delete would have been my one PHP file I made to redirect to a different page.

    Everything in the /etc/passwd file looks normal to me. I deleted "brandon" and it's no longer in the file. I'll try the link you gave me.

    So wouldn't that mean only my IP then? If I disable SASL and they can't login remotely, then only my IP should be allowed to send.
     
  9. tristanlee85

    tristanlee85 New Member

    And I ran rkhunter and everything looks good.
     
  10. falko

    falko Super Moderator Howtoforge Staff

    Only the IP address(es) that is/are listed in the mynetworks parameter in /etc/postfix/main.cf. Normally this is 127.0.0.1 (localhost).
     
  11. tristanlee85

    tristanlee85 New Member

    So then no one can login remotely, and mail can't be sent from any IP other than 127.0.0.1. That should make it so no one will send spam from my server since all the relay tests show it impossible to relay from.
     
  12. falko

    falko Super Moderator Howtoforge Staff

    Well, if there's a vulnerable contact form on your server, it can be abused by spammers, because the mails would then originate from 127.0.0.1...
     

Share This Page