After a spam outbreak from a compromised site on one of my ISPConfig servers I set out to prevent outbreaks. One thing I did was to lock down port 25 to the mail and mailman groups and disable the php mail() function. I also changed the sendmail path in php.ini to use a second postfix instance and installed cluebringer to rate-limit mail on the second postfix instance, so that legitimate mail from php scripts can still pass. The setup looks like this:

Code:
                       cbpolicy                                     amavisd
                          |                                            |
Mail from php script ---> sendmail (postfix instance2 port2525) ---> Main postfix ---> Mailbox
                                                                       |
                                                                     Clamav

main.cf second postfix instance

Code:
data_directory = /var/lib/postfix-2525
queue_directory = /var/spool/postfix-2525
relayhost = 127.0.0.1:12525
multi_instance_name = postfix-2525
multi_instance_enable = yes
smtpd_sender_restrictions = check_policy_service inet:127.0.0.1:10031

master.cf second postfix instance

Code:
127.0.0.1:2525 inet  n       -       -       -       2       smtpd
  -o syslog_name=postfix2525
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
  -o smtp_fallback_relay=
#  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache

I know both outgoing and incoming mail are scanned, so in this setup will the mail from the php script be scanned as well, or are there some changes that might be required?
Thanks
One fairly easy way to "control" the SMTP queue is with Webmin. It has a built-in "System and Server Status" monitor that we use to email an alert to our SMS account (on https://www.clicksend.com). Set the "Mail Queue Size" alert in Webmin to 100 or so and you will get an email alert every time some account starts to SPAM. Have that email sent to your SMS provider (Clicksend). Then disable the SPAM account and use the script below to remove all email in the queue from the spammer. (Remember to check "Email SMS Allowed Addresses" in the Clicksend settings, otherwise you won't get the SMS alert.) For additional security we built a relay SMTP server that only sends 100 emails in a minute. ISPConfig has the Webmin alert that pushes the email alert, and you will probably only leak a few hundred SPAM mails if you react quickly while the SPAM is queued in the SMTP server's outbound queue. For more additional security you can configure Postfix main.cf on ISPConfig to send 100 emails per minute and only half of that on the SMTP relay server. That way ISPConfig won't collect the SPAM in its queue but the SMTP relay will. Webmin is a lot easier to configure for monitoring and alerts than ZenOSS.

Code:
[email protected]:~# spam-que-del.sh
#!/usr/bin/perl
# Use this script to remove all email in the queue from the spammer. Works with all Debian based systems.
# Save this script and make it executable with "chmod 755 spam-que-del.sh". Now you can run the following command:
#   ./spam-que-del.sh MYSPAMDOMAIN.COM   deletes all myspamdomain.com mails from the mail queue.
#   ./spam-que-del.sh SPAMUSER           deletes all queued messages that contain the word "spamuser" in the e-mail address.
# Run it as root: postsuper(1) only accepts deletions from the superuser.
use strict;
use warnings;

my $REGEXP = shift || die "no email-address given (regexp-style, e.g. bl.*\@gmail.com)!";

# Read the current queue listing. Each entry starts with a queue ID line,
# optionally flagged with * (active) or ! (on hold), followed by the
# sender and indented recipient lines.
my @data = qx</usr/sbin/postqueue -p>;

my %Q;
my $queue_id = "";
for (@data) {
    if (/^(\w+)(\*|\!)?\s/) { $queue_id = $1; }
    if ($queue_id) {
        # Test the pattern against every line of the current entry
        # (sender and recipients); one hit marks the whole message.
        if (/$REGEXP/i) {
            $Q{$queue_id} = 1;
            $queue_id = "";
        }
    }
}

# Feed the selected queue IDs to postsuper, one per line, for deletion.
open(POSTSUPER, "|postsuper -d -") || die "couldn't open postsuper";
foreach (keys %Q) { print POSTSUPER "$_\n"; }
close(POSTSUPER);
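Added example, not from the thread: a small Python parser for `postqueue -p` output that counts queued messages per envelope sender, which is the check behind the "Mail Queue Size" alert above and lets you identify the offending account before purging its queue. The queue listing embedded here is constructed and the hostnames are placeholders.

```python
import re
from collections import Counter

# Constructed sample of `postqueue -p` output: one web-script sender
# (www-data) flooding the queue, plus one legitimate deferred message.
SAMPLE_QUEUE = """\
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*     4021 Tue Jun  4 10:12:01  www-data@web1.example.com
                                         victim1@example.net

F6A7B8C9D0      3910 Tue Jun  4 10:12:03  www-data@web1.example.com
                                         victim2@example.org
                                         victim3@example.org

0123456789!     2200 Tue Jun  4 09:58:40  alice@example.com
(connect to mx.example.net[192.0.2.10]:25: Connection refused)
                                         bob@example.net

-- 10 Kbytes in 3 Requests.
"""

# Queue-ID line: ID, optional */! status flag, size, arrival time, sender.
ID_LINE = re.compile(r"^(\w+)[*!]?\s+(\d+)\s+\w{3}\s+\w{3}\s+\d+\s+[\d:]+\s+(\S+)$")

def parse_postqueue(text):
    """Return one dict per queued message: id, size, sender, recipients."""
    entries, current = [], None
    for line in text.splitlines():
        m = ID_LINE.match(line)
        if m:
            current = {"id": m.group(1), "size": int(m.group(2)),
                       "sender": m.group(3).lower(), "recipients": []}
            entries.append(current)
        elif not line.strip():
            current = None  # a blank line ends the entry
        elif current and line.startswith(" "):
            current["recipients"].append(line.strip().lower())
        # unindented "(...)" lines are deferral reasons and are ignored
    return entries

def sender_counts(entries):
    """(sender, queued message count) pairs, most frequent first."""
    return Counter(e["sender"] for e in entries).most_common()

def offenders(entries, threshold):
    """Senders whose queued message count reaches the alert threshold."""
    return [s for s, n in sender_counts(entries) if n >= threshold]

if __name__ == "__main__":  # usage: postqueue -p | python3 queue_report.py
    import sys
    print(sender_counts(parse_postqueue(sys.stdin.read()))[:5])
```

Senders returned by `offenders()` are candidates for the `spam-que-del.sh` pattern above, after the account itself has been disabled.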