Does "Enable message submission" block Port 25?

[damon]

I've read the docs and searched but I can't find out for sure if checking the box "Enable message submission" in Mail settings will allow clients to send mail using both 25 and 587, or only 587.

Which way does the check box work?

 

[faris]

No, enabling submission simply adds port 587. It has no effect on 25.

 

[damon]

Faris,

Excellent, that's what I was hoping.

I just didn't want to check the box and then find that no one could send mail.

My question came up because of the warning in the plesk admin guide:

4 To protect your server against unauthorized mail relaying or injection of unsolicited bulk mail, select the Enable message submission check box to allow your customers to send e-mail messages through the port 587.

Also notify your customers that they need to specify in their e-mail programs' settings the port 587 for outgoing SMTP connections, and be sure to allow connections to this port in your firewall settings.

 

[faris]

It is alwasy better to be safe than sorry!

What the documentation is trying to say is that in order to use the submission port, your users will need to switch to port 587. They will still be able to use port 25 if they want. Essentially all that happens is that a second instance of the smtp server is started, listening in port 587 and REQUIRING authentication.

Faris.

 

[Cnote]

It is alwasy better to be safe than sorry!

What the documentation is trying to say is that in order to use the submission port, your users will need to switch to port 587. They will still be able to use port 25 if they want. Essentially all that happens is that a second instance of the smtp server is started, listening in port 587 and REQUIRING authentication.

Faris.

If port 25 stays open is my server still vulnerable to unauthorized mail relaying or injection of unsolicited bulk mail?

 

[faris]

Port 25 is the port used to deliver email to your system. If you close it then no email will ever arrive in anybody's mailbox.

But as to being vulnerable to unauthorised mail relay or injection of unsolicited email....opening port 587 makes no difference because your system should not and is unlikely to be vulnerable to start with.

Unless you have deliberately done something that allows people to use your server to send email without authentication, or there is an unknown bug somewhere in the system, your system won't be vulnerable.

Of course someone might guess a username/password for one of your users, or you might have an insecure web form (php or cgi or whatever) on your system, but that's about it.

Or have I misunderstood your question and why you were asking?

Faris.

 

[Cnote]

Yes, that answers my question.... I had a problem this morning, somehow a php file was loaded to a clients folder (writable by apache) and started sending thousands of emails.... Can I somehow set my mail system to only allow a certain number of emails to be sent at a time?

 

[faris]

Slowing down or limiting outgoing email is sometimes known as tarpitting.

There are some patches for qmail that allow this but patching qmail is a nightmare.

I'm not sure if it is easier with postfix (in Plesk 9) or not. I've not really looked into postfix.

What you might want to do as a sensible "inbetween" measure would be to install something that would monitor qmail's queue and alert you if it gets big. That can be an indication something is wrong.

You might also like to increase the security on your system to help prevent malicious uploads.

One way to monitor qmail is using 4PSA's Server Assistant package. (www.4psa.com) [commercial product]

And to increase security, installing ASL would be wise (www.atomicrocketturtle.com) [commercial product]

Faris.