Question Securing Email

[Greg Sims]

We are having problems with email being sent from our server that is considered Spam. I am the only user running on the server which is being used for websites, sending subscription email via mailman and a few other admin emails from Cron and the like. We believe the Spam is a result of a Hack likely via SMTP Auth -- we do not know this for sure.

I am working to secure our server so that only applications running on the server can send email. I have done the following so far:

• All SMTP Ports are Blocked in the Plesk Firewall -- except Port 25
• I believe SMTP Port 25 is needed for the server to receive email
• Relaying is Closed (and I am monitoring changes to /etc/postfix/main.cf to ensure this)
• Fail2Ban is running with Plesk Postfix Jail at MaxRetry = 2

I believe Plesk-Postfix jail is not doing anything. Relaying is Closed so Authentication Failure is not possible -- it is not possible to try to Authenticate via SMTP. This jail is showing no banned IP Addresses.

I'm not sure there is anything else I can do. Any additional ideas would be helpful.

Thanks, Greg

 

[danami]

If you look at the message headers then it should tell you which linux account this is coming from. Use the mailq and the postcat commands:

How can I see the contents of the mail whose ID I get from mailq command?

From there you will know if its coming from scripts in your vhost directory or from an actual mail account.

Some other tips:

1. Limit damage and don't be a target by setting outgoing mail limits in Outgoing Mail Control.
2. Make sure to set the security policy to "Strong" or "Very strong" to enforce good passwords.
3. Audit your existing mail passwords using the command: /usr/local/psa/admin/sbin/mail_auth_view

 

[Greg Sims]

This was very helpful danami -- thank you.

I also noticed that there are a number of access control from Postfix that can help: Postfix SMTP relay and access control .

All the best, Greg