We have the following situation for a domain on our Plesk Obsidian 18.0.64 for Linux:
- Domain xxx.yyy is set up on the server with mail settings "disable incoming mail, allow outgoing mail" (mail is at MS365)
- SMTP server is Postfix
- Set up the smarthost feature pointing to our Spamexperts setup (cloud)
- In Spamexperts a configuration is made that our webserver IP can relay outgoing through the (outgoing) spamfilter because of changing domains on the server
This is working perfectly. All mail sent (using sendmail/php) is sent through our outgoing spamfilter at Spamexperts, which helps prevent blacklisting because of poorly configured webforms/sites.
Lately I got several NDRs for a few domains. I thought they had a bad webform or might even be hacked. I went through the Plesk mailfilter and the Spamexperts outgoing filter. I found several strange things in the mail logs:
Mail was received by our Plesk server for [email protected] from SRS0=KbFn=R4=rejorational.com=[email protected]. -> This should not be possible because yyy.com has the "disable incoming mail" configured.
After that the mail is forwarded to the spamexperts filter. -> This should not be possible because now it is relaying and that's not what we want!
I can see the mail being quarantined in the Spamexperts outgoing mail log, followed by an "Undelivered mail returned to sender" mail being quarantined, with the recipient "[email protected]". -> This is where I found a clue what is happening: SRS.
Seems like external mailservers can utilise SRS to send mail to our Plesk server for a domain that has no mail active and then the mail is forwarded to the smarthost (Spamexperts) which is relaying. The Plesk server should have blocked the message with an error because incoming mail is disabled. I understand that when a script sends a mail to [email protected] from a webform for example, it should be possible to send the mail through the smarthost, but that is mail originating from the server itself, so it's not relaying.
So, setting up a smarthost in combination with a domain with incoming mail disabled and using SRS allows relaying from outside. Am I correct? If so, how can we fix it? If not, what might be the problem then and how does the mail end up in our outgoing mailfilter?
P.S. In the past I had a different approach to block outgoing mail: I had an outgoing DNAT rule in iptables that rewrote outgoing connections on port 25 to the Spamexperts smarthost. That seemed to work perfectly except that some WordPress users were complaining that they didn't want their mails going through a third-party spamfilter without their consent. So I removed it. Not sure how I made it work, it has been a few years and I'm a Windows guy more than Linux.
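
One way to check the mail log for the flow described in the post (added example, not part of the original post): it correlates Postfix log lines by queue ID and reports messages that arrived from a non-local SMTP client and were then handed to the smarthost. The log excerpt, the smarthost name `smarthost.example.net` and the list of local networks are assumptions.

```python
import ipaddress
import re

# Constructed Postfix log excerpt (not from the post); all hosts/addresses are placeholders.
SAMPLE_LOG = """\
Nov 12 10:01:02 web1 postfix/smtpd[2101]: 4F1A22C0D1: client=mx.sender.example[203.0.113.7]
Nov 12 10:01:02 web1 postfix/qmgr[900]: 4F1A22C0D1: from=<SRS0=AbCd=XY=origin.example=user@fwd.example>, size=2312, nrcpt=1 (queue active)
Nov 12 10:01:03 web1 postfix/smtp[2110]: 4F1A22C0D1: to=<info@customer.example>, relay=smarthost.example.net[198.51.100.25]:25, delay=0.9, dsn=2.0.0, status=sent (250 OK)
Nov 12 10:05:40 web1 postfix/pickup[1800]: 7B2C31E0A4: uid=33 from=<www-data>
Nov 12 10:05:40 web1 postfix/qmgr[900]: 7B2C31E0A4: from=<www-data@web1.example>, size=812, nrcpt=1 (queue active)
Nov 12 10:05:41 web1 postfix/smtp[2111]: 7B2C31E0A4: to=<info@customer.example>, relay=smarthost.example.net[198.51.100.25]:25, delay=0.5, dsn=2.0.0, status=sent (250 OK)
Nov 12 10:09:12 web1 postfix/smtpd[2130]: 9D0E44A1B7: client=localhost[127.0.0.1]
Nov 12 10:09:12 web1 postfix/qmgr[900]: 9D0E44A1B7: from=<shop@customer.example>, size=1500, nrcpt=1 (queue active)
Nov 12 10:09:13 web1 postfix/smtp[2131]: 9D0E44A1B7: to=<buyer@other.example>, relay=smarthost.example.net[198.51.100.25]:25, delay=0.4, dsn=2.0.0, status=sent (250 OK)
"""

SMARTHOST = "smarthost.example.net"  # assumption: hostname of the configured smarthost
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]  # assumption

LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-Za-z]{6,}): (.*)$")
CLIENT = re.compile(r"client=\S*\[([0-9a-fA-F.:]+)\]")
SENDER = re.compile(r"from=<([^>]*)>")
DELIVERY = re.compile(r"to=<([^>]*)>, .*?relay=([^\[,]+)")
SRS = re.compile(r"SRS[01][=+-]", re.I)

def find_external_relays(log_text, smarthost=SMARTHOST):
    """Return messages accepted from a non-local SMTP client and sent on to the smarthost."""
    msgs = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        rec = msgs.setdefault(qid, {"client": None, "sender": None, "rcpts": []})
        if daemon == "smtpd" and (c := CLIENT.search(rest)):
            rec["client"] = c.group(1)      # message came in over SMTP
        elif daemon == "qmgr" and (s := SENDER.search(rest)):
            rec["sender"] = s.group(1)      # envelope sender
        elif daemon == "smtp" and (d := DELIVERY.search(rest)) and d.group(2) == smarthost:
            rec["rcpts"].append(d.group(1)) # delivery attempt via the smarthost
    findings = []
    for qid, rec in msgs.items():
        if not rec["client"] or not rec["rcpts"]:
            continue  # submitted locally via pickup, or never sent to the smarthost
        if any(ipaddress.ip_address(rec["client"]) in net for net in LOCAL_NETS):
            continue  # SMTP submission from the server itself
        findings.append({"qid": qid, "client": rec["client"], "sender": rec["sender"],
                         "srs": bool(SRS.match(rec["sender"] or "")), "rcpts": rec["rcpts"]})
    return findings
```

On a real server, pass the contents of the Postfix mail log and the actual smarthost name instead of the constructed sample.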