Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 3 > Developers' Forum

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Reply
 
Thread Tools Display Modes
  #1  
Old 3rd March 2009, 20:42
ophthal ophthal is offline
Junior Member
 
Join Date: Mar 2009
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
Default ISPCONFIG3 rc1 postfix question

How do i stop a local mail user from accessing the SMTP queue?
I set Postfix = n in the database and IMAP / POp checked
but they still have access?

True newbie here,

Ray

Last edited by ophthal; 5th March 2009 at 18:27.
Reply With Quote
Sponsored Links
  #2  
Old 4th March 2009, 02:35
ophthal ophthal is offline
Junior Member
 
Join Date: Mar 2009
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
Default

A little more info:
I have Roundcube installed with ISPconfig3 with a sign-up interface for new users. Well, the folks with US$20,000,000 dollars from Nigeria showed up and went nuts...

I have all the fun stuff on the spam side installed but a valid user... Well there are some holes I need to plug.

With ISPconfig3, I set the offender to Postfix no, IMAP & POP checked. In the database, Postfix=n, access=n, disableimap=1, disablepop3=1

These users can still send mail. In postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = all
invalid_hostname_reject_code = 554
mailbox_command = /usr/bin/maildrop
mailbox_size_limit = 50485760
message_size_limit = 10000000
mime_header_checks = regexp:/etc/postfix/mime_header_checks
multi_recipient_bounce_reject_code = 554
mydestination = mail.mymail.com, localhost, localhost.localdomain
myhostname = mail.t-mail.com
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
nested_header_checks = regexp:/etc/postfix/nested_header_checks
non_fqdn_reject_code = 554
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
readme_directory = /usr/share/doc/postfix
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_domains_reject_code = 554
relayhost =
smtp_destination_recipient_limit = 25
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf,
smtpd_error_sleep_time = 5s
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_recipient_limit = 5
smtpd_recipient_restrictions = reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_pipelining,permit_sasl_authenticated ,reject_unauth_destination,reject_rbl_client multi.uribl.com,reject_rbl_client zen.spamhaus.org,reject_rbl_client dnsbl.njabl.org,reject_rbl_client whois.rfc-ignorant.org,reject_rbl_client combined.rbl.msrbl.net,check_policy_service inet:127.0.0.1:60000,reject_rhsbl_sender dsn.rfc-ignorant.org,permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_login_maps = mysql:/etc/postfix/mysql-virtual_sender_ban.cf
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf,
smtpd_soft_error_limit = 10
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = maildrop
virtual_uid_maps = static:5000


and /etc/postfix/mysql-virtual_sender_ban.cf

user = XXXXXX
password = XXXXXX
dbname = dbispconfig
table = mail_user
select_field = email
where_field = email
additional_conditions = and postfix ='n'
hosts = 127.0.0.1

Thanks for your help.

Ray

Last edited by ophthal; 5th March 2009 at 18:26. Reason: remove domains
Reply With Quote
  #3  
Old 4th March 2009, 10:07
till till is online now
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 36,187
Thanks: 829
Thanked 5,417 Times in 4,259 Posts
Default

First you should update your installation to the latest ispconfig 3 release.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #4  
Old 4th March 2009, 14:24
ophthal ophthal is offline
Junior Member
 
Join Date: Mar 2009
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Sorry 'bout that. It is 3.0.0.9 RC2.


Ray
Reply With Quote
  #5  
Old 5th March 2009, 18:00
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,741 Times in 2,575 Posts
Default

Do you maybe have vulnerable web applications on your server that can be abused by spammers?
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
  #6  
Old 5th March 2009, 18:22
ophthal ophthal is offline
Junior Member
 
Join Date: Mar 2009
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Roundcube webmail linked to ISPconfig. Roundcube login depends on IMAP. With IMAP disabled through ISPconfig, the user authenticates OK but then the session disconnects.

telnet mymail.com 143
Trying 10.10.10.10...
Connected to mymail.com.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2008 Double Precision, Inc. See COPYING for distribution information.
. login user1@mymail.com XXXXXX
. OK LOGIN Ok.
* BYE IMAP access disabled for this account.
Connection closed by foreign host.

User is in though and can send e-mail. If disableimap stopped OK login, then user would not authenticate. Does this makes sense?
Something like the following in postfix/main.cf would block sending mail I think:

smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access mysql:/etc/postfix/mysql-virtual_sender_ban.cf

where mysql:/etc/postfix/mysql-virtual_sender.cf blocks blacklisted spamfilters from ISPconfig and
/etc/postfix/mysql-virtual_sender_ban.cf contains:

user = XXXXX
password = XXXXX
dbname = dbispconfig
table = mail_user
select_field = email
where_field = email
additional_conditions = and (postfix ='n' OR disableimap ='1')
hosts = 127.0.0.1

Should this block an ISPconfig user from sending? Does it makes sense?

I will investigate Roundcube and try to find out why the user is allowed access but from a pure ISPconfig point, is there a way to shut them out so setting postfix ='n' or disableimap='1' results in:

telnet mymail.com 143
Trying 10.10.10.10...
Connected to mymail.com.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2008 Double Precision, Inc. See COPYING for distribution information.
. login user1@mymail.com XXXXXX
. NO Login failed.
* BYE IMAP access disabled for this account.
Connection closed by foreign host.

Thanks again for your patience and for not jumping all over me for my ignorance. I have found these forums very useful and appreciate your willingness to help us, the dimmer bulbs in the chandelier.

Ray
Reply With Quote
  #7  
Old 6th March 2009, 14:01
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,741 Times in 2,575 Posts
 
Default

Quote:
Originally Posted by ophthal View Post
but from a pure ISPconfig point, is there a way to shut them out so setting postfix ='n' or disableimap='1' results in:

telnet mymail.com 143
Trying 10.10.10.10...
Connected to mymail.com.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2008 Double Precision, Inc. See COPYING for distribution information.
. login user1@mymail.com XXXXXX
. NO Login failed.
* BYE IMAP access disabled for this account.
Connection closed by foreign host.
I'm not sure if this is possible...
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
Reply

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Undelivered Mail Returned to Sender Error202 General 5 7th May 2009 11:14
localhost postfix/master: fatal: bind 127.0.0.1 port 125: Permission denied g18c Installation/Configuration 4 24th March 2009 17:39
CentoS doesn't send the emails vaio1 Installation/Configuration 18 5th November 2008 17:51
Centos 4.4 32bit Hangs, High Server load 3cwired_com Server Operation 11 16th November 2006 15:47
Verify email setup meekish Installation/Configuration 28 27th October 2006 15:36


All times are GMT +2. The time now is 14:58.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.