  #1  
Old 12th May 2007, 21:51
tristanlee85
Rejecting outbound mail

Is there any way to refuse to send mail outside of the server? Basically I want to keep my mail server turned on so I can receive mail, but I don't want to be able to send mail out from the server. How can I go about doing this?

Time Warner finally sent me a notice in the mail that any more spam sent from my account will result in termination of my account so... yeah. I need to keep the server running, but not send any mail outbound.
  #2  
Old 13th May 2007, 13:19
till

I think the more interesting question is, why is your server sending spam emails.

Have you checked your server, if it is an open relay? Have you checked if someone sends spam through any HTML contact forms?
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #3  
Old 13th May 2007, 19:11
tristanlee85

I've actually had a couple of threads on here trying to figure out why I am spamming people. Through the tests I've done, it's not an open relay, at least according to the couple of sites I used to test my server.

The only contact form I have is on my forums. It requires an e-mail address, image verification, and a message. The form sends all mail to phpbb@plastikracing.net. I don't see how they are using that form.
  #4  
Old 18th May 2007, 06:52
tristanlee85

Alright. It's now happened again. I can't send any more e-mails out for another 24 hours because I've reached my daily limit of 1000. In other words, people have been using my server again to keep spamming. I removed all contact forms from my pages that allow users to e-mail me. I don't know how else to stop this other than just turning off the SMTP server, but if I do that then my e-mail doesn't work and my primary e-mail address is used on this server.

I'm willing to let one of the "known" people of ISPConfig SSH and look at my computer to see what may be wrong if you would be willing to do so. Like I've said in other posts, all of the relay testing sites say they can't relay from my server so something is up. I don't know what else to do here. Please help.
  #5  
Old 18th May 2007, 09:14
tristanlee85

I was able to find this log. This is what caused me to reach my outbound limit. I did a trace of the IP which led to Italy and it looks like the user is trying to login as "brandon", but was unsuccessful. Postfix is even showing that the host is unknown and it's disconnecting, but then all of a sudden after disconnecting it starts sending a ton of e-mails. There are way more than what I've listed, but you get the idea.

Any ideas on how this is possible from an outside host using my server?

Code:
May 17 16:34:19 server postfix/smtpd[2316]: warning: 62.97.56.142: hostname host-56-142.pool.intred.it verification failed: Name or service not known
May 17 16:34:19 server postfix/smtpd[2316]: connect from unknown[62.97.56.142]
May 17 16:34:20 server postfix/smtpd[2316]: 9CB4E49008A: client=unknown[62.97.56.142], sasl_method=LOGIN, sasl_username=brandon
May 17 16:34:28 server postfix/cleanup[2320]: 9CB4E49008A: message-id=<20070517203420.9CB4E49008A@server.vasceria.com>
May 17 16:34:29 server postfix/qmgr[24088]: 9CB4E49008A: from=<aw-member@ebay.com>, size=15883, nrcpt=50 (queue active)
May 17 16:34:29 server postfix/smtpd[2316]: disconnect from unknown[62.97.56.142]
May 17 16:34:31 server postfix/smtpd[2316]: warning: 62.97.56.142: hostname host-56-142.pool.intred.it verification failed: Name or service not known
May 17 16:34:31 server postfix/smtpd[2316]: connect from unknown[62.97.56.142]
May 17 16:34:32 server postfix/smtpd[2316]: BE85F490092: client=unknown[62.97.56.142], sasl_method=LOGIN, sasl_username=brandon
May 17 16:34:40 server postfix/cleanup[2320]: BE85F490092: message-id=<20070517203432.BE85F490092@server.vasceria.com>
May 17 16:34:41 server postfix/qmgr[24088]: BE85F490092: from=<aw-member@ebay.com>, size=15883, nrcpt=50 (queue active)
May 17 16:34:41 server postfix/smtpd[2316]: disconnect from unknown[62.97.56.142]
May 17 16:34:43 server postfix/smtpd[2316]: warning: 62.97.56.142: hostname host-56-142.pool.intred.it verification failed: Name or service not known
May 17 16:34:43 server postfix/smtpd[2316]: connect from unknown[62.97.56.142]
May 17 16:34:45 server postfix/smtpd[2316]: 021E7490094: client=unknown[62.97.56.142], sasl_method=LOGIN, sasl_username=brandon
May 17 16:34:52 server postfix/cleanup[2320]: 021E7490094: message-id=<20070517203445.021E7490094@server.vasceria.com>
May 17 16:34:53 server postfix/qmgr[24088]: 021E7490094: from=<aw-member@ebay.com>, size=15883, nrcpt=50 (queue active)
May 17 16:34:53 server postfix/smtpd[2316]: disconnect from unknown[62.97.56.142]
May 17 16:34:54 server postfix/smtpd[2316]: warning: 62.97.56.142: hostname host-56-142.pool.intred.it verification failed: Name or service not known
May 17 16:34:54 server postfix/smtpd[2316]: connect from unknown[62.97.56.142]
May 17 16:34:56 server postfix/smtpd[2316]: 6D07B490095: client=unknown[62.97.56.142], sasl_method=LOGIN, sasl_username=brandon
May 17 16:35:04 server postfix/cleanup[2320]: 6D07B490095: message-id=<20070517203456.6D07B490095@server.vasceria.com>
May 17 16:35:05 server postfix/qmgr[24088]: 6D07B490095: from=<aw-member@ebay.com>, size=15883, nrcpt=50 (queue active)
May 17 16:35:05 server postfix/smtpd[2316]: disconnect from unknown[62.97.56.142]
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<aa361@163.com>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<aa19194@a.cni.org>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<aaameetings@aaanet.org>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<aa5693@acc.msmc.edu>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<aaarlington@actadv.com>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<aa4hq@arrl.net>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<aa1gw@arrl.org>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<aaamail@bdcom.com>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<aaam@bellsouth.net>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<aaappliance@bluebonnet.net>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<aaappraisals@cfu.net>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<aaapke@chilton.com>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<aa223aay@chollian.com>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<aa622@cleveland.freenet.edu>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<aa726@cleveland.freenet.edu>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<aa69@cornell.edu>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<aaarne@cox.net>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
May 17 16:35:05 server postfix/smtp[2348]: 021E7490094: to=<aaaquiltsup@d-web.com>, relay=smtp-server.columbus.rr.com[65.24.7.60], delay=21, status=sent (250 2.0.0 l4HKM4f0000173 Message accepted for delivery)
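
In a Postfix log of this shape, each smtpd line carrying `sasl_username=` records a message accepted from an authenticated client, and the qmgr line with the same queue ID gives its recipient count (`nrcpt=`), so mail volume per SASL account can be tallied straight from the log. The Python sketch below is an added example, not part of the original thread; the sample lines are constructed, and the function names and the 100-recipient threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log above (documentation IPs, made-up users).
SAMPLE_LOG = """\
May 17 16:34:20 mx postfix/smtpd[2316]: 9CB4E49008A: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice
May 17 16:34:29 mx postfix/qmgr[24088]: 9CB4E49008A: from=<billing@example.com>, size=15883, nrcpt=50 (queue active)
May 17 16:34:32 mx postfix/smtpd[2316]: BE85F490092: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice
May 17 16:34:41 mx postfix/qmgr[24088]: BE85F490092: from=<billing@example.com>, size=15883, nrcpt=50 (queue active)
May 17 16:34:45 mx postfix/smtpd[2316]: 021E7490094: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice
May 17 16:34:53 mx postfix/qmgr[24088]: 021E7490094: from=<billing@example.com>, size=15883, nrcpt=50 (queue active)
May 17 16:40:00 mx postfix/qmgr[24088]: 021E7490094: from=<billing@example.com>, size=15883, nrcpt=50 (queue active)
May 17 17:02:10 mx postfix/smtpd[2400]: 3A1F0490101: client=host.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=bob
May 17 17:02:11 mx postfix/qmgr[24088]: 3A1F0490101: from=<bob@example.org>, size=2110, nrcpt=2 (queue active)
May 17 17:05:00 mx postfix/qmgr[24088]: 77AA1490155: from=<root@example.org>, size=900, nrcpt=1 (queue active)
"""

AUTH_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=[^\[]*\[([^\]]+)\], "
                     r"sasl_method=[^,]+, sasl_username=(\S+)")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>, size=\d+, nrcpt=(\d+)")

def sasl_send_summary(log_text):
    """Tally queued messages and recipients per (sasl_username, client IP)."""
    owner = {}       # queue ID -> (sasl_username, client IP) that submitted it
    counted = set()  # queue IDs already tallied; deferred mail logs "queue active" again
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "senders": set()})
    for line in log_text.splitlines():
        auth = AUTH_RE.search(line)
        if auth:
            owner[auth.group(1)] = (auth.group(3), auth.group(2))
            continue
        queued = QMGR_RE.search(line)
        if queued and queued.group(1) in owner and queued.group(1) not in counted:
            counted.add(queued.group(1))
            entry = stats[owner[queued.group(1)]]
            entry["messages"] += 1
            entry["recipients"] += int(queued.group(3))
            entry["senders"].add(queued.group(2))
    return dict(stats)

def flag_accounts(stats, max_recipients=100):
    """Return the (username, IP) pairs whose recipient total exceeds the threshold (assumed value)."""
    return sorted(key for key, entry in stats.items() if entry["recipients"] > max_recipients)

if __name__ == "__main__":
    for key in flag_accounts(sasl_send_summary(SAMPLE_LOG)):
        print("investigate:", key)
```

Messages without a matching `sasl_username=` line (local or `mynetworks` submissions) are ignored here, so a flagged account points specifically at credentials being used to send.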
  #6  
Old 18th May 2007, 09:25
tristanlee85

I did some reading on SASL, which I guess is a way to remote login and use the (my) server as an SMTP relay. In /etc/postfix/main.cf I found smtpd_sasl_auth_enable = yes so I changed it to smtpd_sasl_auth_enable = no. Do you think this will fix my problems?
  #7  
Old 18th May 2007, 10:20
till

Quote:
Originally Posted by tristanlee85
I did some reading on SASL, which I guess is a way to remote login and use the (my) server as an SMTP relay. In /etc/postfix/main.cf I found smtpd_sasl_auth_enable = yes so I changed it to smtpd_sasl_auth_enable = no. Do you think this will fix my problems?
I don't think that this will help you. Enabled SASL means that only authenticated users are allowed to send, disabling sasl means no one is allowed to send except that the IP of the sender is within mynetworks.

Did you have a look at /etc/passwd if there is a user brandon and has this user been created by you or one of your customers? Did you check your server with e.g. rkhunter (http://www.rootkit.nl) for rootkits?
  #8  
Old 18th May 2007, 20:18
tristanlee85

Well, after finding the above part where the user "brandon" was trying to login, I created that login a while ago as a temporary solution for one of my friends. It was a very simple "brandon/brandon" username/password and I wasn't too worried of anyone guessing it because if they logged in, they would only have access to that folder (web31) and the only thing to delete would have been my one PHP file I made to redirect to a different page.

Everything in the /etc/passwd file looks normal to me. I deleted "brandon" and it's no longer in the file. I'll try the link you gave me.

Quote:
disabling sasl means no one is allowed to send except that the IP of the sender is within mynetworks.
So wouldn't that mean only my IP then? If I disable SASL and they can't login remotely, then only my IP should be allowed to send.
  #9  
Old 18th May 2007, 20:28
tristanlee85

And I ran rkhunter and everything looks good.
  #10  
Old 19th May 2007, 15:22
falko

Quote:
Originally Posted by tristanlee85
So wouldn't that mean only my IP then?
Only the IP address(es) that is/are listed in the mynetworks parameter in /etc/postfix/main.cf. Normally this is 127.0.0.1 (localhost).
__________________
Falko