disable php mail for site, blok "unexisting" sender

Discussion in 'Installation/Configuration' started by matej, Aug 19, 2011.

  1. matej

    matej New Member

    I have ispconfig3 on centos 5.6 server. One of sites was "hacked" and producing lot of spam mail. I fix this... but for prevent similar things in future I have 2 question:

    1. Is it possible to disable php mail function for sime site? Usualy its possible to disable php functions in php.ini ( disable_functions = mail ) - is it possible this in ispconfig3 just for some sites?

    2. Is it possible to configure postfix that it wont allow sending email for nonexisting email aliases?
    I want to prevent that local postfix send mails when I have in header: [email protected]_domain
    (that postfix will check also alias not just relay domains)
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, see custom php.ini field on the options tab of the website settings.
  3. matej

    matej New Member

    And another question on same topic.

    Is it possible to configure postfix for sending with smtp auth only? So that postfix will deny sending (local) mails through php mail functions without user authentication?
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Remove the from mynetworks setting in postfix main.cf.
  5. osterhase

    osterhase New Member

    Sorry for the respawn but removing from mynetworks in the main.cf did not fix this. We have pretty much the same problem: Hacked Wordpress-Instance sending out a lot of spam. So that postfix will deny sending (local) mails through php mail functions without user authentication?

    postconf -n, Output:
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    anvil_rate_time_unit = 60s
    anvil_status_update_time = 600s
    append_dot_mydomain = no
    body_checks = regexp:/etc/postfix/body_checks
    broken_sasl_auth_clients = yes
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    content_filter = amavis:[]:10024
    daemon_directory = /usr/lib/postfix
    data_directory = /var/lib/postfix
    default_privs = vmail
    delay_warning_time = 4h
    header_checks = regexp:/etc/postfix/header_checks
    inet_interfaces = all
    inet_protocols = all
    local_recipient_maps = proxy:unix:passwd.byname $alias_maps
    mail_owner = postfix
    mailbox_size_limit = 0
    message_size_limit = 0
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    mydestination = ######, localhost
    mydomain = ######
    myhostname = #####
    mynetworks =
    myorigin = /etc/mailname
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
    queue_directory = /var/spool/postfix
    readme_directory = /usr/share/doc/postfix
    receive_override_options = no_address_mappings
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    relayhost =
    smtp_enforce_tls = yes
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/smtp_auth
    smtp_sasl_security_options = noanonymous
    smtp_sasl_type = cyrus
    smtp_tls_cert_file = /etc/postfix/mail.cert
    smtp_tls_enforce_peername = no
    smtp_tls_key_file = /etc/postfix/mail.key
    smtp_tls_security_level = may
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtp_use_tls = yes
    smtpd_banner = $myhostname ESMTP Mailserver
    smtpd_client_connection_count_limit = 2
    smtpd_client_connection_rate_limit = 10
    smtpd_client_message_rate_limit = 10
    smtpd_client_new_tls_session_rate_limit = 10
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
    smtpd_data_restrictions = reject_unauth_pipelining
    smtpd_delay_reject = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = no
    smtpd_sasl_path = private/auth_dovecot
    smtpd_sasl_type = dovecot
    smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
    smtpd_tls_auth_only = no
    smtpd_tls_cert_file = /etc/postfix/mail.cert
    smtpd_tls_key_file = /etc/postfix/mail.key
    smtpd_tls_security_level = may
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_use_tls = no
    transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    unknown_local_recipient_reject_code = 550
    virtual_alias_domains =
    virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf, hash:/var/lib/mailman/data/virtual-mailman
    virtual_gid_maps = static:5000
    virtual_mailbox_base = /var/vmail
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_limit = 0
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_transport = dovecot
    virtual_uid_maps = static:5000
    To test this is set up a new domain (using suPHP) and inserted the following php-Script :
    <?php $to = [email protected]'; $subject = 'Test email using PHP'; $message = 'This is a test email message'; $headers = 'From: [email protected]' . "\r\n" . 'Reply-To: [email protected]' . "\r\n" . 'X-Mailer: PHP/' . phpversion(); mail($to, $subject, $message, $headers, [email protected]'); ?>
    The mail was succesfully send to the recipient @gmx.

    What is wrong with the configuration here? Why does this mail get send?
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    The mail gets passed to the mailque directly on the commandline. You can e.g. try to set:

    add the mail function to disable_functions in php.ini.
  7. osterhase

    osterhase New Member

    Thanks for your fast reply. It is possible to add this parameter to php.ini - but the custom php.ini (suPHP) is controlled by our reseller not by us directly. Furthermore we don't want to set this option for every customer.

    So there is basically no way to stop this on postfix level?

Share This Page