Linux web hosting and server support tips

Tag: Spam

How to block Outgoing Port 25 for all VPS/Containers of SolusVM

How to block Outgoing Port 25 for all VPS/Containers of SolusVM(Both OpenVZ/KVM)

Sometimes,when providing VPS service, it is necessary to block mailing service for VPS. Otherwise your IP ranges will be blocked by RBLs and other common mail providers like Gmail, Hotmail, AOL, etc. It is recommended to open ports by case by case for your customers, after establishing trust with your client.

Normally we block the port using the “OUTPUT” chain. However, SolusVM uses the chain “FORWARD” for routing traffic from containers/VPSs.

So by adding following rules, you can block all outgoing mails ports completely for all VPSs.

iptables -I FORWARD -d 0.0.0.0/0 -p tcp -m tcp --dport 25 -j DROP
iptables -I FORWARD -d 0.0.0.0/0 -p tcp -m tcp --dport 465 -j DROP
iptables -I FORWARD -d 0.0.0.0/0 -p tcp -m tcp --dport 587 -j DROP

Then save the iptables by running

service iptables save

Disable/suspend email service for one domain – cPanel

Disable/suspend email service for one domain

From version 56, cPanel provides API support to disable email service for domain or email accounts. Please note this limit cannot be override by the user from their cPanel. This can be very helpful if there is any spamming activity and you just want to disable the email service feature for the domain for the time being.

You can run the below commands through SSH console

To suspend email service for a the cPanel user “aacenyor”

whmapi1 suspend_outgoing_email user=aacenyor

For unsuspending the account, please run the below command:

whmapi1 unsuspend_outgoing_email user=aacenyor

If you are not comfortable with SSH, you can also call these through browser XML.

Example:

To suspend
https://hostname.example.com:2087/cpsess##########/xml-api/suspend_outgoing_email?api.version=1&user=aacenyor

where replace hostname.example.com with your hostname
replace cpsess########## with WHM session id.

To un suspend
https://hostname.example.com:2087/cpsess##########/xml-api/unsuspend_outgoing_email?api.version=1&user=aacenyor

For older versions cPanel, you may refer to this below forum from cPanel. There is a workaround

https://forums.cpanel.net/threads/how-do-i-block-one-domain-from-sending-email-from-my-server.223731/#post920912

Email sending limits and throttling – iRedmail free edition

iRedMail is:
1. A ZERO COST, fully fledged, full-featured mail server solution. All components are free and open source software
2. It support unlimited domains and email accounts.
2. SpamAssassin, ClamAV, SPF, DKIM, greylisting, whitelisting, blacklisting.
3. Stores mail accounts in your favorite backend: OpenLDAP, MySQL, MariaDB, PostgreSQL.
4. Supports major Linux distros

Throttling

iRedmail supports following level of throttling for email limits.
Global, per-domain and per-user throttling based on: max size of single message, number of max inbound/outbound messages per time unit.

iRedmail uses a component named iredpad for this. With iRedmail Pro version, you can configure these settings through GUI(iRedadmin panel). However they are not available through GUI for free version. The feature is enabled though we will have to modify them through database directly.

So the database is “iredapd” and table is “throttle”.

Here are some examples

1. Allow user `user@domain.com` to send 50 mails in 5 minutes (period=300):

INSERT INTO throttle (account, kind, priority, period, msg_size, max_msgs, max_quota) VALUES (‘user@domain.com’,’outbound’,100,300,0,50,0);

2. Set global limit of 500 mails per day and a maximum single mail size of 55MB

INSERT INTO throttle (account, kind, priority, period, msg_size, max_msgs, max_quota) VALUES (‘@.’,’outbound’,0,86400,57671680,500,0);

57671680 bytes = 55MB
86400 – 1 Day

# Technical details of throttle plugin
# ————-
#
# Currently you may throttle based on:
#
# – amount of mails sent over a given period of time
# – accumulated mail size sent over a given period of time
# – size of singe message
#
# Eg: You can enforce that user@domain.com does not send more than 1000 mails
# or 1GB of mail (whichever limit is hit first) in 5 minute.
#
# Possible throttling address:
#
# *) Full email address: user@domain.com
# *) Domain name (with a prefixed ‘@’): @domain.com
# *) Sub-domain name (with a prefixed ‘@.’): @.domain.com
# *) IP address: 192.168.1.1
# *) IP network: 192.168.1.*
# *) Catch-all for email address: ‘@.’ (note, the dot is required)
# *) Catch-all for IP address: ‘@ip’
#
# Priorities of different thorttle address (larger digital number has higher priority):
#
# *) email: 100 # e.g. ‘user@domain.com’. Highest priority
# *) wildcard_addr: 90 # e.g. `user@*`. used in plugin `amavisd_wblist`
# # as wildcard sender. e.g. ‘user@*`
# *) ip: 80 # e.g. 173.254.22.21
# *) wildcard_ip: 70 # e.g. 173.254.22.*
# *) cidr: 70 # e.g. 173.254.22.0/24
# *) domain: 60 # e.g. @domain.com
# *) subdomain: 50 # e.g. @.domain.com
# *) top_level_domain: 40 # e.g. @com, @org
# *) catchall: 0 # ‘@.’. Lowest priority

Please note that priority for global setting is 0 and priority of a single user is 100.

Reject outgoing Spam – iRedmail server

iRedMail is:
1. A ZERO COST, fully fledged, full-featured mail server solution. All components are free and open source software
2. It support unlimited domains and email accounts.
2. SpamAssassin, ClamAV, SPF, DKIM, greylisting, whitelisting, blacklisting.
3. Stores mail accounts in your favourte backend: OpenLDAP, MySQL, MariaDB, PostgreSQL.
4. Supports major Linux distros

You know how difficult is to configure a fully fledged email service you have tried. iRedmail do this heavy part for you. I would recommend this piece of software to everyone. I used to configure email server manually using Postfix, Postfixadmin, MySQL, SpamAssassin, etc. Even though I have done this several times, it needs 2-3 hours for setup. But iRedmail can do all of this and MORE in few minutes, thus saves lot of time.

Reject outgoing Spam

iRedmail comes with Amavis, Spamassasin and Clamd. By default iRedmail will not block Outgoing spam message. However you can tweak Amavis configurations to reject such mails.

/etc/amavisd/amavisd.conf

Add following to $policy_bank{‘ORIGINATING’}

final_virus_destiny => D_DISCARD,
final_banned_destiny => D_REJECT,
final_spam_destiny => D_REJECT,
final_bad_header_destiny => D_REJECT,

Then restart amavis /etc/init.d/amavisd restart

This will reject all outgoing spam mails above the score

Of course tweak the spam score accordingly.

Blocking spoofed outgoing mails from your cPanel server

Spoofing is where the mail headers are manipulated to appear as if the mail comes from some other domain. When emails are set to be from an email address on your domain and bounce, they are sent to our servers, attempting to deliver themselves to that mailbox. Generally, you will never see these emails; however, if the email spoofer happens to configure the “From:” header to be a real email box, the bounce will come back to your mailbox and you will receive the email. There is a high chance that a very large number of spam message already sent from server. This can cause high load in the server and sometimes leads to the blacklist of your mail server IP address.

There are two ways in which a spoofed mail can be created.

1. Exploiting vulnerable form to mail scripts to send out spoofed mails through local mail agent.
2. Using stolen mail account login details to send spoofed mails through SMTP authentication.
Let’s look at a solution on how spoofing can be prevented in Exim mail servers commonly implemented in cPanel/WHM servers.

I. Blocking all un-authenticated spoofed outbound emails
1. Login to WHM >> EXIM CONFIGURATION MANAGER >> ADVANCED EDITOR

2. Add the following entry in the top using Add additional configuration setting:

domainlist remote_domains = lsearch;/etc/remotedomains

3. Add the following code under acl_not_smtp :

deny
condition = ${if ! match_domain{${domain:${address:$h_From:}}}{
+local_domains : +remote_domains}}
message = Sorry, you don’t have\
permission to send email from this server with a header that\
states the email is from ${lc:${domain:${address:$h_from:}}}.
accept

Here, the ACL will check for the presence of domain name part of the from address in either of the files – /etc/localdomains or /etc/remotedomains. If there is a mismatch, server will reject the email.

 

II. Blocking all authenticated spoofed outbound emails
1. WHM >> EXIM CONFIGURATION MANAGER >> ADVANCED EXIM EDITOR

2. Search for acl_smtp_data and add the following lines under it:

deny
authenticated = *
condition = ${if or {{ !eqi{$authenticated_id} {$sender_address} }\
{ !eqi{$authenticated_id} {${address:$header_From:}} }\
}\
}
message = Your FROM address ( $sender_address , $header_From )
must match your authenticated email user ( $authenticated_id ).
Treating this as a spoofed email.
Here, for all authenticated users, the rule will check whether the authenticated userid matches with the from address. If it matches, it will allow the email. Else, it will display the message “Your FROM must match your authenticated email user. Treating this as spoofed email”

 

PS: If the acl_smtp_data is mentioned as something else(like acl_smtp_data = check_message), locate check_message and add the above lines just under it.
IMPORTANT points to keep in mind
a. POP before SMTP won’t work with this setting. You will have to ask your customers to use the option – “My Server Requires Authentication” in the SMTP settings of their email client.
b. Username in the format user+domain.com will not work. They have to use user@domain.com instead.

Also your customer cannot change the from field to something other than original authentcated user. People use this method in Website Contact forms.

 

Setting SPF records

Another way to prevent spoofing is using SPF records. You must specify valid spf records for your domain, so that only the intended people or server can send mails on behalf of your domain name.

Powered by WordPress & Theme by Anders Norén