
I have Ubuntu Server set up on a machine.

I have Virtualmin installed to manage my websites.

The idea is that 2-3 of them use open source platforms like Wordpress and I didn't have time to update them and so on, and they got infected and now they are sending spam.

Is there any way to make sure that no emails can be sent from my server without SMTP Authentication? I mean I want to make sure there is no way to use the PHP mail function or the postfix sending function or anything else without explicit auth.

Is there any way to do this? I tried to do this from Virtualmin by disabling the mail server for each account, but this is not a good idea since it disables the entire email function for that domain name.

I tried to find a way by Googling to prevent scripts from sending emails without auth, but I can't find anything. I managed to limit the hourly limit for emails to 200 emails/hour, and when I check the postfix queue I see about 300000 emails in there. I made a cron job to flush them, but that's not the perfect thing, so blocking scripts from sending email without auth would be the perfect thing until I get my websites fixed.

I will kindly appreciate any info.

LATER EDIT: MY SERVER IS NOT COMPROMISED, SO MY QUESTION IS VERY DIFFERENT FROM ANY OTHER DUPLICATES.

2 Answers

First you need to block all scripts that use mail() to send email to postfix. To do that, you have many options.

You can use the authorized_submit_users parameter from postfix to limit the sendmail command to the root user only. Put the line below in main.cf

authorized_submit_users = root

You can use the disable_functions feature of PHP to disable the mail function. Put the line below in php.ini

disable_functions = mail

Second, you can simplify your smtpd_*_restrictions to use only

smtpd_relay_restrictions = permit_sasl_authenticated, permit_auth_destination, reject

With this setup, you only permit authenticated senders or email intended for your domain.


Note:

  • The above methods don't prevent an evil script from sending email directly (telnet to port 25) to the remote server, thus bypassing postfix.
  • If a website is compromised, then the evil script will also have permission to read the credentials stored in your wordpress configuration.
masegaloeh
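An added example, not part of either answer: a small audit script that reads a Postfix main.cf and a php.ini as text and reports which of the three controls above (authorized_submit_users, disable_functions, smtpd_relay_restrictions) are missing. The two sample configurations are constructed; it also flags permit_mynetworks, since a local script connecting to 127.0.0.1:25 relays under that rule without authenticating.

```python
# Added example (not from the question or answers): audit a Postfix main.cf
# and a php.ini, supplied as text, for the three controls in the answer above.
# All sample configs below are constructed; nothing here touches a live server.
import re

def parse_postfix(main_cf: str) -> dict:
    """Parse 'key = value' lines; a line starting with whitespace continues
    the previous value, which is how Postfix itself reads main.cf."""
    conf, key = {}, None
    for raw in main_cf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key:                  # continuation line
            conf[key] += " " + raw.strip()
        elif "=" in raw:
            key, _, val = raw.partition("=")
            key, conf[key] = key.strip(), val.strip()
    return conf

def php_disabled_functions(php_ini: str) -> set:
    m = re.search(r"^\s*disable_functions\s*=\s*(.*)$", php_ini, re.M)
    return {f.strip() for f in m.group(1).split(",") if f.strip()} if m else set()

def audit(main_cf: str, php_ini: str) -> list:
    """Return findings; an empty list means all three controls are in place."""
    pf, findings = parse_postfix(main_cf), []
    # Postfix default is static:anyone, so an absent setting is the weak one
    if "anyone" in pf.get("authorized_submit_users", "static:anyone"):
        findings.append("authorized_submit_users: any local user can call sendmail")
    if "mail" not in php_disabled_functions(php_ini):
        findings.append("php disable_functions does not include mail")
    relay = [t for t in re.split(r"[,\s]+", pf.get("smtpd_relay_restrictions", "")) if t]
    if "permit_mynetworks" in relay:
        findings.append("permit_mynetworks: scripts talking to 127.0.0.1:25 relay without auth")
    if "permit_sasl_authenticated" not in relay:
        findings.append("smtpd_relay_restrictions never permits SASL-authenticated clients")
    elif "reject" in relay and relay.index("reject") < relay.index("permit_sasl_authenticated"):
        findings.append("reject listed before permit_sasl_authenticated: authenticated users refused")
    return findings

WEAK_MAIN_CF = """# constructed sample resembling stock defaults
myhostname = mail.example.test
smtpd_relay_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    defer_unauth_destination
"""
WEAK_PHP_INI = "disable_functions =\n"
HARDENED_MAIN_CF = """authorized_submit_users = root
smtpd_relay_restrictions = permit_sasl_authenticated, permit_auth_destination, reject
"""
HARDENED_PHP_INI = "disable_functions = exec, mail\n"
```

Run audit(WEAK_MAIN_CF, WEAK_PHP_INI) to see the three findings for the weak setup; the hardened pair returns an empty list. On a real host, feed it the output of `postconf -n` and your php.ini instead of the samples.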

You could block all unestablished outgoing packets on all ports but the one port to the one destination you permit for mail, google:587 for example. That would stop spam and force authentication.

A less good solution is to permit only non encrypted email via any IP enforced with deep packet inspection, but most people want encryption.

Most ISPs block port 25 and sometimes other ports (19, 25, 53, 123, 465, 475, 587, 2525) and simply disconnect users who get really bad infections.

So the best solution is to clean your system, but if you can't do that then firewall it, until your users start behaving, or you can fix it.

If you have your own postfix install that all the mail is routed through then you can tighten that up to only permit DMARC email.