3

I have set up an SMTP server for personal use, and I used Postfix for that. However, Postfix has a lot of different options for how to configure it, and I'm guessing by configuring it incorrectly you can open it up to a lot of security problems, like unauthorized people sending spam mail. I followed the Ubuntu official guide mostly, but I had to step outside a little of them to get it work the way I want it.

So I want to make sure that my changes did not open up the SMTP server to some nasty security problem. What I'm looking for is a way to verify that, maybe some program designed to test that.

How do I know that my SMTP is secure?

Peter Mortensen
  • 877
  • 5
  • 10
Icy Creature
  • 183
  • 1
  • 5
  • 4
    You could post your url on hacker forums and offer an attractive cash prize to anyone that successfully hacks it. If no one succeeds, you're probably in good shape. ;) – TTT May 31 '16 at 19:57
  • http://security.stackexchange.com/q/58857/971, http://security.stackexchange.com/q/17961/971, http://security.stackexchange.com/a/37144/971 – D.W. May 31 '16 at 22:38

3 Answers3

4

There are free services that test for remote relay availability (just google for smtp relay test to turn up several) which are going to do the same thing attackers do (attempt to relay mail, watch the result, report back). If you perform a few of these, get their results and can match it up with your log file (to identify why the relay did/didn't work) you can pretty easily tell if you are going to unleash a spam zombie or not, and what other config issues there might be. Postfix has a lot of configuration options, but is pretty mature so they have streamlined basic setup (believe it or not) vs what it was 15 years ago.

Jeff Meden
  • 3,966
  • 13
  • 16
  • Note that some of these are prone to false positives, particularly if the result they're watching for is a rejection during the SMTP conversation. Some servers and configurations will respond to a relay attempt by accepting the mail, then discarding it locally, rather than rejecting it outright. – Mark May 31 '16 at 19:56
4

Bruce brings up some good general advice. I'll address the specifics.

The biggest risk you face for SMTP is largely "open relay". That is, someone discovering your server and using it to relay SPAM.

It's been a while since I've configured postfix, but in general there's a setting that controls what hosts in your network are allowed to relay email. You can do your own research about how this works, but ultimately you should just test it yourself by connecting to port 25 from an external internet host, and try to send mail to an unauthorized domain.

This is relatively simple, and a good exercise for someone setting up their own server since it teaches you how SMTP works.

Steve Sether
  • 21,480
  • 8
  • 50
  • 76
3

I'm going to take a careful viewpoint and say that you can't know that in general, and specifically you can't know that for something as complicated as an SMTP setup.

The situation is analogous to that of bugs and testing. As Edsger W. Dijkstra once wrote: "Program testing can be used to show the presence of bugs, but never to show their absence!"

More recently, Microsoft researcher Cormac Herley published a paper that explores your theme exhaustively. In fact, he wrote it in the first sentence of the abstract: "There is an inherent asymmetry in computer security: things can be declared insecure by observation, but not the reverse."

That said, it sounds like you've take precautions. If you monitor your setup carefully for a while (2 or 3 weeks), and then continue to check in on it periodically, all the while keeping it updated, you're doing way more than most people do. I applaud your efforts.

Bruce Ediger
  • 4,552
  • 2
  • 25
  • 26