1

I'm the technical assistant at a small-town public library where we run our own e-mail. If it matters, it's Postfix on an Ubuntu 18.04 box. Gateway / firewall is a 16.04 box with port forwarding set up through a script that runs at boot, issuing a long sequence of iptables commands.

Today our IP address got onto two Spamhaus block lists, first the SBL and then also the XBL. Last week, after we had an outgoing message bounce, I saw we were on the SBL list. I went through the process to remove it and it was removed. But the problem came roaring back this afternoon, and the web server at Spamhaus pretended to accept my requests to remove the IP, but it stayed on the list and after a few runs it also turned up on the XBL.

I called our internet provider and their network engineer went through the removal steps and actually got it removed. (Or perhaps my first request took that long to process.)

Where should I go from here? I am only a novice systems administrator and what I don't know could fill a... library. To prevent this from happening again, I need to find out what, if anything, is sending spam. I've tried tcpdump on the external NIC for the gateway watching port 25 but I didn't see anything suspicious (to me) during the time I looked (after the fact, and it wasn't long before I moved on to something else, I admit). But I don't even know what's going in and what's going out, and I'm in way over my head. I installed Wireshark on the gateway but soon removed it because it seemed to require a graphical desktop to use. I looked at /var/log/mail.log but I don't see anything that looks like bulk mail going out (but what would that look like?).

Am running sudo tcpdump -i enp3s0 port 25 | tee feb26-27-overnight.log overnight (on the gateway, monitoring the external-facing NIC) in hopes of finding something to glom onto. But it would be nice if there were a straightforward way to find out what's going on without requiring a cyberforensic investigation just to be able to send e-mail to people.

Sequel! How do I ensure that only my e-mail server is sending e-mail through my network?

Will Matheson
  • 151
  • 1
  • 8
  • blacklisting services often provide not only removal tools but information why they listed your IPs too – poige Feb 27 '20 at 01:47
  • Yeah, if it happens again I will chase them down for any information they could possibly give me: https://www.spamhaus.org/sbl/delistingprocedure/ "Normally each SBL record also contains evidence in the form of a sample of a spam message received or a link to a web site advertised in a spam, or contains DNS Trace Evidence showing the results of DNS analysis on the domain or IP range and/or Whois records." I was panicking, there were like six different lists, and there wasn't just like a link I could click. – Will Matheson Feb 27 '20 at 01:50
  • w/o this information you're left with speculations and advices to leave it to paid services. Try to find it, it might still be possible, probably. – poige Feb 27 '20 at 01:54
  • Ok, I will do that – Will Matheson Feb 27 '20 at 02:06
  • I've tried and tried and can't find anything. I guess the information is only active when you're still on the blacklist. But the information I did see was vague! It didn't help me at all. – Will Matheson Feb 27 '20 at 17:31

2 Answers2

5
Where should I go from here?

I'm not trying to be glib or dismissive, but you ought to move your email to a professionally hosted service. Office 365. GSuite. Whatever. There's no good reason your organization should be hosting your email in house in 2020. You can't provide the level of availability, scalability, and reliability that these services can... not too mention your current email reputation problem, which you won't have with these services.

The only valid reasons I can think of for your continuing to do this yourself are either budgetary issues or legal issues which would prevent you from moving your email "out of house".

joeqwerty
  • 108,377
  • 6
  • 80
  • 171
  • Fair point, and it hasn't escaped me. Let's pretend we're in a world where those aren't options... – Will Matheson Feb 27 '20 at 01:44
  • Privacy/data-protection is the main reason for "in house" hosting of email services. I doubt it is important (enough) for "a small town public library". As usual it is not "one size fits all" but "the trend" is behind joeqwerty words. – AnFi Feb 27 '20 at 04:48
  • 1
    Well, we take privacy very seriously. But it could be argued that it's not necessarily better for privacy that we do everything ourselves, as our resources and technical knowledge are limited. The do-everything-ourselves ethos was in place before I came on the scene and it still reigns supreme. – Will Matheson Feb 27 '20 at 06:17
  • Well if you are there and aware of the situation that's a good start. Revolutions may scare, but I suggest you to write down a plan to get rid of the do-everything-ourselves. – Marco Feb 27 '20 at 07:30
2

What I've done so far is get everything set up for SPF, DKIM, and finally DMARC. Implementation details are going to vary by network and by platform, so I won't give a blow-by-blow of absolutely everything I did. But having done it all seems to have greatly improved the acceptance of my mail.

SPF: Pretty low-hanging fruit. All you have to do is set up a DNS record saying who's allowed to send mail for you, and there are lots of resources to help you compose it, e.g. SPF Wizard.

DKIM: Relatively complex. You have to deal with keys and a bunch of other server-side stuff, then set up a corresponding DNS record. I followed these instructions for Ubuntu (using Postfix and Dovecot) on LinuxBabe. This allows e-mails to be checked for authenticity, that the sender wasn't just spoofing the origin to pretend to be from you.

DMARC: Simple, but you need to have at least one of SPF and DKIM set up first. Similar to SPF, you're just making a DNS record that tells third parties what to do with your mail if it doesn't pass SPF and/or DKIM. General wisdom is to start with "p:none" and read reports for a while until you're satisfied that all your outgoing mail (which might be from more than one source - e.g., we also use Sendgrid), is passing. (You can get daily digests from Gmail, for example.) Then you can ratchet your recommendation up to "p:quarantine" or "p:reject". Some basic info here.

Oh, and a quick do-not-do: Don't use virtual domain aliases or whatever they're called for forwarding purposes. They're not only awkward to use (I had to to spell them out for every single alias a user might have, although there might be another way), but also I think they forward messages before they go through any of your own spam-filtering rules. We got blocked by Outlook almost immediately after forwarding one of our staff's email to their Hotmail account. Instead, since in our setup server users = mail users, we can just set up a .forward file in the user's home directory, with contents like so: externalaccount@externalsite.com, \localusername. This is far more elegant and kicks in only after a message actually reaches a mailbox.

Will Matheson
  • 151
  • 1
  • 8