-4

I have Ubuntu Server set up on a machine.

I have Virtualmin installed to manage my websites.

The idea is that 2-3 of them use open source platforms like Wordpress and I didn't have time to update them and so on, and they got infected and now they are sending spam.

Is there any way to make sure that no emails can be sent from my server without SMTP authentication? I mean I want to make sure there is no way to use the PHP mail function or the postfix sending function or anything else without explicit auth.

Is there any way to do this? Because I tried to do this from Virtualmin by disabling the mail server for each account, but this is not a good idea since it disables the entire email function for that domain name.

I tried to find a way by Googling to prevent scripts from sending emails without auth, but I can't find anything. I managed to limit the hourly limit for emails to 200 emails / hour, and when I check the postfix queue I see about 300000 emails in there. I made a cron job to flush them, but that's not the perfect thing, so blocking scripts from sending email without auth would be perfect until I get my websites fixed.

I would kindly appreciate any info.

LATER EDIT: MY SERVER IS NOT COMPROMISED, SO MY QUESTION IS VERY DIFFERENT FROM ANY OTHER DUPLICATES.

  • 2
    possible duplicate of [How do I deal with a compromised server?](http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – EEAA May 12 '15 at 16:48
  • 1
    As the dupe linked question notes, you should shut down the server and re-build from scratch. Have you considered just shutting down postfix and creating a few iptables rules to block outbound mail? – EEAA May 12 '15 at 16:49
  • Re-build from scratch what? I don't have problems with the security of the server. It's only the Wordpress websites which cause this problem. – Adrian George May 12 '15 at 16:49
  • That is the only responsible thing to do with a compromised server, as there is no way to know how widespread the damage is. – EEAA May 12 '15 at 16:54
  • It seems that you don't understand my question. I just want to be able to say: No, don't send emails if you are not authenticated with an existing email user. Server is fine. The server is not compromised. – Adrian George May 12 '15 at 17:30
  • The idea is that I don't want the scripts or any other software to use the mail function without being authenticated using SMTP. For example: the mail function from PHP. Does it make sense? – Adrian George May 12 '15 at 17:36
  • 1
    @AdrianGeorge - EEAA understands you perfectly but doesn't agree with you. I think he's right fwiw. – Rob Moir May 12 '15 at 17:42
  • 1
    @RobM Ok. I had an image of the server with the initial config and everything, before uploading any files. I just restored it. It's clear. Now how can I restrict any script/file/user from sending emails without being authenticated? – Adrian George May 12 '15 at 17:57

2 Answers

2

First you need to block all scripts that use mail() to send email to postfix. To do that, you have many options.

You can use the authorized_submit_users parameter from postfix to limit the sendmail command to the root user only. Put the line below in main.cf

authorized_submit_users = root

You can use the disable_functions feature of PHP to disable the mail function. Put the line below in php.ini

disable_functions = mail

Second, you can simplify your smtpd_*_restrictions to use only

smtpd_relay_restrictions = permit_sasl_authenticated, permit_auth_destination, reject

With this setup, you only permit authenticated senders or email intended for your domain.


Note:

  • The above methods don't prevent an evil script from sending email directly (telnet to port 25) to the remote server, thus bypassing postfix.
  • If a website is compromised, then the evil script will also have permission to read the credentials stored in your wordpress configuration.
masegaloeh
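The answer above relies on three settings being present in main.cf and php.ini. As an added example (not from the answer or from Postfix/PHP), here is a small audit script that parses a Postfix-style config (including continuation lines and later overrides) and reports which of those settings are missing or weakened; the main.cf and php.ini fragments are constructed samples, and `mail.example.invalid` is a placeholder hostname.

```python
import re

# Constructed main.cf fragment: a permissive relay list plus a later override
# of authorized_submit_users (Postfix takes the last definition).
SAMPLE_MAIN_CF = """\
myhostname = mail.example.invalid
authorized_submit_users = static:anyone
smtpd_relay_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    defer_unauth_destination
authorized_submit_users = root
"""

# Constructed main.cf fragment carrying the answer's hardened settings.
HARDENED_MAIN_CF = """\
authorized_submit_users = root
smtpd_relay_restrictions = permit_sasl_authenticated, permit_auth_destination, reject
"""

# Constructed php.ini fragment.
SAMPLE_PHP_INI = """\
; comment line
disable_functions = exec,mail
"""

def parse_ini(text):
    """Parse 'key = value' lines. A line starting with whitespace continues the
    previous value (Postfix main.cf rule); later keys override earlier ones."""
    params, last_key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(("#", ";")):
            continue
        if raw[0].isspace() and last_key is not None:
            params[last_key] += " " + raw.strip()
            continue
        key, sep, value = raw.partition("=")
        if sep:
            last_key = key.strip()
            params[last_key] = value.strip()
    return params

def split_list(value):
    return [t for t in re.split(r"[,\s]+", value) if t]

def audit(main_cf, php_ini):
    """Return findings; an empty list means the answer's settings are all in place."""
    pf, php, findings = parse_ini(main_cf), parse_ini(php_ini), []
    if split_list(pf.get("authorized_submit_users", "static:anyone")) != ["root"]:
        findings.append("authorized_submit_users: sendmail is not limited to root")
    relay = split_list(pf.get("smtpd_relay_restrictions", ""))
    if "permit_mynetworks" in relay:  # localhost scripts would relay unauthenticated
        findings.append("smtpd_relay_restrictions: permit_mynetworks present")
    if not relay or relay[-1] != "reject":
        findings.append("smtpd_relay_restrictions: does not end with an explicit reject")
    if "mail" not in split_list(php.get("disable_functions", "")):
        findings.append("php.ini: mail() is not in disable_functions")
    return findings
```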
0

You could block all unestablished outgoing packets on all ports but the one port to the one destination you permit mail to, google:587 for example. That would stop spam and force authentication.

A less good solution is to permit only non-encrypted email via any IP, enforced with deep packet inspection, but most people want encryption.

Most ISPs block port 25 and sometimes other ports (19, 25, 53, 123, 465, 475, 587, 2525) and simply disconnect users who get really bad infections.

So the best solution is to clean your system, but if you can't do that then firewall it until your users start behaving or you can fix it.

If you have your own postfix install that all the mail is routed through, then you can tighten that up to only permit DMARC email.

user1133275