
We use postfix as a null client to send out mail from a php webserver via sendmail. We host our incoming mail servers elsewhere and use a SPF record to authorise the server to send emails from our domain. This all works.

Now I would like to harden postfix, specifically against exploited PHP scripts which are sending mail spam. But the problem is that I want to allow emails to be sent to any valid address since I have customer web forms which need to be able to receive confirmation emails. I realise this is damage limitation and there is only so much that is possible.

What things do people suggest for detecting/preventing this? Or should I focus my efforts elsewhere?

Things I have thought of but not tried yet are:

  1. To stop any emails being sent as FROM: domains I am not authorized to send from. I found how to configure this using `smtpd_recipient_restrictions = check_sender_access`. Will this work with localhost sendmail? Is it even worth it if the attacker knows mails only get sent with the correct FROM address?

  2. To detect that a flood of emails is being sent by localhost and to shut it down and alert me via email. No idea how to do this or whether it's even possible.

Phil
  • Perhaps, using SMTP instead of the PHP `mail()` command will reduce the attack vector and you can tune the restriction via `smtpd_*_restrictions`. See also: [Postfix + Php Mail() VS Postfix + SMTP](http://serverfault.com/questions/639622/postfix-php-mail-vs-postfix-smtp/649159#649159) – masegaloeh Jun 28 '15 at 04:56
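The two detection ideas in the question (unauthorised FROM domains and a burst of submissions from localhost) can both be checked from the Postfix log, which matters because mail that PHP `mail()` hands to the sendmail binary enters Postfix through pickup and cleanup and is never seen by `smtpd_*_restrictions`. The script below is an added example, not code from the question or from Postfix: it pairs each `postfix/pickup` line (which carries the submitting uid) with the matching `postfix/qmgr` line (which carries the envelope sender), flags senders outside an allowed-domain set, and raises one alert per uid that exceeds a sliding-window submission rate. The allowed domain, the thresholds and the log excerpt are constructed for the demo.

```python
"""Detect unauthorised envelope senders and submission floods in Postfix logs.

Added example (not from the original question or from Postfix). Assumes mail is
submitted through sendmail(1), so each message produces a postfix/pickup line
with the uid, followed by a postfix/qmgr line with the envelope sender.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Domains this host is authorised (via SPF) to use as envelope sender -- assumed.
ALLOWED_SENDER_DOMAINS = {"example.com"}
# A uid submitting more than MAX_MSGS messages within WINDOW_SECS is a flood -- assumed.
MAX_MSGS = 3
WINDOW_SECS = 60

# sendmail(1) submissions show up as pickup lines carrying the submitting uid ...
PICKUP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/pickup\[\d+\]: "
    r"(?P<qid>[0-9A-Za-z]+): uid=(?P<uid>\d+) from=<[^>]*>")
# ... and the envelope sender appears when qmgr moves the message to the active queue.
QMGR_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/qmgr\[\d+\]: "
    r"(?P<qid>[0-9A-Za-z]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")

# Constructed log excerpt: uid 33 (www-data) bursts out bulk mail with a foreign sender domain,
# followed by one legitimate message from an interactive user.
SAMPLE_LOG = """\
Jun 28 04:56:01 web1 postfix/pickup[1201]: A1B2C3D4E1: uid=33 from=<www-data>
Jun 28 04:56:01 web1 postfix/qmgr[1202]: A1B2C3D4E1: from=<noreply@example.com>, size=812, nrcpt=1 (queue active)
Jun 28 04:56:05 web1 postfix/pickup[1201]: A1B2C3D4E2: uid=33 from=<www-data>
Jun 28 04:56:05 web1 postfix/qmgr[1202]: A1B2C3D4E2: from=<offers@promo-example.net>, size=2048, nrcpt=50 (queue active)
Jun 28 04:56:06 web1 postfix/pickup[1201]: A1B2C3D4E3: uid=33 from=<www-data>
Jun 28 04:56:06 web1 postfix/qmgr[1202]: A1B2C3D4E3: from=<offers@promo-example.net>, size=2048, nrcpt=50 (queue active)
Jun 28 04:56:07 web1 postfix/pickup[1201]: A1B2C3D4E4: uid=33 from=<www-data>
Jun 28 04:56:07 web1 postfix/qmgr[1202]: A1B2C3D4E4: from=<offers@promo-example.net>, size=2048, nrcpt=50 (queue active)
Jun 28 04:58:30 web1 postfix/pickup[1201]: A1B2C3D4E5: uid=1000 from=<phil>
Jun 28 04:58:30 web1 postfix/qmgr[1202]: A1B2C3D4E5: from=<phil@example.com>, size=300, nrcpt=1 (queue active)
"""


def _parse_ts(ts, year=2015):
    """Syslog timestamps carry no year; assume one so time arithmetic works."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def analyse(lines):
    """Return a list of (kind, detail) alerts for the given log lines."""
    alerts = []
    qid_uid = {}                   # queue id -> submitting uid (from pickup)
    recent = defaultdict(deque)    # uid -> timestamps of pickups inside the window
    flagged = set()                # uids already reported as flooding
    for line in lines:
        m = PICKUP_RE.match(line)
        if m:
            uid, ts = m["uid"], _parse_ts(m["ts"])
            qid_uid[m["qid"]] = uid
            window = recent[uid]
            window.append(ts)
            # Sliding window: discard pickups older than WINDOW_SECS.
            while (ts - window[0]).total_seconds() > WINDOW_SECS:
                window.popleft()
            if len(window) > MAX_MSGS and uid not in flagged:
                flagged.add(uid)
                alerts.append(("flood", f"uid {uid} submitted {len(window)} messages "
                                        f"within {WINDOW_SECS}s (latest queue id {m['qid']})"))
            continue
        m = QMGR_RE.match(line)
        if m:
            sender = m["sender"]
            domain = sender.rpartition("@")[2].lower()
            # Skip the null sender (<>) used by bounces; flag any other foreign domain.
            if sender and domain not in ALLOWED_SENDER_DOMAINS:
                uid = qid_uid.get(m["qid"], "?")
                alerts.append(("bad_sender", f"queue id {m['qid']} from uid {uid} "
                                             f"uses unauthorised sender <{sender}>"))
    return alerts


if __name__ == "__main__":
    for kind, detail in analyse(SAMPLE_LOG.splitlines()):
        print(f"[{kind}] {detail}")
```

Run it against `/var/log/mail.log` (or pipe `journalctl -u postfix` into it) from cron and mail yourself the output; the per-uid key is what ties a burst back to the web server account, and therefore to the PHP script that was abused.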

1 Answer

I suggest you move the mail server to a different machine and prevent the actual web server from communicating on port 25 with anything other than your mail server. That means even a custom spambot (which doesn't rely on any mail function and uses plain sockets) won't work.

On your mail server, create (virtual) user accounts for each one of your hosting customers so you can uniquely identify them, apply rate-limits and block them if they spam without blocking other users on the same server.

Finally, install PolicyD and apply both per-customer rate-limits and spam checking of outgoing mail, to slow down the potential spammer and alert you if outgoing mail looks spammy.

Nothing is perfect of course but this setup will at the very least alert you if outbound mail looks like spam and will keep the spamming relatively slow due to rate limits until you investigate and (hopefully) nuke the entire hosting account.

André Borie
  • +1 for the suggestion. I would however not create local accounts on the smtp server. Postfix has support for virtual users in databases or directories. – natxo asenjo Aug 15 '15 at 08:38
  • @natxoasenjo of course, no actual local accounts. Virtual accounts are the way to go, and they can be backed by databases to integrate seamlessly with existing web hosting control panel/infrastructure. – André Borie Aug 15 '15 at 08:40
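The per-customer rate limit the answer delegates to PolicyD works through Postfix's access policy delegation protocol: smtpd sends `name=value` attribute lines terminated by a blank line, and the policy server answers `action=...` plus a blank line. The daemon below is an added example, not the answer's code and not PolicyD; it is a minimal stand-in that meters messages per `sasl_username`, which is the attribute the customer's virtual account shows up in once they submit over authenticated SMTP. It assumes you hook it from `smtpd_end_of_data_restrictions` (where Postfix calls the policy once per message rather than once per recipient) as `check_policy_service unix:private/ratelimit`, with the daemon listening on the matching socket under the Postfix queue directory. The limits, socket path and sample request are constructed for the demo.

```python
"""Minimal per-customer rate-limiting policy server for Postfix.

Added example (not the original answer's code, not PolicyD). Speaks the Postfix
access policy delegation protocol and limits messages per sasl_username.
Assumed main.cf hook: smtpd_end_of_data_restrictions = check_policy_service unix:private/ratelimit
"""
import os
import socketserver
import threading
import time
from collections import defaultdict, deque

MAX_MESSAGES = 100   # messages per customer per window -- assumed limit
WINDOW_SECS = 3600
SOCKET_PATH = "/var/spool/postfix/private/ratelimit"   # assumed; inside the queue dir

# Constructed request, shaped the way smtpd sends it at end-of-data.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=END-OF-MESSAGE\n"
    "sasl_username=customer42\n"
    "sender=news@customer42-example.com\n"
    "recipient_count=1\n"
    "\n"
)


class RateLimiter:
    """Sliding-window counter keyed by customer (sasl_username)."""

    def __init__(self, max_messages=MAX_MESSAGES, window_secs=WINDOW_SECS):
        self.max_messages = max_messages
        self.window_secs = window_secs
        self.history = defaultdict(deque)   # user -> timestamps of accepted messages

    def allow(self, user, now):
        window = self.history[user]
        while window and now - window[0] >= self.window_secs:
            window.popleft()
        if len(window) >= self.max_messages:
            return False
        window.append(now)
        return True


def parse_request(raw):
    """Turn the 'name=value' lines of one request into a dict."""
    attrs = {}
    for line in raw.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs, limiter, now):
    """Return the action line Postfix should apply to this request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "action=DUNNO"
    user = attrs.get("sasl_username", "")
    if not user:
        # Unauthenticated submissions are for the relay restrictions to handle;
        # this policy only meters identified customers.
        return "action=DUNNO"
    if limiter.allow(user, now):
        return "action=DUNNO"
    # Temporary failure so the client retries later instead of losing the mail,
    # while the reason lands in the Postfix log for the admin.
    return f"action=DEFER_IF_PERMIT Rate limit exceeded for {user}, try again later"


class PolicyHandler(socketserver.StreamRequestHandler):
    limiter = RateLimiter()
    lock = threading.Lock()

    def handle(self):
        # smtpd keeps the connection open and may send several requests on it.
        while True:
            lines = []
            for raw in self.rfile:
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break
                lines.append(line)
            if not lines:
                return   # peer closed the connection
            attrs = parse_request("\n".join(lines))
            with self.lock:
                reply = decide(attrs, self.limiter, time.time())
            self.wfile.write((reply + "\n\n").encode("utf-8"))
            self.wfile.flush()


if __name__ == "__main__":
    if os.path.exists(SOCKET_PATH):
        os.unlink(SOCKET_PATH)
    with socketserver.ThreadingUnixStreamServer(SOCKET_PATH, PolicyHandler) as server:
        server.serve_forever()
```

The state lives in memory, so a restart resets the counters; PolicyD keeps them in a database, which is what you want once more than one outbound server is involved. `DEFER_IF_PERMIT` rather than `REJECT` is deliberate: a customer who legitimately hits the limit just sees delayed delivery while you look at the log.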