Beefing up security on mail server

Hello Virtualmin Fans!

I just started migrating my clients to Linode/Virtualmin last year through 2 freelancing server admins. Each client has their own set-up; I’m not operating as an ISP. My challenge is that I cannot always reach my server admins and e-mail issues repeat themselves. With the exception of moving clients to GSuite, I would love your advice so that I can put in place proper procedures.

  1. Problem: Breach from someone clicking on a spam email and then sending everyone an email from that email address.
    Nothing is bulletproof, but I would like suggestions on preventative measures.

After paying for expedited de-listing a backscatterer blacklist, I checked out and I like the idea of #2. I sent it to my server admins. Both ignored the idea, but one used a different method (blocking IP addresses) which blocked legit IP’s from sending email (ug).

Are the ideas on the UCE Protect link valid? If so, can I hire someone to write the script (idea #2) that I can apply/modify for each client’s server?

  1. Problem: All clients experience more incoming spam since migrating from a managed shared server to their new cloud server.
    Am I doing everything I can do to filter out spam? See server specs at the bottom of this message.

a. Greylisting is not enabled; I’m concerned that it will cause more problems to whitelist legit users. ---------
b. As of today, my server admin set a mail rate limit of 50/hr, which is handled on a domain level. This seems low to me, so I changed it to 300. 5 employees use that domain. I hope the idea of #1 replaces this solution.

  1. Problem: When I need to put a bandaid on a security problem, where can I find the following information? I checked the documentation and did not find it there.
    a. How do I access the logs for email when a breach happens? ---------------
    b. What kind of language am I looking for in the log that will indicate the cause of the problem? --------------
    c. Where do I go to blacklist an IP Address from using the server?

Operating system Ubuntu Linux 16.04.5---------------
Perl version 5.022001 ---------------
Path to Perl /usr/bin/perl ---------------
BIND version 9.10 ---------------
Postfix version 3.1.0 ---------------
Mail injection command /usr/lib/sendmail -t ---------------
Apache version 2.4.18 ---------------
PHP versions 7.0.33, 7.1.32, 7.2.22, 7.3.9 ---------------
Webalizer version 2.23-08 ---------------
Logrotate version 3.8.7 ---------------
MySQL version 5.7.27 ---------------
ProFTPD version 1.35 ---------------
SpamAssassin version 3.4.2 ---------------
ClamAV version 0.100.3 ---------------

We have DKIM, SPF and DMARC in place. The free version of MXToolbox is monitoring but it’s usually too late when MXToolbox reports a problem.

Thank you for your time! This post is a mouthful!