Fighting Spam & Malware with Virtualmin

Before this, a private DNS server was needed to be able to take advantage of tools that eliminate spam & unauthorized attempts.

Any Virtualmin installation is now able to fight spam & malware with the new DNS service from DNS0 (dns0.eu, the European public DNS that makes your Internet more secure), which allows recursive DNS querying.

So now you can use it to eliminate most spam & prevent most malware:

You can use Postfix to block spam mail from blacklisted domains or IPs.

Also, Fail2Ban can be used to protect from brute force attacks.

This is just a guide and may not work for everyone. Tested with Rocky Linux 8/9.

Just using the new DNS will block bad URLs, avoiding malware:
Webmin > Networking > Network Configuration > Hostname and DNS Client, set DNS servers:
193.110.81.0
185.253.5.0
2a0f:fc80::
2a0f:fc81::

Reboot the server or restart the network.

STOPPING SPAM WITH POSTFIX:

/etc/postfix/main.cf

Using postscreen, spam is stopped just before entering Postfix, so no log will appear for those blocked IPs/mails:

postscreen_access_list = permit_mynetworks
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = smtp.dnsbl.sorbs.net*3,
    mail.bl.blocklist.de*3,
    list.dnswl.org=127.[0..255].[0..255].0*-2,
    list.dnswl.org=127.[0..255].[0..255].1*-4,
    list.dnswl.org=127.[0..255].[0..255].[2..3]*-6

The changes below block spam, and a log entry will be written to maillog.log (CentOS/Rocky Linux). See below how to check it.

smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client dnsbl-1.uceprotect.net,
    reject_rbl_client spam.spamrats.com,
    reject_rbl_client bl.worst.nosolicitado.org,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client psbl.surriel.com,
    reject_rbl_client truncate.gbudb.net,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client noptr.spamrats.com,
    reject_rbl_client dyna.spamrats.com,
    reject_rbl_client b.barracudacentral.org,
    reject_rbl_client preempt.dnsbl.sorbs.net,
    reject_rbl_client relays.dnsbl.sorbs.net,
    reject_rbl_client fresh30.spameatingmonkey.net,
    reject_rbl_client bl.mailspike.net,
    reject_rbl_client dnsbl.dronebl.org,
    reject_rhsbl_reverse_client dbl.spamhaus.org,
    reject_rhsbl_helo dbl.spamhaus.org,
    reject_rhsbl_sender dbl.spamhaus.org,
    reject_rhsbl_sender rhsbl.sorbs.net,
    reject_rhsbl_sender fresh30.spameatingmonkey.net,
    reject_rhsbl_client fresh30.spameatingmonkey.net,
    reject_rhsbl_sender uribl.spameatingmonkey.net,
    reject_rhsbl_client uribl.spameatingmonkey.net,
    reject_rhsbl_sender urired.spameatingmonkey.net,
    reject_rhsbl_client urired.spameatingmonkey.net,
    reject_rhsbl_reverse_client rhsbl.scientificspam.net,
    reject_rhsbl_sender rhsbl.scientificspam.net,
    permit

smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain, permit

/etc/postfix/master.cf
Modify the submission line to look like this (continuation lines must start with whitespace):

submission inet n - n - - smtpd
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_security_level=may
    -o smtpd_delay_reject=no
    -o {smtpd_client_restrictions = reject_rbl_client auth.spamrats.com=127.0.0.43, permit}
    -o {smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject}
    -o syslog_name=postfix/submission

/etc/postfix/dnsbl_reply
secret.smtp.dnsbl.sorbs.net smtp.dnsbl.sorbs.net
secret.mail.bl.blocklist.de mail.bl.blocklist.de
secret.noptr.spamrats.com noptr.spamrats.com

STOPPING BRUTE FORCE ATTACKS WITH FAIL2BAN:

(adjust the times to seconds or minutes while you find your best configuration)

/etc/fail2ban/jail.local
[DEFAULT]

ignoreip = yourip another.ip

[sshd]

enabled = true
port = ssh
bantime = 1d
maxretry = 1

[webmin-auth]

enabled = true
port = 10000
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s
bantime = 15m

[proftpd]

enabled = true
port = ftp,ftp-data,ftps,ftps-data

[postfix]

enabled = true
mode = aggressive
port = smtp,465,submission
bantime = 10m
logpath = /var/log/maillog
maxretry = 10
findtime = 6h

[dovecot]

enabled = true
port = pop3,pop3s,imap,imaps,submission,465,sieve
#logpath = /var/log/maillog
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s
mode = aggressive
maxretry = 10
findtime = 10h
bantime = 10m

[postfix-sasl]

filter = postfix[mode=auth]
enabled = true
port = smtp,465,submission,imap,imaps,pop3,pop3s
bantime = 3h
logpath = %(postfix_log)s
backend = %(postfix_backend)s
maxretry = 20
findtime = 10h

[postfix-rbl]

enabled = true
port = smtp,465,submission
filter = postfix[mode=rbl]
logpath = /var/log/maillog
bantime = 15m
findtime = 3h

Removing a blocked IP:
In case any of your client IPs is blocked, you can remove it from the banned IPs:

sudo fail2ban-client set dovecot unbanip 8.8.8.8
sudo fail2ban-client set postfix unbanip 8.8.8.8

It is also possible to add a safe IP in fail2ban (see above):
ignoreip = 127.0.0.1 8.8.8.8

To see blocked emails:
grep -i -E "reject:" /var/log/maillog

Virtualmin Pro should have a similar setup right away.

1 Like
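The post above says to check blocked mail with a grep for "reject:" in the mail log. Once many lists are configured, the more useful question is which list rejected what, so a list that fires far more often than the rest (or against hosts you recognise) can be reviewed for false positives. The following is an added example, not code from the post or from Virtualmin: it parses constructed sample lines in the format Postfix smtpd and postscreen write to /var/log/maillog (the IPs and domains are documentation values) and counts rejections per list, per client IP and per daemon.

```python
import re
from collections import Counter

# Constructed sample lines in the format Postfix smtpd and postscreen write to
# /var/log/maillog (IPs and domains are documentation/example values).
SAMPLE_MAILLOG = """\
Jan 10 12:00:01 mail postfix/smtpd[1234]: connect from mail.example.com[192.0.2.1]
Jan 10 12:00:02 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; from=<a@example.net> to=<user@example.com> proto=ESMTP helo=<example.net>
Jan 10 12:00:03 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 554 5.7.1 Service unavailable; Sender address [bad@example.org] blocked using dbl.spamhaus.org; from=<bad@example.org> to=<user@example.com> proto=ESMTP helo=<mail.example.org>
Jan 10 12:00:04 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 4.1.8 <x@nosuch.invalid>: Sender address rejected: Domain not found; from=<x@nosuch.invalid> to=<user@example.com> proto=ESMTP helo=<nosuch>
Jan 10 12:00:05 mail postfix/postscreen[1200]: NOQUEUE: reject: RCPT from [203.0.113.9]:54321: 550 5.7.1 Service unavailable; client [203.0.113.9] blocked using zen.spamhaus.org; from=<s@example.net>, to=<user@example.com>, proto=ESMTP, helo=<x>
Jan 10 12:00:06 mail postfix/smtpd[1234]: 1A2B3C4D5E: client=mail.example.com[192.0.2.1]
"""

# smtpd logs "RCPT from host[ip]:", postscreen logs "RCPT from [ip]:port:"
REJECT_RE = re.compile(
    r"postfix/(?P<service>smtpd|postscreen)\[\d+\]: NOQUEUE: reject: RCPT from "
    r"[^\[]*\[(?P<ip>[^\]]+)\](?::\d+)?: (?P<code>\d{3}) (?P<reason>.*)$"
)
BLOCKED_RE = re.compile(r"blocked using (?P<dnsbl>[^\s;,]+)")


def parse_rejects(text):
    """One dict per reject line: the daemon that rejected, client IP, SMTP status
    code and the DNSBL/RHSBL that triggered it (None when some other restriction,
    e.g. reject_unknown_sender_domain, was the cause)."""
    rejects = []
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        b = BLOCKED_RE.search(m["reason"])
        rejects.append({
            "service": m["service"],
            "ip": m["ip"],
            "code": m["code"],
            "dnsbl": b["dnsbl"] if b else None,
        })
    return rejects


def summarize(text):
    """Rejections per list, per client IP and per daemon."""
    rejects = parse_rejects(text)
    by_list = Counter(r["dnsbl"] or "other" for r in rejects)
    by_ip = Counter(r["ip"] for r in rejects)
    by_service = Counter(r["service"] for r in rejects)
    return by_list, by_ip, by_service


def single_list_hits(text):
    """Client IPs rejected on the strength of exactly one list: the first
    candidates to look at when someone reports lost mail."""
    lists_per_ip = {}
    for r in parse_rejects(text):
        if r["dnsbl"]:
            lists_per_ip.setdefault(r["ip"], set()).add(r["dnsbl"])
    return sorted(ip for ip, lists in lists_per_ip.items() if len(lists) == 1)


if __name__ == "__main__":
    by_list, by_ip, by_service = summarize(SAMPLE_MAILLOG)
    for name, n in by_list.most_common():
        print(f"{n:4d}  {name}")
    print("rejected by daemon:", dict(by_service))
    print("single-list hits:", single_list_hits(SAMPLE_MAILLOG))
```

Run it against the real file with `python3 rejects.py < /var/log/maillog` after swapping `SAMPLE_MAILLOG` for `sys.stdin.read()`; on a live server the postscreen line shows up only if postscreen is enabled in master.cf, as a later reply in this thread explains.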
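A jail.local like the one above is easy to get subtly wrong: a key repeated inside one jail silently takes its last value, and a mistyped bantime is only noticed when fail2ban refuses to start. The following is an added example, not code from the post or from fail2ban itself: a small reader that keeps every assignment so duplicates are visible, merges [DEFAULT] into each jail the way fail2ban does (the jail's own keys win, `%(...)s` references are left unresolved), and converts the single-unit times used in this thread (15m, 6h, 1d) to seconds. The sample excerpt is constructed and deliberately keeps the doubled bantime in [dovecot] so the check has something to report.

```python
import re

# Constructed jail.local excerpt modelled on the one in this thread; the repeated
# bantime in [dovecot] is deliberate so the lint has something to find.
SAMPLE_JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 127.0.0.1/8 192.0.2.10

[sshd]
enabled = true
port = ssh
bantime = 1d
maxretry = 1

[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps,submission,465,sieve
bantime = 14m
#logpath = /var/log/maillog
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s
mode = aggressive
maxretry = 10
findtime = 10h
bantime = 10m
"""

UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TIME_RE = re.compile(r"^(\d+)\s*([smhdw]?)$")


def to_seconds(value):
    """Convert a fail2ban time such as 15m, 6h, 1d or a plain 600 into seconds.
    Assumption: only the single-unit form used in this thread is supported."""
    m = TIME_RE.match(value.strip())
    if not m:
        raise ValueError(f"unsupported time value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2)]


def parse_jails(text):
    """Minimal INI reader that keeps every assignment, not just the last one.
    Returns {section: [(key, value), ...]} in file order."""
    jails, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            jails.setdefault(current, [])
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            raise ValueError(f"unexpected line outside a section or without '=': {raw!r}")
        jails[current].append((key.strip(), value.strip()))
    return jails


def effective_settings(jails, name):
    """What a jail ends up with: [DEFAULT] first, then its own keys, last one wins."""
    merged = {}
    for section in ("DEFAULT", name):
        for key, value in jails.get(section, []):
            merged[key] = value
    return merged


def lint(text):
    """Findings a reviewer would want: repeated keys and unparsable times."""
    findings = []
    for jail, pairs in parse_jails(text).items():
        seen = {}
        for key, value in pairs:
            if key in seen:
                findings.append(f"[{jail}] {key} set twice ({seen[key]!r} then {value!r}); the last value wins")
            seen[key] = value
        for key in ("bantime", "findtime"):
            if key in seen:
                try:
                    to_seconds(seen[key])
                except ValueError as e:
                    findings.append(f"[{jail}] {e}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_JAIL_LOCAL):
        print(finding)
    print(effective_settings(parse_jails(SAMPLE_JAIL_LOCAL), "dovecot"))
```

Replace `SAMPLE_JAIL_LOCAL` with the contents of /etc/fail2ban/jail.local to run it on a real server; it only reads the file, and `fail2ban-client -d` remains the authoritative view of what fail2ban itself parsed.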

While a good thought, using a public resolver usually won’t work well with DNS blacklists.
Also, that’s way too many blacklists added and will for sure provide false positives.

Edit: regarding dnswl.org, these are also weighted in a standard spamassassin setup, so there is little value added to having them in Postfix.

I would prefer to see the IP address, as I can then use that address in block lists, rather than just harden fail2ban …

  1. Just switched from my own private DNS server to this new services and it is working great!
  2. It is correct, there are too many black lists included, however they have been tested and the best have been manually picked.
    However you can start with these and add the rest if needed:
    reject_rbl_client dnsbl-1.uceprotect.net,
    reject_rbl_client spam.spamrats.com,
    reject_rhsbl_sender uribl.spameatingmonkey.net,
    reject_rhsbl_sender urired.spameatingmonkey.net,
  3. The beauty of this is that you do not need spamassassin to stop most spam

The provided setup with postscreen blocks bad mail servers, and a false positive would be very hard to find.
It really helps to free resources in your server as Postfix doesn't have to deal with mail that is most surely spam.
But as you said, if you do want to see what is being blocked, you can omit the postscreen lines.

1: It might work for a while, especially since this particular service is very new, but if only a few more people use it your queries will go unanswered and the mail will just go through like any other mail. You are also violating the ToS of said blacklists.
You can not use blacklists with public open resolvers.

2: Those are actually the ones you should remove. Uceprotect are a bunch of extortionists with tons of FP. Spamrats also have lots of FP and very unstable servers, meaning again your queries go without a reply. Start with zen.spamhaus.org and bl.spamcop.net.

3: Sorry, but that's not how it works. Simply blocking IPs is good for the odd spammer, but it doesn't block spam coming from the major networks (think Hotmail, Gmail, AWS SES). Spamfighting methods need to work in tandem. It's a sad reality, but it is how it is these days.

Another way is to simply not host email at all. Google and Microsoft have this down pat… and frankly it's a ton of work for very little reward. Squarespace doesn't host email at all… and I think this is a trend that is coming. I actually have disabled dovecot, postfix, SpamAssassin… etc etc etc. I also made the maildir for postfix read-only by root so the websites cannot put files in there. There's a minimal install variant that I will deploy on my next install, but I will still have to disable postfix and make the main maildir read-only. It's been a godsend… makes hosting actually worthwhile… and you won't risk getting booted from your DC for sending out waves of spam (which is a constant battle if you host email). Nothing against Virt… this isn't a Virt issue… it's just how things are now IMO.

  1. Most DNS servers do not allow the recursive querying needed to use the black lists. DNS0 does. I was aware of free DNS (Google 8.8.8.8 or Cloudflare 1.1.1.1) not allowing recursive querying in their ToS, but I'm not aware of any blacklist that restricts you to a private DNS server; if you can provide something more precise it would be helpful.

  2. UCE-Protect 1 is blocking spam the right way. That's why I have listed it as #1 (because of their results, not my opinion). Have you tested it? UCE-Protect Level 2 & 3 have for sure a lot of false positives due to the method used, that's why I do not use them on most servers. I agree that a good start is zen.spamhaus.org and bl.spamcop.net.

  3. You're correct, unfortunately this method does not block spam from Hotmail or Gmail servers, but hey, it can block perhaps more than 98% and to me that number is great! And it saves you from running SpamAssassin, which some servers don't have enough power to do. Besides that, if you do not use a DNS server that allows recursive querying like DNS0, SpamAssassin does not stop anything (tested that too).

I generally recommend you not do RBL blocking in Postfix, at least not at this scale. It is very efficient, but it is a hammer. There are no shades of grey when letting Postfix make the choice. If you trust the list(s) you’re using will never have false positives, I guess it’s OK. But, I wouldn’t have more than one or two configured there, and would be careful about how well-maintained they are. Configuring dozens feels crazy to me. You’re going to block some legitimate mail.

I use SpamAssassin to make those decisions, where it can be a weight rather than pass/fail.

4 Likes

Spamhaus has an awesome program that allows you to query their servers for free if you are unable to setup a private recursive DNS server.

Create an account to get a free key for your personal email server

Setup SpamAssassin to integrate the spamhaus key
https://docs.spamhaus.com/datasets/docs/source/40-real-world-usage/SpamAssassin/000-intro.html

This takes a major load off your postfix and allows you to take advantage of one of the many uses Spamassassin was intended for.

If you don’t prefer Spamassassin? You can set this up directly in Postfix using Postscreen
https://docs.spamhaus.com/datasets/docs/source/40-real-world-usage/PublicMirrors/MTAs/020-Postfix.html

Postfix has instructions on how to set up Postscreen for other uses, but do so at your own discretion.
https://www.postfix.org/POSTSCREEN_README.html

I prefer using Postscreen to enforce the greet test to keep bots from spamming my logs.

postscreen_access_list = permit_mynetworks
postscreen_greet_action = enforce

If you go this route you can remove all those
reject_rbl_client
reject_rhsbl_client

You do not need to overwhelm your Postfix with so many rbl queries. That’s one way to bog down your server for sure.

1 Like

I started blocking spam with Postfix because it was not possible to set up Virtualmin with SpamAssassin on my CentOS 7 server. It required enabling ClamAV, and that slowed down the server, making it impossible to use until ClamAV was disabled; you may remember the issue.
So it was either use Postfix to block spam or let spam fill the inbox.
The solution is not perfect (some bl blocks fb or newsletters) but it removes most spam and has been working for more than 6 months.
Above all it removes most malware delivered by email.

Great service from Spamhaus key for personal use.

The solution using DNS0 seems to be usable also for commercial purposes. Setting up the server with this DNS will work for Postfix or SpamAssassin and also checks that the IPs/URLs used by the server are malware-free.

I did try postscreen with greet_action but it did not work for me, not sure why, so it was removed.

As @toreskev has pointed out:

Did you set up postscreen properly? You have to activate it in /etc/postfix/master.cf

#smtp	inet	n	-	y	-	-	smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_tls_security_level=may
smtp      inet  n       -       y       -       1       postscreen
smtpd     pass  -       -       y       -       -       smtpd
dnsblog   unix  -       -       y       -       0       dnsblog
tlsproxy  unix  -       -       y       -       0       tlsproxy

In /etc/postfix/main.cf:

postscreen_access_list = permit_mynetworks
postscreen_greet_action = enforce	
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1

You can even create your own access list

sudo vi /etc/postfix/postscreen_access.cidr

Add your server IP and others you want to bypass the postscreen:

#Access IP addresses
#example:
#8.8.8.8     permit
your.server.ip.here    permit
other.server.ip.here   permit

In /etc/postfix/main.cf: change the following line to add

postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr

Don't forget to restart Postfix:

sudo systemctl restart postfix

No, you don’t have to enable ClamAV to use SpamAssassin. That’s never been the case. I haven’t used ClamAV on any system in over a decade, including on CentOS 7, and I always use SpamAssassin.

So…I don’t remember the issue, but whatever was happening, ClamAV was definitely not needed to use SpamAssassin and never has been.

1 Like

You’re missing the point, it’s the blacklists that will rate limit you if doing more than X amount of queries per day. This will happen to DNS0 also, it has nothing to do with them allowing you to.
Secondly, DNS0 while good, it will block malicious sites, porn, stuff like that but it doesn’t really share a lot of bad mailing IPs with common blacklists so it will not do much good in this regard. But you do you, just don’t share bad advice.

Again, you do you. Uceprotect has a history of fraud and is generally considered to be the shittiest list of them all, along with sorbs, except sorbs has somehow pleasant people to deal with.

Personally I use some blacklists with reject in Postfix on a weighted scale, so it must find the bad IP in multiple blacklists before blocking it outright. If only found on one list it will be given a set spamscore and then further weighted by Spamassassin.

https://www.spamhaus.org/faq/section/DNSBL%20Usage#365

uceprotect is frequently called a scam, I'd never use that one… just search around the net, you'll find lots of reasons why…

since most spam originates from gmail/outlook/hotmail/yahoo, it doesn't make much sense not to use antispam… I've moved to rspamd and am very happy with it… (along with postscreen + postwhite + clamav).

1 Like

huh? postscreen logs IP addresses regularly in maillog… and you can use fail2ban filters for that. Been using it that way for the last couple of years already…

1 Like

And an example part of a postscreen configuration with a few RBLs:

postscreen_dnsbl_ttl = 5m
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = 
        zen.spamhaus.org=127.0.0.[2..11]*3
        b.barracudacentral.org=127.0.0.[2..11]*3
        bl.spameatingmonkey.net*2
        bl.spamcop.net
        dnsbl.sorbs.net
        psbl.surriel.com
        bl.mailspike.net
        swl.spamhaus.org*-4
        list.dnswl.org=127.[0..255].[0..255].0*-2
        list.dnswl.org=127.[0..255].[0..255].1*-3
        list.dnswl.org=127.[0..255].[0..255].[2..254]*-4
        list.dnswl.org=127.0.0.255
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
3 Likes

Years ago, well maybe more like 2 decades, they were set up to allow you to do a local mirror. Maybe refresh every 24 hours? When my partner went to cPanel I became mostly brain dead on this stuff. Does it show? :wink:

Hehe, nah, quite a lot of them still allow you to do a sync every now and then, which of course is an ideal solution if you're running huge (and/or multiple) servers. :slight_smile: