Had to disable email for one of my servers

SYSTEM INFORMATION
OS type and version: Ubuntu 22.04
Webmin version: The most recent
Virtualmin version: The most recent
Related packages: SUGGESTED

Hey team

I had to disable email to one of my servers because it was being used to spam the world. I went through this forum and read the suggested guides on proper etiquette for having a mail server. I ensured SASL is required, I configured grey listing… Is there something else I can do or that I’m missing?

I have attached a small snippet of my most recent mail.log -

Jan 21 22:20:25 domainname postfix/smtpd[2344]: disconnect from unknown[80.94.95.170] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jan 21 22:20:30 domainname postfix/smtpd[2316]: connect from unknown[80.94.95.170]
Jan 21 22:20:36 domainname postfix/smtpd[2316]: warning: unknown[80.94.95.170]: SASL LOGIN authentication failed: authentication failure
Jan 21 22:20:37 domainname postfix/smtpd[2316]: disconnect from unknown[80.94.95.170] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jan 21 22:20:40 domainname postfix/smtpd[2184]: connect from unknown[103.187.83.131]
Jan 21 22:20:43 domainname postfix/smtpd[2184]: warning: SASL authentication failure: Password verification failed

Jan 21 22:25:22 domainname postfix/smtpd[2184]: NOQUEUE: reject: RCPT from mail-am0eur02hn2228.outbound.protection.outlook.com[52.100.202.228]: 454 4.7.1 spam@hostname.ca: Relay access denied; from=<> to=spam@hostname.ca proto=ESMTP helo=<EUR02-AM0-obe.outbound.protection.outlook.com>
Jan 21 22:25:22 domainname postfix/smtpd[2184]: disconnect from mail-am0eur02hn2228.outbound.protection.outlook.com[52.100.202.228] ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6
Jan 21 22:25:22 domainname dovecot: imap-login: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=michael@hostname.farm, method=PLAIN, rip=2605:b100:b28:a76f:e4bf:61d6:ca23:b2c8, lip=2607:5300:60:8289::1, TLS, session=<vRu3FH8PqoEmBbEACyinb+S/YdbKI7LI>
Jan 21 22:25:24 domainname postfix/smtpd[2316]: connect from mail-vi1eur05olkn20801.outbound.protection.outlook.com[2a01:111:f403:2e13::801]
Jan 21 22:25:25 domainname postfix/smtpd[2316]: NOQUEUE: reject: RCPT from mail-vi1eur05olkn20801.outbound.protection.outlook.com[2a01:111:f403:2e13::801]: 454 4.7.1 spam@hostname.ca: Relay access denied; from=<> to=spam@hostname.ca proto=ESMTP helo=<EUR05-VI1-obe.outbound.protection.outlook.com>

I can’t see a connection as it says

and

Have you turned on Fail2Ban Intrusion Detector?
These connections should get denied due to the failures.

I saw the connect from unknown and then warning, I’m relatively new to looking at these types of logs so I thought I’d bring it to the experts :wink:

I do have Fail2ban installed, maybe I need to increase the settings a bit because my log files are just blowing up with attempts. That is what I will do, thank you for your guidance :pray:

If it's on, are you seeing bans?

Also the logs don't show anyone using your server, what makes you think someone is using your server to spam?

I got an email from my network host saying it was happening, I investigated and they were correct there were 82k in the outbound at time of cutoff. … there’s usually much, much less than that lol

I read a few tutorials on how to properly configure Fail2Ban, I did make a few changes that should hopefully help; I will report back and appreciate your help

I don't think fail2ban can help if an email account is sending out, it's inbound failed connections, but it will block failed password connections. Did you clear the mail queue?

Your IP may be on some blacklists now as well, I use mxtools to check them.

I don't think Fail2ban will stop an account from sending spam mail. The tool @stefan1959 suggested, Diagnostics, will tell you if your email address is an open relay and other useful things about it.

Turning on Fail2ban [recidive] jail with reduced matches and increased jail times is a good idea.
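
Added example, not posted by anyone in this thread: a small Python script that applies the two checks discussed above to constructed Postfix log lines in the same format as the snippet posted earlier. It counts SASL failures per source IP (what a fail2ban postfix-sasl jail bans on) and authenticated submissions per sasl_username (how a compromised account sending spam shows up, which fail2ban never sees because those logins succeed). The queue IDs, the 192.0.2.x/198.51.100.x/203.0.113.x addresses and the alice account are made up.

```python
import re
from collections import Counter

# Constructed sample lines in Postfix's log format (not the thread's own log):
# inbound SASL brute-force failures, then authenticated submissions where one
# account is sending far more than the other.
SAMPLE_LOG = """\
Jan 21 22:20:36 mx postfix/smtpd[2316]: warning: unknown[80.94.95.170]: SASL LOGIN authentication failed: authentication failure
Jan 21 22:20:44 mx postfix/smtpd[2316]: warning: unknown[80.94.95.170]: SASL LOGIN authentication failed: authentication failure
Jan 21 22:20:52 mx postfix/smtpd[2316]: warning: unknown[80.94.95.170]: SASL LOGIN authentication failed: authentication failure
Jan 21 22:21:03 mx postfix/smtpd[2184]: warning: unknown[103.187.83.131]: SASL PLAIN authentication failed: authentication failure
Jan 21 22:25:22 mx postfix/smtpd[2184]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.10]: 454 4.7.1 <spam@hostname.ca>: Relay access denied
Jan 21 22:30:01 mx postfix/smtpd[2400]: 1A2B3C4D5E: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=michael@hostname.farm
Jan 21 22:30:02 mx postfix/smtpd[2400]: 1A2B3C4D5F: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=michael@hostname.farm
Jan 21 22:30:03 mx postfix/smtpd[2400]: 1A2B3C4D60: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=michael@hostname.farm
Jan 21 22:31:10 mx postfix/smtpd[2401]: 1A2B3C4D61: client=home.example.org[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@hostname.ca
"""

# Failed login: the pattern fail2ban's postfix-sasl filter keys on (client IP in brackets).
SASL_FAIL_RE = re.compile(r"warning: \S+\[([0-9a-fA-F.:]+)\]: SASL \w+ authentication failed")
# Successful authenticated submission: Postfix logs sasl_username on the client= line.
SASL_OK_RE = re.compile(r"client=\S+\[([0-9a-fA-F.:]+)\], sasl_method=\w+, sasl_username=(\S+)")


def sasl_failures_by_ip(log_text):
    """Count SASL authentication failures per source IP (what a fail2ban jail bans on)."""
    return Counter(m.group(1) for m in map(SASL_FAIL_RE.search, log_text.splitlines()) if m)


def submissions_by_account(log_text):
    """Count authenticated submissions per account and record the client IPs each used."""
    counts, ips = Counter(), {}
    for m in filter(None, map(SASL_OK_RE.search, log_text.splitlines())):
        counts[m.group(2)] += 1
        ips.setdefault(m.group(2), set()).add(m.group(1))
    return counts, ips


def ips_to_ban(log_text, maxretry=3):
    """Source IPs at or above the failure threshold, i.e. what fail2ban would ban."""
    return sorted(ip for ip, n in sasl_failures_by_ip(log_text).items() if n >= maxretry)


def suspicious_accounts(log_text, max_msgs=2):
    """Accounts sending more than max_msgs authenticated messages in the window; these
    logins succeed, so no fail2ban jail will ever see them and the password must be reset."""
    counts, _ = submissions_by_account(log_text)
    return sorted(user for user, n in counts.items() if n > max_msgs)
```

On the sample, only 80.94.95.170 reaches the ban threshold, while michael@hostname.farm is flagged for review because it authenticates fine and simply sends too much; the "Relay access denied" line matches neither check because it is an inbound reject, not evidence of your server sending.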

I add the file /var/log/fail2ban.log to System Logs Viewer for convenience. If I see a few Found IPs from the same subnet I look it up, and if it is from a country I don't want or need traffic from I set a permanent larger subnet drop rule in FirewallD. It keeps the chatter down.

When you restart and go to view the fail2ban.log you see a list of all the banned IPs in numerical order re-establishing the ban, if you find that useful.

Some info here:
Are the default Fail2ban settings enough, what are the recommendations
