Locking down/Securing SMTP/Postfix

Hopefully this is in the right spot and someone can help. I apologize if it is in any way not Kosher. Unfortunately securing mail services on my own has always been a bane and usually I have broken down to using something like hMail on windows.

As I understand it from the searching I have been doing, Virtualmin should have SMTP set up for required authentication from the get-go. Unfortunately it seems ever since I have added an alias domain to my server, I am getting a lot of strange bounceback/delivery notification errors off of messages not sent by me. In fact this server is relatively new with no other users on it but my own, a single email address as a catch-all with myself being the only person who knows the credentials, and one domain, an alias domain for it, and 2 subdomains set up as sub-servers.

I set up the sole email address in Thunderbird and seem to recall it warned something about a lack of SMTP authentication which makes me wonder. A second wonder is the settings for using it as a relay server and locking those down if not already done.

Right now for the time being I have PostFix turned off until I can sort this. I don’t have anything at the moment which needs it so I can leave it this way for as long as necessary.


I am not sure I can help, but…

  1. Catch-alls are bad news. I recommend you avoid them if at all possible. And that’s because of (2)

  2. Domain spoofing: This can cause problems for anyone. Having an SPF record can help. You’re not alone: http://mail.google.com/support/bin/answer.py?answer=50200

If you’re worried your server is compromised, then the email headers are your friend: They show the true route path.

Sorry for the delayed reply and thanks for yours. I totally forgot about the spoofing bit and it never crossed my mind. It very well makes sense as I go in and look at these bounce messages and other settings more clearly. My guess is considering my new domain alias is a short 4 letter domain it is easily getting into Spambots’ list of domains to spoof.

I did recheck Thunderbird and it is saying SMTP is set to password auth, though insecurely which kinda bothers me. I’m going to do some investigating on my own, but is there an obvious option in virtualmin I am missing to turn on either ssl or starttls on Postfix?

Also as far as the catch-all: Yeah, that is merely temporary while I wrap my head around Virtualmin and determine how it operates in the email area. Once I get a good grasp on it, that will certainly go away!

Thanks again!