Postfix mail configuration

SYSTEM INFORMATION

| | |
|---|---|
| OS type and version | Debian 10 |
| Webmin version | 1.981 |
| Virtualmin version | 6.17-3 |
| Related products version | Postfix 3.4.14 |

We are currently hosting 40+ “light use” websites/ aliases of which 4 have mail services running.
There was a recent issue where one of the websites was hacked (unpatched wordpress!!) and we had a large spike in bandwidth usage before we took the site offline. This was also at the same time we moved one of our mail domains on to the virtualmin system.

There’s a bit of an issue now with spam blacklisting which we’re working to resolve but we are struggling to work out if we are getting fallout from the website breach or if it’s a bad machine/compromised account in the mail domain we’ve moved across to the server.

At the moment, all network traffic and services are pinned to eth0 which is pinned to one of our external IP’s. All web and mail traffic is going through that but I want to split the mail traffic off from the web. I’m looking to configure the postfix so that I can move the mail domains 1 at a time across to eth1 which is pinned to a different external IP and see if the spam problem moves.

I’ve seen an answer here (linux - postfix virtual domain on specific IP address - Unix & Linux Stack Exchange) that talks about changing the master.cf, but I want to query the actual syntax/settings.

Currently the master.cf has

```
smtp  inet n - y - - smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_tls_security_level=may
smtps inet n - y - - smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_tls_security_level=may -o smtpd_tls_wrappermode=yes
```

The link above is advising something along the lines of

```
domain1 unix -       -       n       -       -       smtp
      -o syslog_name=postfix-mail.example.com
      -o smtp_helo_name=mail.example.com
      -o smtp_bind_address=1.1.1.1

domain2 unix -       -       n       -       -       smtp
      -o syslog_name=postfix-mail.abc.com
      -o smtp_helo_name=mail.abc.com
      -o smtp_bind_address=2.2.2.2
```

My query is over the differences

  1. the original settings are “private” = n and “chroot” = y. As this is Virtualmin and multi-domain, do I need to keep the same options instead of the “-” and “n”?

  2. I’m assuming the command + args needs to be smtpd + the various -o options currently set?

  3. At the minute there is a smtp and smtps setting in master.cf. If I break it down into domain1, 2, … do I need to remove the current smtp setting and what about the smtps?

Also is there any logging or setting I can tweak to try and ID where all these emails are coming from?
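Putting the pieces the post discusses side by side, as an added example and not the thread's own files: the existing `smtp`/`smtps` entries run the SMTP server (smtpd) for inbound and authenticated mail and stay unchanged; the per-domain entries from the quoted Stack Exchange answer run the SMTP *client* (`smtp`) for outbound delivery; and a sender-dependent transport map in main.cf sends each domain's outbound mail through its own entry. The transport names `out-example`/`out-abc` and the map path /etc/postfix/sender_transport are assumptions; the host names and IPs are the placeholders from the quoted answer.

```conf
# --- /etc/postfix/master.cf -------------------------------------------------
# Field order: service type private unpriv chroot wakeup maxproc command + args
# "-" means the Postfix default for that field.
#
# Existing INBOUND listeners stay exactly as they are: they run the SMTP
# server (smtpd), which receives mail and authenticated submissions.
smtp      inet  n       -       y       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_security_level=may
smtps     inet  n       -       y       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_security_level=may
  -o smtpd_tls_wrappermode=yes

# Added OUTBOUND transports (assumed names out-example, out-abc): the command
# is smtp, the SMTP client that delivers to other servers, not smtpd, so the
# smtpd_* -o options above do not belong here. private "-" = default y (only
# Postfix itself talks to this socket); chroot n as in the quoted answer.
out-example unix -      -       n       -       -       smtp
  -o syslog_name=postfix-mail.example.com
  -o smtp_helo_name=mail.example.com
  -o smtp_bind_address=1.1.1.1
out-abc     unix -      -       n       -       -       smtp
  -o syslog_name=postfix-mail.abc.com
  -o smtp_helo_name=mail.abc.com
  -o smtp_bind_address=2.2.2.2

# --- /etc/postfix/main.cf ---------------------------------------------------
# Pick the outbound transport by envelope sender (address or @domain), so mail
# a web script injects with an @example.com sender moves with that domain.
sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport

# --- /etc/postfix/sender_transport (assumed path; run postmap on it) --------
@example.com    out-example:
@abc.com        out-abc:
# then: postmap /etc/postfix/sender_transport && postfix reload
```

Each bound address must already be configured on eth1, and its PTR record should match the smtp_helo_name, otherwise receivers will score the new IP much as they score the old one.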

Regardless of how many times you change the IP address on your email server, the spam artist will always find you by your email server host name.

Your best option is to egrep your mail log for the domains that are receiving this spam. Find the offending IP and drop it at the firewall. Depending on what you use for a firewall you may even want to see if ipset is compatible with it so you can create a list to start dropping them.

Hope this helps a bit…
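One way to act on the question above about where the mail is coming from, and on the advice to grep the mail log, as an added example that is not anything posted in the thread: it summarises the three entry paths Postfix logs differently, so a burst from one website user shows up under a uid and a burst from one mail account under a sasl_username. The sample log lines are constructed; on the server point it at /var/log/mail.log.

```shell
#!/bin/sh
# Added example (not from the thread): summarise how mail entered Postfix,
# using the three entry paths that /var/log/mail.log records differently:
#   postfix/pickup ... uid=N            local sendmail(1)/PHP mail() by a system user
#   postfix/smtpd  ... sasl_username=X  authenticated submission by a mail account
#   postfix/smtpd  ... client=h[ip]     unauthenticated client (inbound or open relay)
# On a Virtualmin box each virtual server typically has its own unix user, so a
# hot uid points at one website; a hot sasl_username points at one mail account.
origin_report() {
  log="$1"
  echo "== local submissions (pickup) by uid =="
  grep 'postfix/pickup\[' "$log" | sed -n 's/.*uid=\([0-9][0-9]*\).*/\1/p' \
    | sort | uniq -c | sort -rn | while read -r n uid; do
      name=$(id -nu "$uid" 2>/dev/null || echo '?')   # '?' when uid unknown here
      echo "$n uid=$uid $name"
    done
  echo "== authenticated submissions by sasl_username =="
  grep 'sasl_username=' "$log" | sed -n 's/.*sasl_username=\([^ ,]*\).*/\1/p' \
    | sort | uniq -c | sort -rn
  echo "== unauthenticated smtpd clients by IP =="
  grep 'postfix/smtpd\[' "$log" | grep 'client=' | grep -v 'sasl_username=' \
    | sed -n 's/.*client=[^[]*\[\([^]]*\)\].*/\1/p' | sort | uniq -c | sort -rn
}

# Constructed sample log lines (RFC 5737 test addresses, made-up queue IDs)
SAMPLE_LOG='Sep 14 10:01:02 host postfix/pickup[1234]: 4AB12CDEF00: uid=1004 from=<www-data@example.com>
Sep 14 10:01:03 host postfix/smtpd[2345]: 5AB12CDEF01: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=bob@abc.com
Sep 14 10:01:04 host postfix/smtpd[2346]: 5AB12CDEF02: client=mx.example.net[198.51.100.7]
Sep 14 10:01:05 host postfix/pickup[1234]: 4AB12CDEF03: uid=1004 from=<www-data@example.com>
Sep 14 10:01:06 host postfix/smtpd[2345]: 5AB12CDEF04: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=bob@abc.com'

# Run the report on the sample; on the server use /var/log/mail.log instead
tmpfile=$(mktemp) && printf '%s\n' "$SAMPLE_LOG" > "$tmpfile"
origin_report "$tmpfile"
rm -f "$tmpfile"
```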

AH UH :wink:

It is a bad habit to change IP address after it is on a blacklist / spamlist.

You should solve the cause of this, and not bother others that maybe get that (blacklisted) IP after you.
I am sure you also don’t want an IP that is blacklisted because of someone before you … ?

Solve the cause, and also ask for delisting if possible; for some lists this is automatic if spamming from the IP has stopped.

Sorry if you think I am harsh. I do mean it well.

I also understand you only switch between IPs you have yourself, but take care: the more IPs are blacklisted (from that box), the more damage for trust, also for websites … :wink:

For mail forms on websites, a workaround to test could be (if phpmailer) setting it to SMTP with another external mail account from the big ones like Gmail and co.

If not too many websites have contact / mail forms on them, you could try that to clear those forms as being the cause. (Temporary solution, but less risk than switching to another IP on that same box.)

I don’t remember all, but I had this before with a “Customer” on a box I did help out with a free domain and mail; I pointed out there were lots of bounces from those mail accounts in the (error) logs. He did however reverse the solution while not satisfied, then again the server was on a blacklist, so I removed that form, and also sent a notice; then hmm, we are no friends anymore :wink: (he did also use a mail form in combination with forwarding, where automatic mail forward you probably better shouldn’t use for such things)

Also you can change the MX record for a domain you find out is the problem, to handle mail on another box or an external mail service; if the problem stays, then with that you isolate a problem domain mail spammer without risk.

@cyberndt at the minute, I’m trying to dig the info out of the logs but it’s difficult as I’m not sure if it’s coming from one of the websites or one of the mail domains. All I’m really seeing is the bounces/notifications in the mail queue with no clue as to the originator.

@jotst These are static IPs I’m working with, part of a /28 subnet. I’m looking at moving 4 mail domains across one at a time to try to ID if it’s a mail domain (and which domain) or a website causing the spam. 4 mail domains being moved is 4 MX records to change, compared with moving the websites to the new IP, which would be around 90+ DNS changes.

So less risk of more IPs coming onto a spam list is to change the MX for those 4 domains to another box and handle mail over the other box or another external mail service; you can use for example Gmail and point the MX records to that. Then, also very important for your solution, they have to change the SMTP / mail / contact forms on those sites to use settings conforming to the other MX records.

Often a mail / contact form is using the host as mail if not configured in the right way, so then the problem stays on the hostname / mail server IP.

I myself no longer do experiments with own IPs if a known spam problem is there, for customers on boxes.

With MX changes you need SPF, DKIM, DMARC done right too!

The mail form contact pages need a config that is done right, so for example the from… address and more

PLEASE USE SPF, DMARC, DKIM strict for those problem ones; then in the DMARC report you could also see if mail is coming from the real or another spam server. Lots of failed, then it is not your box itself (if config settings are ok); then only strict SPF, DMARC, DKIM, DNSSEC and TLSA could help.

For a hacked account, better not use that domain URL for mail services anymore, while spamming stays for years; then better to use a new mail domain name or external mail services, and you can switch off mail for a domain with an MX setting. I don’t know by heart, a 0 MX or so

SAVES HEADACHES, while the abusing stays otherwise!

You can also make an extra subdomain / virtual server only for the mail for those domains, yes or no on the same box, if abused, instead of using external mail services if they don’t like that. Then the SPF, DMARC, DKIM, MX according to that. Other IP …

I had a client where one of the local Windows desktops with Outlook was compromised; the rate limit was a kind of warning and rescue to not …
There with the rate limit warning I did see the box for that email address must be hacked, so I did know it before the client knew, one of the hundreds…

That specific email address is still abusing after 5 years, but couldn’t hurt anymore while deleted and with more strict settings, so receivers that are blocking on SPF, DMARC, DKIM …


In webmin you can check running processes under system to find out if a php script is burning more than usual resources. You have the PID and USER tabs on top of page that will lead you directly to the culprit.
You would be able to stop the process and delete the infected php script.

jotst couldn’t have said it any better… Lots of good advice…

Changing the IP would only make things worse by blacklisting those as well.

Looks like it’s one of the websites, a Drupal site that hadn’t been patched and had SMTP, mailer and newsletter plugins.

I’ve had the website admin remove the problem plugins in the short term and told them to get the site fixed and updated otherwise it will get turned off!

EXAMPLE for whoever is reading here and has problems with hacked mail accounts

Yup, take care of the rate limit.

It is a very BIG BIG beginners’ error not to, and a city government hacked mail account in Holland, YUP, in 6 hours over 43.000 phishing mails sent out with a fake website link.

So wrong!

EDE in Gelderland https://ede.nl in Dutch pff DPG Media Privacy Gate