[SOLVED] How to reject ftp users from sending mail
Is there a way to reject ProFTP users from sending mail through sendmail? All ftp users have /bin/ftponly set as their shell and are all in separate groups. There are thousands of ftp users on the server. There are also thousands of mail users which have /bin/mailonly set as their shell and are also in separate groups.
Can users with a certain shell be blocked within the sendmail configuration? Or is it an option to use iptables for this?
The thing is, as I mentioned in my previous post, that there are thousands of ftp users on the server, all in their own group. The only thing that unites the ftp users is their shell /bin/ftponly.
Can someone please point me to another solution? I've been searching if this can be done using the sendmail configuration. Yes I can reject users from sending by adding a REJECT rule in /etc/mail/access. But this is not what I want with thousands of users.
Are you really running Sendmail or are you running another application like Postfix that provides a Sendmail compatible front end? I ask because this affects how you approach the problem and using a more advanced SMTP application, like Postfix, may give you more flexibility.
It looks like you need to add some form of authentication and adjust your relay access parameters. Often times the default is that any mail that originates on the system will be accepted and this seems to be the problem with your FTP users. This document may have some benefit for you: http://www.sendmail.org/~ca/email/auth.html#authrelay In particular, look for the "TRUST_AUTH_MECH(`list of mechanisms')" sections as there may be a way to adjust who is allowed to send mail. My suspicion is that you will need to use a white list approach and allow certain "groups" while denying everything else and this may require some tweaking to get right.
Thank you for your reply. Yes we're using just sendmail. But the plan has changed because some users are using their ftp credentials on their websites in php forms to send mail. So blocking all the ftp user accounts from sending mail will cause problems.
The plan now is to check and log on users who authenticate against SMTP with their ftp credentials using the iptables -m string module. On several occurrences they will be blocked by ip address by the fail2ban mechanism.
If only I could use regex with the iptables string module.....
You may want to consider using Postfix, which does provide Sendmail compatibility for use with PHP forms and what not. Postfix supports regex hashes and you could simply add a permit list containing your regex strings.
Thank you both for your tips. But the servers I'm talking about are all in production and there are a significant amount of those servers. So I can't switch from sendmail to postfix and from proftpd to vsftpd without a lot of work.
I may have found another solution for my challenge. I'm going to log the FTP spammers as follows:
! --string "relay=localhost" # inverse match on relaying against localhost because PHP forms mail like this.
--string "authid=" # match on authid
--string "$HOSTNAME" # match on hostname server because FTP spammers are authenticating authid=ftpuser@$HOSTNAME
geoip ! --src-cc NL,BE,DE,US,CA # if matching ip is not from one of these countries
And now fail2ban will check on occurrences of SPAM FTP-USER: in the log and will block the ip. That's the theory.
The entry above is the way ftpusers authenticate to send mail. The normal mail users authenticate without @hostingserver in our setup. relay[localhost] is ignored because of some users who use a PHP-form on their website to send mail.
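The matching criteria from the post above (an authid ending in @hostname, relay not localhost, repeated logins from one IP) can also be evaluated directly on the mail log. The following is an added example, not code from the thread: the `AUTH=server, relay=..., authid=...` field order, the hostname `hostingserver.example`, the threshold of 3 and all function names are assumptions, and the log lines are constructed.

```python
import re
from collections import Counter

HOSTNAME = "hostingserver.example"  # assumption: name FTP users append after "@"
THRESHOLD = 3                       # assumption: logins per IP before reporting

# Assumed shape of a sendmail SMTP AUTH log entry.
AUTH_RE = re.compile(
    r"AUTH=server, relay=(?P<relay>[^,]*), authid=(?P<authid>[^,\s]+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def ftp_auth_source(line, hostname=HOSTNAME):
    """Return the client IP when line is a remote SMTP AUTH as user@hostname."""
    m = AUTH_RE.search(line)
    if not m:
        return None
    relay = m.group("relay").strip()
    ip = IP_RE.search(relay)
    # PHP forms on the server relay through localhost; those are ignored.
    if ip is None or relay.startswith("localhost") or ip.group(1).startswith("127."):
        return None
    # Mail users authenticate without "@hostname"; FTP users include it.
    if not m.group("authid").lower().endswith("@" + hostname.lower()):
        return None
    return ip.group(1)


def offenders(lines, threshold=THRESHOLD):
    """Map each source IP with at least `threshold` matching logins to its count."""
    counts = Counter(ip for ip in map(ftp_auth_source, lines) if ip)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def _line(relay, authid):
    # Builds one constructed log line; timestamp and queue id are placeholders.
    return ("Mar  3 10:00:01 web1 sendmail[2101]: q23A01aa002101: "
            f"AUTH=server, relay={relay}, authid={authid}, mech=LOGIN, bits=0")


SAMPLE_LOG = [  # constructed sample input, documentation-range addresses
    _line("client.example.net [203.0.113.7]", "ftpuser1@hostingserver.example"),
    _line("client.example.net [203.0.113.7]", "ftpuser2@hostingserver.example"),
    _line("client.example.net [203.0.113.7]", "ftpuser1@hostingserver.example"),
    _line("localhost [127.0.0.1]", "ftpuser3@hostingserver.example"),
    _line("mail.example.org [198.51.100.20]", "mailuser1"),
    _line("[192.0.2.9]", "ftpuser4@hostingserver.example"),
]

if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG).items():
        print(f"SPAM FTP-USER: {ip} ({n} logins)")
```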