LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 09-18-2010, 08:36 AM   #1
bper
Member
 
Registered: Oct 2003
Posts: 64

Rep: Reputation: 15
Is My Postfix-Dovecot Mail Server Secure Enough?


Hello,

I have set up a postfix-dovecot server with smtp-auth using sasl on Ubuntu 10.04 by following this link: https://help.ubuntu.com/10.04/server...C/postfix.html

It seems to be working OK. The only thing is that when I view my logs, I see a lot of 'relaying denied', 'noqueue reject', 'too many errors after rcpt', and 'disconnect' messages from a lot of unknown domain names and ip addresses.

I'm hoping that this means that the server is secure and doing its job bouncing mail from unauthorized requests.

*** Is that true?

Even if it was true, it has to be slowing down the server receiving so many unauthorized requests.

*** Is there a way to avoid this or is this just a function of life in the world of email spam? Would a spam filter like Spamassasin help this type of issue?

Thanks!

Last edited by bper; 09-18-2010 at 08:37 AM. Reason: Adding Platform info
 
Old 09-18-2010, 01:11 PM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
Unfortunately, this type of mal-traffic is par for the course. A large percentage of spam is created and transmitted by machines that have been infected with malware applications and through open relays. Since you configured Postfix to require authentication before transmitting any mail, you are not an open relay. Of course, the spammers and script kiddies will see that you have an active SMTP port and attempt to see if they can brute force their way into access, to perform whatever dirty deeds they desire in your good name.

In my personal opinion, one of the best things you can do is ensure that your authentication takes place over a secure connection. Fortunately, that is what that how-to does, through the configuration of TLS. This means that when you transmit your authentication credentials, that they are done so over an encrypted connection and can't be sniffed by someone with a wire tap.

There are a couple of things you can do to help reduce this traffic. First, you can make note of the IP address of the offenders and if you discover that you have a perpetual or repeat offender simply ban them with iptables. The second thing you can do is use a program such as fail2ban which will analyze your logs and see the invalid attempts and apply a temporary ban to them. This has two effects, one it limits the number of attempts that they can make and getting blocked, even temporarily is usually enough to make them go elsewhere.

Spamassassin, and its cousins, such as amavis will help reduce the amount of spam that you receive once your system has been up and running for a while. You can use them in conjunction with other filters including anti-virus programs to detect infected emails and junk and keep it from getting to your inbox. To this end, one program that I personally found to be highly effective is Postgrey which performs grey listing, where an unknown sender will get a temporary reject code the first time they try to send you a message. Fortunately, most spam bots aren't standards compliant systems and simply spew their stuff once and go away so this prevents a lot of it from even being received.
 
1 members found this post helpful.
Old 09-18-2010, 02:32 PM   #3
bper
Member
 
Registered: Oct 2003
Posts: 64

Original Poster
Rep: Reputation: 15
Thanks for your reply, info, and suggestions. I feel a little relieved that at least the guard dog is on duty. I will monitor, as you suggested, what I can do to reduce the traffic.

What are the red flags that I should look for? I would guess that I should look for the status='sent', or connections by unknown users.

Thanks again for the support.
 
Old 09-19-2010, 06:00 AM   #4
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
One of the biggest red flags would be finding out that you have become listed on spamcop or a similar RBL

Seriously, the fact that you realize the importance of examining the logs and watching for things out of the ordinary puts you ahead of the game. There are a couple of things I would think to watch for. Periodically you should scan your logs and looking for "sent" is good. Just make sure that you recognize the sender and that it isn't some strange thing you have never heard of. Also look at the recipient, as this could indicate that someone has cracked your account password and is using it. The second thing would be to look for lines like this:
Code:
Sep 12 10:11:41 server postfix/smtpd[11876]: NOQUEUE: reject: RCPT from 118-160-208-234.dynamic.hinet.net[118.160.208.234]: 554 5.7.1 <zz@mail2000.com.tw>: Relay access denied; from=<hi7188s.pp5975@msa.hinet.net> to=<zz@mail2000.com.tw> proto=SMTP helo=<96.10.215.214>
I received that one two days ago. The big thing to note is the relay access denied, which means that your authorization is doing what it is supposed to. Unfortunately, you are going to get plenty of this kind of crap. Fail2ban uses regular expressions to match the reject and 554 response code and trigger on that to block the IP.

You may also get a lot of connect from, received disconnect from, etc in a short period. Sometimes the attempt is to confuse or overload your server in an attempt to soften up the security. Postfix will respond to this by throttling back at hard and soft limits.

Other things to consider doing, make sure you have a valid MX and SPF record in your domain's DNS. Other servers can use these to help verify your credentials and it is an indication that you are a valid mail server.

One of the biggest threats you may face is someone using your domain, not as a spam relay, but as a spoof at the bottom of the header chain to make it look like you WERE the spam relay. Wietse Venema (the creator of Postfix) had a really good white paper on how he configures his server to help identify that the mail didn't originate from his server. I don't recall all the details, but one thing he does is make sure that the server identifies it self with a subdomain name, like mail.postfix.org rather than postfix.org. You may want to look at some of those things.

Lastly, receiving spam will become something of an annoyance. The longer your domain and address are out there the worse it will become. Learn to use the tools like spamassassin, scan your mails for viruses (which won't effect you, but you have a responsibility not to propagate them), etc.

If you install a web mail client, like Squirrelmail or Roundcube, I suggest that you only put it on an HTTPS page to help ensure that passwords and accounts can't be sniffed. Same thing goes if you use postfixconfig.php, PHPMyadmin, or anything like that, which need extra security (I recommend making them LAN IP accessible only if possible, and requiring certificates and passwords).

Enjoy running your own production mail server. It is definitely a rewarding experience.
 
1 members found this post helpful.
Old 09-19-2010, 06:19 AM   #5
bper
Member
 
Registered: Oct 2003
Posts: 64

Original Poster
Rep: Reputation: 15
Great post, very helpful. Thank you again.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Dovecot/Postfix server - some mail not arriving technomeister Linux - General 4 12-28-2012 02:05 PM
Mail server issues (Postfix, MySQL, Dovecot) manijeee Linux - Server 0 08-03-2009 02:38 AM
Postfix/Dovecot Mail Server Redundancy haariseshu Linux - Server 2 05-29-2009 05:55 AM
Setup Mail Server with Postfix/Dovecot/SquirrelMail olddocks Linux - Server 2 03-24-2009 01:34 AM
LXer: Debian Mail Server Setup with Postfix + Dovecot + SASL + Squirrel Mail LXer Syndicated Linux News 0 03-12-2008 10:50 PM


All times are GMT -5. The time now is 02:53 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration