At the moment all my outgoing ports on VPN server are open if someone connects to it.
How can I prevent users accessing it for spam smtp?

The VPN network is 10.8.0.0/24 and 172.16.0.0/24

Can I simply do this:
iptables -A FORWARD -p tcp --dport 25 -s 10.8.0.0/24 -j DROP
iptables -A FORWARD -p tcp --dport 25 -s 172.16.0.0/24 -j DROP

Are there other ports I should block?

How can I make the client send smtp from there own IP address whilst have all other traffic routed through the VPN?

any ideas?

I am not sure I fully understand your problem or question. Part of the disconnect is that I don't see the relationship between a VPN and a spamming issue on your SMTP server. A VPN allow remote connections to your your system and assigns a virtual network adapter on the client side a local IP address. Consequently, all traffic bound for a VPN resource is routed over this virtual tunnel. Whether or not you run an SMTP server on this same system is a different situation entirely, with one possible exception. If your SMTP server is setup to "permit my networks" without secondary authentication, then a VPN user may be able to send email through this server. Even in this case, to connect to the VPN the user will have to authenticate and you should not be having a outbound spam problem with them. If you are, I think you should address this issue directly.

If you really don't want VPN users to be able to use your SMTP server, while you can block this traffic with the firewall, the better approach would be to configure the email system to not accept these users and then use the firewall as a backup. Inbound SMTP connections will be on port 25 and your rules should do the trick, except I think you would want to put the rules in the INPUT chain rather than the FORWARD chain.

I just assumed someone could connect to the VPN and then send out spam emails but because they are connected via VPN, it would look as though the emails were coming from my server even though I don't have an smtp server on it/

Unless it's a trick question, just dropping traffic on the VPN where the destination port = 25 should suffice for the majority of spam.

However, there are other submission ports you may want to add like 465 & 587. There are probably others that are non standard. One of my clients has MTA's listening on 2525 for example.

I'd probably log - then drop - offending packets btw.

How can I log and detect smtp?
I considered it but wasn't sure how to identify port 25 on the VPN.
Do I just block output or does it have tp be for the VPN network 10.8.0.0/24?

Just drop the output for port 25: What do you mean by log and detect? If you have no SMTP servers, nothing will be sending out. If you keep port 25, and other submission ports, on your gateway output closed, then any zombie applications won't be able to spam out on those ports.
If you want to look to see if any applications are running that are listening on port 25 you can use netsat (as root: netstat -pane | grep 25)

What about smtp servers on the VPN client?
If the port is open then they can do what they want and my server will get blacklisted?

Exactly - I know where you are coming from on this and it shows you are on the ball thinking and planning for it. VPN users could use your VPN to submit large amounts of spam leaving your exit IP address blacklisted with many of the DNSBL's and providers. Worse still, your provider could even terminate your service.

What would I do? Drop 25, 465 & 587 as a starting point. Most people using VPN's to send spam will typically go direct to MX thus meaning they will have to use port 25. The more switched on spammers will often make use of bulk/compromised freemailer accounts and third party servers that use authentication - typically on one of the submission ports (587 and the non-compliant 465).

Logging dropped packets with IPTables is straightforward:






....but you may also like to consider NOT dropping the packets, but instead rate limiting them so potential abusers are limited to a given number of connections to port 25 etc in a given time window. For rate control something like this (not tested on the output chain as was written for the input - may not work so apologies if this is the case):
If you run Postfix anywhere you can test this with the SMTP-SOURCE program that comes with it firing off a command like this a few times:

Hopefully you can pick over the bones of this post and find something useful in it that will fit your scenario. I'm certainly no expert in any field so listen to others with better advice than me :-)

In addition to SMTP, I think I would also look at what you can do to limit abuse by port scanning script kiddies ;-) That may prove interesting to deal with!

I use sendmail at the moment to send my own emails from the server so that's why I was wondering if I could block output from the VPN network somehow.

Extend the rule so src != 127.0.0.1 ??

An ounce of prevention is definitely worth a pound of cure, as the saying goes, however, I still question this exercise. Firstly, lets clarify what you mean by VPN and VPN user. A VPN connection is NOT the same thing as allowing someone shell access on your server. A VPN connection is really equivalent to plugging a system into your local LAN. Secondly, if you are concerned about others abusing your server in this fashion, then you need to deal with the user. The third thing you need to do is properly configure your Sendmail so that it properly authenticates clients so that this is not a problem. Your concern, which is to protect against what is considered to be an open relay is very valid but the firewall is not the proper place to address this. Lastly, after the above, then you should focus on configuring your firewall as an ADDED layer of protection against unintended actions. I re-iterate that if you are relying on a firewall to protect against errant data from within your network, you will ultimately not succeed, because they will get around it.

In regards to blocking traffic, your VPN should have a specified range of IP addresses associated with it. You could use your firewall to block traffic from this range. Similarly, you could configure your email application to not accept traffic from this range. As leslie_jones pointed out, you can block all but locahost traffic, which will also prevent you from receiving mail, if you do, though it doesn't sound like it.

iptables -A OUTPUT -p tcp --dport 25 -j -s 127.0.0.1 ALLOW
iptables -A OUTPUT -p tcp --dport 25 -j LOGDROP

?

Sure - the phrase 'VPN' is often misused, but that's life. I think I've read numerous uses of it over the years from various vendors, mixed with further definitions held in high esteem by disciples of the 'The Church of The Sacred Plonking Socially Inept Pedantic Troll'

In this instance I understand the OP as meaning he/she provides a service for customers where for X $£ they effectively 'appear' to come from his IP. Typically used for a number of reasons - sometimes grey/nefarious, sometimes to avoid geographical restrictions, sometimes just for privacy of a kind. If my understanding of the OP's instance is incorrect then I sincerely apologise.

Perhaps that is not the classic definition of VPN/VPN user and it may confuse those with some kind of autism - but I'll leave that kind of OT garbage for those that like to fight for scraps. I'm not really interested in the politics of it, just helping to answer the question. Anything else is rather pointless, don't you think?

What happens if you try it? Does your sendmail work? Does it kill any attempts to tunnel through your IP with SMTP?