LinuxQuestions.org


dereut 02-05-2015 10:34 AM

email server queue always full
 
hello all,

I have a server with Debian 7 on it and an email server using courier-imap, postfix and mysql for virtual domains/users.
There are also some other relevant pieces of software like clamav ...

I have set this up following https://www.howtoforge.com/virtual-u...-debian-wheezy

in principle, this means that nobody can send email if not using username/password for SMTP

however, every 2 days I find my postfix queue full of unsent emails (more than 8000), all failed because for some reason I cannot send to external addresses

what bugs me, is that they all try to send using fakename@mydomain.com (mydomain.com to replace with my real domain name)

it means that if my sending system was not broken, those parasites would have spammed the world (8000 of them) with emails using my system

this means that my system is not secure, my stupid smtp is still trying to send or relay emails from users that are not in the Database

would anyone know how to stop smtp doing that? or a good, serious howto to set up a secure email server?

I know that it is a very vast question, due to different servers and different settings, but what I hope is to find someone with enough knowledge to point me down the right path

thanks a lot in advance

reup

chrism01 02-06-2015 03:54 AM

Use the Report button to ask the Mods to move this to the security forum and in any case read the Sticky posts there.
HTH
:)

dereut 02-06-2015 04:07 AM

done, thank you Chrism01

Rawcous 02-06-2015 07:53 AM

Hello Dereut,

I'm not exactly an expert but there are a couple of standard checks that I would perform.

1. Check the contents of the /var/log/maillog file.
2. Check the contents of the /var/log/secure file.

The above 2 may provide an idea as to how your system was compromised - for example has your server been compromised and thus the script is being executed internally from your server i.e. using an ssh account etc?

3. You may need to reconfigure your /etc/mail/access database so that relaying mail through your server from an external network is not permitted - I believe postfix uses the access file in the same manner thus see this link: http://www.sendmail.co.uk/sm/open_so...anti_spam.html

4. Use an external mail server integrity / security checker such as the one I have seen recommended previously on this forum. I personally use it to test the security of my mail server. It will indicate whether or not any attacker is able to relay mail from an external source: http://www.emailsecuritygrader.com/ and other potential holes in your mail server setup.

Hope the above helps.

Regards,

Rawcous!

dereut 02-06-2015 10:18 AM

rawcous,

thanks for your help.

from what I read, it seems that I need to make sure I can send email only from this server, so no relay whatsoever.

I see that there are a lot of possible relays; I have to find out how to disable all relaying from postfix. I have a webmail client installed on the server and want to be able to send only from this client.

I am using webmin to manage postfix and I can see it is a bad practice as I do not know how the files are modified.
you tick a box "Allow connections from this system", but if someone asks you "did you change this setting?" you have no idea what was actually changed

reup

dereut 02-07-2015 06:29 AM

so far no luck, it seems that if people add my domains in the return address, postfix will accept them

I am trying to make it so that only people registered as my users in the database will be able to send emails, and as we all use a webmail client running on the same server as postfix, it should be only emails sent from this server's IP

I have to admit that there is so many options and so much to read that I will accept any help to solve my issue.

I will learn, but right now I am in a hurry

reup
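As an added example (not code from this thread), a small Python script that parses `postqueue -p` (mailq) output and counts queued messages whose envelope sender is not one of the mailboxes in the user database, which is how bogus senders like fakename@mydomain.com stand out; the sample queue listing and the KNOWN_USERS set are constructed assumptions, not data from the poster's server.

```python
import re
from collections import Counter

# Constructed sample of `postqueue -p` (mailq) output, not captured from the
# poster's server. Two messages carry a fake local-domain envelope sender.
SAMPLE_MAILQ = """\
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*    4567 Sat Feb  7 06:29:00  fakename@mydomain.com
                                         victim1@example.net

B2C3D4E5F6     1234 Sat Feb  7 06:30:12  fakename@mydomain.com
(connect to mx.example.org[192.0.2.10]:25: Connection timed out)
                                         victim2@example.org

C3D4E5F6A7     2048 Sat Feb  7 06:31:40  alice@mydomain.com
                                         friend@example.com

-- 7 Kbytes in 3 Requests.
"""

# Hypothetical set of mailboxes that actually exist in the virtual-user
# database; in practice it would be loaded from the MySQL users table.
KNOWN_USERS = {"alice@mydomain.com", "bob@mydomain.com"}

# First line of a queue entry: queue id, optional status flag (* active,
# ! on hold), size, arrival time, envelope sender.
ENTRY_RE = re.compile(r"^([0-9A-Za-z]+)([*!]?)\s+(\d+)\s+(.+?)\s+(\S+)$")

def parse_mailq(text):
    """Return (queue_id, status, sender, deferral_reason) per queued message."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            qid, flag, _size, _arrival, sender = m.groups()
            status = {"*": "active", "!": "hold"}.get(flag, "deferred")
            entries.append([qid, status, sender.lower(), None])
        elif line.startswith("(") and entries:
            # Postfix prints the last delivery error in parentheses below
            # the entry it belongs to.
            entries[-1][3] = line.strip().strip("()")
    return [tuple(e) for e in entries]

def suspicious_senders(entries, known_users):
    """Count queued messages whose envelope sender is not a real mailbox."""
    return Counter(sender for _, _, sender, _ in entries
                   if sender not in known_users)
```

Run it against the real listing with `postqueue -p | python3 script.py`-style piping after swapping the constant for `sys.stdin.read()`; a sender that dominates the count but is absent from the database is the address to hunt for in the web application's logs.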

dereut 02-07-2015 06:52 AM

digging more, it seems that all those emails are sent through my apache server.

if I stop postfix and courier-imap, the queue keeps growing, but as soon as I stop apache and flush the queue, it stops completely

I must have some serious bug in my wordpress system to allow so many people to send emails.

reup

Rawcous 02-07-2015 06:55 AM

Hello Dereut,

Hope I haven't misunderstood this, but do all "valid" users who relay mail via your server do so on the local network? If yes, then you could set up an iptables rule to that effect - this would block all external users from hitting your smtp port, i.e. port 25. This is what I do with my Sendmail SMTP server.

Regards,

Rawcous!

dereut 02-07-2015 07:06 AM

well, it seems that some wordpress plugins are using my apache server to send those emails https://www.howtoforge.com/community...pamming.60573/

I am checking right now, but if it is the case, I don't know how to stop that except by finding the offending plugins or stopping apache

if I stop apache, the queue stops growing (I have 400 new emails in the queue every 10 min right now). if I stop postfix or courier-imap, I still get new emails in the queue

reup

dereut 02-07-2015 07:18 AM

for now, I have added in php.ini disable_functions = "mail"

restarted apache

will see if it works

dereut 02-07-2015 04:03 PM

well, it worked: I removed all relaying from the system and stopped the php mail function.

now my system does not send junk mail any more

thanks for the hints and information links, this has helped a lot

reup
