Hi Again Dan.

Sorry for getting back to you, but regarding your thought 3: I think you must have a different setup from mine. My submission port 587 requires auth from the 'sender' (From field), meaning he/she has to be a known qmail user, hence REQUIRE_AUTH=1.

I may be totally wrong (probably), or more likely I missed your point or am using an obsolete client?

As I see it, the catch is if someone changes the submission port to the SMTP port in their mail client and removes authentication; then there's an issue.

Regards,
Finn

On 01-02-2016 at 20:07, Dan McAllister wrote:
Greetings all

I was reading some earlier posts from Raj, Jim, & Eric with regards to
detecting WHO is abusing your server, so I thought I'd share some of my
thoughts & solutions:

Thought 1: I force all RELAY traffic to occur on port 587 (with or
without TLS)
  - I do this using spamdyke -- using different rules for port 25
and port 587. Under MY rules:
    - port 25 DOES NOT ALLOW authentication, and thus will not RELAY at all
    - port 587 REQUIRES authentication, and also supports TLS (SSL)
    NOTE: You can do this in the RUN parts inside your submission folders
      That is:
         1) In the folder /etc/spamdyke/, copy your existing
spamdyke.conf to submission.conf, and to avoid confusion, I personally
also make a copy called smtp.conf
         2) Edit the submission.conf file to say smtp-auth-level=always
(actually, I set it to always-encrypted, but that requires a valid SSL
certificate, which goes beyond this note)
         3) Edit the smtp.conf file to say smtp-auth-level=none
(this DISALLOWS SMTP authentication, even if QMail is configured to
allow it!)
         4) In the folder /var/qmail/supervise/smtp, edit the file
named run. Assuming you previously installed and configured spamdyke,
you'll have entries that look like:
                       SPAMDYKE=/usr/local/bin/spamdyke
                       SPAMDYKEFLAGS=' -f /etc/spamdyke/spamdyke.conf'
            Change the SPAMDYKEFLAGS value to point to your new smtp.conf -
in other words, use the line:
                       SPAMDYKEFLAGS=' -f /etc/spamdyke/smtp.conf'
         5) In the folder /var/qmail/supervise/submission, edit the
file named run. Again, assuming you previously installed and configured
spamdyke, you'll have entries that look like:
                       SPAMDYKE=/usr/local/bin/spamdyke
                       SPAMDYKEFLAGS=' -f /etc/spamdyke/spamdyke.conf'
            Change the SPAMDYKEFLAGS value to point to your new
submission.conf - in other words, use the line:
                       SPAMDYKEFLAGS=' -f /etc/spamdyke/submission.conf'
         6) NOTE: If you are using the smtp-ssl mod (that is, you're
also listening on port 465), you will need to repeat the above steps for
your 3rd SMTP listening daemon
         7) Restart your toaster with the command 'qmailctl restart'
     Now you have limited port 25 to NO AUTH, and you've set port 587 to
require AUTH (possibly with encryption), and you may have set port 465
to require auth (typically only with encryption)

Thought 2: I use the qmlog program (originally by Fabio Olaechea, but
translated to English & enhanced by our own Eric Shubert)
    My search for the source on the Internet met with failure (it used
to be part of the qtp suite of add-ons), so I have a copy located at
http://www.it4soho.com/qmlog
    If you download it from there, save it to /usr/bin or /usr/sbin
(either should work)
    What's special about qmlog? It's a single program that can be used
to fetch QMail logs for any of the services, AND it automatically
converts the timestamp into human-readable form!
Thought 3: One of the most common abuses of Qmail is the ability to
send AS ANYONE once you've been authenticated.
   What I mean by that is:
     - suppose you have 3 accounts on your QMT server ([email protected];
[email protected]; & [email protected])
     - suppose you configure your mail client to connect to the
SUBMISSION port on your mail server with the auth credentials of
[email protected].
        Once you're connected and authenticated, you can send mail as
[email protected], or [email protected], or [email protected], or even
[email protected]
     - This is all well and good when Suzy in Sales sends mail from the
[email protected] account instead of her own
     - This is a little problematic when Suzy in Sales sends mail from
[email protected], who happens to be a coworker she doesn't have
authorization to send mail for
     - This is VERY problematic when Suzy in Sales sends mail from
[email protected] or any other outside domain
    The server will ALLOW all of these -- so you need to periodically
CATCH them!

So, assuming you have the qmlog program mentioned above, put it in your
path, then use the attached checkmailfraud.sh script.
   NOTE: The script is DESIGNED to send you a TEXT MESSAGE when the
number of suspected fraudulent entries PER USER exceeds a threshold.
   YOU CANNOT USE THE SCRIPT WITHOUT EDITING IT and placing your own TO:
(SMS email interface) and FROM: (local email address) entries at the top.
   The threshold value (also at the top) is adjustable, and SMS
messages should only go out if fraud has indeed been detected.
   Finally, I have NOT YET coded the exclusion so that you only get one
text message per user that exceeds your threshold.

Thought 4: The second most common abuse of QMAIL is that we do not
rate-limit senders .. at all.
You can use the attached script (built very similarly to
checkmailfraud.sh) called checkmailabuse.sh to check for users who are
just plain sending too much mail!
Again, you will need to set your own variables at the top -- where you
send the SMS (or email) message; what address you're sending it from;
and at what threshold you will send the alert.

I hope you find these scripts helpful - they are a central part of how I
administer so many servers with so many users!

Good Luck!

Dan McAllister
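The checks Dan describes in Thought 3 (an authenticated user sending as a coworker or as an outside domain) and Thought 4 (a user simply sending too much), as an added Python example that is not part of either message and is not his checkmailfraud.sh or checkmailabuse.sh. The log lines and their `auth=` / `from=` fields are constructed for this example and are not the real qmail-smtpd or spamdyke log format, so a real deployment would replace parse_log() with a parser for qmlog's output. The addresses, LOCAL_DOMAINS and the ALLOWED_ALIASES table (which users may legitimately send as a shared address such as sales@) are likewise assumptions. It goes one step beyond the posted scripts by emitting at most one alert per user per condition, the exclusion Dan says he has not yet coded.

```python
"""Flag authenticated submission users who send as someone else, or send too much.

Added example, not the qmailtoaster scripts from the thread. The log format is a
constructed simplification (assumed auth= and from= fields per accepted message);
it is NOT qmail-smtpd's or spamdyke's real log format.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log: one line per message accepted on the submission port.
SAMPLE_LOG = """\
2016-02-01 20:01:11 submission auth=suzy@example.com from=suzy@example.com
2016-02-01 20:01:40 submission auth=suzy@example.com from=sales@example.com
2016-02-01 20:02:05 submission auth=suzy@example.com from=bob@example.com
2016-02-01 20:02:30 submission auth=suzy@example.com from=ceo@bigbank.example
2016-02-01 20:02:31 submission auth=suzy@example.com from=ceo@bigbank.example
2016-02-01 20:03:00 submission auth=bob@example.com from=bob@example.com
2016-02-01 20:03:10 submission auth=bob@example.com from=bob@example.com
2016-02-01 20:03:20 submission auth=bob@example.com from=bob@example.com
2016-02-01 20:03:30 submission auth=bob@example.com from=bob@example.com
"""

LINE_RE = re.compile(r"auth=(?P<auth>\S+)\s+from=(?P<sender>\S+)")

# Assumed: domains this server hosts, and who may send as which shared address.
LOCAL_DOMAINS = {"example.com"}
ALLOWED_ALIASES = {"suzy@example.com": {"sales@example.com"}}


def parse_log(text):
    """Return (authenticated user, envelope sender) pairs, lower-cased."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append((m["auth"].lower(), m["sender"].lower()))
    return records


def classify(auth, sender):
    """'self' (own address), 'alias' (permitted shared address),
    'coworker' (another local user) or 'outside' (foreign domain)."""
    if sender == auth:
        return "self"
    if sender in ALLOWED_ALIASES.get(auth, set()):
        return "alias"
    domain = sender.rpartition("@")[2]
    return "coworker" if domain in LOCAL_DOMAINS else "outside"


def tally(records):
    """Per authenticated user, a Counter of classifications for what they sent."""
    per_user = defaultdict(Counter)
    for auth, sender in records:
        per_user[auth][classify(auth, sender)] += 1
    return per_user


def alerts(records, fraud_threshold=2, volume_threshold=4):
    """Build alert text per user. At most one alert per user per condition,
    so a noisy user produces one page for fraud and one for volume, not one per line."""
    out = defaultdict(list)
    for auth, counts in tally(records).items():
        suspect = counts["coworker"] + counts["outside"]
        if suspect >= fraud_threshold:
            out[auth].append(
                f"fraud: {suspect} messages sent as someone else "
                f"({counts['outside']} from an outside domain)"
            )
        total = sum(counts.values())
        if total >= volume_threshold:
            out[auth].append(f"abuse: {total} messages in window")
    return dict(out)


if __name__ == "__main__":
    # Replace print() with the SMS/email gateway call of your choice.
    for user, messages in alerts(parse_log(SAMPLE_LOG)).items():
        for message in messages:
            print(f"{user}: {message}")
```

Run on the constructed log this flags suzy@ for both conditions (one coworker plus two outside-domain senders, five messages in the window) and bob@ for volume only; the sales@ line counts as a permitted alias and is not a fraud hit. Adjust the two thresholds to the traffic your users actually generate before pointing the alert at a phone.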





---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

