TOPIC: SECURITY: How do I enable SMTP authentication on outgoing mail.

#3722
Blueforce (User)
SECURITY: How do I enable SMTP authentication on outgoing mail. 2007/02/01 23:05  
Hi,

How do I enable authentication for outgoing/sending mail with our server?

In the default config/install anyone can connect to our server and send mail to all users/domains on the server.
The smtpd authentication only stops relaying to addresses outside the server.

I want to restrict sending mail with our server to ONLY authenticated users, and I think Postfix has an option called:
smtp_sasl_auth_enable

But I can't find where and how to configure it in Webmin/Virtualmin. If there is no option for this in Webmin/Virtualmin, could someone point me in the right direction on how to set this up and enable it?

Regards,
Leif

#3723
Joe (Admin)
Re: SECURITY: How do I enable SMTP authentication on outgoing mail. 2007/02/01 23:14  
Hey Leif,

How do you plan to accept mail for your users if you require SMTP auth to relay for them? I suspect you don't really want to do that--no one (literally no one) will be able to send mail to your users except other users on your server. SMTP is how everyone sends mail to your users--you can't require authentication for that, unless you only want users to be able to talk amongst themselves.

But, I certainly do suggest SMTP auth for allowing your users to send mail to other servers (otherwise they won't be allowed to send through your box). SMTP auth is configured by the installer, by default these days, but there's also a FAQ about it here, if your system was installed before this was set up by default:

http://www.virtualmin.com/faq/one-faq?faq_id=1511#33021
#3724
Joe (Admin)
Re: SECURITY: How do I enable SMTP authentication on outgoing mail. 2007/02/01 23:15  
BTW-This is not a security issue. Accepting mail addressed to your users is what SMTP is for.
#3725
Blueforce (User)
Re: Re: SECURITY: How do I enable SMTP authentication on outgoing mail. 2007/02/02 00:05  
Hi Joe,

Yes I understand that, and SMTP auth works fine so no relaying can be done from unauthenticated users.

So the process of receiving mail is the same as sending mail with the server, I didn't know that receiving and sending was the same thing.

So I can make a fake account in my mail client with whatsoever information besides the SMTP domain, and if I enter mail.somedomain.tld there, then I can use this account to send mails to all users connected/handled by that mail server? Is that right?

What is the difference of these options?
smtp_sasl_auth_enable
smtpd_sasl_auth_enable

Regards,
Leif
#3726
Joe (Admin)
Re: Re: Re: SECURITY: How do I enable SMTP authentication on outgoing mail. 2007/02/02 02:39  
Hey Leif,

> So I can make a fake account in my mail client with whatsoever information besides the SMTP domain, and if I enter mail.somedomain.tld there, then I can use this account to send mails to all users connected/handled by that mail server? Is that right?

Yep, it's pretty widely regarded as a mistake...but kinda like democracy, it's the best idea we've got so far. ;-)

Mail servers can be configured to authenticate betwixt themselves...but this is only useful in situations where you know which mail servers you're going to be talking to. This isn't possible with current mail infrastructure (because there are millions of mail servers out there and they change constantly).

The difference between the options you've listed is which side is doing the authenticating. The smtp (client) or smtpd (server) side. So, if you had an upstream MTA at your service provider and needed to route all of your mail through it, you could configure Postfix to authenticate to it. But, realistically, for most users the smtp_sasl_auth_enable option is not useful. That said, as spam filtering gets more aggressive we may find that us "single server" mail users might have to start routing through our hosting provider's server in order to get some legitimacy in the eyes of the spam filter heuristics. But, of course, spammers would just route through them, too. ;-)
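Added example (not part of the original thread, and not Postfix code): a simplified first-match model of how an smtpd_recipient_restrictions list of permit_mynetworks, permit_sasl_authenticated and reject_unauth_destination treats the cases discussed above, next to a hypothetical "authenticated senders only" list. The session data and the function and variable names are constructed for illustration.

```python
# Simplified first-match model of a Postfix smtpd_recipient_restrictions list.
# Illustration only: real Postfix supports many more restrictions and lookups.

def evaluate(restrictions, *, in_mynetworks, sasl_authenticated, rcpt_domain_hosted):
    """Return 'permit' or 'reject' for one RCPT TO, walking the list left to right."""
    for name in restrictions:
        if name == "permit_mynetworks" and in_mynetworks:
            return "permit"
        if name == "permit_sasl_authenticated" and sasl_authenticated:
            return "permit"
        if name == "reject_unauth_destination" and not rcpt_domain_hosted:
            return "reject"   # relay attempt to a domain this server does not host
        if name == "reject":
            return "reject"   # unconditional reject
    return "permit"           # end of list reached without a decision: permit

# The three restrictions discussed in this thread.
DEFAULT = ["permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination"]
# Hypothetical list that demands authentication from every sender (assumption).
AUTH_ONLY = ["permit_mynetworks", "permit_sasl_authenticated", "reject"]

# Constructed sessions: (description, in_mynetworks, sasl_authenticated, rcpt_domain_hosted)
SESSIONS = [
    ("remote MTA delivering to a local user", False, False, True),
    ("remote host relaying to another domain", False, False, False),
    ("authenticated user sending to another domain", False, True, False),
]

def decisions(restrictions):
    """Map each constructed session to the verdict the list gives it."""
    return {
        desc: evaluate(restrictions, in_mynetworks=net,
                       sasl_authenticated=auth, rcpt_domain_hosted=hosted)
        for desc, net, auth, hosted in SESSIONS
    }

if __name__ == "__main__":
    for label, rules in (("default", DEFAULT), ("auth-only", AUTH_ONLY)):
        for desc, verdict in decisions(rules).items():
            print(f"{label:10} {desc:46} {verdict}")
```

With the auth-only list, the remote MTA delivering to a local user is rejected, which is the "no one will be able to send mail to your users" outcome described earlier in the thread.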
#3727
Blueforce (User)
Re: Re: Re: Re: SECURITY: How do I enable SMTP authentication on outgoing mail. 2007/02/02 04:07  
Hi,

All these questions are a result of the increasing or should we say exploding amounts of spam mails the past 2-4 months. And we started to receive 2-4 infected mails to most of the users/domains each day.

I have Spamassassin configured rather strict, I have many Header and Body Tests (I think I add a couple each week) so I think Spamassassin is rather ok.

I have now added a MIME header check to take care of all the infected .exe files, I use this Regular expression:
/name=[^>]*\.(bat|com|exe|dll|vbs)/ REJECT
It looks like it works fine, no more infected .exe files :-)

So now I'm thinking of adding a few lines to my Postfix main.cf file, but I'm not sure if it's doing me any good.
I really would appreciate if you could take a quick look and tell me if I should or shouldn't use them. Or if you have any other suggestions on how to tighten up Postfix and hopefully minimize the amount of spam.

This is the bottom part of main.cf as it looks now:
readme_directory = /usr/share/doc/postfix-2.2.2/README_FILES
virtual_alias_maps = hash:/etc/postfix/virtual
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
message_size_limit = 25600000
header_checks = regexp:/etc/postfix/mime_header_checks

And these are the lines I'm thinking of using:
readme_directory = /usr/share/doc/postfix-2.2.2/README_FILES
virtual_alias_maps = hash:/etc/postfix/virtual
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_invalid_hostname permit
smtpd_sender_restrictions = permit_sasl_authenticated permit_mynetworks reject_non_fqdn_sender reject_unknown_sender_domain permit
smtpd_recipient_restrictions = reject_unauth_pipelining reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks permit_sasl_authenticated reject_unauth_destination
message_size_limit = 25600000
header_checks = regexp:/etc/postfix/mime_header_checks

Regards,
Leif
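Added example (not part of the original thread): a check of the attachment-name pattern from the post above against constructed MIME headers, comparing the form with an escaped dot to the same pattern with a bare dot. It assumes Python's `re` behaves like Postfix's regexp table for this pattern (case-insensitive, matched against each unfolded header); the sample headers and function names are made up for the test.

```python
import re

# Postfix regexp tables match case-insensitively by default, hence re.I.
ESCAPED = re.compile(r'name=[^>]*\.(bat|com|exe|dll|vbs)', re.I)
BARE_DOT = re.compile(r'name=[^>]*.(bat|com|exe|dll|vbs)', re.I)

def logical_headers(raw):
    """Join folded continuation lines so each header is matched as one string."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        elif line:
            headers.append(line)
    return headers

def verdict(pattern, raw):
    """Return 'REJECT' if any logical header matches, else 'no match'."""
    hit = any(pattern.search(h) for h in logical_headers(raw))
    return "REJECT" if hit else "no match"

# Constructed MIME part headers (not taken from real mail).
SAMPLES = {
    "exe_folded": 'Content-Type: application/octet-stream;\n\tname="invoice.EXE"\n',
    "welcome_txt": 'Content-Type: text/plain; name="welcome.txt"\n',
    "com_in_name": 'Content-Disposition: attachment;\n filename="www.example.com-report.pdf"\n',
    "jpg": 'Content-Type: image/jpeg; name="holiday.jpg"\n',
}

def results(pattern):
    return {label: verdict(pattern, raw) for label, raw in SAMPLES.items()}

if __name__ == "__main__":
    for label in SAMPLES:
        print(f"{label:12} escaped={results(ESCAPED)[label]:9} "
              f"bare_dot={results(BARE_DOT)[label]}")
```

The bare dot also rejects `welcome.txt` (any character followed by "com"), and because the pattern is not anchored to the end of the file name, even the escaped form rejects a PDF whose name contains ".com". On a live system, `postmap -q` against the regexp table tests a single header line the same way.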
#3730
Joe (Admin)
Re: Re: Re: Re: Re: SECURITY: How do I enable SMTP authentication on outgoing mail. 2007/02/02 12:03  
Hey Leif,

Sounds like ClamAV isn't working, if you're having to block .exe to avoid viruses. Have a look at your maillog while sending a message to the box, and see what it says about clam. There's also a test file that you can send that should always be blocked...it just ensures that ClamAV is scanning and is able to delete infected files in your current configuration. Just download this file:

http://www.eicar.org/download/eicar.com

And mail it to your server. It's not actually a virus, but every virus scanner will detect it as one, so you might have to go to extra lengths to download it and/or send it, if you have a virus scanner on your PC or on your outgoing mail server. If that proves too difficult, you can do it all locally:

wget http://www.eicar.org/download/eicar.com

cat eicar.com | uuencode eicar.com | mail root -s "Testing"

But you'll need to install the sharutils package first, if you don't already have it (it might be called something else on platforms other than the Red Hat based ones...but whatever it's called, you need the uuencode command).
#3731
Blueforce (User)
Re: Re: Re: Re: Re: Re: SECURITY: How do I enable SMTP authentication on outgoing mail. 2007/02/02 19:35  
Hi Joe,

I have been suspecting something is wrong with ClamAV for some time now. You can see this in:
http://www.virtualmin.com/forums/message-view?message_id=84388
Please read the whole thread.

I installed sharutils, downloaded eicar testvirus, mailed root, and checked my mail and received a "virus" mail. In other words, ClamAV is NOT working as it should, as I have suspected for some time. Here is the maillog:
Feb 3 02:05:37 server postfix/pickup[30880]: A0CD91108001: uid=0 from=<root>
Feb 3 02:05:37 server postfix/cleanup[31448]: A0CD91108001: message-id=<20070203010537.A0CD91108001@server.indecta.se>
Feb 3 02:05:37 server postfix/qmgr[30881]: A0CD91108001: from=<root@server.indecta.se>, size=429, nrcpt=1 (queue active)
Feb 3 02:05:44 server postfix/local[31449]: A0CD91108001: to=<server.indecta@server.indecta.se>, orig_to=<root>, relay=local, delay=7, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
Feb 3 02:05:44 server postfix/qmgr[30881]: A0CD91108001: removed

So, any ideas what to do?

And do you have any suggestions about the added options to Postfix main.cf?

Regards,
Leif
#3737
Blueforce (User)
Re: Re: Re: Re: Re: Re: Re: SECURITY: How do I enable SMTP authentication on outgoing mail. 2007/02/03 17:50  
Hi Joe,

ClamAV is obviously not working!
Where do I start looking for the problem?

Regards,
Leif
#3738
Joe (Admin)
Troubleshooting ClamAV 2007/02/03 19:51  
Hey Leif,

Ok, ClamAV isn't working. Let's figure out why:

Does clamscan work? cd to the dir where you downloaded eicar.com (or download it now).

# clamscan eicar.com

You should get something like this:

eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 80498
Engine version: 0.88.7
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Time: 1.435 sec (0 m 1 s)


You may also get a warning about the virus database age, if freshclam isn't running.

If that works, then we'll need to get some logs to find out what's going wrong:

Turn on procmail logging by adding the following to the top of your /etc/procmailrc:


LOGFILE=/var/log/procmail.log
VERBOSE=yes
LOGABSTRACT=all
LOG="Mail is to $LOGNAME "


Then watch /var/log/procmail.log while sending mail to your system. This might turn up something.

If it doesn't...I'll be happy to drop in on the box and troubleshoot it.