
PostFix Not 100% Secure on ZPanel/Sentora
#1
PostFix Not 100% Secure on ZPanel/Sentora
I came under a DDOS attack a few days ago and learned the hard way that the default config in Sentora/Zpanel is not completely secure from relay attacks. Although the config is well written, you do need to make some changes if you want to completely prevent attacks in the future from happening. Since I spent so much time figuring this out, I figured I would post it for anyone else who has this issue or wants to make sure they don't get relay-hacked.

The first thing you need to do is edit the config and put relay protection in place. The default config is still open to attacks by someone who is very knowledgeable on Postfix. This is what you do to secure your box. PLEASE MAKE A BACKUP OF ALL FILES MODIFIED AND SYSTEM BEFORE DOING THIS. I RUN UBUNTU 12.x so this may be slightly different on other Linux distros:

1. cd /etc/postfix (Takes you to the postfix directory with config files)

2. sudo nano main.cf (edit the main postfix file with admin rights)

3. Under network settings, make the following changes:
# network settings

inet_interfaces = all
mydomain   = host1.smsithosting.com
myhostname = host1.smsithosting.com
mynetworks = 192.168.0.0/24 <-- Change this to your local IP subnet
mydestination = localhost.$mydomain, localhost
relay_domains = proxy:mysql:/etc/zpanel/configs/postfix/mysql-relay_domains_maps.cf

4. Make sure your authentication section has these settings:
# authentication

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous <-- IMPORTANT
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
fallback_relay =
smtpd_sasl_authenticated_header = yes
smtpd_delay_reject = no

5. Make sure your rules section has these settings:
# rules restrictions

smtpd_client_restrictions = permit_mynetworks <-- IMPORTANT
smtpd_helo_restrictions = permit_mynetworks
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_recipient_restrictions = permit_sasl_authenticated, <-- MAKE SURE YOU HAVE ALL THESE
        permit_mynetworks,
        reject_unauth_destination,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,   <-- THESE SETTINGS WILL STOP ATTACKS
        reject_unknown_recipient_domain,
        reject_invalid_hostname,
        reject_unknown_hostname,
        reject_unknown_sender_domain,
        reject_non_fqdn_hostname
# uncomment for realtime black list checks <-- UNCOMMENT THESE SETTINGS IF YOU WANT SPAM CHECKING
       ,reject_rbl_client zen.spamhaus.org  <--THIS IS A GREAT WAY TO STOP SPAM FOR FREE
       ,reject_rbl_client bl.spamcop.net
       ,reject_rbl_client dnsbl.sorbs.net

6. Make sure these various settings are in your file:
smtpd_helo_required = yes

unknown_local_recipient_reject_code = 550
disable_vrfy_command = yes
smtpd_data_restrictions = reject_unauth_pipelining
message_size_limit=20480000
relayhost =

7. Save the config.

8. Reboot the server or restart the Postfix processes.

Additional Tools:
To watch what is happening on your server and whether it is blocking spam or attacks after changes, run this command to see realtime logging:
tail -f /var/log/mail.log -n 100

To see your pending queue and whether your server is loaded with junk email, run this command to show the Postfix queue. If your queue is overloaded with garbage, run the next command to clean it out:
postqueue -p

To delete any relay or spam stuck in your queue from an attack, run the command below. This will delete your queues in Postfix and ensure your server is not bogged down with crap. Please note this can also delete good mail, so be careful with this command and use it only if needed:
sudo postsuper -d ALL

I hope this helps all of you properly secure your Postfix server from relay attacks. Zpanel and Sentora have done a great job with the default configs but they are still open to attack as I found a few days ago. Making the above changes will ensure no one can relay or take advantage of your email server. 

Scott
#2
RE: PostFix Not 100% Secure on ZPanel/Sentora
Thanks for input will check those settings for sure..

We care about securing Sentora, and maybe when we have time we should add policyD to set email quotas too.

M B
#3
RE: PostFix Not 100% Secure on ZPanel/Sentora
I may not agree on using blacklists; this will reject a lot of spam but will result in painful false positives. Far better to use it in a scoring system.

Will check all the other settings.

Notice ALL help here over Sentora security is welcome.

M B
#4
RE: PostFix Not 100% Secure on ZPanel/Sentora
(09-15-2014, 05:28 AM)Me.B Wrote: I may not agree on using blacklists; this will reject a lot of spam but will result in painful false positives. Far better to use it in a scoring system.

Will check all the other settings.

Notice ALL help here over Sentora security is welcome.

M B

I agree. But the blacklists are an option. You don't have to turn them on. The most important part is to make sure you have the security settings in place to stop a relay attack. These settings are from 3 days of figuring out how to stop a massive relay attack. 

They successfully got through my ZPanel servers with the default Postfix settings, so I am sharing this information in the hope that you don't have to go through the same thing I went through. I think if you include the additional settings in the distribution, it will help secure Postfix. Postfix is a really tricky animal and one setting can really throw everything off.

Postfix is super robust and can handle a ton of email; however, it is very complex and the configs are not for the faint of heart. I know many other hosts and developers use other products because of the time and expertise it takes to make sure it is secure. I personally know Postfix pretty damn well and it is still a challenge to me many times.

For example, GoDaddy and Hostek (two big hosting companies) use SmarterMail just because it is more straightforward to administer and secure. It is also much easier to diagnose. I know it's not an option here; however, maybe a simpler open source email server can be integrated into Sentora down the road.

I know Postfix has the unique ability to read SQL lists from the DB so it may be tough to replace but I definitely recommend heavy security testing if you are going to keep it in the product. 
#5
RE: PostFix Not 100% Secure on ZPanel/Sentora
ZPanel on Windows supports hMailServer, which has neat features too.

Will focus on these later and as I said policyD would offer another layer to stop abuses.

M B
#6
RE: PostFix Not 100% Secure on ZPanel/Sentora
smccarthy945

I've back-checked your settings against the defaults in ZPanel.

1. mynetworks will be locked down in Sentora to 127.0.0.1 & the server IP.

2. smtpd_sasl_security_options = noanonymous is already in the Sentora config, and in ZPanel too.

3. smtpd_client_restrictions = permit_mynetworks is not so important, as long as you don't use:

smtpd_client_restrictions = permit_mynetworks, reject

This will allow any authenticated client to go through.

4. reject_non_fqdn_recipient, <-- THESE SETTINGS WILL STOP ATTACKS ??

What attacks? This is not correct; this mainly will stop sending to emails like "postmaster" or "root" directly, without a domain name. It will not allow relay.
Note that this already exists in ZPanel/Sentora.

5. RBL: explained above as not good to use.

I was expecting you to explain a bit more what DDoS attack you got, as you point here mainly at Postfix. Was this email abuse?

M B
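Added example, not code from the thread, from Sentora or from Postfix itself: a small Python checker that reads a main.cf the way Postfix does (comment lines skipped, whitespace-led lines continuing a value) and flags the relay pitfalls raised in post #1 and post #6: no reject_unauth_destination at all, an unconditional permit placed ahead of it, permit_sasl_authenticated placed after it, and a client list ending in reject that shuts out everyone outside mynetworks. It looks at both smtpd_recipient_restrictions and smtpd_relay_restrictions (the latter exists on Postfix 2.10 and later); the two config samples are constructed for the example.

```python
import re
# Constructed sample: the thread's recommended settings (not a real server's config).
GOOD_MAIN_CF = """\
smtpd_client_restrictions = permit_mynetworks
smtpd_recipient_restrictions = permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination,
        reject_unknown_recipient_domain
"""
# Constructed sample with two mistakes discussed in the thread.
BAD_MAIN_CF = """\
smtpd_client_restrictions = permit_mynetworks, reject
smtpd_recipient_restrictions = permit_mynetworks, permit, reject_unauth_destination
"""

def parse_main_cf(text):
    """Minimal main.cf reader: 'name = value'; whitespace-led lines continue a value."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        if raw[0] in " \t" and key is not None:
            params[key] += " " + raw.strip()  # continuation of the previous value
        elif "=" in raw:
            key, value = (s.strip() for s in raw.split("=", 1))
            params[key] = value
    return params

def tokens(value):
    # Postfix accepts commas and/or whitespace between restrictions.
    return [t for t in re.split(r"[,\s]+", value) if t]

def audit_relay_policy(params):
    findings = []  # empty list means no relay problem was spotted
    lists = {n: tokens(params.get(n, "")) for n in
             ("smtpd_recipient_restrictions", "smtpd_relay_restrictions")}
    if not any("reject_unauth_destination" in lst for lst in lists.values()):
        findings.append("no restriction list contains reject_unauth_destination: open relay")
    for name, lst in lists.items():
        if "reject_unauth_destination" not in lst:
            continue
        pos = lst.index("reject_unauth_destination")
        if "permit" in lst[:pos]:
            findings.append(f"{name}: unconditional 'permit' bypasses reject_unauth_destination")
        if "permit_sasl_authenticated" not in lst[:pos]:
            findings.append(f"{name}: authenticated users are not permitted before reject_unauth_destination")
    client = tokens(params.get("smtpd_client_restrictions", ""))
    if "reject" in client and "permit_sasl_authenticated" not in client[:client.index("reject")]:
        findings.append("smtpd_client_restrictions: 'reject' refuses every client outside mynetworks")
    return findings
```

On a live box, feed it the output of postconf -n rather than the raw file so that include and default handling match what Postfix actually runs.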
#7
RE: PostFix Not 100% Secure on ZPanel/Sentora
I have, with very few false positives (none that I know of):

smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks,
    reject_invalid_hostname,
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:60000,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
# uncomment for realtime black list checks
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    permit

Also I use greylisting (a 5 minute delay on the first email from someone, but that is no hassle).
#8
RE: PostFix Not 100% Secure on ZPanel/Sentora
(11-03-2014, 03:55 AM)Skippy Wrote: Also I use greylisting (a 5 minute delay on the first email from someone, but that is no hassle).

Hi my friend, I have a question =). How can I configure greylisting in Sentora? =)
#9
RE: PostFix Not 100% Secure on ZPanel/Sentora
+1 on the greylist info,

Also, dear OP, thanks for posting; it helped me patch up some things that Sentora/Postfix left open.
#10
RE: PostFix Not 100% Secure on ZPanel/Sentora
(09-15-2014, 04:56 AM)smccarthy945 Wrote: mynetworks = 192.168.0.0/24 <-- Change this to your local IP subnet

Are you saying that you should not include your static IP address here?