
PostFix Not 100% Secure on ZPanel/Sentora
I came under a DDoS attack a few days ago and learned the hard way that the default config in Sentora/Zpanel is not completely secure from relay attacks. Although the config is well written, you do need to make some changes if you want to completely prevent attacks in the future from happening. Since I spent so much time figuring this out, I figured I would post it for anyone else who has this issue or wants to make sure they don't get relay-hacked.

The first thing you need to do is edit the config and put relay protection in place. The default config is still open to attacks by someone who is very knowledgeable on Postfix. This is what you do to secure your box. PLEASE MAKE A BACKUP OF ALL FILES MODIFIED AND SYSTEM BEFORE DOING THIS. I RUN UBUNTU 12.x so this may be slightly different on other Linux distros:

1. cd /etc/postfix (Takes you to the postfix directory with config files)

2. sudo nano main.cf (edit the main postfix file with admin rights)

3. Under network settings, make the following changes:
# network settings

inet_interfaces = all
mydomain   = host1.smsithosting.com
myhostname = host1.smsithosting.com
mynetworks = 192.168.0.0/24 <-- Change this to your local IP subnet
mydestination = localhost.$mydomain, localhost
relay_domains = proxy:mysql:/etc/zpanel/configs/postfix/mysql-relay_domains_maps.cf

4. Make sure your authentication section has these settings:
# authentication

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous <-- IMPORTANT
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
fallback_relay =
smtpd_sasl_authenticated_header = yes
smtpd_delay_reject = no

5. Make sure your rules section has these settings:
# rules restrictions

smtpd_client_restrictions = permit_mynetworks <-- IMPORTANT
smtpd_helo_restrictions = permit_mynetworks
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_recipient_restrictions = permit_sasl_authenticated, <-- MAKE SURE YOU HAVE ALL THESE
        permit_mynetworks,
        reject_unauth_destination,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,   <-- THESE SETTINGS WILL STOP ATTACKS
        reject_unknown_recipient_domain,
        reject_invalid_hostname,
        reject_unknown_hostname,
        reject_unknown_sender_domain,
        reject_non_fqdn_hostname
# uncomment for realtime black list checks <-- UNCOMMENT THESE SETTINGS IF YOU WANT SPAM CHECKING
#       ,reject_rbl_client zen.spamhaus.org  <--THIS IS A GREAT WAY TO STOP SPAM FOR FREE
#       ,reject_rbl_client bl.spamcop.net
#       ,reject_rbl_client dnsbl.sorbs.net

6. Make sure these various settings are in your file:
smtpd_helo_required = yes

unknown_local_recipient_reject_code = 550
disable_vrfy_command = yes
smtpd_data_restrictions = reject_unauth_pipelining
message_size_limit=20480000
relayhost =

7. Save the config.

8. Reboot the server or restart the Postfix processes.

Additional Tools:
To watch what is happening on your server and whether it is blocking spam or attacks after changes, run this command to see realtime logging:
tail -f /var/log/mail.log -n 100

To see your pending queue and whether your server is loaded with junk email, run this command to show the Postfix queue. If your queue is overloaded with garbage, run the next command to clean it out:
postqueue -p

To delete any relay or spam stuck in your queue from an attack, run the following. This will delete your queues in Postfix and ensure your server is not bogged down with crap. Please note this can also delete good mail, so be careful with this command and use it only if needed:
sudo postsuper -d ALL

I hope this helps all of you properly secure your Postfix server from relay attacks. Zpanel and Sentora have done a great job with the default configs but they are still open to attack as I found a few days ago. Making the above changes will ensure no one can relay or take advantage of your email server. 

Scott
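A small audit script, added here as an example and not part of Scott's post, that reads a main.cf the way Postfix does (continuation lines joined, last definition wins) and flags the relay-related weaknesses the post's settings close: a missing or mis-ordered reject_unauth_destination, SASL without noanonymous, an over-broad mynetworks, and HELO/VRFY left open. The two sample configs it writes are constructed for the demonstration, not taken from any real server.

```shell
#!/bin/sh
# Added example, not from the original post: audit a main.cf for the relay
# settings the post lists, without postconf. Postfix joins lines that start
# with whitespace onto the previous parameter; the last definition wins.

# pf_get FILE PARAM: print PARAM's effective value, continuation lines joined.
pf_get() {
    awk -v key="$2" '
        /^[ \t]/ { if (found) { sub(/^[ \t]+/, ""); val = val " " $0 }; next }
        { found = 0 }
        $0 ~ "^" key "[ \t]*=" { found = 1; seen = 1; sub(/^[^=]*=[ \t]*/, ""); val = $0 }
        END { if (seen) print val }' "$1"
}

# pf_audit FILE: print one line per weakness; exit status = number of findings.
pf_audit() {
    n=0
    rr=" $(pf_get "$1" smtpd_recipient_restrictions | tr ',' ' ') "
    case "$rr" in *" reject_unauth_destination "*) ;;
        *) echo "no reject_unauth_destination: open relay"; n=$((n+1)) ;; esac
    # A bare "permit" before reject_unauth_destination relays for everyone.
    case "$rr" in *" permit "*" reject_unauth_destination "*)
        echo "'permit' precedes reject_unauth_destination"; n=$((n+1)) ;; esac
    case "$(pf_get "$1" smtpd_sasl_security_options)" in *noanonymous*) ;;
        *) echo "smtpd_sasl_security_options lacks noanonymous"; n=$((n+1)) ;; esac
    case " $(pf_get "$1" mynetworks | tr ',' ' ') " in *" 0.0.0.0/0 "*)
        echo "mynetworks trusts the whole Internet"; n=$((n+1)) ;; esac
    for p in smtpd_helo_required disable_vrfy_command; do
        [ "$(pf_get "$1" "$p")" = yes ] || { echo "$p is not 'yes'"; n=$((n+1)); }
    done
    return "$n"
}

# Constructed sample configs for demonstration (not from any real server).
pf_sample_weak() {      # writes a relay-prone main.cf to $1
    printf '%s\n' 'mynetworks = 192.168.0.0/24, 0.0.0.0/0' \
        'smtpd_sasl_security_options =' 'disable_vrfy_command = no' \
        'smtpd_recipient_restrictions = permit,' \
        '        reject_unauth_destination' > "$1"
}
pf_sample_hardened() {  # the restriction ordering recommended in the post
    printf '%s\n' 'mynetworks = 192.168.0.0/24' \
        'smtpd_sasl_security_options = noanonymous' \
        'smtpd_helo_required = yes' 'disable_vrfy_command = yes' \
        'smtpd_recipient_restrictions = permit_sasl_authenticated,' \
        '        permit_mynetworks,' '        reject_unauth_destination,' \
        '        reject_non_fqdn_recipient' > "$1"
}
```

Run it against a live file with `pf_audit /etc/postfix/main.cf`; a zero exit status means none of the checks fired.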
PostFix Not 100% Secure on ZPanel/Sentora - by smccarthy945 - 09-15-2014, 04:56 AM