How to remove phpmail for only one domain?

  • Whenever I had "hacked" websites on my server, attackers got notice of ftp-user-accounts and abused them. So they uploaded php-scripts using ftp, which were executed by an http-call thereafter and deleted subsequently. So keep a look at proftpd's logfiles and change user-passwords if necessary. One thing to keep in mind: you cannot be sure, that spamming-scripts relay mails using postfix. Some of them got an own smtp-engine so you probably don't even notice these mails. Thats why on my system, only the postfix-user is allowed to communicate with foreign hosts with destination port 25.


    If I'd start the webhosting-business again from scratch, I'd additionally implement the configuration from Nuxwin's previous post. Unfortunately I didn't enforce this in the very beginning. So now, with hundrets of domains running, I cannot simply change this, because my client's websites rely on "trusted localhost". That said: by enforcing client-authentication (postfix) in parallel with the firewall-thing described above, you can almost certainly be sure, that your server will not be abused by spammers. Exception: attackers get notice of mail-accounts of your clients...


    To explain this what is happening on your server...
    In general, there are two way of sending mails using php:
    a) The function mail(), which is an integrated part of php. By disabling this function using php.ini, you can prevent users to use this way of sending mails.
    b) You code an own mail-engine using php - this is especially the case when using phpmailer. This framework doesn't rely on mail(), so disabling the function doesn't affect this. And as I said above: these engines doesn't use postfix necessarily...

  • @biologist


    How you are restricting outbound traffic on port 25 (and I presumes also on port 587) to the postfix user exactly? I'm curious here because I didn't know that possibility...

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

  • @biologist


    Do you think that it could be interesting to setup such rule by default? In version 2.0.0, we will add a firewall module (alla proxmox way) but for now, we could setup that rules through the network manager. So? The only problem is for VM in which iptables is not always available (or where the owner iptables kernel module is not available) but in such case, we can go ahead by ignoring such environments ;)


    BTW: You also restrict the port 587, right?

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

  • Yes, I absolutely think so! One time I had this problem with massive spamming (with "big party" subsequently, because my IP was blacklisted). While analyzing the source I recognized, that not only mails via postfix were relayed but also directly with an own smtp-engine. That's when I implemented this. After then there were another situations, were a script tried to relay directly. But this time, I was on the driver's seat :-)
    In the end, there was not even one user complaining about not beeing able to relay directly.


    I have to admit: I just implemented this for port 25, but it would rather make sense to do the same for 465 and 587 :-)


    EDIT: Just reviewed my firewall-script - dport 465 and dport 587 are not allowed at all. Only sports 465/587 are allowed (without restriction) but as postfix is usually attached to these ports, this is fine.

  • @biologist


    To resume, you forbid any outbound traffic by default (on ports 25, 587, 465 ), and then allow postfix user with iptables owner module, right?

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

  • @biologist


    To resume:


    Shell-Script
    1. [email protected]:/# modinfo ipt_ownerfilename: /lib/modules/3.16.0-4-amd64/kernel/net/netfilter/xt_owner.koalias: ip6t_owneralias: ipt_ownerlicense: GPLdescription: Xtables: socket owner matchingauthor: Jan Engelhardt <[email protected]>depends: x_tablesintree: Yvermagic: 3.16.0-4-amd64 SMP mod_unload modversions [email protected]:/# modprobe [email protected]:/# iptables -A OUTPUT -p tcp --dport 25 -m owner ! --uid-owner postfix -j [email protected]:/# iptables -A OUTPUT -p tcp --dport 465 -m owner ! --uid-owner postfix -j [email protected]:/# iptables -A OUTPUT -p tcp --dport 587 -m owner ! --uid-owner postfix -j REJECT


    Result:


    Shell-Script
    1. [email protected]:/# iptables -L OUTPUTChain OUTPUT (policy ACCEPT)target prot opt source destination IMSCP_OUTPUT all -- anywhere anywhere REJECT tcp -- anywhere anywhere tcp dpt:smtp ! owner UID match postfix reject-with icmp-port-unreachableREJECT tcp -- anywhere anywhere tcp dpt:urd ! owner UID match postfix reject-with icmp-port-unreachableREJECT tcp -- anywhere anywhere tcp dpt:submission ! owner UID match postfix reject-with icmp-port-unreachable


    BTW: I would advocate DROP instead of REJECT. This would avoid sending back icmp responses:


    Shell-Script
    1. [email protected]:/# iptables -A OUTPUT -p tcp --dport 25 -m owner ! --uid-owner postfix -j DROP
    2. [email protected]:/# iptables -A OUTPUT -p tcp --dport 465 -m owner ! --uid-owner postfix -j DROP
    3. [email protected]:/# iptables -A OUTPUT -p tcp --dport 587 -m owner ! --uid-owner postfix -j DROP


    Edit: Forgot about DROP since this can slow down legitimate applications...

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

  • My general FW-Policy:
    as per default, I drop everything IN + OUT. After then, beside of localhost and icmp-rules, I add rules for IN as well as OUT for every service. This is a bit complicated, as you have to think in both directions, but gives granular control about what is allowed. I usually DROP unwanted traffic but this is just my opinion.


    However, your script above for postfix is just the other way around (negation) but works the same. As I already stated, I don't allow any dport 465/587-communication - does postfix really try to use these ports as dports?


    One thing to keep in mind: even root is not allowed to use port 25 outgoing, when it's only configured for postfix. This is ok, but one has to remember this when doing any connection-tests (using telnet) :-)

  • @biologist


    In some setup, yes, postfix is submitting the mails through port 587 (eg. when configured as smarthost). This is the case when you use our smarthost listener ( Postfix acts as a simple smtp client which connects to a remote smtp host. Authentication is made via SASL ). For the port 465, this is almost useless.

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

  • @biologist


    As a bonus we could also implement postfix restriction classes. See http://www.postfix.org/RESTRICTION_CLASS_README.html ;)

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206