Koozali.org: home of the SME Server

SOLVED - Deny sending email to certain users.

dustyp
SOLVED - Deny sending email to certain users.
« on: March 15, 2017, 09:11:46 PM »
Is there any way to deny (or disallow) certain users from sending emails in SME 9.x?
 Alternatively, Deny ALL but ALLOW certain users.
 I appear to have remote clients who are using my server to send spam. I require two or three remote users to be able to send and receive emails from anywhere in the world so have been forced to allow remote access to everybody which is dangerous.
 
« Last Edit: March 18, 2017, 02:21:49 AM by dustyp »

Stefano
Re: Deny sending email to certain users.
« Reply #1 on: March 15, 2017, 09:22:32 PM »
> I appear to have remote clients who are using my server to send spam.

well, have you any evidence of it?

if it's happening, you likely have some weak passwords or a bugged and exploited web app running on your server

Jean-Philippe Pialasse
Re: Deny sending email to certain users.
« Reply #2 on: March 16, 2017, 12:19:18 AM »
Dustyp,

First I second Stefano.

> I require two or three remote users to be able to send and receive emails from anywhere in the world so have been forced to allow remote access to everybody which is dangerous.

How exactly did you allow remote access? If you only opened webmail, imaps and/or pops using the server-manager, then only authenticated users are able to send messages. This is not a problem as long as they have strong passwords.

Hence if you have a problem, this is most likely:
- an infected client that needs some cleaning
- an insecure webapp that has been jeopardized (recently there has been a security issue in phpmailer, and just about all php webapps rely on it)
- poor and weak passwords that have been compromised.

In any case you should be able to retrace the origin by analyzing the logs: qpsmtpd, sqpsmtpd and qmail.

dustyp
Re: Deny sending email to certain users.
« Reply #3 on: March 16, 2017, 01:51:50 AM »
> well, have you any evidence of it?
>
> if it's happening, you likely have some weak passwords or a bugged and exploited web app running on your server

My evidence is that replies are received by admin that messages to users at improbable domains cannot be delivered. The undelivered subjects are not ones that any of my users would send. Also, sme9admin occasionally reports an unlikely number of sent emails.
I suspect that a user has an infected device. I have already forced everybody to change their password to a stronger one.
My only hope of finding out who is responsible is to disable accounts from sending until the spam stops.

Jean-Philippe Pialasse
Re: Deny sending email to certain users.
« Reply #4 on: March 16, 2017, 02:53:38 AM »
Stopping access for all your users is one way to do it, but not the best approach, as the spam can come from elsewhere.

Have you any web application (wordpress or similar) in your server ibays?

You pointed out that some clues are from sme9admin; this is a good start: check if both qmail and qpsmtpd show an abnormal level of mail. If you have sme9admin with the latest version available from smecontribs, you can trust the output (there was a bug in previous versions).

You can check the graphs in session and see if both qmail (outgoing) and qpsmtpd (incoming) mails are high.

If this comes from a webapp or something on the server it might be only outgoing qmail that is high, but some applications might be configured to use an account and deliver through qpsmtpd.

Then another step would be to consult the logs, either using the server manager or using the console, to check connections and find out who is sending the spam.

You can open the qmail or qpsmtpd log and search in the content for one of the senders or recipients; you will be able to find from the lines around it what IP or user it comes from.


CharlieBrady
Re: Deny sending email to certain users.
« Reply #5 on: March 16, 2017, 08:00:43 PM »
> My evidence is that replies are received by admin that messages to users at improbable domains cannot be delivered. The undelivered subjects are not ones that any of my users would send.

Those messages don't necessarily have anything to do with your server. SPAM senders use forged/stolen sender email addresses all the time.

You have to examine carefully the message headers of the non-delivery notification, to see whether the responses are really to messages sent from your server. Then if they are, you need to determine how those messages were sent.

dustyp
Re: Deny sending email to certain users.
« Reply #6 on: March 16, 2017, 11:45:54 PM »


> You can open the qmail or qpsmtpd log and search in the content for one of the senders or recipients; you will be able to find from the lines around it what IP or user it comes from.

That's the reason why I want to disable certain users from sending emails.

Stefano
Re: Deny sending email to certain users.
« Reply #7 on: March 17, 2017, 12:29:31 AM »
You don't need to do so.
You'd really start digging your logs.
I agree with Charlie: sometimes you receive non-delivery notifications but just because the sender is forged.
I'll post here an example asap (with the phone right now)

Stefano
Re: Deny sending email to certain users.
« Reply #8 on: March 17, 2017, 10:47:37 AM »
this is an example of an undeliverable message that apparently has been sent from a server of mine
Code:
Return-Path: <root@mydomain.tld>
Received: from [190.43.90.52] (unknown [190.43.90.52])
by mx21.matrix.com.br (Postfix) with ESMTP id 3B9291327ED
for <cadoro@matrix.com.br>; Fri, 10 Mar 2017 17:49:11 -0300 (BRT)
Message-ID: <A9743E5F04E31565B8F293C82FD9A974@Q5192K58QT>
From: <root@mydomain.tld>
To: <cadoro@matrix.com.br>
Subject:
Date: 10 Mar 2017 09:40:43 -0600
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0021_01D299B5.034372E8"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5994

This is a multi-part message in MIME format.

again, having bounces doesn't necessarily mean you are sending spam, but the only way to understand what's going on is to take a look at your logs
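
The header check that Charlie and Stefano describe, as an added example that is not part of the original thread: it reads the Received: headers of the returned message and compares the connecting IP recorded by the bouncing site's mail server with your own server's address. `MY_IPS` is a placeholder assumption, the sample is the header block from the post above with its continuation lines re-indented, and the check assumes your server delivers directly rather than through a smarthost.

```python
import email
import re

# Constructed sample: headers of the returned message from the post above,
# with folded continuation lines restored.
BOUNCED = """\
Return-Path: <root@mydomain.tld>
Received: from [190.43.90.52] (unknown [190.43.90.52])
\tby mx21.matrix.com.br (Postfix) with ESMTP id 3B9291327ED
\tfor <cadoro@matrix.com.br>; Fri, 10 Mar 2017 17:49:11 -0300 (BRT)
Message-ID: <A9743E5F04E31565B8F293C82FD9A974@Q5192K58QT>
From: <root@mydomain.tld>
To: <cadoro@matrix.com.br>
"""

# Assumption: the public address(es) your SME Server sends mail from.
MY_IPS = {"203.0.113.10"}  # placeholder, replace with your own

# The receiving MTA writes the address it actually saw in square brackets;
# the name after "from" is only what the client claimed in HELO.
PEER_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_peers(raw):
    """Peer IP recorded in each Received: header, newest hop first."""
    msg = email.message_from_string(raw)
    peers = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())      # unfold continuation lines
        found = PEER_IP.findall(flat)
        peers.append(found[-1] if found else None)
    return peers


def came_from_my_server(raw, my_ips=MY_IPS):
    """True if the bouncing site's MX received the message from one of my_ips.

    From: and Return-Path: are ignored because the sender controls both.
    Only the top Received: header is used: it was written by the site that
    generated the bounce, while anything below it may be forged.
    """
    peers = received_peers(raw)
    return bool(peers) and peers[0] in my_ips


if __name__ == "__main__":
    print("peer seen by recipient MX:", received_peers(BOUNCED)[0])
    print("sent through my server:", came_from_my_server(BOUNCED))
```

If this returns True for a bounce, the qpsmtpd and qmail logs for that timestamp are the next place to look.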

dustyp
SOLVED - Re: Deny sending email to certain users.
« Reply #9 on: March 18, 2017, 02:47:40 AM »
Firstly, I have given all my remote users replacement passwords, and forced them into changing them.
Secondly, I have set up individual VPN channels (all address/user configurations noted) which all come into a single subnet on my router and remotely reconfigured all the laptops to use them.
After setting the VPNs, I was able to remove all but the VPN subnet in SME manager. SME9admin is no longer reporting a lot of messages going out and spam@staubigstudio.com (my recipient of unknown incoming emails) has received no more emails since I set up the VPN.
If there are any more unexpected incomings, I will change the rule on the dozen possible VPN addresses disabling incoming IMAP and SMTP as well as their secure options.
I have had a few complaints that the users have been forced to use webmail in the past few hours, but they are users and I am the boss  :lol:

TerryF
Re: SOLVED - Re: Deny sending email to certain users.
« Reply #10 on: March 18, 2017, 03:19:45 AM »
> I have had a few complaints that the users have been forced to use webmail in the past few hours, but they are users and I am the boss  :lol:

An oldy but still and always a goody :-)

many, many solutions when that happens:  http://bofh.bjash.com/
--
qui scribit bis legit