SMTP Restrictions (formerly SMTP Tweak) [#32896]

Submitted by Mostafa on Thu, 04/10/2014 - 12:04

Hello,

Recently cpanel has added a feature called SMTP Restrictions:

" You may want to prevent users from bypassing your mail server to send mail. This is common practice for spammers.

This feature allows you to configure your server so that the mail transport agent (MTA), Mailman mailing list software, and root user are the only accounts able to connect to remote SMTP servers. "

Please add this good feature to virtualmin too.

Thanks

Status:

Active

Comments

Submitted by Locutus on Thu, 04/10/2014 - 13:10 Comment #1

Sounds very interesting! Do you know how cPanel implements this?

Submitted by Mostafa on Thu, 04/10/2014 - 13:51 Comment #2

I found that csf has that feature, called SMTP_BLOCK

###############################################################################
# SECTION:SMTP Settings
###############################################################################
# Block outgoing SMTP except for root, exim and mailman (forces scripts/users
# to use the exim/sendmail binary instead of sockets access). This replaces the
# protection as WHM > Tweak Settings > SMTP Tweaks
#
# This option uses the iptables ipt_owner/xt_owner module and must be loaded
# for it to work. It may not be available on some VPS platforms
#
# Note: Run /etc/csf/csftest.pl to check whether this option will function on
# this server
SMTP_BLOCK = "1"
 
# If SMTP_BLOCK is enabled but you want to allow local connections to port 25
# on the server (e.g. for webmail or web scripts) then enable this option to
# allow outgoing SMTP connections to the loopback device
SMTP_ALLOWLOCAL = "0"
 
# This is a comma separated list of the ports to block. You should list all
# ports that exim is configured to listen on
SMTP_PORTS = "25,465,587"
 
# Always allow the following comma separated users and groups to bypass
# SMTP_BLOCK
#
# Note: root (UID:0) is always allowed
SMTP_ALLOWUSER = ""
SMTP_ALLOWGROUP = "mail,mailman"

Submitted by JamieCameron on Thu, 04/10/2014 - 19:29 Comment #3

Ok, so do they setup a firewall rule to block outgoing port 25 connections?

You could do this in Virtualmin already, at Webmin -> Network -> Linux Firewall.

Submitted by JamieCameron on Thu, 04/10/2014 - 19:30 Comment #4

Submitted by sgrayban on Fri, 04/11/2014 - 05:56 Comment #5

Hmm that's a interesting feature....

Submitted by sgrayban on Fri, 04/11/2014 - 06:00 Comment #6

Looks like this is part of a software called ConfigServer -- http://www.configserver.com/

See http://www.configserver.com/cp/csf.html

Submitted by Mostafa on Fri, 04/11/2014 - 06:05 Comment #7

If you don't want to install csf, you can use 'iptables ipt_owner/xt_owner module'. Using this feature beside Mail limit feature and mail.log feature of php 5.3, you can more easily deal with spam...

Submitted by sgrayban on Fri, 04/11/2014 - 06:17 Comment #8

Yup you can do that -- see http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single... for help