Decoupling mail and web services

#1 Mon, 02/01/2016 - 09:33
fuerst

After being hassled one more time with hacked WordPress installations used to mass-send spam mails, I am thinking about using different servers for web and mail services. This is to avoid having the combined web/mail server blacklisted at CBL et al. Running Virtualmin, I think that can be done this way, described earlier here https://www.virtualmin.com/node/37931:

I saw that the idea to decouple mail services from web and others is nearly 10 years old. I asked this 8 years ago too. Time to move forward, I guess :-)

My proposal to achieve this - assuming two machines:

  • First server (web): Web, DNS, Virtualmin, etc.
  • Second server (mail): Postfix, Dovecot, Spamassassin, ClamAV.
  • Sync user records using NIS from web to mail.
  • Mount user directories from web using NFS at mail.
  • Let syslog at mail send logs to web.
  • Virtualmin on web needs NFS access to mail:/etc for configuring mail related services. Easier: mount mail:/etc/{postfix,dovecot,spamassassin,clamav} by NFS at mail:/etc. This way Virtualmin can write configuration where it is used to write.
  • Avoid starting Postfix et al. at web.
  • Virtualmin's Install script needs to allow installing all, or web stuff only or mail stuff only.

As an alternative to the ideas above: much easier to implement is to have Postfix listen and/or send on a second IP address. Maybe that will just do the trick of decoupling. smtp_bind_address and/or inet_interfaces are appropriate Postfix configuration candidates.
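An added check, not from this thread or from Virtualmin, that reads a Postfix main.cf and reports whether the SMTP client's outgoing source address is separated from the web server's address; the sample main.cf and the 192.0.2.x addresses are constructed. It also accounts for the Postfix rule that a single non-loopback IPv4 address in inet_interfaces becomes the bind address automatically, so the two settings have to be read together.

```python
import ipaddress
import re

# Constructed sample main.cf: web is served from 192.0.2.10, and a second
# address 192.0.2.11 is reserved for outgoing mail (documentation-range IPs).
SAMPLE_MAIN_CF = """\
# main.cf excerpt (constructed for this example)
myhostname = mail.example.invalid
inet_interfaces = all
smtp_bind_address = 192.0.2.11
"""

def parse_main_cf(text):
    """Return a dict of main.cf settings, skipping comments and blank lines.
    Indented lines continue the previous parameter's value, as in Postfix."""
    params = {}
    last = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:
            params[last] += " " + line.strip()
            continue
        key, _, value = line.partition("=")
        last = key.strip()
        params[last] = value.strip()
    return params

def effective_bind_address(params):
    """IPv4 source address the Postfix SMTP client will use, or None.
    smtp_bind_address wins when set; otherwise, if inet_interfaces names
    exactly one non-loopback IPv4 address, Postfix uses that one; otherwise
    the kernel picks the default-route address (shared with the web IP)."""
    explicit = params.get("smtp_bind_address", "")
    if explicit:
        return explicit
    ifaces = [i for i in re.split(r"[,\s]+", params.get("inet_interfaces", "all")) if i]
    if len(ifaces) == 1 and ifaces[0] not in ("all", "loopback-only"):
        try:
            addr = ipaddress.ip_address(ifaces[0])
            if addr.version == 4 and not addr.is_loopback:
                return str(addr)
        except ValueError:
            pass  # a hostname or other token, not a numeric address
    return None

def outbound_mail_separated(main_cf_text, web_ip):
    """True when outgoing SMTP is bound to an address other than the web IP."""
    bind = effective_bind_address(parse_main_cf(main_cf_text))
    return bind is not None and bind != web_ip
```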

Mon, 02/01/2016 - 09:51
andreychek

Howdy,

A couple of other ideas for dealing with web app break-ins --

One, you could always set up sender-dependent IP addresses for sending email. Doing that is described here:

https://www.virtualmin.com/documentation/email/dependent

Two, there's an option within Virtualmin's "Email Addresses" section for setting up email rate limiting. That can be used to automatically stop outgoing email if a flood of spam is discovered.

-Eric

Mon, 02/01/2016 - 10:10
fuerst

Thanks so far! Sender-dependent IP addresses sound good, although I am rather thinking of a general way. So I guess setting smtp_bind_address in /etc/postfix/main.cf is the way.

I enabled mail rate limiting now but have to figure out how to limit per domain without configuring every domain manually. I also had to configure it for use with Postfix in /etc/milter-greylist/greylist.conf. It was set for Sendmail here.
