This website is deprecated, and remains online only for historic access to old issues and docs for historic versions of Virtualmin. It has been unmaintained for several years, and should not be relied on for up-to-date information. Please visit www.virtualmin.com instead.

Decoupling mail and web services

3 posts / 0 new

Topic locked

Last post

#1 Mon, 02/01/2016 - 09:33

fuerst

Decoupling mail and web services

After hassled one more time with hacked Wordpress installations used to mass send Spam mails I think about using different servers for web and mail services. This is to avoid having the combined web/mail server blacklisted at CBL et al. Running Virtualmin I think that can be done this way - described earlier hier https://www.virtualmin.com/node/37931:

I saw the idea to decouple mail services from web and others is nearly 10 years old. Me asking this 8 years ago too. Time to move forward I guess :-)

My proposal to achieve this - assuming two machines:

First server (web): Web, DNS, Virtualmin, etc.
Second server (mail): Postfix, Dovecot, Spamassassin, ClamAV.
Sync user records using NIS from web to mail.
Mount user directories from web using NFS at mail.
Let syslog at mail send logs to web.
Virtualmin on web needs NFS access to mail:/etc for configuring mail related services. Easier: mount mail:/etc/{postfix,dovecot,spamassassin,clamav} by NFS at mail:/etc. This way Virtualmin can write configuration where it is used to write.
Avoid starting postfix et all at web.
Virtualmin's Install script needs to allow installing all, or web stuff only or mail stuff only.

As an alternative to the ideas above: Much easier to be implemented is to have Postfix listen and/or sending at a second IP address. May be that will just do the trick of decoupling. smtp_bind_address and/or inet_interfaces are appropriate Postfix configuration candidates.

#2 Mon, 02/01/2016 - 09:51

andreychek

Howdy,

A couple of other ideas for dealing with web app breakins --

One, you could always setup sender dependent IP addresses for sending email. Doing that is described here:

https://www.virtualmin.com/documentation/email/dependent

Two, there's an option within Virtualmin's "Email Addresses" section for setting up email rate limiting. That can be used to automatically stop outgoing email if a flood of spam is discovered.

-Eric

#3 Mon, 02/01/2016 - 10:10

fuerst

Thanks so far! Sender dependent IP addresses sounds good although I rather think of a general way. So I guess setting smtp_bind_address in /etc/postfix/main.cf is the way.

I enabled mail rate limiting now but have to figure out how to limit per domain without configuring every domain manually. I also had to configure it for use wit Postfix in /etc/milter-greylist/greylist.conf. It was set for Sendmail here.

Topic locked