Beefing up security on mail server

#1 Wed, 09/18/2019 - 14:19
yaya-fun

Hello Virtualmin Fans!

I just started migrating my clients to Linode/Virtualmin last year through 2 freelancing server admins. Each client has their own set-up; I'm not operating as an ISP. My challenge is that I cannot always reach my server admins and e-mail issues repeat themselves. With the exception of moving clients to GSuite, I would love your advice so that I can put in place proper procedures.

1) Problem: Breach from someone clicking on a spam email and then sending everyone an email from that email address. Nothing is bulletproof, but I would like suggestions on preventative measures.

Example: After paying for expedited de-listing from a backscatterer blacklist, I checked out http://www.uceprotect.net/en/index.php?m=4&s=0 and I like the idea of #2. I sent it to my server admins. Both ignored the idea, but one used a different method (blocking IP addresses) which blocked legit IPs from sending email (ugh).

Are the ideas on the UCE Protect link valid? If so, can I hire someone to write the script (idea #2) that I can apply/modify for each client's server?

2) Problem: All clients experience more incoming spam since migrating from a managed shared server to their new cloud server. Am I doing everything I can do to filter out spam? See server specs at the bottom of this message.

a. Greylisting is not enabled; I'm concerned that it will cause more problems to whitelist legit users.

b. As of today, my server admin set a mail rate limit of 50/hr, which is handled on a domain level. This seems low to me, so I changed it to 300. 5 employees use that domain. I hope the idea of #1 replaces this solution.

3) Problem: When I need to put a band-aid on a security problem, where can I find the following information? I checked the documentation and did not find it there.

a. How do I access the logs for email when a breach happens?

b. What kind of language am I looking for in the log that will indicate the cause of the problem?

c. Where do I go to blacklist an IP address from using the server?

SYSTEM INFO:
Operating system: Ubuntu Linux 16.04.5
Perl version: 5.022001
Path to Perl: /usr/bin/perl
BIND version: 9.10
Postfix version: 3.1.0
Mail injection command: /usr/lib/sendmail -t
Apache version: 2.4.18
PHP versions: 7.0.33, 7.1.32, 7.2.22, 7.3.9
Webalizer version: 2.23-08
Logrotate version: 3.8.7
MySQL version: 5.7.27
ProFTPD version: 1.35
SpamAssassin version: 3.4.2
ClamAV version: 0.100.3

We have DKIM, SPF and DMARC in place. The free version of MXToolbox is monitoring but it's usually too late when MXToolbox reports a problem.

Thank you for your time! This post is a mouthful!
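For question 3 (which log to read and what to look for in it), here is an added example that is not from the original post or from Virtualmin: on Ubuntu, Postfix logs to /var/log/mail.log, and the script joins each message's `smtpd` line (which records `sasl_username` and the client IP of an authenticated submission) with its `qmgr` line (which records `nrcpt`, the recipient count) by queue ID, so a compromised account shows up as one login sending to far more recipients than usual, often from several unfamiliar IPs. The log lines are constructed and the thresholds are assumptions to tune per domain.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in the default Postfix 3.x syslog format (Ubuntu writes it to /var/log/mail.log).
SAMPLE_LOG = """\
Sep 18 14:19:01 mail postfix/smtpd[2101]: 3A2B1C0D4E: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.com
Sep 18 14:19:01 mail postfix/qmgr[1990]: 3A2B1C0D4E: from=<alice@example.com>, size=2048, nrcpt=120 (queue active)
Sep 18 14:19:03 mail postfix/smtpd[2102]: 5F6E7D8C9B: client=unknown[198.51.100.77], sasl_method=LOGIN, sasl_username=alice@example.com
Sep 18 14:19:03 mail postfix/qmgr[1990]: 5F6E7D8C9B: from=<alice@example.com>, size=2101, nrcpt=95 (queue active)
Sep 18 14:20:10 mail postfix/smtpd[2103]: 1A1B1C1D1E: client=pc.example.com[192.0.2.10], sasl_method=LOGIN, sasl_username=bob@example.com
Sep 18 14:20:10 mail postfix/qmgr[1990]: 1A1B1C1D1E: from=<bob@example.com>, size=980, nrcpt=2 (queue active)
Sep 18 14:21:00 mail postfix/smtpd[2104]: A1B2C3D4E5: client=mx.other.net[192.0.2.200]
Sep 18 14:21:00 mail postfix/qmgr[1990]: A1B2C3D4E5: from=<news@other.net>, size=4000, nrcpt=1 (queue active)
"""
# smtpd line of an authenticated submission: queue ID, client IP and sasl_username.
SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>\w+): client=\S*?\[(?P<ip>[^\]]+)\]"
                      r".*?sasl_username=(?P<user>\S+)")
# qmgr line for the same queue ID: nrcpt is that message's recipient count.
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>\w+): from=<[^>]*>, size=\d+, nrcpt=(?P<nrcpt>\d+)")

def summarize_sasl_senders(lines):
    """Join smtpd and qmgr lines by queue ID; unauthenticated inbound mail has no sasl_username and is skipped."""
    auth_by_qid = {}
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "ips": set()})
    for line in lines:
        m = SMTPD_RE.search(line)
        if m:
            auth_by_qid[m["qid"]] = (m["user"], m["ip"])
            continue
        m = QMGR_RE.search(line)
        if m and m["qid"] in auth_by_qid:
            user, ip = auth_by_qid[m["qid"]]
            stats[user]["messages"] += 1
            stats[user]["recipients"] += int(m["nrcpt"])
            stats[user]["ips"].add(ip)
    return dict(stats)

def flag_suspects(stats, max_recipients=100, max_ips=3):
    """Accounts whose recipient total or count of distinct client IPs exceeds the (assumed) thresholds."""
    return sorted(u for u, s in stats.items()
                  if s["recipients"] > max_recipients or len(s["ips"]) > max_ips)

if __name__ == "__main__":
    # Run on the sample, or on a real log: python3 this.py /var/log/mail.log
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    stats = summarize_sasl_senders(lines)
    for user in flag_suspects(stats):
        s = stats[user]
        print(f"{user}: {s['messages']} msgs, {s['recipients']} rcpts, from {sorted(s['ips'])}")
```

A flagged account is the one to lock and re-password first; its client IPs are the ones worth a temporary block, rather than the blanket IP blocking that caught legitimate senders.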