Linode Forum
Linode Community Forums
Posted: Sun Jul 15, 2012 11:50 am
Senior Member

Joined: Wed Nov 16, 2011 8:15 am
Posts: 70
Hi,
I am running Ubuntu 10.04 LTS with Postfix/Dovecot and ISPConfig.
I have 3 virtual domains set up on my Linode. Each with its own set of email accounts.

When configuring Outlook to access/test these accounts, I noticed that I could sometimes send mails without using the right account password. It took me a little while to figure out what's happening.

Without a password, my mail server WILL NOT send to domains/destinations that are not local to my Linode. An error message is generated. That's good.
However, I found that I could send emails from one of my virtual domains to another one of my virtual domains without needing a password. NOT GOOD. Yes they are local, but they could belong to someone else who doesn't appreciate spam and might get offended. ClamAV is able to detect (presumably through a malformed header or something) these emails and adds ****SPAM**** to the subject, so it's possible to detect these emails. But how do you stop them going out in the first place?

I have SSL configured on my server, but don't necessarily want to force all clients to use it for their emails.

Any suggestions?

Cheers,
Nap

_________________
My VPS system:
(Ubuntu 14.04 LTS, Kernel 3.15.4-x86_64, Apache 2.4.7, MariaDB Server 5.5.40, MariaDB Client 5.5.41, PHP 5.5.9, ISPConfig 3.0.5.4p5, Webmin, PureFTP & Quota, phpMyAdmin, postfix, dovecot, amavis, clamav, spamassassin, awstats, fail2ban, Jailkit, bind9, vlogger, webalizer)


Posted: Sun Jul 15, 2012 1:06 pm
Senior Member

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
There is no difference between an unauthenticated mail user sending mail to a local mailbox and an unauthenticated mail server sending mail to a local mailbox. If they're going to be receiving mail from arbitrary sources on the Internet, then that's what's going to happen.

You could set up two completely different servers: one to handle outgoing mail (SMTP), one to handle incoming mail (IMAP). There would be no local mailboxes on the outgoing mail server, so all mail would require authentication. (However, the incoming mail server would still accept mail without authentication, of course.)

Also, if your local users are sending out spam that might offend your other local users, just wait until the rest of the Internet gets mail from them.

_________________
Code:
/* TODO: need to add signature to posts */
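
The behaviour described in the reply above, as an added example that is not part of the original thread: port 25 must accept unauthenticated mail for local domains, because that is how mail from other servers arrives. The settings below assume a typical Postfix layout (the thread shows no configuration); the map path, the sample addresses and the submission service are illustrative.

```conf
# /etc/postfix/main.cf (assumed layout; the thread does not show the real file)

# Typical relay control. An unauthenticated client falls through the first two
# rules, and reject_unauth_destination only rejects recipients that are NOT
# local, so mail for a hosted domain is accepted exactly like inbound MX mail.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# Added control: map each local sender address to the SASL login that owns it.
# The hash file is a placeholder; an ISPConfig system would more likely use a
# MySQL lookup against its mail user table here.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps

# Reject a MAIL FROM address that has an owner in the map when the client has
# not authenticated. Remote senders are unaffected because their addresses are
# not in the map. permit_mynetworks keeps local scripts and webmail working.
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_unauthenticated_sender_login_mismatch

# /etc/postfix/sender_login_maps (constructed sample entries)
#   alice@example.org    alice@example.org
#   bob@example.net      bob@example.net

# /etc/postfix/master.cf: a submission service on port 587 that always requires
# authentication, leaving port 25 for server-to-server mail. TLS is required
# on this port so that passwords are not sent in the clear.
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

Mail that legitimately arrives from outside with a local sender address, such as a forward or a third-party service sending on a user's behalf, is also rejected by the sender rule.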


Posted: Mon Jul 16, 2012 12:49 am
Senior Member

Joined: Wed Nov 16, 2011 8:15 am
Posts: 70
hoopycat,
Thanks for your comments. I have a single Linode at the moment, so my server will have to do both.

I've got ClamAV installed, which marks these emails with '***SPAM***'.
I'm about to implement a few guides I found at HowToForge on how to improve anti-spam performance. They include the use of GreyList.

How is everyone else handling this problem? Any other tips?

Posted: Mon Jul 16, 2012 1:05 am
Senior Member

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
Napoleon wrote:
Any other tips?

Yes, avoid HowtoForge like the plague.

The only advice they offer is bad.

There are zillions of good sysadmin blogs that tell you the correct way to set up things; HowtoForge isn't one of them.

_________________
Either provide enough details for people to help, or sit back and listen to the crickets chirp.
Security thru obscurity is a myth - and really really annoying.


Posted: Sun Aug 12, 2012 11:21 pm
Senior Member

Joined: Wed Nov 16, 2011 8:15 am
Posts: 70
skippy, I've had nothing but good experiences with the HowToForge guys, especially as I'm such a noob in this area. They've always been polite and answer my questions.

However, I do look at other places to ensure I have more than one opinion on how things should be.
