Linode Forum
Linode Community Forums
PostPosted: Tue Feb 24, 2015 7:55 pm 
Junior Member

Joined: Thu Dec 16, 2010 4:02 pm
Posts: 21
Website: http://www.onlythebible.com
Hi guys, I'm a noob when it comes to email servers. But I set up a Linode a few weeks ago, installed Ubuntu 14.0.4 and VestaCP with Exim/Dovecot, Apache, Nginx etc.

The ip was blacklisted after about a week, on CBL, for sending spam emails or emails infected with a trojan.

I've got no idea how that happened... I haven't sent a lot of emails from it.

I installed Spam assassin and ClamAV, delisted the ip and hoped that that would fix the problem.

Yesterday the server was blacklisted again :( :|

I spent hours researching and figured I needed to block outgoing SMTP port 25 connections.

I tried a few different rules, not really knowing what I was doing. Anyhow, I've ended up blocking all port 25 connections, by simply not specifying any rules for port 25 and denying all by default in iptables.

But I'm puzzled. From what I read, this should stop all incoming and outgoing mail from my server? But it appears that the mail server is still working ok? I'm able to send and receive emails.

I'm just looking for a bit of advice... Am I doing the right thing by not allowing any port 25 connections? Or should I allow incoming and not outgoing, or vice versa? What other things could I be doing to try and stop spammers from taking advantage of my server?

Any help is much appreciated :D

Here's my iptables:

Code:
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 21,12000:12100 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 465,587,2525 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 110,995 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 143,993 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 3306,5432 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8083 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 45.56.85.76/32 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 110 -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 5432 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 8433 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 8083 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 12000:12100 -j ACCEPT


PostPosted: Tue Feb 24, 2015 10:18 pm 
Senior Newbie

Joined: Fri Oct 19, 2012 8:35 pm
Posts: 15
CBL lists your Linode as a spam-sending IP.
You need to block OUTGOING to port 25 (unless you are really running a mail server trying to communicate with other mail servers on port 25).

So append this to your rules:
-A OUTPUT -p tcp -m tcp --dport 25 -j DROP


PostPosted: Tue Feb 24, 2015 10:48 pm 
Senior Member

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
Emmanuel2 wrote:
installed Ubuntu 14.0.4 and VestaCP with Exim/Dovecot, Apache, Nginx etc.

If you don't want email, why install Exim/Dovecot?

_________________
Either provide enough details for people to help, or sit back and listen to the crickets chirp.
Security thru obscurity is a myth - and really really annoying.


PostPosted: Tue Feb 24, 2015 11:17 pm 
Junior Member

Joined: Thu Dec 16, 2010 4:02 pm
Posts: 21
Website: http://www.onlythebible.com
Thanks guys. Yes, I actually do run a mail server and want to be able to send emails from it.

I added these three rules:

Quote:
-A OUTPUT -s 45.56.85.76/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j LOG
-A OUTPUT -p tcp -m tcp --dport 25 -j DROP


Will that do the trick?

If I'm sending all my outgoing emails through port 587, then can I just completely block all outgoing emails on port 25?
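Both the firewall pasted in the first post and the three OUTPUT rules above can be checked offline with the small rule evaluator below. It is an added example, not code from the thread or from VestaCP: it applies iptables' first-match semantics to constructed packets. It assumes 45.56.85.76 is the Linode's own address (the rules themselves don't say). On that assumption -s matches the source of every packet the box sends, so the first OUTPUT rule matches every outbound port-25 connection whatever process opens it, and the LOG and DROP rules after it never fire; if 45.56.85.76 is instead a smart host the mail is handed to, the rule wants -d rather than -s. The evaluator also shows why the --sport ACCEPT rules in the first post are a weak stand-in for a conntrack ESTABLISHED,RELATED rule, and it includes a constructed alternative that uses the owner match so that only the MTA's own user (assumed here to be Debian-exim, the user Ubuntu's Exim packages run as) may open outbound port 25:

```python
"""Offline first-match model of iptables filter chains (added example, not code
from the thread or VestaCP). Rules are written in iptables-save syntax; only the
matches used here are modelled (-p, -s, --dport/--dports, --sport, --ctstate,
--uid-owner). Packets and the "hardened" rule set are constructed illustrations."""
import ipaddress
import shlex
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    established: bool = False  # conntrack would see this as ESTABLISHED/RELATED
    uid: str = ""              # local sending user, for OUTPUT rules with -m owner


POLICY = {"INPUT": "DROP", "OUTPUT": "ACCEPT"}  # the -P lines from the first post


def _in_ports(port, spec):
    """Match against "25", "80,443" or "12000:12100" forms."""
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _matches(tokens, pkt):
    """Each option in these rules takes one value; options not modelled are ignored."""
    for opt, val in zip(tokens[::2], tokens[1::2]):
        if opt == "-p" and val != pkt.proto:
            return False
        if opt == "-s" and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(val):
            return False
        if opt in ("--dport", "--dports") and not _in_ports(pkt.dport, val):
            return False
        if opt in ("--sport", "--sports") and not _in_ports(pkt.sport, val):
            return False
        if opt == "--ctstate" and not pkt.established:
            return False
        if opt == "--uid-owner" and val != pkt.uid:
            return False
    return True


def evaluate(chain, rules, pkt):
    """Return (verdict, rule). LOG is non-terminating: it records, then falls through."""
    for rule in rules:
        tokens = shlex.split(rule)
        if tokens[:2] != ["-A", chain] or not _matches(tokens, pkt):
            continue
        target = tokens[tokens.index("-j") + 1]
        if target != "LOG":
            return target, rule
    return POLICY[chain], "chain policy"


# Excerpt of the rules posted in this thread: the --sport rules and the three
# OUTPUT rules are the ones at issue; the other ACCEPTs are left out for brevity.
OP_RULES = [
    "-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT",
    "-A INPUT -p tcp -m multiport --dports 465,587,2525 -j ACCEPT",
    "-A INPUT -s 45.56.85.76/32 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT",
    "-A OUTPUT -s 45.56.85.76/32 -p tcp -m tcp --dport 25 -j ACCEPT",
    "-A OUTPUT -p tcp -m tcp --dport 25 -j LOG",
    "-A OUTPUT -p tcp -m tcp --dport 25 -j DROP",
]

# Constructed alternative: replies are admitted by connection state instead of by
# source port, and only the MTA's user (Debian-exim, an assumption) may open :25.
HARDENED_RULES = [
    "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    "-A INPUT -p tcp -m multiport --dports 22,25,80,443,465,587 -j ACCEPT",
    "-A OUTPUT -p tcp -m tcp --dport 25 -m owner --uid-owner Debian-exim -j ACCEPT",
    '-A OUTPUT -p tcp -m tcp --dport 25 -j LOG --log-prefix "smtp-out-blocked: "',
    "-A OUTPUT -p tcp -m tcp --dport 25 -j DROP",
]

SERVER = "45.56.85.76"  # assumed to be the Linode's own address
# Constructed packets; remote addresses are taken from documentation ranges.
WEB_USER_SPAM = Packet("tcp", SERVER, "198.51.100.25", 40000, 25, uid="www-data")
MTA_DELIVERY = Packet("tcp", SERVER, "198.51.100.25", 40001, 25, uid="Debian-exim")
SMTP_REPLY = Packet("tcp", "198.51.100.25", SERVER, 25, 40001, established=True)
SPORT80_PROBE = Packet("tcp", "203.0.113.9", SERVER, 80, 9999)  # nothing opens 9999


def compare():
    """Verdict under the posted rules and under the hardened set, per scenario."""
    cases = {
        "www-data opening a direct :25 connection": ("OUTPUT", WEB_USER_SPAM),
        "the MTA delivering on :25": ("OUTPUT", MTA_DELIVERY),
        "remote MTA's reply to our outbound session": ("INPUT", SMTP_REPLY),
        "remote host hitting :9999 from source port 80": ("INPUT", SPORT80_PROBE),
    }
    return {name: (evaluate(chain, OP_RULES, pkt)[0], evaluate(chain, HARDENED_RULES, pkt)[0])
            for name, (chain, pkt) in cases.items()}


if __name__ == "__main__":
    for name, (posted, hardened) in compare().items():
        print(f"{name}: posted={posted} hardened={hardened}")
```

Run with python3 and compare() gives a (posted, hardened) verdict pair per scenario. Two things stand out: under the posted rules a process running as www-data gets the same ACCEPT on outbound port 25 as the MTA does, and a remote host that simply sends from source port 80 passes the INPUT chain for any destination port, while the remote MTA's reply to the box's own outbound SMTP session falls through to the DROP policy. The owner match only works in the OUTPUT chain, because only locally generated packets carry a sending uid, which is exactly the chain at issue here. Applying a rule-set change of this kind through iptables-apply (or another rollback mechanism) avoids locking yourself out on a typo.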


PostPosted: Tue Feb 24, 2015 11:18 pm 
Junior Member

Joined: Thu Dec 16, 2010 4:02 pm
Posts: 21
Website: http://www.onlythebible.com
And yes, I figured that by blocking all incoming on port 25 I was stopping emails from coming in. Doh!


PostPosted: Wed Feb 25, 2015 1:01 am 
Senior Newbie

Joined: Fri Oct 19, 2012 8:35 pm
Posts: 15
Emmanuel2 wrote:
Thanks guys. Yes, I actually do run a mail server and want to be able to send emails from it.

I added these three rules:

Quote:
-A OUTPUT -s 45.56.85.76/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j LOG
-A OUTPUT -p tcp -m tcp --dport 25 -j DROP


Will that do the trick?

If I'm sending all my outgoing emails through port 587, then can I just completely block all outgoing emails on port 25?


It will work if your mail server is operating in smart hub mode where all mail is just given to the 45.56.85.76 server for actual delivery.

That's what I did at home since I have a domain under Google Apps; all my mail then gets sent/relayed through Google's SMTP server on 587. (My ISP actually blocks outgoing 25.)

Now if all the mail servers you are talking to use 587, then yes, you can block off 25, but last I checked actual mail server-to-server intra-communication still uses port 25 (i.e. gmail.com to outlook.com).


PostPosted: Wed Feb 25, 2015 1:09 am 
Junior Member

Joined: Thu Dec 16, 2010 4:02 pm
Posts: 21
Website: http://www.onlythebible.com
Hmmm... ok.

How could I test to see if that configuration I have is working properly?

I seem to be able to send and receive emails no problem at the moment.


PostPosted: Wed Feb 25, 2015 1:16 am 
Senior Newbie

Joined: Fri Oct 19, 2012 8:35 pm
Posts: 15
We seem to have gone off track.

Since you need to have port 25 open as you are running a public mail server (you are sending mail to other domains directly), you'll need to audit your server, as CBL is claiming that your IP is involved in some hanky panky.

This is the real challenge when you are running your own server and you have no idea what's wrong.
I'm actually out of ideas right now.


PostPosted: Wed Feb 25, 2015 1:31 am 
Junior Member

Joined: Thu Dec 16, 2010 4:02 pm
Posts: 21
Website: http://www.onlythebible.com
Ok... well that makes two of us!


PostPosted: Wed Feb 25, 2015 2:16 pm 
Senior Member

Joined: Wed Mar 03, 2010 2:04 pm
Posts: 111
Have you run an open relay test? Maybe you've got something misconfigured. Also check your mail logs for anything outbound that you didn't send yourself (or another valid account on the system).


PostPosted: Wed Feb 25, 2015 7:45 pm 
Junior Member

Joined: Thu Dec 16, 2010 4:02 pm
Posts: 21
Website: http://www.onlythebible.com
As far as I know there is no open relay. I've tested it with mxtoolbox.


PostPosted: Wed Feb 25, 2015 8:19 pm 
Senior Member

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
If it's not an open relay, what else has the ability to send out emails? Something triggered the blacklists to label your IP a spammer.

_________________
Either provide enough details for people to help, or sit back and listen to the crickets chirp.
Security thru obscurity is a myth - and really really annoying.


PostPosted: Wed Feb 25, 2015 8:31 pm 
Junior Member

Joined: Thu Dec 16, 2010 4:02 pm
Posts: 21
Website: http://www.onlythebible.com
Yeah, well that's the problem. Maybe there's some rogue PHP script?


PostPosted: Wed Feb 25, 2015 8:35 pm 
Junior Member

Joined: Thu Dec 16, 2010 4:02 pm
Posts: 21
Website: http://www.onlythebible.com
I'm not sure what to do to try and troubleshoot it.


PostPosted: Wed Feb 25, 2015 9:37 pm 
Senior Member

Joined: Tue Apr 13, 2004 6:54 pm
Posts: 833
You need to check your mail server logs; if you see a gazillion emails from (say) www-data then you know it's coming from a web site you're hosting. If you see a gazillion mails coming in, being relayed, going out, then you have an SMTP server config error.

_________________
Rgds
Stephen
(Linux user since kernel version 0.11)
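The two checks suggested above (mail logs for outbound mail that no valid account sent, and a burst from www-data versus mail that comes in, is relayed and goes straight back out) can be scripted against Exim's mainlog, which Ubuntu's exim4 packages keep at /var/log/exim4/mainlog. The audit below is an added example, not code from the thread. Its log lines are constructed to exercise both patterns; the field names it reads (U= for a local submitting user, A= for an authenticated sender, H=host [ip] for the connecting host, T=remote_smtp for an outbound delivery) are Exim's own, while the web-user list and the burst threshold are assumptions to tune against real traffic:

```python
"""Audit an Exim mainlog for the two spam sources named above: a web-server user
injecting mail locally, and unauthenticated remote mail being relayed back out
(added example, not code from the thread). The log lines are constructed in
Exim's mainlog format; the user list and threshold are assumptions."""
import re
from collections import Counter

WEB_USERS = {"www-data", "apache", "nginx"}  # users a hosted web app would submit as
WEB_BURST_THRESHOLD = 3                        # assumption; tune to the server's real volume

# Constructed sample: one authenticated user, a burst from www-data, a message
# relayed for an unauthenticated remote host, and a normal inbound delivery.
SAMPLE_LOG = """\
2015-02-25 19:40:01 1YQa1A-0001Ab-01 <= alice@example.com H=(laptop) [203.0.113.5] P=esmtpsa A=dovecot_plain:alice@example.com S=1490 id=1@example.com
2015-02-25 19:40:02 1YQa1A-0001Ab-01 => bob@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.25]
2015-02-25 19:41:10 1YQa1B-0001Ac-02 <= offer@lottery.example U=www-data P=local S=2048 id=a@localhost
2015-02-25 19:41:11 1YQa1B-0001Ac-02 => victim1@example.org R=dnslookup T=remote_smtp H=mx.example.org [198.51.100.30]
2015-02-25 19:41:12 1YQa1C-0001Ad-03 <= offer@lottery.example U=www-data P=local S=2048 id=b@localhost
2015-02-25 19:41:13 1YQa1D-0001Ae-04 <= offer@lottery.example U=www-data P=local S=2048 id=c@localhost
2015-02-25 19:41:14 1YQa1E-0001Af-05 <= offer@lottery.example U=www-data P=local S=2048 id=d@localhost
2015-02-25 19:42:00 1YQa1F-0001Ag-06 <= spammer@bad.example H=(zombie) [192.0.2.77] P=esmtp S=900 id=e@bad.example
2015-02-25 19:42:01 1YQa1F-0001Ag-06 => someone@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.25]
2015-02-25 19:43:00 1YQa1G-0001Ah-07 <= partner@example.org H=(mail.example.org) [198.51.100.40] P=esmtp S=700 id=f@example.org
2015-02-25 19:43:01 1YQa1G-0001Ah-07 => bob@example.com R=local_user T=local_delivery
"""

ARRIVAL = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+)(?P<rest>.*)$")
DELIVERY = re.compile(r"^\S+ \S+ (?P<id>\S+) => (?P<rcpt>\S+).* T=(?P<transport>\S+)")


def classify_origin(rest):
    """Where a message came from, using Exim's A= (authenticated), U= (local user)
    and H=host [ip] fields; authentication outranks the other two."""
    auth = re.search(r" A=(\S+)", rest)
    user = re.search(r" U=(\S+)", rest)
    host = re.search(r" H=.*?\[([^\]]+)\]", rest)
    if auth:
        return "auth", auth.group(1)
    if user:
        return "local", user.group(1)
    if host:
        return "remote", host.group(1)
    return "unknown", ""


def audit(log_text):
    """Return web-user bursts and messages relayed for unauthenticated remote hosts."""
    origins = {}            # message id -> (kind, who, envelope sender)
    local_counts = Counter()
    relayed = []
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            kind, who = classify_origin(m.group("rest"))
            origins[m.group("id")] = (kind, who, m.group("sender"))
            if kind == "local":
                local_counts[who] += 1
            continue
        m = DELIVERY.match(line)
        if m and m.group("transport") == "remote_smtp":
            kind, who, sender = origins.get(m.group("id"), ("unknown", "", ""))
            if kind == "remote":   # came in unauthenticated from outside, went back out
                relayed.append((m.group("id"), who, sender, m.group("rcpt")))
    web_bursts = {u: n for u, n in local_counts.items()
                  if u in WEB_USERS and n >= WEB_BURST_THRESHOLD}
    return {"web_bursts": web_bursts, "relayed": relayed, "local_counts": dict(local_counts)}


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    print("web-user bursts:", result["web_bursts"])
    for msg_id, host, sender, rcpt in result["relayed"]:
        print(f"relayed {msg_id} from {host} ({sender}) to {rcpt}")
```

On the sample it reports four local submissions from www-data (a hosted site handing mail to Exim, the pattern Stephen describes) and one message that arrived unauthenticated from 192.0.2.77 and left again via remote_smtp (the relay pattern). Submissions carrying A= are treated as legitimate here; a burst from a single authenticated account would point at a stolen mailbox password rather than a web script, and the same Counter keyed on the A= value surfaces that case.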

