Disable SMTP Authentication and not allow open relay

regisit

cPanel Access Level: Root Administrator
Is there a way to disable SMTP Authentication? By that I don't mean create an open relay, I mean just stop attempts to authenticate via SMTP but still allow incoming email on port 25.

The server is dedicated and for one business only. Mails are sent out from the hosted websites but there should be no inbound emails. Mail accounts on the domains are hosted elsewhere. Ideally we'd block inbound on port 25 completely but our hosting provider requires us to send mail via their relay servers so we have to allow it to deal with any NDRs from their relay cluster. They have an intermittent spam issue so are frequently changing IPs of the relay servers, meaning we can't maintain an accepted list of IPs for inbound mail on port 25.

We have the CSF firewall and it blocks repeated failed attempts to authenticate, but this results in frequent alerts when a hacker tries to break in via SMTP and an ever-extending list of blocked IPs. The simplest solution is to not allow anyone to authenticate on SMTP, because nobody should be, but still allow the hosted sites to send mail out and NDRs from the hosting relays to come back.

Is there any way to set this on WHM 11.42?
 

cPanelMichael

Administrator
Staff member
> The simplest solution is to not allow anyone to authenticate on SMTP, because nobody should be, but still allow the hosted sites to send mail out

Could you elaborate more on how the other websites will be sending out email, if not via SMTP? Also, the following thread contains some information you may find useful:

Blocked Port 25 - Use Another Port

Thank you.
 

regisit

cPanel Access Level: Root Administrator
For example, Magento sends mail using Zend Mail which ultimately uses PHP mail. Mails are sent using SMTP but there is no explicit SMTP authentication needed for this.

Not sure of the relevance of the Blocked Port 25 post? I can't filter incoming port 25 because I don't know the IPs of the relay servers, which are the only IPs we should accept mail from. It doesn't really matter if spammers try to deliver mail - they'll be rejected with invalid recipient as there are no actual mailboxes on the system aside from the default cPanel account mailbox.

What I was hoping for was a way to reject any SMTP authentication from an external IP, rather than blocking IPs once they've failed to authenticate 5 times. As it stands the IP block list will just grow and grow which will surely have an impact on performance over time.
 

cPanelMichael

Administrator
Staff member
There are no native features in WHM that will reject SMTP authentication attempts from all external IP addresses. You would have to configure a custom Exim ACL to implement this type of rule. Or, you could block the entire country using CSF as this might be easier than attempting to block the individual IP addresses.

Thank you.
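
A sketch of the kind of custom Exim rule mentioned in the reply above, as an added example that is not from the thread or from cPanel. It uses the standard Exim options `auth_advertise_hosts` and `acl_smtp_auth`; the ACL name `acl_check_auth_local` is hypothetical, and where these lines belong in a cPanel-managed Exim configuration is not covered here.

```exim
# --- Main configuration section (before the first "begin" line) ---

# Exim's built-in default advertises AUTH to every connecting client:
#   auth_advertise_hosts = *
#
# Advertise AUTH to loopback only. Exim answers an AUTH command from a
# client it did not advertise AUTH to with a 503 error, so external
# attempts never reach an authenticator. Inbound mail without AUTH
# (such as NDRs from the provider's relays) is unaffected.
# "<;" switches the list separator to ";" so the colons in the IPv6
# address are not read as list separators.
auth_advertise_hosts = <; 127.0.0.1 ; ::1

# Second layer: run an ACL on every AUTH command that is received.
acl_smtp_auth = acl_check_auth_local

# --- ACL section ---
begin acl

acl_check_auth_local:
  # Local clients may still authenticate if they ever need to.
  accept  hosts   = <; 127.0.0.1 ; ::1
  # Everyone else is refused before any credentials are checked.
  deny    message = SMTP authentication is not accepted on this server
```

After a change like this, an `EHLO` from an external host should show no `AUTH` line in the server's reply, which is a quick way to confirm the setting took effect.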
 

townwebsites

cPanel Access Level: Root Administrator
I need the same capability; we see lfd probing bans on external SMTP logins for client-related emails. The websites can send via SMTP but we never need the port open to outside logins.

I think the appropriate rephrasing of the question is: how can you change any configserver rules for iptables in a way that integrates with cPanel management of configserver? I.e., can we just edit any of the configserver rules as we would on an unmanaged Linux install, or are there parts of the configuration where we have to be aware of how cPanel interacts with configserver?

Thanks,

Charlie




