How to block outgoing un-authenticated emails

[chrismfz]

Regularly clients use old exploitable code which causes holes in their applications that eventually gets used by hackers to install malicious code. Most of the time this code is being used to send spam from our servers.

We have no control over our clients code, so patching the holes is quite impossible.

We use suPHP / suEXEC on all cPanel servers. Turning on "prevent nobody from sending emails" doesn't help.

Every decent PHP script / app has options to use SMTP Authentication. So we can inform users to switch to smtp authentication and send emails from an authenticated user who they created.


So having in mind that, how I could possibly stop any other ways to block outgoing spam mails ?
I've seen malware scripts that they are using just mail() function, I've seen scripts obfuscated I don't even know what they use, anyway all of the spam is coming out NOT using smtp authentication (obviously) so how I can stop anything else except SMTP ?

(including if I am wrong please correct me, not only PHP but cgi-bin / perl which someone can send emails using direct functions like sendmail($message); )

 

[cPanelMichael]

Hello

For PHP scripts, you could add "mail" to the disable_functions line in your PHP configuration file. The following document may also be helpful:

How To Prevent Email Abuse

Thank you.

 

[chrismfz]

Hello thanks for your answer

Isn't possible to block everything except authenticated users (using smtp) ? Someone could possibly use exec(sendmail); or e perl script.

I found a guide, but I don't know if it safe enough?

/http://bobcares.com/blog/blocking-spoofed-mails-going-out-of-your-cpanel-whm-web-hosting-server/

 

[alinford]

I would like to implement the options in that guide, but have a couple of questions. Because of the wording used in the guide, I am not quite sure how to implement.

Here is the first option:

I. Blocking all un-authenticated spoofed outbound emails

1. Login to WHM >> EXIM CONFIGURATION MANAGER >> ADVANCED EDITOR

2. Add the following entry in the top using Add additional configuration setting:

domainlist remote_domains = lsearch;/etc/remotedomains

3. Add the following code under acl_not_smtp :

deny
condition = ${if ! match_domain{${domain:${address:$h_From:}}}{
+local_domains : +remote_domains}}
message = Sorry, you don't have\
permission to send email from this server with a header that\
states the email is from ${lc:${domain:${address:$h_from:}}}.
accept

Here, the ACL will check for the presence of domain name part of the from address in either of the files - /etc/localdomains or /etc/remotedomains. If there is a mismatch, server will reject the email.

The default is acl_not_smtp = acl_not_smtp.
Would I add that code under acl_not_smtp, or remove acl_not_smtp and add the new code?

Same question for the second option:

II. Blocking all authenticated spoofed outbound emails

1. WHM >> EXIM CONFIGURATION MANAGER >> ADVANCED EXIM EDITOR

2. Search for acl_smtp_data and add the following lines under it:

deny
authenticated = *
condition = ${if or {{ !eqi{$authenticated_id} {$sender_address} }\
{ !eqi{$authenticated_id} {${address:$header_From:}} }\
}\
}
message = Your FROM address ( $sender_address , $header_From )
must match your authenticated email user ( $authenticated_id ).
Treating this as a spoofed email.

Here, for all authenticated users, the rule will check whether the authenticated userid matches with the from address. If it matches, it will allow the email. Else, it will display the message "Your FROM must match your authenticated email user. Treating this as spoofed email"

PS: If the acl_smtp_data is mentioned as something else(like acl_smtp_data = check_message), locate check_message and add the above lines just under it.
IMPORTANT points to keep in mind

a. POP before SMTP won't work with this setting. You will have to ask your customers to use the option - "My Server Requires Authentication" in the SMTP settings of their email client.
b. Username in the format user+domain.com will not work. They have to use [email protected] instead.

Mine is currently set to the default, acl_smtp_data = acl_smtp_data. So, it looks like I should add the above code below acl_smtp_data, not replace it.

 

[cPanelMichael]

You are welcome to try using the steps in that guide. It's a third-party customization so it's not officially supported, but it should not prevent Exim from starting successfully.

The default is acl_not_smtp = acl_not_smtp.
Would I add that code under acl_not_smtp, or remove acl_not_smtp and add the new code?

Mine is currently set to the default, acl_smtp_data = acl_smtp_data. So, it looks like I should add the above code below acl_smtp_data, not replace it.

The guide is suggesting you replace the existing entries rather than add the new entries beneath it.

Thank you.

 

[hndservers]

When I add setting under acl_not_smtp it perfectely stop sending withouth authentication, but now issue is that root mail forwarder is also stopped sending server notifications..

 

[cPanelMichael]

When I add setting under acl_not_smtp it perfectely stop sending withouth authentication, but now issue is that root mail forwarder is also stopped sending server notifications..

It's a third-party customization so it's possible things like this can happen. What error message do you see in /var/log/exim_mainlog when root attempts to send a notification?

Thank you.