Sending and Receiving emails...
I am sure many of you will find it a very basic and maybe even a stupid question, but then if you know more than me then you have all the rights to consider me a newbie and as always, I am not offended. :-)
I want to be able to send/receive emails from my webserver, which is also an email server. The easiest option was to port forward 25 and 993 and it worked like a charm. But it ended up as a DDOS attack and because everything was logged, the mail log and mail error log size increased exponentially. It should have been in the ballpark figure of 5-10KB but it went on to 110 MB which eventually broke my email server and my email stopped working.
This made me think: do I really need to port forward, or would just a "Rule" be fine? I will be honest, I still don't know the difference and I am not 100% sure when to create a rule and when to port forward. I understand the basics and I have done a lot of Google research and I think I get the gist, but I am still not 100% sure when to use which.
The conclusion that I have in my mind (and it may be wrong, so please feel free to correct me) is: port forwarding is to expose my service to the outside world, so other than HTTP, HTTPS and VPN (80, 443, 1194), I should not be opening any port (speaking in a very generic sense). This also means (in my own mind) that for email send & receive, all I need is a rule and not a port forward, or else I will be inviting unnecessary traffic from scammers and spammers.
So the question is:
1. Is my understanding right? Do I need to open a port or create a rule?
2. If I need a rule, where do I create it? WAN or LAN?
3. Will the rule for IMAP and SMTP be exactly the same or exactly opposite, as one will be to send and another will be to receive?
1. No, you need a port forward for your mail server.
2. LAN by default is already open; with port forwards, rules are automatically created on the WAN interface.
3. Read 1 and 2.
A lot of stuff can be done to secure your mail server: spam filter, HELO check, OpenSPF, DMARC, fail2ban and also pfBlockerNG, for example.
There is a lot of stuff to consider before thinking of setting up a mail server. It can be dangerous, also legally speaking (open mail relay), for you and others.
No one will DDoS a mail server without any reason. You probably set the mail server up as an open mail relay, or they discovered a weak password and a spammer was using it to send unsolicited/unlimited email all over the world. Nice job.
110 MB of logs is not much for an internet-facing mail server.
You need to reconsider your server sizing.
I had done the port forwarding and everything worked fine, but then there were too many attacks and scans on port 25, creating unnecessary traffic.
Is port forwarding an easy option here or is it the only option for me to be able to send/receive emails? I am trying to understand why a rule would not be sufficient.
One situation that I can think of is: I have hosted a few domains for friends and family, so for them to be able to access their email service at their home/mobile, rules might not work as they won't be on my LAN and so I need to forward my port. Is that right?
Just so you know, I am already using SpamAssassin, ClamAV, DMARC, SPF and fail2ban. I am also looking into pfBlockerNG and other such tools.
Obviously people are trying to DDoS to send unsolicited/unlimited email all over the world. The good news so far has been that I have a complicated password and so no one has been able to get in, but my core issue is: how come they are able to get past my firewall? I don't want my server to be dealing with the bad guys... I want the firewall (pfSense) to be dealing with them and only authenticated/good guys should reach my server.
And so if I open the port (I believe it has to be on WAN), this means it will be open for everyone on the internet to scan and attack. Is it not inviting them by letting them know "look, my port 25 is open for you to try"?
@raviktiwari Running a (mail)service on the public internet will give you just what you experienced.
Putting an IDS/IPS in front might limit some bad traffic, but certainly you need to understand the difference between filtering and port forwarding first.
It's the equivalent of planning on winning at NASCAR when you can't drive to the grocery around the corner.
@netblues Aah... so online sarcasm is a real thing... :-)
I agree I am new to this networking and firewalling stuff... and probably that is why I am here...isn't it? :-)
I will try reading about port filtering and other stuff... meanwhile, do you or anyone else in the group have any comment/feedback on ezjail on pfSense? Is it a good, bad or stupid idea? Is there anything else (any tool or package) that I should explore, as my end goal is to authenticate and terminate bad people and bad traffic at the firewall level itself...
I am in no rush to find a solution, plus I have a test environment to play with, so I will try everything that comes to my mind or comes out in my research or whatever you guys suggest... So please suggest and guide accordingly.
@raviktiwari It is not sarcasm. You need to understand how things work, what tools do, and then apply them accordingly to your situation.
Anyone would like to have the holy grail of networking. Keep the bad guys out, let the good ones in. Just buy this box and fire all your security engineers.
Unfortunately (for managers) and fortunately for the rest of us, it doesn't work this way.
You need to focus on your mail server platform.
Most mail servers out there don't even have a firewall in front. And they don't need it.
And there is little pfsense (or any firewall) can do to a mail server anyways.
@netblues I agree just a pfsense will not do the magic and there is a lot more for me to learn... Trust me the journey has started now... not only with pfsense, but in general I have started looking into networking and security on a wider basis.
But in the interim, I need to fix whatever is broken as this is also part of the learning as well as a stepping stone for me to get the infrastructure ready for further learning.
Can you please answer these 3 follow-up questions based on your last 3 statements:
What do you mean by "I need to focus on my mail server platform"? As I have already said, I have SpamAssassin, ClamAV, DMARC, SPF and fail2ban installed and configured... is there anything else you want me to explore?
What do you mean by "most mail servers out there don't even have and don't need to have a firewall in front"? Which firewall are you talking about, server firewall or pfSense?
And lastly, when you say there is little pfSense (or any firewall) can do to a mail server anyway, can you please throw some more light on it or give some context. I need a full-fledged mail server as I host multiple domains for friends and family (almost like customers), so they should be able to send/receive emails (many of them configure it via Outlook and Thunderbird and also access it on their phone).
All ideas and suggestions are welcome.
Have you thought about using Mail-in-a-Box? Their install scripts/software will securely and easily set up an email system using industry standards, i.e. it will solve all of your problems.
Thanks for your suggestion @Netgate-Steve
I had a deep look into MiaB and I did not find anything different or technically superior to what I use (Virtualmin/Webmin). TBH, I think both of them are exactly the same.
I did some quick research comparing both and got the same feedback... for example, have a look here: https://medium.com/@YourDeeal/an-alternative-to-mail-in-a-box-iredmail-and-mailcow-is-virtualmin-webmin-be4a52d74a3e
IDK, I don't use any web GUI, so I can't suggest what's best. I prefer to have control over my stuff; you never know when a backdoor will be discovered in that kind of software.
Bob.Dig
Mail-in-a-Box is not a web GUI, it is everything about being an email server. But I think it will "consume" the whole machine it is running on.
Netgate Steve
I played around with Mail-in-a-Box a while ago. It sets everything up/maintains all the security you need. (DANE, DKIM, TLS certs, firewall, etc.). Plus it's easy to use.
For a novice it's a great solution.
The biggest issue is getting an IP address from a cloud provider that isn't blacklisted for sending spam. (Or getting it unblocked which takes time)
Virtualmin does the exact same things, plus gives you the option to make changes as you wish, plus covers your cPanel cost, plus it is open source, plus it has got great community support as well.
I don't see any reason why I or anyone should move from Virtualmin to MiaB... Yes, if someone wishes to keep their hosting separate from the mail server, it might be an option, but again you will need 2 different servers and 2 different IPs plus at least 1 if not 2 different firewalls to ensure the security of those servers (adding cost).
Anyway, this topic has now moved from "whether we need port forward or will rules suffice to access emails" to the pros and cons of MiaB.
So to conclude this topic, is it correct to assume:
In order to be able to send and receive emails, a person MUST port forward 25 and 993 on the WAN port (which will automatically create a corresponding rule as well). But the same cannot be achieved by just writing an intelligent rule rather than opening any port. Please consider the fact that this is a hosted environment for other people also, and they also need to be able to access their own emails using my server/services.
Clearly not exactly the same thing, as Mail-in-a-Box just works and is secure, i.e. you shouldn't have to do anything if it's equivalent to Mail-in-a-Box.
It's an email SERVER, thus you need to make sure other clients can connect to it from the internet by opening all the needed email ports for input (e.g. 25, 587, 993, etc.) and make sure that it's not set up to relay email.
As for the DDOS attack, it sounds like it's configured as an open email relay. Fix that and you are on the way.
Yeah, that is what I was also thinking... even if I use MiaB nothing changes for me... I will still have to install it on my server, manage my server, manage the mail server (to a certain extent), manage the firewall to open ports and manage rules, so why create one additional headache... I think if I cannot manage my existing server, I am sure I won't be able to manage a MiaB server either.
So it comes down to "how to secure your email server - apart from the standard stuff".
Thanks for giving some pointers around open email relay... as far as I know I don't have it open... but I will check. Meanwhile, would you mind giving some suggestions on where to start and look? I am using Ubuntu 18.
That's the beauty of mail-in-a-box it's all taken care of. You don't have to do anything.
It certainly sounds like it's relaying mail, and if it is, it will have created another headache for you. Now your IP address will be blacklisted by most of the big email providers out there. You will have some work cut out to get it unblocked (after you have stopped the mail relay).
What SMTP Server are you using?
So you want to send mail from your "webserver" for why exactly? You want to, like, send users emails that forgot their passwords, or information?
There is a huge difference between sending users some email notifications, or reset password links, or whatever.. And the need to run a full blown email server.
To send email, there would be zero need for any inbound ports (port forwards).. And to be honest little need for any email services on your box at all.. You could use some outside email service to actually send the mail.. Kind of how email notifications work in pfSense..
Here is my take on it, with some 30 years experience with email and running email services. Do not run it on your "home" connection.. It's not worth it... Other than if you want to "play" with it to learn how it works.. If you want to set up a box to send and receive mail for your "lab" sure have at it - happy to help you set up something like that. Keep in mind - you're prob not going to be able to send to any major domains if your IP is listed as a dynamic IP, ie home... And be able to set the PTR for that IP.. Pretty much all the major players will just not accept your mail.. Even if your ISP allows outbound 25, which many of them do not anyway..
It's just easier, safer and more reliable to let the big dogs handle it to be honest... Many enterprises don't even host their own email any more - they pay some service to do it for them.
The only reason you would need to open inbound ports would be for users to access or send email from your server. You would need the ports open for whatever service you're going to use for that - could be as simple as just web access to their email via something like SquirrelMail... Or some other protocols like IMAP or POP.. The only reason you would ever need 25 inbound is you're going to accept mail for users at some domain that has an MX record that points to your IP.. domainX.tld for example.. The only reason you would need 25 outbound is you're directly sending email to domains... Like netgate.com or gmail.com, etc.
I would highly suggest against that..
So what are the details of what you're actually trying to accomplish? A webserver sending emails does not require an email server to be run on your box or even on your network..
I have a webserver running, it sends out even a daily newsletter to many different users on many different email domains.. It lets them know when their request has been approved, it lets them know when their request is available.. All via email - and it does not have any such services running... It just uses an outside email account to send the emails.
@johnpoz Thanks for getting back to me and trying to rescue me again – I want to let you know I sincerely appreciate all your help and support.
Let me try to answer all your question point wise and also give you some background info about my setup.
I use Virtualmin/Webmin (not sure if you have heard about them or used them ever), which in essence is an alternative to cPanel plus a lot more. Once you have installed Ubuntu, you install Virtualmin using their script and it installs almost everything and gives you the entire Unix capability in a GUI. Almost every single command, setting and feature of Unix can be used via the GUI. As part of the script, it installs ClamAV, SpamAssassin, MySQL/Postgres, UFW, fail2ban and a lot more. Plus depending upon the package that you use, it can also help you install anywhere between 7 and 100 preconfigured open source scripts in one click (like Moodle, ownCloud, SugarCRM, backup/restore and whatnot) and on top of that, it also leaves you with a bunch of unused modules for you to play with and install – if you want to (taking into consideration any conflict that you might create: it installs postfix for you and if you try to install Sendmail as well, it will conflict, so you need to sort it out). Plus their support team is as good as Netgate support – seriously. You can also create and edit your own DKIM, DMARC, DNS, MX record, SSL (Let's Encrypt) and whatnot… trust me, if you have some time, it is worth looking into.
Now here is the better part… it installs postfix and dovecot by default and I have used the Roundcube script as well (rather than SquirrelMail).
So, at the end of my installation, I have a full-blown hosting server with an integrated mail server running along with it, on the same machine. This might sound a little odd or maybe risky to you, but there are thousands if not millions of people using this service and it works. I have been using it for almost a year now and I have no complaints.
Now, I host my own websites (4 of them, 2 being e-commerce sites) so I need facilities like forgot password, send email on order placed and dispatched and so on… along with this, I also host websites for friends and family and I create email ids for them like email@example.com, firstname.lastname@example.org, email@example.com and whatever they need… so I along with my friends should be able to send and receive emails on these email ids using Roundcube or Outlook/Thunderbird. I have configured all my emails (almost 20 of them) on Thunderbird and they are working without any issues.
I understand the risk and pain of using a personal mail server, but I would like to deal with it, handle the challenge and learn from it rather than paying Google, Microsoft or Zoho… I have thought about running a mail server separately on a different server using tools like Mail-in-a-Box, but the issue is I will need 2 servers to be running 24x7, lose one more IP, then integrate both the servers, then manage and maintain both of them, secure them, pay for the electricity bill and so on. So if all can be done on 1 machine it will be a lot better; if not, then 2 different servers for 2 different services is an option that I can consider.
Now coming to paying a 3rd party for mail service – my issue with that approach is: their cost seems reasonable for one email id per month, but when you need 10 of them on every domain that you have, the cost skyrockets, and using alias emails is not a good option. And to make it worse, if I tell my friends that I will host their website for this “X” amount and emails for “Y”, I am sure they will tell me that they can go to any cheap hosting provider where they will get email service for free.
Coming to your last question/concern: I have a commercial internet connection and I have 5 static public IPs (I am using 1 for the home office internet connection, 1 for the production environment, 1 for the test environment, 1 for the VMware environment (which I am struggling with and have raised a question in the firewalling group, but no one has answered yet) and 1 is free at the moment).
I and my customers (friends & family) need to be able to send email to anyone and everyone and we can do that… I can send email to Microsoft, and google and netgate and yahoo and anyone you can think of and it goes fine, that’s not an issue.
Now here is my issue:
I am able to run this service using firewall NATting. Please see the screenshot below.
Now the issue is:
As soon as I open the ports, scammers get excited and they start hitting my server and because the port is opened pfsense allows the traffic in and then my server (UFW and fail2ban) has to deal with those request to log in with wrong email id/password. Because I have a strong password, I have been fine until now but if I have a client who decides to keep his password: “password” then one day scammer will get into my server and do what they actually want to do.
This also has a side effect on my server performance as the load increases, log file size increases, it went so bad one day that logwatch could not send me an email because the log file size went 115 MB.
And my main gripe (based on my lack of knowledge/experience) is: I put pfSense in front of the server so that pfSense deals with the bad boys, therefore reducing any unnecessary load and protecting the performance of my server, but right now it seems that the whole purpose is defeated. If this is how it is supposed to run, I can simply connect my server to my router and port forward these ports on the router itself.
I have a feeling that there should be some option around rules and not port forwarding that will allow me and my friends (who are not on my LAN/OPT1 port) to be able to send and receive emails - like OpenVPN (it works without natting and just on rules). Do you agree? Do you think getting these attacks from scammers is part of the game and I can get away with it? If that is the case what happens when a friend of mine keeps a password for one of his email ids as “password” (I know I can force it to use alphanumeric and special character and so on, but just in case the password is a dictionary word and gets cracked, then what will happen to my server and pfsense)?
Hope this clarifies my situation and gives you enough information to be able to assist me accordingly. In case you have any more question pls do let me know.
Bob.Dig
So you have a lot of knowledge in regard to hosting and stuff, at least a lot more than I have. Have you tried pfBlockerNG and Suricata? Dealing with bad guys is no out-of-the-box experience and requires further work with those two packages.
If you want to receive email from the outside world (internet), there is no other way than to open port 25 to the public. If you just want to email inside a VPN, this is possible but still burdensome to set up for everybody.
have been fine until now but if I have a client who decides to keep his password: “password” then one day scammer will get into my server and do what they actually want to do.
Welcome to trying to run services to the public internet..
What's the old saying ;) "If you want to run with the big dogs you have to learn to piss in the tall weeds"
I and my customers (friends & family)
Sorry but never in a million years would I host something like a email server for friends and family..
Yup it's going to be a nightmare.. Do yourself a favor and just get a domain, if you want a friends and family one, and host it on gmail or something...
I host Plex, and let friends and family in.. At least there Plex handles the auth, and worst case - some random user would be able to watch my movies ;) And I would notice because I get alerts every time a user uses a different IP... And would shut that down quick if not from where my family or friends are from..
And I also limit the IPs to being in the US only..
An email server is a huge target - because they want to send spam for free.. Have fun getting off a blacklist if a spammer does get in and sends a bunch of spam.
My advice would be don't do such a thing unless you're up to all the pitfalls that come with doing it.. Sorry there is no magic to stopping that sort of problem once you open services to the public.
@johnpoz providing technical solution and running a business (with cost and earning in mind) are 2 different things.
You always challenge me technically, so let me ask you a simple business question: Do you have any idea how much a hosted email id would cost me? Be it Google or Microsoft.
I need at least 7 emails on at least 10 domains, so that is 70 emails - minimum. So what do you think is going to be my annual cost/expense?
Almost nothing.. Domains are what, $10 a year.. I have quite a few domains myself.
Something like zoho email only is $1 a month per user.. Gsuite is like $6 a month per user, but each user has full access to all of gsuite..
zoho alternative to gsuite is like $3 a month per user
So even if I take $1 per month service, it will cost me $70 per month equating to $840 per year.
Do you see the difference? From $0 to £840.
The core reason why I got into hosting and running my own web and mail server was to learn what the "big dogs" do... it cannot be rocket science and even if it is, I would like to learn that rocket science, and once I have learnt it enough and/or start making enough money, I don't mind migrating to Google or Zoho... but until then, if I just pay a 3rd party then that means "It's too difficult, so I don't care", and this would also mean that I can rather throw away my server, throw away my pfSense, cancel my commercial ISP contract - just sit and let someone do my job - so where is the fun and learning in this?
Do you see the difference? From $0 to £840.
It's not $0 that is for sure - how much is your time and effort worth? Let them get their own freaking email and pay for it or use something free like gmail.
How much does your line cost, how much does it cost to power the server.. How much does it cost to back up all their email. How much does it cost for your system to be blacklisted if they send something that gets you on a blacklist..
Sorry there is no magic button you can press that says bad guys will not bomb the shit out of your email server trying to use it to send spam once you place it on the internet.. There just isn't..
You dealing with all of that sure as hell is not $0 a year.. The only reason I let friends and family use my Plex is it's my hobby.. And I would be running it myself anyway - the second it becomes a problem or takes any of my time dealing with a "user"-created problem would be the second I shut it down for them to use.
@johnpoz fair enough... but for the time being, I don't want to calculate my time as the cost of running the service - this is a fake economy in my opinion... that is why all western countries are struggling to keep up with the eastern part of the world.
The world needs to stop throwing in all the cost in the name of operational cost... like the cost of the meeting, cost of coffee, cost of air-conditioning and anything else that you can see or think of. if I want, I can start including the cost of this chat that I am having with you, along with your time, your internet cost, netgate platform cost, cost my monitor, mouse, keyboard and whatnot.
Anyway, bringing the topic back to the core issue: I get your point and I partially agree with you that I should not host email ids for friends and family... let's assume I am happy to do that and going forward I will not host email ids for friends and family... this probably also means saying no to my paying customers (which is not good).
But assuming that is the way I am going, what do I do about my own email ids? Don't tell me that even I should host it on Google and Microsoft... because if that is the case, then as I said, I can sell off everything and pay $1000 per yr to Microsoft when the main purpose of all this was to do the technical bit myself and earn some money as MS and Google do.
And as I said they are not using any rocket science so I am sure even I can do whatever heck they are doing... yes it will take time and effort... and I am completely free doing nothing except dealing with and fixing this issue for let's say next 1-3 months. :-)
Gertjan
As soon as I open the ports, scammers get excited and they start hitting my server and because the port is opened pfSense ...
That's totally normal. If you have to serve port Xx, you'll be needing a server type application that you should (totally) trust, it should be set up to 'listen' to that port, and that port should be reachable by the public that could have to use that port Xx. This actually means that anybody on planet earth can connect to 'your' server.
( People tend to use firewalls on server type devices to lock down non-served ports. Think about this for a minute or so.
If you're laughing right now, then ok, perfect. You got it. A firewall on a server is ... quite useless - there is no reason to 'close' non-served ports, because they are black holes by nature.
This reasoning is valid if the admin admins his server. That is: that he controls what executes, and when, on his server - and how it is executed. When he loses control, well, the first thing that would fall is the firewall - so start with not using a firewall on a server => one thing less to 'admin' ;) and one thing less to mess up. )
Like Apache2, nginx will be listening to port 80 and/or 443. postfix will be listening on 25 TCP and probably also 465 TCP and 587 TCP (now phasing out).
postfix will show / produce huge logs daily ****, filled up with connection attempts from 'other' devices on the Internet connecting to your IP:port to try to 'dump' their rubbish. That's normal, and you should consider it as simple background noise.
Important to know: postfix, as the world's most used mail server, is pretty darn good at taking care of the real mails 'for you' and discarding the rest.
But: postfix is as good as the admin maintaining it.
The setup of a postfix server is ..... huge.
And, IMHO, it's totally impossible to encapsulate the settings with some sort of GUI like VirtualMin or others. You have to master - with your head - the master.cf and main.cf files. This is my opinion of course, as I needed a multi domain, multi IPv4, multi IPv6 with added IMAP/POP mailbox support. It should work with Outlook Express (back then) - all Thunderbird versions, as up to the latest "Office 365".
For me, it all started here (I guess) : http://www.postfix.org/SMTPD_ACCESS_README.html
This is gold : http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt is still actual as of today !!
A firewall can't help you here "with some rules". *** What really helps to get rid of the 'door knockers' is a tool like fail2ban.
It parses the postfix logs, searches for known - not accepted by postfix - incoming connections, and if they repeat themselves, or come back too often, the firewall gets loaded with a block rule for that IP.
See it here in action.
fail2ban parses also ssh logs, web server logs, teamspeak logs, etc, and acts if it finds something suspect.
*** most traffic, even mail traffic, is SSL encoded, so a firewall hasn't even access to the payload, it would see the source IP, and that's it.
**** you'll meet up with logrotate for log file management.
edit : sorry for losing the subject.
edit 2 : I'm not running postfix on or behind pfSense, of course (@work). ISP lines are mostly a big mega f*ck to host mail servers on, as they are listed as such.
It's a typical VPS usage, or what I use: a pair of https://www.ovh.com/ca/en/dedicated-servers/ which includes all the IPs needed, and, hopefully I never need it: a huge DDoS protection - on a naked (no GUI) Debian 9/10 install.
When you start to run postfix yourself, bind (named) will follow as a master DNS server for your domains, and a web server will follow. Some Squirrel (old ... I know)/Roundcube instances, a MariaDB (ex. MySQL) for housekeeping etc etc.
Btw: the "rocket science" used by the big ones has nothing to do with what I / you do. They will not tell how they do it for - logical - security issues. But the biggest English/German/Belgian/French/Spanish ISPs did this: they took a copy of postfix, as it is 'free ware' (somewhat), and adapted it so it scales up on a pure madness level.
They were using qmail back then .... they all paid the price. And no, no 'Exchange' for them.
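As an added illustration of the fail2ban step Gertjan describes above (parse the postfix log, count repeated failures per source IP, push a block rule for the repeat offenders), and of the weak-password brute-force worry raised earlier in the thread, here is a small detector written for this thread; it is not code from fail2ban, Postfix or pfSense. The log lines, the 5-failures-in-600-seconds policy and the pfSense table name `sasl_bruteforce` are constructed assumptions.

```python
"""Fail2ban-style detector for Postfix SASL brute force and reject noise.

Reads syslog-format Postfix lines, keeps a sliding window of failures per
client IP, and reports the IPs that crossed the threshold. The emitted pfctl
command is the kind of block a firewall would load; the table name is a
hypothetical choice for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not from a real server); IPs are from test ranges.
# 203.0.113.7 fails SASL 5 times in 10 s, 192.0.2.44 fails twice 90 min apart.
SAMPLE_LOG = """\
Mar  3 10:00:01 mail postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:00:03 mail postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:00:05 mail postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Mar  3 10:00:09 mail postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:00:11 mail postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:00:20 mail postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 5.7.1 Service unavailable; from=<a@example.net> to=<b@example.com> proto=ESMTP helo=<x>
Mar  3 10:00:25 mail postfix/smtpd[2103]: warning: unknown[192.0.2.44]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:00:30 mail postfix/smtpd[2104]: connect from laptop.example.com[192.0.2.10]
Mar  3 11:30:00 mail postfix/smtpd[2105]: warning: unknown[192.0.2.44]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

# Simplified versions of what a postfix filter matches: failed SASL logins
# (password guessing) and connections postfix itself already rejected.
FAILURE_PATTERNS = [
    re.compile(r"warning: [^\[]*\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed"),
    re.compile(r"NOQUEUE: reject: RCPT from [^\[]*\[(?P<ip>[0-9a-fA-F.:]+)\]"),
]
TIMESTAMP_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_line(line, year=2024):
    """Return (timestamp, client_ip) for a failure line, else None.

    Syslog timestamps carry no year, so one is supplied by the caller.
    """
    m = TIMESTAMP_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m.group("ts").split())  # collapse "Mar  3" padding
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    for pattern in FAILURE_PATTERNS:
        hit = pattern.search(line)
        if hit:
            return ts, hit.group("ip")
    return None


def find_offenders(log_text, maxretry=5, findtime=600, year=2024):
    """Map each IP with >= maxretry failures inside findtime seconds to the
    time the threshold was crossed (the moment a ban would be issued)."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    banned = {}
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in banned:
            continue  # already blocked; nothing further to count
        window = recent[ip]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # drop failures older than the window
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


def block_commands(banned, table="sasl_bruteforce"):
    """Render pfctl table additions for the offenders (table name assumed)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(banned)]


if __name__ == "__main__":
    offenders = find_offenders(SAMPLE_LOG)
    for ip, when in offenders.items():
        print(f"{when:%H:%M:%S} threshold crossed by {ip}")
    for cmd in block_commands(offenders):
        print(cmd)
```

With the sample log only 203.0.113.7 is flagged: the single RBL reject and the two failures 90 minutes apart stay below the threshold, which is the difference between background noise and a brute-force run.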