Netgate Discussion Forum

Sending and Receiving emails...

General pfSense Questions
27 Posts 7 Posters 2.5k Views

raviktiwari

      Hi there,

      I am sure many of you will find it a very basic and maybe even a stupid question, but then if you know more than me then you have all the rights to consider me a newbie and as always, I am not offended. :-)

      I want to be able to send/receive emails from my webserver, which is also an email server. The easiest option was to port forward 25 and 993 and it worked like a charm. But it ended up as a DDOS attack and because everything was logged, the mail log and mail error log size increased exponentially. It should have been in the ballpark figure of 5-10KB but it went on to 110 MB which eventually broke my email server and my email stopped working.

This made me think: do I really need to port forward or would just a "Rule" be fine? I will be honest, I still don't know the difference and I am not 100% sure when to create a rule and when to port forward. I understand the basics and I have done a lot of google research and I think I get the gist, but I am still not 100% sure when to use which.

      The conclusion that I have in my mind (and it may be wrong, so pls feel free to correct me), port forward is to expose my service to the outside world, so other than Http, https and VPN (80,443, 1194), I should not be opening any port (speaking in a very generic sense). This also means (in my own mind) that for email send & receive, all I need is a rule and not a port forward, or else I will be inviting unnecessary traffic from scammers and spammers.

So the question is:
1. Is my understanding right? Do I need to open a port or create a rule?
2. If I need a rule, where do I create it? WAN or LAN?
3. Will the rule for IMAP and SMTP be exactly the same or exactly opposite, as one will be to send and another will be to receive?

      Many Thanks,
      Rav

kiokoman LAYER 8

1. no, you need a port forward for your mail server.
2. lan by default is already open, with port forward rules are automatically created on the wan interface
3. read 1 and 2

        a lot of stuff can be done to secure your mail server, spam filter, helo check, openspf, dmarc, fail2ban and also
        pfblockerng for example
        there is a lot of stuff to consider before thinking of setting up a mail server. it can be dangerous, also legally speaking (Open Mail Relay), for you and others

no one will ddos a mail server without any reason, you probably set the mail server as an open mail relay or they discovered a weak password and a spammer was using it to send unsolicited/unlimited email all over the world, nice job😂

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

netblues @kiokoman

110 MB of logs is not much, for an internet facing mail server.
          You need to reconsider your server sizing.

raviktiwari @kiokoman

            Thanks @kiokoman

I had done the port forwarding and everything worked fine, but then there were too many attacks and scans on port 25, creating unnecessary traffic.

Is port forwarding an easy option here or is it the only option for me to be able to send/receive emails? I am trying to understand why a rule will not be sufficient.

One situation that I can think of is: I have hosted a few domains for friends and family, so for them to be able to access their email service at their home/mobile, rules might not work as they won't be on my LAN and so I need to forward my port. Is that right?

Just so you know, I am already using SpamAssassin, ClamAV, Dmarc, SPF and fail2ban. I am also looking into pfblockerng and other such tools.

            Obviously people are trying to DDoS to send unsolicited/unlimited email all over the world. The good news so far has been that I have a complicated password and so no one has been able to get in so far, but my core issue is, how come they are able to get past my firewall. I don't want my server to be dealing with the bad guys... I want the firewall (pfSense) to be dealing with them and only authenticated/good guys should reach my server.

            And so if I open the port (I believe it has to be on WAN), this means it will be open for everyone on the internet for them to scan and attack. Is it not inviting them by letting them know that look my port 25 is open for you to try.

            Any suggestion?

            Many Thanks,
            Rav

netblues @raviktiwari

              @raviktiwari Running a (mail)service on the public internet will give you just what you experienced.
Putting an ids/ips in front might limit some bad traffic, but certainly, you need to understand the difference between filtering and port forwarding first.
It's the equivalent of planning on winning at Nascar, when you can't drive to the grocery around the corner.

raviktiwari @netblues

                @netblues Aah... so online sarcasm is a real thing... :-)

                I agree I am new to this networking and firewalling stuff... and probably that is why I am here...isn't it? :-)

                I will try reading port filtering and other stuff... meanwhile, do you or anyone else in the group have any comment/feedback on ezjail on pfsense? Is it a good, bad or stupid idea? Is there anything else (any tool or package) that I should explore as my end goal is to authenticate and terminate bad people and bad traffic at firewall level itself...

                I am in no rush to find a solution plus I have a test environment to play with, so I will try everything that comes to my mind or comes out in my research or whatever you guys suggest... So pls suggest and guide accordingly.

                Many Thanks,
                Rav

netblues @raviktiwari

                  @raviktiwari It is not sarcasm. You need to understand how things work, what tools do, and then apply them accordingly to your situation.
                  Anyone would like to have the holy grail of networking. Keep the bad guys out, let the good ones in. Just buy this box and fire all your security engineers.
                  Unfortunately (for managers) and fortunately for the rest of us, it doesn't work this way.

                  You need to focus on your mail server platform.
                  Most mail servers out there don't even have a firewall in front. And they don't need it.
                  And there is little pfsense (or any firewall) can do to a mail server anyways.

raviktiwari @netblues

                    @netblues I agree just a pfsense will not do the magic and there is a lot more for me to learn... Trust me the journey has started now... not only with pfsense, but in general I have started looking into networking and security on a wider basis.

                    But in the interim, I need to fix whatever is broken as this is also part of the learning as well as a stepping stone for me to get the infrastructure ready for further learning.

Can you pls answer these 3 follow up questions based on your last 3 statements:
What do you mean by I need to focus on my mail server platform? As I have already said, I have SpamAssassin, ClamAV, Dmarc, SPF and fail2ban installed and configured... is there anything else you want me to explore?

What do you mean by most mail servers out there don't even have and don't need to have a firewall in front of them? Which firewall are you talking about, server firewall or pfsense?

And lastly, when you say, pfsense (or any firewall) can do to a mail server anyways, can you pls throw some more light on it or give some context. I need a full-fledged mail server as I host multiple domains for friends and family (almost like a customer) so they should be able to send/receive emails (many of them configure it via outlook and thunderbird and also access it on their phone).

                    All ideas and suggestion are welcome.

                    Many Thanks,
                    Rav

Netgate Steve

Have you thought about using mailinabox? Their install scripts/software will securely and easily set up an email system using industry standards, i.e. it will solve all of your problems.

                      Mail-in-a-Box

raviktiwari @Netgate Steve

                        Thanks for your suggestion @Netgate-Steve

I had a deep look into MiaB and I did not find anything different or technically superior to what I use (Virtualmin/Webmin). TBH, I think both of them are exactly the same.

                        I did some quick research for comparing both and got same feedback... for example, you have a look here... https://medium.com/@YourDeeal/an-alternative-to-mail-in-a-box-iredmail-and-mailcow-is-virtualmin-webmin-be4a52d74a3e

                        Any suggestion/comments?

                        Many Thanks,
                        Rav

kiokoman LAYER 8

                          IDK I don't use any WebGUI, I can't suggest what's the best, I prefer to have control over my stuff, you never know when a backdoor will be discovered on that kind of software

Bob.Dig LAYER 8

Mail-in-a-Box is not a web-gui, it is everything about being an email-server. But I think it will "consume" the whole machine it is running on.

Netgate Steve

                              I played around with Mail-in-a-Box a while ago. It sets everything up/maintains all the security you need. (DANE, DKIM, TLS certs, firewall, etc.). Plus it's easy to use.

                              For a novice it's a great solution.

                              The biggest issue is getting an IP address from a cloud provider that isn't blacklisted for sending spam. (Or getting it unblocked which takes time)

raviktiwari

Virtualmin does the exact same things plus gives you the option to make changes as you wish plus covers your cPanel cost plus it is opensource plus it has got great community support as well.

I don't see any reason why I or anyone should move from Virtualmin to MiaB... Yes, if someone wishes to keep their hosting separate from the mailserver, yes it might be an option, but again you will need 2 different servers and 2 different IPs plus at least 1 if not 2 different firewalls to ensure the security of those servers (adding cost).

Anyways, this topic has now moved from "Whether we need port forward or will Rules suffice to access emails" to the pros and cons of MiaB.

                                So to conclude this topic, is it correct to assume:

                                In order to be able to send and receive emails, a person MUST port forward 25 and 993 on WAN port (which will automatically create a corresponding rule as well). But the same cannot be achieved by just writing an intelligent rule rather than opening any port. Please consider the fact this is a hosted environment for other people also and they also need to be able to access their own emails using my server/services.

                                Many Thanks,
                                Rav

Netgate Steve

                                  Clearly not exactly the same thing as mail-in-a-box just works and is secure. i.e. You shouldn't have to do anything if it's equivalent to mail-in-a-box

It's an email SERVER thus you need to make sure other clients can connect to it from the internet by opening all the needed email ports for input (e.g. 25,587,993,etc) and make sure that it's not set up to relay email.

As for the DDOS attack, it sounds like it's configured as an open email relay. Fix that and you are on the way.

raviktiwari

                                    Yeah, that is what I was also thinking... even if I use MiaB nothing changes for me... I will have to still install it on my server, manage my server, manage the mail server (to a certain extent), manage the firewall to open ports and manage rules, so why create one additional headache... I think, if I cannot manage my existing server, I am sure I won't be able to manage MiaB server as well.

                                    So it comes down to "how to secure your email server - apart from the standard stuff".

Thanks for giving some pointers around open email relay... as far as I know I don't have it open... but I will check, meanwhile would you mind giving some suggestion where to start and look? I am using Ubuntu 18

                                    Many Thanks,
                                    Rav

Netgate Steve

                                      That's the beauty of mail-in-a-box it's all taken care of. You don't have to do anything.

It certainly sounds like it's relaying mail and if it is it will have created another headache for you. Now your IP address will be blacklisted by most of the big email providers out there. You will have some work cut out to get it unblocked (after you have stopped the mail relay).

                                      What SMTP Server are you using?

johnpoz LAYER 8 Global Moderator

                                        So you want to send mail from your "webserver" for why exactly? You want to like send users emails that forgot their passwords, or information?

                                        There is a huge difference between sending users some email notifications, or reset password links, or whatever.. And the need to run a full blown email server.

                                        To send email, there would be zero need for any inbound ports (port forwards).. And to be honest little need for any email services on your box at all.. You could use some outside email service to actually send the mail.. Kind of how email notifications work in pfsense..

Here is my take on it, with some 30 years experience with email and running email services. Do not run it on your "home" connection.. It's not worth it... Other than if you want to "play" with it to learn how it works.. If you want to setup a box to send and receive mail for your "lab" sure have at it - happy to help you setup something like that. Keep in mind - you're prob not going to be able to send to any major domains if your IP is listed as a dynamic IP, ie home... And be able to set the PTR for that IP.. Pretty much all the major players will just not accept your mail.. Even if your ISP allows outbound 25, which many of them do not anyway..

It's just easier, safer and more reliable to let the big dogs handle it to be honest... Many enterprises don't even host their own email any more - they pay some service to do it for them.

The only reason you would need to open inbound ports would be for users to access or send email from your server. You would need the ports open for what service you're going to use for that - could be as simple as just web access to their email via something like squirrelmail... Or some other protocols like imap or pop.. The only reason you would need 25 ever inbound is you're going to accept mail for users at some domain that has a MX record that points to your IP.. domainX.tld for example.. The only reason you would need 25 outbound is you're directly sending email to domains... Like netgate.com or gmail.com, etc.

                                        I would highly suggest against that..

So what are the details of what you're actually trying to accomplish, a webserver sending emails does not require an email server to be run on your box or on your network even..

I have a webserver running, it sends out even a daily newsletter to many different users on many different email domains.. It lets them know when their request has been approved, it lets them know when their request is available.. All via email - which does not have any such services running... It just uses an outside email account to send the emails.

                                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                                        If you get confused: Listen to the Music Play
                                        Please don't Chat/PM me for help, unless mod related
                                        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

raviktiwari @johnpoz

                                          @johnpoz Thanks for getting back to me and trying to rescue me again – I want to let you know I sincerely appreciate all your help and support.

                                          Let me try to answer all your question point wise and also give you some background info about my setup.

I use Virtualmin/Webmin (not sure if you have heard about them or used them ever), which in essence is an alternative to cPanel plus a lot more. Once you have installed ubuntu, you install Virtualmin using their script and it installs almost everything and gives you the entire Unix capability on a GUI. Almost every single command, setting and feature of Unix can be used using the GUI. As part of the script, it installs ClamAV, SpamAssassin, MySQL/Postgres, UFW, fail2ban and a lot more. Plus depending upon the package that you use, it can also help you install anywhere between 7 to 100 preconfigured opensource scripts in one click (like moodle, owncloud, SugarCRM, backup/restore and whatnot) and on top of that, it also leaves you with a bunch of unused modules for you to play with and install – if you want to (taking into consideration any conflict that you might create: like it installs postfix for you and if you try to install Sendmail as well, it will conflict so you need to sort it out). Plus their support team is as good as netgate support – seriously. You can also create and edit your own DKIM, DMARC, DNS, MX-Record, SSL (letsencrypt) and whatnot… trust me if you have some time, it is worth looking into it.

                                          Now here is the better part… it installs postfix and dovecot by default and I have used the Roundcube script as well (rather than squire mail).

So, at the end of my installation, I have a full-blown hosting server with an integrated mail server running along with it, on the same machine. This might sound a little odd or maybe risky to you but there are thousands if not millions of people using this service and it works. I have been using it for almost a year now and I have no complaints.

                                          Now, I host my own websites (4 of them, 2 being e-commerce site) so I need facilities like forgot password, send email or order placed and dispatched and so on… along with this, I also host websites for friends and family and I create email id for them like info@johnpoz.com, sales@johnpoz.com, support@johnpoz.com and whatever they need… so I along with my friends should be able to send and receive emails on these email ids using Roundcube or outlook/thunderbird. I have configured all my emails (almost 20 of them) on thunderbird and they are working without any issues.

I understand the risk and pain of using a personal mail server, but I would like to deal with it, handle the challenge and learn from it rather than paying google, Microsoft or Zoho… I have thought about running a mail server separately on a different server using tools like mail-in-a-box, but the issue is I will need 2 servers to be running 24x7, lose one more IP, then integrate both the servers, then manage and maintain both of them, secure them, pay for the electricity bill and so on. So if all can be done on 1 machine it will be a lot better, if not then 2 different servers for 2 different services is an option that I can consider.

Now coming to paying a 3rd party for mail service – my issue with that approach is: their cost seems reasonable for one email id per month, but when you need 10 of them on every domain that you have, the cost skyrockets and using alias email is not a good option. And to make it worse if I tell my friends that I will host their website for this “X” amount and emails for “Y” I am sure they will tell me that they can go to any cheap hosting provider where they will get email service for free.

                                          Coming to your last question/concern: I have a commercial internet and I have 5 static public IP (I am using 1 for home office internet connection, 1 for the production environment, 1 for the test environment, 1 for VMware environment (which I am struggling with and have raised a question in the firewalling group but no one has answered yet ☹ ) and 1 is free at the moment.
                                          I and my customers (friends & family) need to be able to send email to anyone and everyone and we can do that… I can send email to Microsoft, and google and netgate and yahoo and anyone you can think of and it goes fine, that’s not an issue.

                                          Now here is my issue:
                                          I am able to run this service using firewall Natting. Pls, see the screenshot below.

(screenshot: NATing.JPG)

                                          Now the issue is:
As soon as I open the ports, scammers get excited and they start hitting my server and because the port is opened pfsense allows the traffic in and then my server (UFW and fail2ban) has to deal with those requests to log in with wrong email id/password. Because I have a strong password, I have been fine until now but if I have a client who decides to keep his password: “password” then one day a scammer will get into my server and do what they actually want to do.
This also has a side effect on my server performance as the load increases, log file size increases; it went so bad one day that logwatch could not send me an email because the log file size went to 115 MB.

And my main gripe (based on my lack of knowledge/experience) is: I put pfsense in front of the server so that pfsense deals with the bad boys, therefore reducing any unnecessary load and protecting the performance of my server, but right now it seems that the whole purpose is defeated. If this is how it is supposed to run, I can simply connect my server to my router and port forward these ports on the router itself.

                                          I have a feeling that there should be some option around rules and not port forwarding that will allow me and my friends (who are not on my LAN/OPT1 port) to be able to send and receive emails - like OpenVPN (it works without natting and just on rules). Do you agree? Do you think getting these attacks from scammers is part of the game and I can get away with it? If that is the case what happens when a friend of mine keeps a password for one of his email ids as “password” (I know I can force it to use alphanumeric and special character and so on, but just in case the password is a dictionary word and gets cracked, then what will happen to my server and pfsense)?

Hope this clarifies my situation and gives you enough information to be able to assist me accordingly. In case you have any more questions pls do let me know.

                                          Many Thanks,
                                          Rav

Bob.Dig LAYER 8
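The post above describes exactly the traffic that fail2ban is meant to catch: repeated failed logins on the forwarded IMAP/SMTP ports. As an added illustration (not code from this thread, from fail2ban or from any pfSense package), the script below parses constructed log lines in the style of dovecot's imap-login and postfix/smtpd auth failures, applies a fail2ban-like maxretry/findtime sliding window, and renders the offenders one address per line, the plain-text format a pfSense URL Table alias can fetch so the firewall, not the mail server, drops the repeat offenders. The threshold values and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic) in the style of dovecot
# imap-login and postfix/smtpd auth-failure messages. Addresses come from
# the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24.
SAMPLE_LOG = """\
Mar  3 10:00:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS
Mar  3 10:00:04 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<sales@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS
Mar  3 10:00:09 mail postfix/smtpd[2310]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:00:15 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS
Mar  3 10:00:20 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<support@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS
Mar  3 10:01:00 mail dovecot: imap-login: Login: user=<rav@example.com>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10, TLS
Mar  3 10:02:30 mail postfix/smtpd[2311]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure
Mar  3 11:30:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@example.com>, method=PLAIN, rip=198.51.100.40, lip=192.0.2.10, TLS
"""

# Syslog-style prefix: month, day (possibly space padded), time. No year.
TIMESTAMP = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")
# dovecot reports the remote address as rip=...; a successful "Login:" line
# does not contain "auth failed" and so is not counted.
DOVECOT_FAIL = re.compile(r"dovecot: .*auth failed.*rip=(?P<ip>[0-9a-fA-F.:]+)")
# postfix/smtpd reports the client as hostname[address].
POSTFIX_FAIL = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL \w+ authentication failed")


def parse_auth_failures(log_text, year=2024):
    """Return a list of (timestamp, ip, service) for every failed login."""
    events = []
    for line in log_text.splitlines():
        m_ts = TIMESTAMP.match(line)
        if not m_ts:
            continue
        ts = datetime.strptime(m_ts.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        m, service = DOVECOT_FAIL.search(line), "dovecot"
        if not m:
            m, service = POSTFIX_FAIL.search(line), "postfix"
        if m:
            events.append((ts, m.group("ip"), service))
    return events


def offending_ips(events, maxretry=5, findtime=timedelta(minutes=10)):
    """fail2ban-style rule: an IP offends once it has >= maxretry failures
    inside any window of length findtime. Returns {ip: failures_in_window}."""
    by_ip = defaultdict(list)
    for ts, ip, _service in events:
        by_ip[ip].append(ts)
    offenders = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0  # left edge of the sliding window
        for end, t in enumerate(times):
            while t - times[start] > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                offenders[ip] = end - start + 1
                break
    return offenders


def alias_list(offenders):
    """One address per line: the shape a pfSense URL Table alias fetches, so
    the addresses can be blocked on WAN instead of reaching the mail server."""
    return "\n".join(sorted(offenders))


if __name__ == "__main__":
    found = offending_ips(parse_auth_failures(SAMPLE_LOG))
    print(alias_list(found))
```

Only 203.0.113.7 crosses the threshold in the sample: the single failure from 198.51.100.23 (which also logged in successfully) and from 198.51.100.40 stay below maxretry, which is the point of a window rather than a one-strike rule.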

So you have a lot of knowledge in regards to hosting and stuff, at least a lot more than I have. Have you tried pfBlockerNG and suricata? Dealing with bad guys is no out of the box experience and requires further work with those two packages.

If you want to receive email from the outside world (internet), there is no other way than to open port 25 to the public. If you just want to email inside a vpn, this is possible but still burdensome to set up for everybody.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.