Block Anonymous SMTP Connections

G5 Cyber Security

2 weeks ago

TL;DR

This guide shows you how to stop email being sent through your server if someone tries to use it without logging in properly (using a username and password). This helps prevent spam and abuse.

Steps

Understand the Problem

Sometimes, people try to send emails through your server without having valid accounts. This is called anonymous SMTP relaying. It’s bad because:

It can get your server blacklisted as a spam source.
It wastes your server’s resources.
It can damage your reputation.

We will configure the server to only accept connections from authenticated users.

Identify Your Mail Server Software

The steps vary depending on what software you’re using. Common options include:

Postfix: Very popular, often used on Linux servers.
Sendmail: Older but still in use.
Exim: Another common choice for Linux.
Microsoft Exchange: Used in corporate environments.

If you’re not sure, ask your hosting provider or check your server documentation.

Postfix Configuration (Example)

These instructions are for Postfix. If you use different software, see the next section for general guidance.

Edit main.cf: Open the main configuration file with a text editor as root or using sudo.
```
sudo nano /etc/postfix/main.cf
```
Add/Modify Settings: Add these lines to your main.cf file (or modify them if they already exist):
```
smtpd_tls_auth_only = yes
```
```
smtp_sasl_auth_enable = yes
```
```
smtp_sasl_security_options = noanonymous
```
Restart Postfix: Apply the changes by restarting the service.
```
sudo systemctl restart postfix
```

General Guidance for Other Mail Servers

Most mail servers have similar settings. Look for options like:

Require Authentication: Enable a setting that forces users to log in before sending emails.
Disable Anonymous Relaying: Specifically turn off the ability to send emails without credentials.
TLS/SSL Encryption: Make sure you’re using TLS/SSL encryption for secure connections (this is important even with authentication).

Consult your mail server’s documentation for specific instructions.

Testing the Configuration

Try to Send an Email Without Authentication: Use a command-line email client (like telnet or openssl s_client) or a simple email program and try sending an email without providing a username and password. It should fail.
```
openssl s_client -starttls smtp -connect your.mail.server:25
```
Send an Email With Authentication: Now, send an email with valid credentials. This should succeed.
Check Logs: Examine your mail server’s logs for any errors or warnings related to authentication. The log location varies depending on the software (e.g., /var/log/mail.log for Postfix).

Firewall Considerations

Ensure your firewall allows connections on port 25 (SMTP), but consider restricting access to trusted IP addresses if possible.