Allow only know email accounts to send out mail

Use this forum if you have installed hMailServer and want to ask a question related to a production release of hMailServer. Before posting, please read the troubleshooting guide. A large part of all reported issues are already described in detail here.
Post Reply
charleso
New user
New user
Posts: 23
Joined: 2016-09-22 15:45

Allow only know email accounts to send out mail

Post by charleso » 2019-02-16 16:57

Please is there a way to allow only known email addresses on my server to send out emails?

The list of known email addressees is easy to get:

Code: Select all

select accountaddress from hm_accounts
If I can ensure that only these users can send out a mail, that would greatly reduce or ELIMINATE outbound SPAM from my server

Any help is welcome please.

Thanks.

User avatar
jimimaseye
Moderator
Moderator
Posts: 7824
Joined: 2011-09-08 17:48

Re: Allow only know email accounts to send out mail

Post by jimimaseye » 2019-02-16 17:22

Erm... enable authentication for sending 'to external' on all ip ranges?? :roll:

[Entered by mobile. Excuse my spelling.]
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

charleso
New user
New user
Posts: 23
Joined: 2016-09-22 15:45

Re: Allow only know email accounts to send out mail

Post by charleso » 2019-02-16 17:39

jimimaseye wrote:
2019-02-16 17:22
Erm... enable authentication for sending 'to external' on all ip ranges?? :roll:

[Entered by mobile. Excuse my spelling.]
Please which options should i set?
Capture.PNG

charleso
New user
New user
Posts: 23
Joined: 2016-09-22 15:45

Re: Allow only know email accounts to send out mail

Post by charleso » 2019-02-16 19:33

jimimaseye wrote:
2019-02-16 17:22
Erm... enable authentication for sending 'to external' on all ip ranges?? :roll:

[Entered by mobile. Excuse my spelling.]
This did not work

palinka
Senior user
Senior user
Posts: 558
Joined: 2017-09-12 17:57

Re: Allow only know email accounts to send out mail

Post by palinka » 2019-02-16 20:20

Somebody guessed a password? Look in your logs and find spam and see which account authenticated it.

User avatar
jimimaseye
Moderator
Moderator
Posts: 7824
Joined: 2011-09-08 17:48

Re: Allow only know email accounts to send out mail

Post by jimimaseye » 2019-02-17 00:19

https://www.hmailserver.com/documentati ... d_for_spam

[Entered by mobile. Excuse my spelling.]
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

User avatar
mattg
Moderator
Moderator
Posts: 19513
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Allow only know email accounts to send out mail

Post by mattg » 2019-02-17 00:32

For those following this thread

The default hMailserver settings are safe and appropriate for most users.
A poor password is ALWAYS the weakest link.

hMailserver in default mode does allow users to AUTH as a@example.com and then send mail from 'president@whitehouse.com' (or wahtever)

If the password for a@example.com is easily guessed, then your server will likely end up spewing spam.
Things like 'test@example.com' set with a password of 'test', OR 'admin@example.com' set with a password of 'admin' are unfortunately far too common and are VERY easily abused.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

charleso
New user
New user
Posts: 23
Joined: 2016-09-22 15:45

Re: Allow only know email accounts to send out mail

Post by charleso » 2019-02-17 11:11

I'm really in trouble now. All messages to my gmail are bouncing back!!!

..and messages i send from my gmail to my Hmailserver don't arrive anymore

Code: Select all

Your message did not reach some or all of the intended recipients.

Sent: Sun, 17 Feb 2019 10:07:41 +0100
Subject: Test message

The following recipient(s) could not be reached:

okwuagwucne@gmail.com
Error Type: SMTP
Remote server (172.217.197.27) issued an error.
hMailServer sent: .
Remote server replied: 550-5.7.1 This message does not have authentication information or fails to pass
550-5.7.1 authentication checks. To best protect our users from spam, the
550-5.7.1 message has been blocked. Please visit
550-5.7.1 https://support.google.com/mail/answer/81126#authentication for more
550 5.7.1 information. c25si3762621qtm.389 - gsmtp



hMailServer

User avatar
mattg
Moderator
Moderator
Posts: 19513
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Allow only know email accounts to send out mail

Post by mattg » 2019-02-18 00:54

Do this and post the results please
http://www.hmailserver.com/forum/viewto ... 20&t=30914
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

charleso
New user
New user
Posts: 23
Joined: 2016-09-22 15:45

Re: Allow only know email accounts to send out mail

Post by charleso » 2019-02-18 03:22

mattg wrote:
2019-02-18 00:54
Do this and post the results please
http://www.hmailserver.com/forum/viewto ... 20&t=30914

Code: Select all

2019-02-18   Hmailserver: 5.6.7-B2425

DOMAINS

   "Domain1.com" - ebxxxxxxx.com                  Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain2.com" - edxxxxxxx.com                  Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain3.com" - gsxxxx.com                     Enabled: True
      |- "Alias1.com" - maxx.gsxxxx.com
      |- "Alias2.com" - wwx.gsxxxx.com

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain4.com" - hoxxxxxxxxxxxxx.com            Enabled: True
      |- "Alias3.com" - maxx.hoxxxxxxxxxxxxx.com
      |- "Alias4.com" - wwx.hoxxxxxxxxxxxxx.com

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain5.com" - paxxxxxxxxxxxxxxxxxxx.com.ng   Enabled: True
      |- "Alias5.com" - maxx.paxxxxxxxxxxxxxxxxxxx.com.ng
      |- "Alias6.com" - wwx.paxxxxxxxxxxxxxxxxxxx.com.ng

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain6.com" - plxxxxxxxxxxxxxxxxxxxx.co.za   Enabled: True
      |- "Alias7.com" - maxx.plxxxxxxxxxxxxxxxxxxxx.co.za
      |- "Alias8.com" - wex.plxxxxxxxxxxxxxxxxxxxx.co.za

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting: !! ENABLED BUT NOT ACTIVATED!! 

   "Domain7.com" - plxxxxxxxxxxxxxxxxxxxx.com     Enabled: True
      |- "Alias9.com" - maxx.plxxxxxxxxxxxxxxxxxxxx.com
      |- "Alias10.com" - wwx.plxxxxxxxxxxxxxxxxxxxx.com

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain8.com" - raxxxxxxxxxxxxxx.com           Enabled: True
      |- "Alias11.com" - maxx.raxxxxxxxxxxxxxx.com
      |- "Alias12.com" - wex.raxxxxxxxxxxxxxx.com

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False
-----------------------------------------------------------------------------------------------

IP RANGES

IP: 127.0.0.1 - 127.0.0.1     Priority: 15     Name: My computer

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True                              Antivirus:   True !! ANTIVIRUS NOT CONFIGURED !!
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       - False
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: 0.0.0.0 - 255.255.255.255     Priority: 10     Name: Internet

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True                              Antivirus:   True !! ANTIVIRUS NOT CONFIGURED !!
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


------------------------------------------------------
AUTOBANNED Local Addresses:
    No entries

-----------------------------------------------------------------------------------------------

AUTOBAN
  Autoban Enabled: True       Max invalid logon attempts:      2
                              Minutes Before Reset:           60  (1.00 hours, 0.04 days)
                              Minutes to Autoban:          43200  (720.00 hours, 30.00 days)

There is a total of 448 auto-ban IP ranges.
-----------------------------------------------------------------------------------------------

INCOMING RELAYS
   No entries
-----------------------------------------------------------------------------------------------

MIRRORING         Disabled
-----------------------------------------------------------------------------------------------

PROTOCOLS

SMTP
GENERAL             DELIVERY                  RFC COMPLIANCE            ADVANCED
No. Connections:  0  No Retries:  3 Mins: 60   Plain Text:        False  Bind: 
                     Host: Alias5.com          Empty sender:       True  Batch recipients:   100
Max Msg Size:102400  Relay:-                   Incorrect endings:  True  Use STARTTLS:      True
                     (none entered)            Disc. on invalid:   True  Delivered-To hdr: False
                                               Max number commands:  10  Loop limit:           5
                                                                         Recipient hosts:     15
  Routes:
     No routes defined.

POP3
  No. Connections: 0

IMAP
 GENERAL                   PUBLIC FOLDERS                    ADVANCED
  No. Connections:   0      Public folder name: #Public       IMAP sort:  True
                                                              IMAP Quota: True
                                                              IMAP Idle:  True
                                                              IMAP ACL:   True
                                                              Delim: "."
-----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL                              SPAM TESTS              Score   SPAMASSASSIN
  Spam Mark:                  5       Use SPF:            True - 3    Use Spamassassin:   False
  Add X-HmailServer-Spam:     True    Check HELO host:    True - 2
  Add X-HmailServer-Reason:   True    Check MX records:  False    
  Add X-HmailServer-Subject: False    Verify DKIM:       False    

  Spam delete threshold: 50         Maximum message size: 1024

DNSBL ENTRIES:
   No entries

SURBL ENTRIES:
   No 'enabled' entries

GREYLISTING:
  Greylisting:  False

WHITELISTING
   No entries
-----------------------------------------------------------------------------------------------

ANTIVIRUS:  No application configured.

  Block Attachments: False
-----------------------------------------------------------------------------------------------

SSL CERTIFICATES
   Domain4.com
       Certificate: C:\Apps\Domain4.com\-\domain-crt.txt
       Private key: C:\Apps\Domain4.com\-\domain-key.txt
   PaperlessDomain5.com
       Certificate: C:\Apps\Domain5.com\-\domain-crt.txt
       Private key: C:\Apps\Domain5.com\-\domain-key.txt
   Domain6.com
       Certificate: C:\Apps\Domain4.com\-\domain-crt.txt
       Private key: C:\Apps\Domain4.com\-\domain-key.txt
   Domain8.com
       Certificate: C:\Apps\rsg\-\domain-crt.txt
       Private key: C:\Apps\rsg\-\domain-key.txt
-----------------------------------------------------------------------------------------------

SSL/TLS
             SSL 3.0 :  False
             TLS 1.0 :   True
             TLS 1.1 :   True
             TLS 1.2 :   True                Verify Remote SSL/TLS Certs:  False
SslCipherList  :

ECDHE-RSA-AES128-GCM-SHA256     - ECDHE-ECDSA-AES128-GCM-SHA256   - ECDHE-RSA-AES256-GCM-SHA384     
ECDHE-ECDSA-AES256-GCM-SHA384   - DHE-RSA-AES128-GCM-SHA256       - DHE-DSS-AES128-GCM-SHA256       
kEDH+AESGCM                     - ECDHE-RSA-AES128-SHA256         - ECDHE-ECDSA-AES128-SHA256       
ECDHE-RSA-AES128-SHA            - ECDHE-ECDSA-AES128-SHA          - ECDHE-RSA-AES256-SHA384         
ECDHE-ECDSA-AES256-SHA384       - ECDHE-RSA-AES256-SHA            - ECDHE-ECDSA-AES256-SHA          
DHE-RSA-AES128-SHA256           - DHE-RSA-AES128-SHA              - DHE-DSS-AES128-SHA256           
DHE-RSA-AES256-SHA256           - DHE-DSS-AES256-SHA              - DHE-RSA-AES256-SHA              
AES128-GCM-SHA256               - AES256-GCM-SHA384               - HIGH                            
!aNULL                          - !eNULL                          - !EXPORT                         
!DES                            - !3DES                           - !MD5                            
!PSK;                           
-----------------------------------------------------------------------------------------------

TCPIP PORTS                                         Connection Sec
               0.0.0.0         / 110   / POP3   -   StartTLS Optional   Cert: PaperlessDomain5.com
               0.0.0.0         / 143   / IMAP   -   StartTLS Optional   Cert: PaperlessDomain5.com
               0.0.0.0         / 465   / SMTP   -   SSL/TLS             Cert: PaperlessDomain5.com
               0.0.0.0         / 587   / SMTP   -   SSL/TLS             Cert: PaperlessDomain5.com
               0.0.0.0         / 993   / IMAP   -   SSL/TLS             Cert: PaperlessDomain5.com
               0.0.0.0         / 995   / POP3   -   SSL/TLS             Cert: PaperlessDomain5.com

    !! No SMTP Port 25 defined. Direct external SMTP inbound not possible !!

-----------------------------------------------------------------------------------------------

LOGGING      Logging Enabled: True

  Paths:-
    Current:  C:\Program Files (x86)\hMailServer\Logs\hmailserver_2019-02-18.log
    Error:    C:\Program Files (x86)\hMailServer\Logs\ERROR_hmailserver_2019-02-18.log
    Event:    C:\Program Files (x86)\hMailServer\Logs\hmailserver_events.log - Not present
    Awstats:  C:\Program Files (x86)\hMailServer\Logs\hmailserver_awstats.log
                        APPLICATION -    True
                        SMTP        -    True
                        POP3        -    True
                        IMAP        -    True
                        TCPIP       -    True
                        DEBUG       -      .
                        AWSTATS     -    True
-----------------------------------------------------------------------------------------------

SYSTEM TESTS

Database type: MSSQL

IPv6 support is available in operating system.

Backup directory C:\MailBK is writable.

Relative message paths are stored in the database for all messages.

-----------------------------------------------------------------------------------------------

HMAILSERVER.INI

[Directories]
Program folder:  C:\Program Files (x86)\hMailServer\
Database folder: C:\Program Files (x86)\hMailServer\Database
Data folder:     C:\Program Files (x86)\hMailServer\Data
Log folder:      C:\Program Files (x86)\hMailServer\Logs
Temp folder:     C:\Program Files (x86)\hMailServer\Temp
Event folder:    C:\Program Files (x86)\hMailServer\Events

[Database]
Type=              MSSQL
Username=          sa
PasswordEncryption=1
Port=              0
Server=            .
Internal=          0

[Settings]
DisableAUTHList=25
-----------------------------------------------------------------------------------------------

Generated by HMSSettingsDiagnostics v1.95, Hmailserver Forum.

User avatar
mattg
Moderator
Moderator
Posts: 19513
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Allow only know email accounts to send out mail

Post by mattg » 2019-02-18 03:56

You don't allow port 25 communication. Why not?

Please enable all logging in hmailserver, try to send a message to gmail
Wait until you get an error, and post a screen shot of the error, and ALL logs created
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

charleso
New user
New user
Posts: 23
Joined: 2016-09-22 15:45

Re: Allow only know email accounts to send out mail

Post by charleso » 2019-02-18 11:52

mattg wrote:
2019-02-18 03:56
You don't allow port 25 communication. Why not?

Please enable all logging in hmailserver, try to send a message to gmail
Wait until you get an error, and post a screen shot of the error, and ALL logs created
I ran this tool: LiveTcpUdpWatch.exe and monitored for a while, I saw so much inbound traffic on port 25 from unknown IP addresses. My mail server is typically NOT busy on Sundays, yet i was getting way over 10 inbound requests on port 25 per minute.

But i'll re-open it if it is required

charleso
New user
New user
Posts: 23
Joined: 2016-09-22 15:45

Re: Allow only know email accounts to send out mail

Post by charleso » 2019-02-18 13:56

I re-enabled port 25 and i am able to send mails to gmail

However i am still not receiving any email from gmail...

User avatar
jimimaseye
Moderator
Moderator
Posts: 7824
Joined: 2011-09-08 17:48

Re: Allow only know email accounts to send out mail

Post by jimimaseye » 2019-02-18 15:27

It's not imperative to be open IF you are collecting ALL external emails via pop3 (external download).

Are you?
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

charleso
New user
New user
Posts: 23
Joined: 2016-09-22 15:45

Re: Allow only know email accounts to send out mail

Post by charleso » 2019-02-18 19:25

jimimaseye wrote:
2019-02-18 15:27
It's not imperative to be open IF you are collecting ALL external emails via pop3 (external download).

Are you?
No, Most of my clients use IMAP

I stopped my firewall and ran a test, i was able to send and receive from all networks.

I restored the firewall, created an exception just for hMailServer, now all mails are working properly and the spam incidence has stopped.

User avatar
mattg
Moderator
Moderator
Posts: 19513
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Allow only know email accounts to send out mail

Post by mattg » 2019-02-19 00:51

To be honest I'm not sure that you understand what is required to run a mailserver

Incoming mail from another server comes to your server via SMTP on port 25
Other ways that incoming mail gets to your server is that the mail is delivered to another server, and then you connect to that server via External Account POP3, and download the mail

Mail coming from your mail clients to be on-sent will come to your server via SMTP, perhaps via port 25, but could also be any port that you set. This includes the standard port 465 and 587.

IMAP and POP3 connections to your server, are from mail clients connecting to YOUR server to download mail.

You having port 25 inactive will NOT stop you from sending mail to gmail or any other server

You should NOT add an exception to your firewall for hMailserver, you SHOULD however set exceptions for the ports used by hMailserver.

The spamming is unlikely to have been stopped by removing the firewall rules...in fact I'd expect the opposite to happen. The incoming connections on port 25 are likely to be mail being sent to your server. It may be SPAM, but it may also be legitimate mail. Unless you accept the connection, and test the messages you will never know.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

charleso
New user
New user
Posts: 23
Joined: 2016-09-22 15:45

Re: Allow only know email accounts to send out mail

Post by charleso » 2019-02-19 10:36

Thanks for the clarification.

Things are working properly now.
Mails are coming in as expected.

The spam mails have also stopped.

Post Reply