Empowering you with the knowledge to master Linux web hosting, DevOps and Cloud

 Linux Web Hosting, DevOps, and Cloud Solutions

Tag: Outgoing

Email sending limits and throttling – iRedmail free edition

iRedMail is:
1. A ZERO COST, fully fledged, full-featured mail server solution. All components are free and open source software
2. It support unlimited domains and email accounts.
2. SpamAssassin, ClamAV, SPF, DKIM, greylisting, whitelisting, blacklisting.
3. Stores mail accounts in your favorite backend: OpenLDAP, MySQL, MariaDB, PostgreSQL.
4. Supports major Linux distros

Throttling

iRedmail supports following level of throttling for email limits.
Global, per-domain and per-user throttling based on: max size of single message, number of max inbound/outbound messages per time unit.

iRedmail uses a component named iredpad for this. With iRedmail Pro version, you can configure these settings through GUI(iRedadmin panel). However they are not available through GUI for free version. The feature is enabled though we will have to modify them through database directly.

So the database is “iredapd” and table is “throttle”.

Here are some examples

1. Allow user `user@domain.com` to send 50 mails in 5 minutes (period=300):

INSERT INTO throttle (account, kind, priority, period, msg_size, max_msgs, max_quota) VALUES (‘user@domain.com’,’outbound’,100,300,0,50,0);

2. Set global limit of 500 mails per day and a maximum single mail size of 55MB

INSERT INTO throttle (account, kind, priority, period, msg_size, max_msgs, max_quota) VALUES (‘@.’,’outbound’,0,86400,57671680,500,0);

57671680 bytes = 55MB
86400 – 1 Day

# Technical details of throttle plugin
# ————-
#
# Currently you may throttle based on:
#
# – amount of mails sent over a given period of time
# – accumulated mail size sent over a given period of time
# – size of singe message
#
# Eg: You can enforce that user@domain.com does not send more than 1000 mails
# or 1GB of mail (whichever limit is hit first) in 5 minute.
#
# Possible throttling address:
#
# *) Full email address: user@domain.com
# *) Domain name (with a prefixed ‘@’): @domain.com
# *) Sub-domain name (with a prefixed ‘@.’): @.domain.com
# *) IP address: 192.168.1.1
# *) IP network: 192.168.1.*
# *) Catch-all for email address: ‘@.’ (note, the dot is required)
# *) Catch-all for IP address: ‘@ip’
#
# Priorities of different thorttle address (larger digital number has higher priority):
#
# *) email: 100 # e.g. ‘user@domain.com’. Highest priority
# *) wildcard_addr: 90 # e.g. `user@*`. used in plugin `amavisd_wblist`
# # as wildcard sender. e.g. ‘user@*`
# *) ip: 80 # e.g. 173.254.22.21
# *) wildcard_ip: 70 # e.g. 173.254.22.*
# *) cidr: 70 # e.g. 173.254.22.0/24
# *) domain: 60 # e.g. @domain.com
# *) subdomain: 50 # e.g. @.domain.com
# *) top_level_domain: 40 # e.g. @com, @org
# *) catchall: 0 # ‘@.’. Lowest priority

Please note that priority for global setting is 0 and priority of a single user is 100.

Blocking spoofed outgoing mails from your cPanel server

Spoofing is where the mail headers are manipulated to appear as if the mail comes from some other domain. When emails are set to be from an email address on your domain and bounce, they are sent to our servers, attempting to deliver themselves to that mailbox. Generally, you will never see these emails; however, if the email spoofer happens to configure the “From:” header to be a real email box, the bounce will come back to your mailbox and you will receive the email. There is a high chance that a very large number of spam message already sent from server. This can cause high load in the server and sometimes leads to the blacklist of your mail server IP address.

There are two ways in which a spoofed mail can be created.

1. Exploiting vulnerable form to mail scripts to send out spoofed mails through local mail agent.
2. Using stolen mail account login details to send spoofed mails through SMTP authentication.
Let’s look at a solution on how spoofing can be prevented in Exim mail servers commonly implemented in cPanel/WHM servers.

I. Blocking all un-authenticated spoofed outbound emails
1. Login to WHM >> EXIM CONFIGURATION MANAGER >> ADVANCED EDITOR

2. Add the following entry in the top using Add additional configuration setting:

domainlist remote_domains = lsearch;/etc/remotedomains

3. Add the following code under acl_not_smtp :

deny
condition = ${if ! match_domain{${domain:${address:$h_From:}}}{
+local_domains : +remote_domains}}
message = Sorry, you don’t have\
permission to send email from this server with a header that\
states the email is from ${lc:${domain:${address:$h_from:}}}.
accept

Here, the ACL will check for the presence of domain name part of the from address in either of the files – /etc/localdomains or /etc/remotedomains. If there is a mismatch, server will reject the email.

 

II. Blocking all authenticated spoofed outbound emails
1. WHM >> EXIM CONFIGURATION MANAGER >> ADVANCED EXIM EDITOR

2. Search for acl_smtp_data and add the following lines under it:

deny
authenticated = *
condition = ${if or {{ !eqi{$authenticated_id} {$sender_address} }\
{ !eqi{$authenticated_id} {${address:$header_From:}} }\
}\
}
message = Your FROM address ( $sender_address , $header_From )
must match your authenticated email user ( $authenticated_id ).
Treating this as a spoofed email.
Here, for all authenticated users, the rule will check whether the authenticated userid matches with the from address. If it matches, it will allow the email. Else, it will display the message “Your FROM must match your authenticated email user. Treating this as spoofed email”

 

PS: If the acl_smtp_data is mentioned as something else(like acl_smtp_data = check_message), locate check_message and add the above lines just under it.
IMPORTANT points to keep in mind
a. POP before SMTP won’t work with this setting. You will have to ask your customers to use the option – “My Server Requires Authentication” in the SMTP settings of their email client.
b. Username in the format user+domain.com will not work. They have to use user@domain.com instead.

Also your customer cannot change the from field to something other than original authentcated user. People use this method in Website Contact forms.

 

Setting SPF records

Another way to prevent spoofing is using SPF records. You must specify valid spf records for your domain, so that only the intended people or server can send mails on behalf of your domain name.

Powered by WordPress & Theme by Anders Norén