Hello everyone

I installed a mailcow mail server some months ago. Everything worked well, but today I got a message from my VPS provider that my mail server was suspended due to spam activity. It was spam activity from an unauthorized user of my mail domain.

All spam messages were sent from “it@email.mydomain.com”.

I have set up my DNS with DKIM, DMARC and SPF like this: email.mydomain.com is the mailcow web interface and mydomain.com is the mail domain.

So my DNS config looks like this:

  • I created an “A” record with “email” and the IP

  • “CNAME” with “autoconfig” and “email.mydomain.com”

  • “CNAME” with “autodiscover” and “email.mydomain.com”

  • “MX” with @ and “email.mydomain.com” (Priority: 20)

  • “TXT” with @ and “=spf1 mx a -all”

  • DKIM with my key

  • “DMARC” v=DMARC1; p=quarantine;

So guys, can you help and give some advice on what I did wrong when setting up the mail server, or how my mail server was hacked by spammers?

I have never created this email user “it@email.mydomain.com”, and right now it doesn’t exist on my mail server.

Although “email.mydomain.com” is not a mail domain; it is just the web interface of my mail server. My mail domain is just “mydomain.com” without a subdomain.

I use mailcow docker-compose as the mail server on Ubuntu 20.04 with Nginx as a reverse proxy.

You should check your logs to see if the spam was actually sent from your SMTP server. If not, your VPS provider was a little bit too straightforward in concluding that the mail originated from your server. Did the provider give you logs or mail headers? Perhaps someone just used a reply-to address with your (wrong) subdomain. But anyone can do that and you cannot prevent that. That’s why there is DKIM, DMARC and SPF. And mail servers which are correctly configured use these techniques to detect and reject spam etc.
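Both the DNS list above and this reply lean on SPF and DMARC, so here is an added example (not from either poster and not mailcow code) of a small parser for the two record types. It checks the syntax a receiving server would require (the `v=spf1` / `v=DMARC1` version tag, a `p=` policy) and applies the DMARC rule that the `sp=` subdomain policy defaults to `p=` when it is absent, which is what makes a `p=quarantine` record on `mydomain.com` also cover mail claiming to be from `email.mydomain.com`. The record strings are the ones quoted in the thread; note that the SPF record as typed in the post lacks the `v=` prefix, which the parser rejects (an SPF TXT record is ignored by receivers without it).

```python
import re

# Qualifier (+ - ~ ?) is optional and defaults to "+"; a mechanism may carry
# ":value" (include:, ip4:, exists:) or "/cidr" (a/24, mx/24).
SPF_TERM = re.compile(r"^([+\-~?])?([a-z0-9]+)(?:[:/](.+))?$", re.IGNORECASE)
SPF_MECHANISMS = {"all", "ip4", "ip6", "a", "mx", "ptr", "exists", "include"}


def parse_spf(txt):
    """Return (mechanisms, modifiers) for an SPF TXT record, or raise ValueError."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: it must begin with v=spf1")
    mechanisms, modifiers = [], {}
    for term in terms[1:]:
        m = SPF_TERM.match(term)
        if m and m.group(2).lower() in SPF_MECHANISMS:
            qualifier, name, value = m.group(1) or "+", m.group(2).lower(), m.group(3)
            mechanisms.append((qualifier, name, value))
        elif "=" in term:  # modifiers such as redirect= and exp=
            key, _, value = term.partition("=")
            modifiers[key.lower()] = value
        else:
            raise ValueError(f"unknown SPF term: {term!r}")
    return mechanisms, modifiers


def parse_dmarc(txt):
    """Return the DMARC tags as a dict, filling in the sp= default (RFC 7489)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: it must begin with v=DMARC1")
    if "p" not in tags:
        raise ValueError("DMARC record has no p= policy")
    # Without an explicit sp=, the organisational domain's p= policy also
    # applies to its subdomains, e.g. email.mydomain.com under mydomain.com.
    tags.setdefault("sp", tags["p"])
    return tags


def subdomain_policy(dmarc_txt):
    """Policy a receiver applies to mail From: a subdomain of the record's domain."""
    return parse_dmarc(dmarc_txt)["sp"]


if __name__ == "__main__":
    # Record strings quoted in the thread (the SPF one is shown exactly as typed).
    print(parse_dmarc("v=DMARC1; p=quarantine;"))
    print(parse_spf("v=spf1 mx a -all"))
    try:
        parse_spf("=spf1 mx a -all")
    except ValueError as err:
        print("rejected:", err)
```

Keep in mind that SPF is per hostname: a record on `mydomain.com` says nothing about `email.mydomain.com`, so a receiver checking the MAIL FROM domain `email.mydomain.com` finds no SPF record there and falls back to DMARC and DKIM alone.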


    RobertVanWeersch
    Thanks for the reply,
    and sorry for the duplicate topic.

    Please see the screenshot.

    There are a lot of those messages from “it@email.mydomain.com”,
    but I use email.mydomain.com only as the SMTP server, and my mail domain (from which I send my mail) is just named mydomain.com.

    As you can see on the screenshot, the spammer sent emails from my SMTP address?? And the IP address is my local mailcow docker IP.
    How can it happen, and how can I prevent it in the future?
    Is there a way to deny all unauthorized users?

    If you do not know how to prevent your SMTP server from being an open relay, then you probably should not run your own mail server but should look at a hosted service.

      RobertVanWeersch

      Thanks for your reply.

      Can I ask you something?

      A few weeks ago I redirected incoming port 2525 to port 25 on my mailcow host server. I did it for one of my apps, which can’t send messages via the SSL port 465 but can send them without SSL (port 25 is usually blocked on home PCs).

      So can this redirect cause my issue?
      If I understood correctly, directly forwarding other ports to port 25 can be a reason why I got issues like an open relay?
      Although in any mail server test I never got an ‘open relay’ result.

        8 days later

        dmitrii The simple answer is yes. By improperly relaying or proxying SMTP you will open yourself up to a lot of pain.
        Depending on your proxy, when you relay a connection to a service like postfix, the service will see the client IP as the [local] relay address, effectively bypassing many important RBL / filtering rules needed to check the remote IP and block attacks.

        I personally use HAProxy to load-balance SMTP, so you can do it pretty easily, but it needs to be tested thoroughly before you consider opening any of your services up to the public.

        Packet captures (tcpdump / wireshark for example) often help to pick up connection issues before you go live. Yesterday I had a new public-facing IP I had set up for a new mail service. Only after doing a packet capture did I realise I had forgotten to add outbound routing (SNAT) rules for the new IP. All incoming connections were working flawlessly, but outbound traffic was defaulting to the routing IPs, not the new IP.

        PS: If your postfix SMTP server logs only show internal IP addresses as the source, for example, then you have a serious issue with your relay.
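        The symptom described twice in this thread (the screenshot showing the spammer's messages arriving from the local mailcow docker IP, and the PS just above about logs that only show internal source addresses) can be checked mechanically. Here is an added example, not from any poster and not part of mailcow, that reads postfix `smtpd`/`qmgr` log lines, ties each queue ID to its client address, SASL login and envelope sender, and flags submissions that arrive from a private/docker address without authentication or with a sender that is not a provisioned mailbox. The log lines, the address 172.22.1.1 (standing in for the docker-side address a port forward would present) and the mailbox list are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed postfix log excerpt: two unauthenticated sessions that reach smtpd
# from the docker-internal address (as a plain port forward would present them),
# plus one legitimate SASL-authenticated submission from a real client IP.
SAMPLE_LOG = """\
Jan 10 12:00:01 mail postfix/smtpd[1234]: connect from unknown[172.22.1.1]
Jan 10 12:00:02 mail postfix/smtpd[1234]: ABCDEF0001: client=unknown[172.22.1.1]
Jan 10 12:00:02 mail postfix/qmgr[1001]: ABCDEF0001: from=<it@email.mydomain.com>, size=2048, nrcpt=1 (queue active)
Jan 10 12:00:03 mail postfix/smtpd[1235]: connect from unknown[172.22.1.1]
Jan 10 12:00:03 mail postfix/smtpd[1235]: ABCDEF0002: client=unknown[172.22.1.1]
Jan 10 12:00:03 mail postfix/qmgr[1001]: ABCDEF0002: from=<it@email.mydomain.com>, size=2100, nrcpt=1 (queue active)
Jan 10 12:05:00 mail postfix/smtpd[1236]: connect from client.isp.example[203.0.113.7]
Jan 10 12:05:01 mail postfix/smtpd[1236]: ABCDEF0003: client=client.isp.example[203.0.113.7], sasl_method=PLAIN, sasl_username=alice@mydomain.com
Jan 10 12:05:01 mail postfix/qmgr[1001]: ABCDEF0003: from=<alice@mydomain.com>, size=900, nrcpt=1 (queue active)
"""

# smtpd logs "QUEUEID: client=host[ip]" and, for authenticated sessions, appends
# ", sasl_method=..., sasl_username=..."; qmgr logs the envelope sender per queue ID.
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=[^,]+, sasl_username=(?P<user>\S+))?"
)
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")

# Address ranges that should never be the *origin* of a submission: loopback and
# RFC 1918 space, which covers the default docker bridge networks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_sessions(log_text):
    """Map queue ID -> {ip, host, user, sender} from smtpd/qmgr lines."""
    sessions = {}
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            sessions[m["qid"]] = {"ip": m["ip"], "host": m["host"].strip(),
                                  "user": m["user"], "sender": None}
            continue
        m = FROM_RE.search(line)
        if m and m["qid"] in sessions:
            sessions[m["qid"]]["sender"] = m["sender"]
    return sessions


def audit(log_text, known_mailboxes):
    """Flag sessions that look like relayed/unauthenticated submissions."""
    sessions = parse_sessions(log_text)
    findings = {}
    for qid, s in sessions.items():
        reasons = []
        if s["user"] is None and is_internal(s["ip"]):
            reasons.append("unauthenticated submission from internal address")
        if s["user"] is None and s["sender"] and s["sender"] not in known_mailboxes:
            reasons.append("sender is not a provisioned mailbox")
        if reasons:
            findings[qid] = {"ip": s["ip"], "sender": s["sender"], "reasons": reasons}
    internal = sum(1 for s in sessions.values() if is_internal(s["ip"]))
    senders = Counter(s["sender"] for s in sessions.values() if s["sender"])
    return {"sessions": len(sessions), "internal_clients": internal,
            "findings": findings, "top_senders": senders.most_common(3)}


if __name__ == "__main__":
    # Constructed mailbox list: the only account that really exists on the server.
    report = audit(SAMPLE_LOG, {"alice@mydomain.com"})
    print(f"{report['internal_clients']} of {report['sessions']} sessions came from internal addresses")
    for qid, f in report["findings"].items():
        print(qid, f["ip"], f["sender"], "; ".join(f["reasons"]))
```

If `internal_clients` equals `sessions` on a server that is supposed to receive mail from the internet, every client is arriving through something that rewrites its address, which is exactly the relay problem the post above describes; the per-message findings are what to hand to the provider instead of a screenshot.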
