Overview
When attempting to secure your server against spam, you might consider enabling the SMTP Restrictions option in WHM or, if you have the third-party ConfigServer Security & Firewall (CSF) plugin, its SMTP_BLOCK feature. This article explains how these two features affect the server. Both restrict outbound connections over the common SMTP ports (25, 465 and 587) to a small set of trusted local users, but there are some differences to be aware of.
Important Notice: If CSF is installed on the server, it is strongly recommended to use its SMTP_BLOCK feature instead of the SMTP Restrictions option within WHM. CSF removes firewall rules that are not explicitly defined in its own configuration files, so rules added by SMTP Restrictions can be lost when CSF restarts or reloads its rules. If only part of the rule set survives (for example, the RETURN rules that exempt the mail agent are removed while the REDIRECT rule remains), this can break all outbound mail.
SMTP Restrictions (within WHM)
The SMTP Restrictions feature is controlled through Web Host Manager. When it is enabled, only the root user, the mail agent and the Mailman service are allowed to make outgoing connections to ports 25, 465 and 587. A connection attempted by any other user is not dropped; it is redirected to the same port on the local server. You can see this for yourself here:
First the rules that are added to the firewall when this is enabled:
[root@test ~]# echo "nat table:" ; iptables -t nat --line-numbers -nL OUTPUT ; echo "filter table:" ; iptables -t filter --line-numbers -nL OUTPUT
nat table:
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587 owner GID match 990
2 RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587 owner GID match 12
3 RETURN tcp -- 0.0.0.0/0 127.0.0.1 multiport dports 25,465,587 owner UID match 202
4 RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587 owner UID match 0
5 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587
filter table:
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587 owner GID match 990
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587 owner GID match 12
3 ACCEPT tcp -- 0.0.0.0/0 127.0.0.1 multiport dports 25,465,587 owner UID match 202
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587 owner UID match 0
Reading these top to bottom, as the kernel does: in the nat table the first four rules RETURN (no translation) for the exempt owners, matched by the socket owner's UID or GID, and the fifth REDIRECT rule sends every other connection on those ports to the same port on the local machine. The filter table only ACCEPTs the same owners and contains no DROP, so the restriction is enforced entirely by the nat REDIRECT. Note also that rule 3 exempts UID 202 only for connections to 127.0.0.1.
Connecting as the root user:
[root@test ~]# telnet mx1.cpanel.net 25
Trying 208.74.121.68...
Connected to mx1.cpanel.net.
Escape character is '^]'.
220-mx1.cpanel.net ESMTP Exim 4.92 #2 Fri, 12 Apr 2019 05:40:18 -0500
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
Connecting as a normal user:
[user@test ~]$ telnet mx1.cpanel.net 25
Trying 208.74.121.68...
Connected to mx1.cpanel.net.
Escape character is '^]'.
220-test.server ESMTP Exim 4.91 #1 Fri, 12 Apr 2019 12:26:32 +0000
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
As you can see, telnet still reports "Connected to mx1.cpanel.net", but the banner now comes from the local Exim on test.server rather than from mx1.cpanel.net: the user's connection was redirected back to the server itself. This forces users to send any outgoing messages through the server's own mail agent.
This service is either enabled or disabled server wide and would affect all users on the server. You can manage this service either via the "SMTP Restrictions" option in WHM (Home >> Security Center >> SMTP Restrictions) or through "Tweak Settings" (Home >> Server Configuration >> Tweak Settings) on the "Mail" tab.
SMTP_BLOCK (within CSF)
SMTP_BLOCK is a CSF feature that serves the same purpose as WHM's SMTP Restrictions. When enabled, it adds its own chain of rules defining which users may create outgoing connections to ports 25, 465 and 587.
First, the rules that are added to the firewall:
[root@test ~]# iptables -nL SMTPOUTPUT
Chain SMTPOUTPUT (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587 owner GID match 989
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587 owner GID match 12
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587 owner UID match 202
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587 owner UID match 0
LOGDROPOUT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587
Note that iptables -nL does not display the in/out interface columns, so a rule that is restricted to an interface looks unconditional in this listing (the first ACCEPT above shows no owner match at all). Run iptables -vnL SMTPOUTPUT to see the interface columns before concluding that a rule matches all traffic. Whereas SMTP Restrictions redirects the connection back to the server, the SMTP_BLOCK feature rejects (and logs, via the LOGDROPOUT chain) the connection by default. You can see this behavior for yourself here:
Connecting as the root user:
[root@test ~]# telnet mx1.cpanel.net 25
Trying 208.74.121.68...
Connected to mx1.cpanel.net.
Escape character is '^]'.
220-mx1.cpanel.net ESMTP Exim 4.92 #2 Fri, 12 Apr 2019 07:31:24 -0500
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
Connecting as a normal user:
[user@test ~]$ telnet mx1.cpanel.net 25
Trying 208.74.121.68...
telnet: connect to address 208.74.121.68: Connection refused
It is important to note that SMTP_BLOCK is independent of SMTP Restrictions: even when SMTP Restrictions is disabled in WHM, users are still prevented from reaching external mail services as long as SMTP_BLOCK is enabled.
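The two rule sets above are easiest to compare by walking them the way the kernel does: the first matching rule wins, and the owner match is evaluated against the UID or effective GID of the process that opened the socket. The script below is an added example, not cPanel or CSF code. It parses the article's own nat OUTPUT listing for SMTP Restrictions and a constructed -vnL rendering of the CSF SMTPOUTPUT chain, then reports the outcome for a given user, port and destination. The constructed CSF listing assumes that the owner-less first ACCEPT rule is bound to the loopback interface (plain -nL hides the interface columns, so confirm this on your own server with iptables -vnL SMTPOUTPUT); the sample UIDs 1001 and destination 208.74.121.68 are also assumptions.

```python
"""Predict what happens to an outbound SMTP connection by walking the chains
the way the kernel does: first matching rule wins.  Added example, not cPanel
or CSF code.  WHM_NAT_OUTPUT is copied from the article; CSF_SMTPOUTPUT is a
constructed `-vnL` rendering that ASSUMES the owner-less first rule is bound
to the loopback interface (plain `-nL` hides the in/out columns)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

WHM_NAT_OUTPUT = """\
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587 owner GID match 990
2 RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587 owner GID match 12
3 RETURN tcp -- 0.0.0.0/0 127.0.0.1 multiport dports 25,465,587 owner UID match 202
4 RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587 owner UID match 0
5 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587
"""

CSF_SMTPOUTPUT = """\
Chain SMTPOUTPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * lo 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587 owner GID match 989
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587 owner GID match 12
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587 owner UID match 202
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587 owner UID match 0
0 0 LOGDROPOUT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587
"""


@dataclass
class Rule:
    target: str
    dports: frozenset[int]
    dest: str                  # "0.0.0.0/0" = any destination
    oif: Optional[str] = None  # None or "*" = any interface (or column not shown)
    uid: Optional[int] = None
    gid: Optional[int] = None


def parse_chain(listing: str) -> list[Rule]:
    """Parse `iptables -nL` / `-vnL` output, with or without --line-numbers."""
    rules: list[Rule] = []
    numbered = verbose = False
    for line in listing.strip().splitlines():
        parts = line.split()
        if parts[0] == "Chain":
            continue
        if parts[0] in ("num", "target", "pkts"):     # column header line
            numbered, verbose = "num" in parts, "pkts" in parts
            continue
        parts = parts[(1 if numbered else 0) + (2 if verbose else 0):]
        if verbose:
            target, _proto, _opt, _iif, oif, _src, dest, *rest = parts
        else:
            target, _proto, _opt, _src, dest, *rest = parts
            oif = None
        rule = Rule(target, frozenset(), dest, oif)
        i = 0
        while i < len(rest):
            if rest[i] == "dports":                    # "multiport dports 25,465,587"
                rule.dports = frozenset(int(p) for p in rest[i + 1].split(","))
                i += 2
            elif rest[i] == "owner" and rest[i + 2] == "match":  # "owner UID match N"
                setattr(rule, rest[i + 1].lower(), int(rest[i + 3]))
                i += 4
            else:
                i += 1
        rules.append(rule)
    return rules


def first_match(rules, *, uid, gid, dport, dest="208.74.121.68", oif="eth0",
                policy="ACCEPT") -> str:
    """Return the target of the first matching rule, else the chain policy.
    `gid` is the effective GID of the process that opened the socket: the
    owner match does not consult supplementary groups, so a user who is merely
    a member of the mail group is still caught unless the process runs with
    that GID."""
    for r in rules:
        if dport not in r.dports:
            continue
        if r.dest != "0.0.0.0/0" and r.dest != dest:
            continue
        if r.oif not in (None, "*") and r.oif != oif:
            continue
        if r.uid is not None and r.uid != uid:
            continue
        if r.gid is not None and r.gid != gid:
            continue
        return r.target
    return policy


def smtp_restrictions_outcome(uid, gid, dport=25, dest="208.74.121.68") -> str:
    """RETURN leaves the nat chain untranslated (connection goes out as-is);
    REDIRECT rewrites the destination to the same port on the local host."""
    t = first_match(parse_chain(WHM_NAT_OUTPUT), uid=uid, gid=gid, dport=dport, dest=dest)
    return "redirected-to-localhost" if t == "REDIRECT" else "allowed"


def smtp_block_outcome(uid, gid, dport=25, oif="eth0") -> str:
    """ACCEPT goes out; LOGDROPOUT is CSF's log-then-reject chain."""
    t = first_match(parse_chain(CSF_SMTPOUTPUT), uid=uid, gid=gid, dport=dport, oif=oif)
    return "allowed" if t == "ACCEPT" else "logged-and-rejected"


if __name__ == "__main__":
    for uid, gid in ((0, 0), (1001, 1001), (1001, 12), (202, 202)):
        print(uid, gid, smtp_restrictions_outcome(uid, gid), smtp_block_outcome(uid, gid))
    print("port 2525 under SMTP Restrictions:", smtp_restrictions_outcome(1001, 1001, dport=2525))
```

Two results are worth noticing. UID 202 is exempt under SMTP Restrictions only when it talks to 127.0.0.1; to an external host it is redirected like any other user. And a connection to a port outside the listed set (2525 here) falls through to the chain policy and is allowed by both features, which is why SMTP_PORTS matters when a smarthost listens on an alternate port.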
The SMTP_BLOCK feature has its own additional configuration options, which are set in the csf.conf file (usually located at /etc/csf/csf.conf). The "SMTP_ALLOWUSER" and "SMTP_ALLOWGROUP" variables define the users and groups that are allowed to bypass the restriction; use them to exempt specific accounts that genuinely need to send through an external server, and keep the lists short, since every entry can reach any external MTA on the listed ports. The "SMTP_PORTS" variable specifies which mail ports are restricted; this is useful if you relay through a smarthost on an alternate port and want that port covered as well. You can also redirect connections to the local server instead of rejecting them by enabling the "SMTP_REDIRECT" option. Changes take effect when the CSF rules are reloaded.
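As an added illustration of the settings just described (not CSF's shipped defaults, and not taken from the original article), the csf.conf fragment below exempts one hypothetical account, "smarthost", that relays through an external provider on port 2525, and extends the restricted port list so that the alternate port is covered for everyone else. The group names and the port number are assumptions for the example.

```ini
# /etc/csf/csf.conf - SMTP_BLOCK section (illustrative values, not defaults)

# Enable the feature at all.
SMTP_BLOCK = "1"

# Accounts allowed to open outbound SMTP connections themselves. "smarthost"
# is a hypothetical account that relays via an external provider; keep this
# list to the accounts that really need it.
SMTP_ALLOWUSER = "cpanel,smarthost"

# Groups allowed to bypass the block (effective GID of the sending process).
SMTP_ALLOWGROUP = "mail,mailman"

# Ports to restrict. 2525 is added so the smarthost's alternate submission
# port is covered for every other user as well.
SMTP_PORTS = "25,465,587,2525"

# 0 = reject and log (default behaviour described above);
# 1 = redirect to the local mail server instead, like WHM SMTP Restrictions.
SMTP_REDIRECT = "0"
```

After editing, reload the rules with csf -r and confirm the result with iptables -vnL SMTPOUTPUT: the new port should appear in every dports list, and the exempted account's UID should appear in an ACCEPT rule ahead of the final LOGDROPOUT rule.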
Please note that we do not provide technical support for CSF, which is developed by a third party. The behavior and availability of this feature may change without notice. If you have trouble with the SMTP_BLOCK feature, you may want to run the built-in CSF test script to confirm that the iptables modules it needs (such as the owner and multiport matches) are available. If CSF was installed with its standard installer, the script can be run with the following command:
/etc/csf/csftest.pl
Summary
While very similar in function, there are differences between the two features that can be confusing if you are not aware of them. Primarily, SMTP Restrictions redirects connections on the mail ports back to the local server, while SMTP_BLOCK rejects and logs them (unless SMTP_REDIRECT is enabled). Neither feature covers ports outside its configured list.
If you want to disable this kind of protection entirely, you need to ensure that both the SMTP_BLOCK and SMTP Restrictions features are disabled, since either one alone is enough to stop users reaching external mail servers.