How can I use Warden to monitor outgoing mail so that my server does not get listed on any DNSBLs?

Best Practices To Secure Your Mail Server

  1. Make sure that you have Plesk outgoing limits enabled to limit any damage from a compromised email account. See here for more information.
  2. Make sure that your server has the Plesk ModSecurity packages installed, as a good ModSecurity ruleset can block some form spam. See here for more information.
  3. Enable the X-PHP-Originating-Script header so that Warden can track PHP-based mail properly. See here for more information.
  4. Juggernaut Firewall users can restrict outgoing SMTP access to specific countries to limit SMTP auth brute force attacks (for advanced users only). See here for more information.

Tracking Outgoing Mail Using Warden

Users can go to Warden -> Statistics -> Statistics Out to see which domains and mailboxes are sending out the most mail. Users can click on the columns to sort from greatest to least.

Statistics Out

Users can go to Warden -> Reports and choose the Domain -> Statistics -> Out or Mailbox -> Statistics -> Out report to see which domains and mailboxes are sending out the most mail. Users can click on the columns to sort from greatest to least.

Reports

Administrators can go to Warden -> Queue to monitor the outgoing mail queue. The recipient column will tell you the reason why a server rejected an email. You can click the magnifying glass next to the entry to view more details about a message in the queue. This is helpful in seeing which emails might be spam.

Queue

Users can go to Warden -> Logs -> Message log and choose out from the direction select list to view outgoing mail.

Message Log

Tracking Who Is Authenticating From the Command Line

If a high number of login attempts is shown, it is very likely accounts were compromised. Try identifying these accounts in the following way:

zgrep -h 'sasl_method' /var/log/maillog* | awk '{print $9}' | cut -d= -f2 | sort | uniq -c | sort -nr
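
The login count alone does not show where the logins come from. The following added example (not part of the original article) goes one step further and reports, per account, the number of SASL logins and the number of distinct client IPs, matching fields by name so the space-padded day of month that syslog writes on the 1st to 9th does not shift the result. The function names and the log lines are constructed for illustration; the log format assumed is the standard Postfix smtpd `client=host[ip], sasl_method=..., sasl_username=...` line.

```shell
#!/bin/sh
# Added example: summarise SASL logins per account from Postfix smtpd log lines.
# Reads log text on stdin; prints "logins distinct_ips username", busiest first.
# Real use (assumes GNU gzip): zcat -f /var/log/maillog* | sasl_summary
sasl_summary() {
    awk '
    /sasl_username=/ {
        user = ""; ip = ""
        for (i = 1; i <= NF; i++) {
            f = $i
            sub(/,$/, "", f)                       # drop the trailing comma
            if (f ~ /^sasl_username=/) {
                user = substr(f, 15)               # text after "sasl_username="
            } else if (f ~ /^client=/) {
                ip = f                             # client=hostname[ip] -> ip
                sub(/^.*\[/, "", ip); sub(/\].*$/, "", ip)
            }
        }
        if (user == "") next
        logins[user]++
        if (ip != "" && !((user, ip) in seen)) { seen[user, ip] = 1; ips[user]++ }
    }
    END { for (u in logins) printf "%d %d %s\n", logins[u], ips[u], u }
    ' | sort -k1,1nr -k3,3
}

# Constructed sample log lines (documentation IP ranges, made-up queue IDs).
# The first two lines use the padded single-digit day ("Jan  5").
sample_log() {
cat <<'EOF'
Jan  5 09:14:02 mail postfix/smtpd[2101]: 4F1A22C0: client=unknown[203.0.113.10], sasl_method=LOGIN, sasl_username=info@example.com
Jan  5 09:14:09 mail postfix/smtpd[2104]: 4F1A22C1: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=info@example.com
Jan 12 10:02:41 mail postfix/smtpd[3310]: 7B22A9F1: client=unknown[192.0.2.44], sasl_method=PLAIN, sasl_username=info@example.com
Jan 12 10:05:00 mail postfix/smtpd[3312]: 7B22A9F2: client=office.example.net[192.0.2.80], sasl_method=PLAIN, sasl_username=sales@example.com
Jan 12 10:06:13 mail postfix/smtpd[3312]: 7B22A9F3: client=office.example.net[192.0.2.80], sasl_method=PLAIN, sasl_username=sales@example.com
EOF
}

sample_log | sasl_summary
```

An account that authenticates from many different client IPs in a short period is a stronger sign of compromise than a high login count from a single address.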