Mail Server

The document discusses different components of an email system including the Mail User Agent (MUA), Mail Transfer Agent (MTA), and Mail Delivery Agent (MDA). It provides examples of popular MTAs like Exim, Sendmail, Postfix, and Qmail. It also discusses how a sample mail log works and what information each line provides. Finally, it covers email authentication using DKIM and SPF to help prevent spam.

Uploaded by

Vivek Kichusree

Mail User Agent

This is the part of the system that the user will be most familiar with. The Mail User Agent (MUA), or mail client, is the application that is used to write, send and read email messages. Anyone who has written and sent a message on any computer has used a Mail User Agent. Typical graphical MUAs on Linux are Evolution and KMail. For those who prefer a text-based mail client there are also the more traditional pine and mail tools.
Mail Transfer Agent

The Mail Transfer Agent (MTA) is the part of the email system that does much of the work of transferring email messages from one computer to another (either on the same local network or over the internet to a remote system). Once it is configured correctly, most users will not have any direct interaction with their chosen MTA unless they wish to reconfigure it for some reason. There are many choices of MTA available for Linux, including sendmail, Postfix, Fetchmail, Qmail and Exim.
Mail Delivery Agent

The Mail Delivery Agent (MDA) is another part of the infrastructure that is typically hidden from the user. It sits in the background and performs filtering on the email messages between the Mail Transfer Agent and the mail client (MUA). The most popular form of MDA is a spam filter, which removes unwanted email messages from the system before they reach the inbox of the user's mail client.
Different MTAs

• Exim
• Sendmail
• Postfix
• Qmail
MDA (Mail Delivery Agents)
MUA (Mail User Agents)
How a Mail Server Really Works
Sample mail log (Exim mainlog, four lines belonging to one message)

1: 2010-09-13 05:00:13 [1487] 1Ov4tU-0000Nz-Rm H=mailhost.domain.com [208.42.54.2]:51792 I=[67.215.162.175]:25 Warning: "SpamAssassin as theuser detected message as NOT spam (0.0)"
2: 2010-09-13 05:00:13 [1487] 1Ov4tU-0000Nz-Rm <= [email protected] H=mailhost.domain.com [208.42.54.2]:51792 I=[67.215.162.175]:25 P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=21778 [email protected] T="Daily Science Maillinglist: Chameleon" from for [email protected]
3: 2010-09-13 05:00:14 [1534] 1Ov4tU-0000Nz-Rm => user F= P= R=virtual_user T=virtual_userdelivery S=21902 QT=6s DT=0s
4: 2010-09-13 05:00:15 [1534] 1Ov4tU-0000Nz-Rm Completed QT=7s

The beginning of the line: each line starts with the date and time, immediately followed by the process ID (PID) of the Exim process handling the message: 1487. Then comes Exim's internal message ID: 1Ov4tU-0000Nz-Rm. The exigrep tool uses this ID to pull all log lines for a message out of the mainlog; on a busy mail server, log lines from the same e-mail may be spread out across the log file.

The first line: the next item on the first line starts with "H=". This specifies the hostname of the server that the mail originates from; next, in square brackets, is the IP address of that server, followed by the port number. "I=" looks similar, but describes your own mail server. A warning follows: SpamAssassin believes that this message is not spam.

The second line: the second line starts almost the same (with H and I), but before them the "<=" symbol is used. This indicates that the line describes the arrival of the message on your mail server. Immediately after this symbol is the e-mail address that the mail is being sent from. After H and I, the "P" abbreviation designates the protocol being used (here esmtps). Note that P only means this because it is on a "<=" line; on a "=>" line it would indicate the return path of the message.

X tells us the particular cipher suite that was used; this is usually not something you would be looking for when troubleshooting a mail issue. CV refers to the certificate verification status, and S is the size of the message. Next, "id" refers to the message ID that was created by the sending server and sent as one of the mail headers. T (for topic) is the subject of the e-mail. The line ends with "for [email protected]", letting us know just who the message is for.
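Reading four lines by hand is fine for one message; on a busy server you want what exigrep does, which is to pull every line for a message ID together. The Python below is an added example (not part of the original slides and not Exim's or exigrep's own code) that parses mainlog lines of the shape shown above, groups them by message ID and summarises the arrival, delivery and completion facts just discussed; the log text and addresses in it are constructed placeholders.

```python
import re
# Constructed sample modelled on the Exim excerpt above (placeholder addresses); a second message is interleaved.
SAMPLE_LOG = """\
2010-09-13 05:00:13 [1487] 1Ov4tU-0000Nz-Rm H=mailhost.domain.com [208.42.54.2]:51792 I=[67.215.162.175]:25 Warning: "SpamAssassin as theuser detected message as NOT spam (0.0)"
2010-09-13 05:00:13 [1487] 1Ov4tU-0000Nz-Rm <= sender@example.org H=mailhost.domain.com [208.42.54.2]:51792 I=[67.215.162.175]:25 P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=21778 id=abc123@example.org T="Daily Science Maillinglist: Chameleon" for user@example.com
2010-09-13 05:00:13 [1490] 1Ov4tV-0000Oa-Aa <= other@example.net H=relay.example.net [198.51.100.7]:4242 I=[67.215.162.175]:25 P=esmtp S=512 T="hello" for user@example.com
2010-09-13 05:00:14 [1534] 1Ov4tU-0000Nz-Rm => user F=<sender@example.org> P=<sender@example.org> R=virtual_user T=virtual_userdelivery S=21902 QT=6s DT=0s
2010-09-13 05:00:15 [1534] 1Ov4tU-0000Nz-Rm Completed QT=7s
"""
# date time, [pid], Exim message ID (three base-62 groups: 6-6-2), rest of the line
LINE_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(\d+)\] '
                     r'([0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) (.*)$')
# KEY=value items: value is a "quoted string", an <address>, an [ip]:port, or a bare token
KV_RE = re.compile(r'\b([A-Za-z]{1,2})=("(?:[^"\\]|\\.)*"|<[^>]*>|\[[^\]]*\](?::\d+)?|\S+)')
FLAGS = {'<=': 'arrival', '=>': 'delivery', '**': 'failed', '==': 'deferred', 'Completed': 'completed'}

def parse_line(line):
    """Split a mainlog line; the token after <= is the envelope sender, after => the recipient."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, pid, msgid, rest = m.groups()
    flag = FLAGS.get(rest.split(' ', 1)[0], 'info')
    party = rest.split(' ')[1] if flag not in ('info', 'completed') else None
    fields = {k: v.strip('"<>') for k, v in KV_RE.findall(rest)}
    recipient = re.search(r' for (\S+)$', rest)
    return {'ts': ts, 'pid': int(pid), 'msgid': msgid, 'flag': flag, 'party': party,
            'fields': fields, 'for': recipient.group(1) if recipient else None}

def group_by_message(log_text):
    """Like exigrep: gather each message's lines under its ID, even when messages interleave."""
    groups = {}
    for entry in filter(None, map(parse_line, log_text.splitlines())):
        groups.setdefault(entry['msgid'], []).append(entry)
    return groups

def summarize(entries):
    """Reduce one message's lines to the facts an operator checks first."""
    s = {'completed': False, 'deliveries': []}
    for e in entries:
        f = e['fields']
        if e['flag'] == 'arrival':
            s.update(sender=e['party'], src_host=f.get('H'), proto=f.get('P'), tls=f.get('X'),
                     cert_verified=f.get('CV'), size=int(f['S']), subject=f.get('T'), recipient=e['for'])
        elif e['flag'] == 'delivery':
            s['deliveries'].append((e['party'], f.get('T')))  # (recipient, transport)
        elif e['flag'] == 'completed':
            s['completed'], s['queue_time'] = True, f.get('QT')
    return s
```

Run summarize() on each value of group_by_message(SAMPLE_LOG) to see that the first message arrived over esmtps without certificate verification, was delivered by the virtual_userdelivery transport and completed after 7s, while the second message has no delivery or completion line yet.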
Postfix commands
View the Postfix version >> postconf mail_version
Mail queue >> mailq
To get the number of emails in the queue >> mailq | wc -l
To list the mail queue with queue IDs >> postqueue -p
To remove all mail from the queue >> postsuper -d ALL
To view the content of a queued mail >> postcat -q MAIL_ID
What is email authentication
Email authentication helps prevent spam emails by enabling DKIM and SPF.
DKIM is a means of verifying incoming email. It ensures that incoming messages are unmodified and come from the sender they claim to be from. This feature works to prevent incoming spam messages.
SPF, on the other hand, allows you to specify the servers and IP addresses that are authorised to send mail from your domain(s). This feature works to prevent outgoing spam messages. An SPF (Sender Policy Framework) record is a list of servers that are allowed to send e-mail from your domain.

When a server attempts to send spam using your domain name, the servers receiving the messages may check your domain name to see if it has an SPF record. If an SPF record is present in your domain's DNS zone file, the receiving server then checks whether the mail originated from a server or IP listed in the SPF record. If the mail came from an SPF-listed source, the message is processed normally. If the mail did not originate from a server in the SPF list, the message is rejected immediately per the receiving server's policies.

Example: domain.com. IN TXT "v=spf1 a mx ~all"

● domain.com – The domain that the SPF record applies to.
● IN TXT – The DNS zone record type. SPF records are written as TXT records.
● v=spf1 – Identifies the TXT record as an SPF record.
● a – Lists the domain's primary A record as approved to send e-mail.
● mx – Lists the domain's MX record(s) as approved to send e-mail.
● ~all – Signifies that this list is all inclusive, and no other servers are allowed to send e-mail per the SPF.
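As an added example (not part of the original slides), here is how a receiving server evaluates a record like the one above: a small SPF checker in Python that resolves the a, mx, ip4 and include mechanisms against a constructed stand-in for DNS (the DNS table, the shop.example domain and all hostnames and addresses are assumptions). It goes slightly beyond the text by distinguishing the softfail of "~all" from the hard fail of "-all" as RFC 7208 defines them, and by refusing a domain that publishes more than one SPF record.

```python
import ipaddress

# Constructed stand-in for DNS (assumed names and addresses); domain.com carries the
# page's example record. A real checker would query DNS for TXT, A and MX records.
DNS = {
    'domain.com':      {'TXT': ['v=spf1 a mx ~all'], 'A': ['198.51.100.10'], 'MX': ['mail.domain.com']},
    'mail.domain.com': {'A': ['198.51.100.25']},
    'shop.example':    {'TXT': ['v=spf1 ip4:203.0.113.0/24 include:domain.com -all']},
}
# RFC 7208 qualifiers: a mechanism written without one is "+", i.e. pass
QUALIFIERS = {'+': 'pass', '-': 'fail', '~': 'softfail', '?': 'neutral'}

def lookup(name, rtype):
    return DNS.get(name, {}).get(rtype, [])

def ip_in(ip, network):
    """True if ip lies in network; a bare address is treated as a /32 or /128."""
    return ip in ipaddress.ip_network(network, strict=False)

def check_spf(ip, domain, depth=0):
    """Evaluate domain's SPF record for sending address ip, left to right, and return the
    result of the first matching mechanism: none / pass / fail / softfail / neutral / permerror."""
    ip = ipaddress.ip_address(ip)
    records = [t for t in lookup(domain, 'TXT') if t.split() and t.split()[0] == 'v=spf1']
    if not records:
        return 'none'
    if len(records) > 1 or depth > 10:   # several SPF records, or a runaway include chain
        return 'permerror'
    for term in records[0].split()[1:]:
        result = QUALIFIERS.get(term[0], 'pass')
        mech = term[1:] if term[0] in QUALIFIERS else term
        name, _, arg = mech.lower().partition(':')
        if name == 'all':
            matched = True
        elif name in ('ip4', 'ip6'):
            matched = ip_in(ip, arg)
        elif name == 'a':   # any A record of the optional target, else of the domain itself
            matched = any(ip_in(ip, a) for a in lookup(arg or domain, 'A'))
        elif name == 'mx':  # any A record of any MX host of the domain
            matched = any(ip_in(ip, a) for mx in lookup(arg or domain, 'MX') for a in lookup(mx, 'A'))
        elif name == 'include':  # matches only if the included domain's own record passes
            matched = check_spf(ip, arg, depth + 1) == 'pass'
        else:
            return 'permerror'   # unknown mechanism; modifiers such as redirect= are not handled
        if matched:
            return result
    return 'neutral'   # no mechanism matched and no "all" term was present
```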
What is Email Spoofing
Email spoofing is using an email address as the sender when sending out spam or phishing emails without going through the email portal of that email account. Some senders do not require authentication such as a username and password because they connect via the LAN or from an external environment using Trojan horses.
Email works the same way: when a server sends an email message it specifies the sender, but this sender field can be specified or scripted to pretend to be an email address that you do not own.
Steps to be taken if your mail identity has been spoofed:
● Change your password immediately for all your email accounts.
● Enable sender filtering.
● Enable recipient filtering.
● Further, do not respond to any mails from the forged mail ID that contain personal information.
● Add to and update the block list regularly with the spammers' domain names or email addresses.

RBL (Real-Time Blackhole List) blacklisting check websites:
https://mxtoolbox.com/
https://www.talosintelligence.com/
How to Prevent Email Abuse
1. Password strength configuration >> Increase the minimum password strength for your users' mail accounts.
2. Enable cPHulk >> cPHulk protects your server against brute force attacks (a hacking method that uses an automated system to guess passwords). If you enable cPHulk, you decrease the chance that an attacker can use a brute force attack to gain access to your server's mail accounts.
3. SMTP restrictions >> If you enable the SMTP Restrictions feature, spammers cannot directly interact with remote mail servers or work around mail security settings. This feature restricts outgoing email connection attempts to the mail transfer agent (MTA), the mailman system user, and the root user. It forces both scripts and users to use Exim's sendmail binary, which helps to prevent direct access to the socket.
4. Tweak Settings in WHM
● Max hourly emails per domain >> This setting specifies the maximum number of emails that each domain can send per hour.
● Prevent "nobody" from sending mail >> This setting denies the nobody user the ability to send mail to a remote address.
● Maximum percentage of failed or deferred messages a domain may send per hour >> This setting lets you specify the maximum percentage of failed or deferred messages that a domain may send per hour.
5. PHP configuration >> If you configure PHP with suEXEC, mod_ruid2, or suPHP, you improve server security, because this configuration lets you know which users run which processes system-wide.
