#Wireshark ubuntu smtp sendmail install

I would like to send emails through an External SMTP Service (Yandex) with Sendmail on Ubuntu 18.04.3. I set everything up: External SMTP Service, Sendmail, hostname.

Postfix is the default SMTP service pre-installed on Ubuntu operating systems, and you are willing to use the Sendmail server on your system instead. First of all, remove the existing postfix installation on Ubuntu:

    sudo systemctl stop postfix
    sudo apt remove postfix && sudo apt purge postfix

Tcpdump is a useful tool for dumping packets off the network, either to a file or to the screen. It is generally available in the distro packaging repositories and is very well documented and tested for situations like this.

You can install tcpdump on the Ubuntu router (apt-get install tcpdump) and configure it to watch for SMTP traffic:

    # tcpdump -s0 -w/tmp/smtp_dump port 25
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

You can review the file for which hosts are sending SMTP traffic from another SSH session:

    # tcpdump -qr /tmp/smtp_dump

You can get more sophisticated output if you install Wireshark on your local machine and download the dump files, or use tshark at the SSH command line. SMTP traffic can be filtered in Wireshark using the built-in smtp filter. Alternatively, users can filter for the ports commonly used in SMTP traffic (i.e., 25, 587 and 465). SMTP is a text-based protocol designed to be limited to printable ASCII characters; this is accomplished using a request-response structure.

Warning: tcpdump will fill your disk in quick time if you have a lot of SMTP traffic, so review the size of the output file (ls -lh /tmp/smtp_dump) and stop the command with ctrl-c when you have a few MB of data to look at.

Interface options to tcpdump (-i eth0): if your router uses a different interface than eth0, then you might have to select it with the -i option, e.g.

    tcpdump -i bond0 -s0 -w/tmp/smtp_dump port 25

Mail can also be sent on ports 465 and 587 (465 has been revoked but may still be in use). Combined with abusing a proxy server, mail can even be sent on port 80 or 443 or 3128 (for squid) or many others.

Does your network have a single exit point to the internet? Do you have a firewall at that point? If you have multiple exit points, you should have firewalls on each. Set your firewalls to drop everything by default and allow through only the traffic you want. If you don't know what your normal traffic is, you can add a logging line to the end of your firewall rules so that everything that isn't already matched gets logged.

Even if you manage to block the traffic using the firewall, you will still want to track down and stop whatever is sending the mail. If you don't know what process is sending it, the mail could easily be a compromised system or an open proxy or a web form that some spammer is abusing. I wouldn't want one of those in my network.