LinuxQuestions.org > Linux - Security > How to prevent spoofing from Postfix/local part
(http://www.linuxquestions.org/questions/linux-security-4/how-to-prevent-spoofing-from-postfix-local-part-722506/)

nihal 04-29-2009 10:51 AM

How to prevent spoofing from Postfix/local part
 
Some people send spoofed mails from our mail users to our users through the Postfix/local part; it is listed in maillog like below:

Apr 29 16:57:02 ns1 postfix/local[3075]: EC2153565E3: to=<user-mydomain.com@ns1.mydns.com>, orig_to=<user@mydomain.com>, relay=local, delay=486, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)

But I do not know how to prevent these people from using my Postfix/local delivery part. How can I prevent this attack?

When I connect to my mail server to send or receive my mail, it looks like:
Apr 29 17:25:28 ns1 dovecot: pop3-login: Login: user=<user@mydomain.com>, method=PLAIN, rip=***.***.***.***, lip=***.***.***.***
....
Apr 29 17:25:55 ns1 dovecot: POP3(user@mydomain.com): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0....



But the attackers connect directly like below:

Apr 29 17:29:59 ns1 postfix/local[2456]: 3192E357FD9: to=<user-mydomain.com@ns1.mydns.com>, orig_to=<user@mydomain.com>, relay=local, delay=261, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
....
Apr 29 17:29:59 ns1 postfix/qmgr[2218]: 3192E357FD9: removed


Do you have any idea to solve this problem?

How can the spammer connect to the Postfix/local part? My mail server is not an open relay; I tested it.

rweaver 04-30-2009 04:51 PM

Nothing personal, but you're unable to tell the difference between your smtp and pop3 daemon. I suggest you use one of the relay testers on the net to verify that you're not relaying. If you still are coming up as not an open relay then we need more examples to make a determination of what is happening, and accurate logs from postfix; we really don't care what dovecot's pop3 is doing when you're talking about sending mail out.

billymayday 04-30-2009 05:27 PM

I would assume that entry is simply postfix delivering to local for local delivery rather than relaying. There should be a log entry prior to this to tell you the IP the server is connected to.

emetib 05-02-2009 12:30 PM

here's a relay test that you can use-
telnet rt.njabl.org 2500

rweaver 05-04-2009 09:37 AM

Quote:

Originally Posted by emetib (Post 3527843)
here's a relay test that you can use-
telnet rt.njabl.org 2500

For reference, you type that into a console on the machine you want to test, and port 25 needs to be forwarded to the machine if it's behind a firewall.

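What the relay testers mentioned above actually do is the exchange below: connect to port 25, give a MAIL FROM at a foreign domain, then a RCPT TO at another foreign domain, and look at the reply code. The following is an added example, not code from the thread and not Postfix code. `FakeSmtpd` is a constructed toy that implements only the relay decision a Postfix smtpd makes under `permit_mynetworks, reject_unauth_destination`; `MYDESTINATION`, the probe addresses and the simulated client IP 203.0.113.5 are assumptions. `probe_relay()` is the part you would point at a real server.

```python
"""Relay probe against an SMTP listener, with an in-process stand-in for Postfix.

Added example, not from the thread and not Postfix code. FakeSmtpd is a
CONSTRUCTED toy that implements only the relay decision a Postfix smtpd makes
with 'permit_mynetworks, reject_unauth_destination'; everything else is stubbed.
MYDESTINATION and the addresses are assumptions.
"""
import smtplib
import socketserver
import threading
from ipaddress import ip_address, ip_network

MYDESTINATION = {"mydomain.com", "ns1.mydns.com"}   # assumption: domains the server is final for


class FakeSmtpd(socketserver.StreamRequestHandler):
    mynetworks = []            # list of ip_network objects; set per run
    pretend_client = None      # simulation only: treat the connection as coming from this IP

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode("ascii"))

    def handle(self):
        client_ip = ip_address(self.pretend_client or self.client_address[0])
        self.reply("220 ns1.mydns.com ESMTP")
        while True:
            raw = self.rfile.readline()
            if not raw:
                break
            line = raw.decode("latin-1").rstrip("\r\n")
            verb = line.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                self.reply("250 ns1.mydns.com")
            elif verb == "MAIL":
                self.reply("250 2.1.0 Ok")            # the sender is not what decides relaying
            elif verb == "RCPT":
                rcpt = line.split(":", 1)[1].strip().strip("<>")
                domain = rcpt.rsplit("@", 1)[-1].lower()
                if domain in MYDESTINATION:            # reject_unauth_destination: we are final
                    self.reply("250 2.1.5 Ok")
                elif any(client_ip in net for net in self.mynetworks):   # permit_mynetworks
                    self.reply("250 2.1.5 Ok")
                else:
                    self.reply(f"554 5.7.1 <{rcpt}>: Relay access denied")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                break
            else:
                self.reply("250 2.0.0 Ok")


def probe_relay(host, port, mail_from="probe@example.net", rcpt_to="victim@example.org"):
    """Ask the server to accept mail from an outside sender to an outside recipient.
    250 on RCPT means this client may relay; 5xx means relaying is refused."""
    with smtplib.SMTP(host, port, local_hostname="probe.example", timeout=5) as smtp:
        smtp.ehlo_or_helo_if_needed()
        smtp.mail(mail_from)
        code, _ = smtp.rcpt(rcpt_to)
    return code


def run_probe(mynetworks, pretend_client=None):
    """Start the toy server with the given mynetworks and probe it over loopback."""
    handler = type("Handler", (FakeSmtpd,), {
        "mynetworks": [ip_network(n) for n in mynetworks],
        "pretend_client": pretend_client,
    })
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_relay("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # Probing from the box itself proves little: loopback is in mynetworks.
    print("loopback probe, mynetworks=127.0.0.0/8:", run_probe(["127.0.0.0/8"]))
    # What an outside client sees with an over-broad mynetworks vs a tight one.
    print("outside client, mynetworks=0.0.0.0/0:", run_probe(["0.0.0.0/0"], "203.0.113.5"))
    print("outside client, mynetworks=127.0.0.0/8:", run_probe(["127.0.0.0/8"], "203.0.113.5"))
```

The point of the `pretend_client` switch is the one rweaver makes: a probe run on the server itself arrives from 127.0.0.1, which is inside `mynetworks` and is therefore allowed to relay by design. A meaningful test has to come from an address outside `mynetworks`, which is why the external testers exist and why port 25 must reach the machine from the outside for them to work.
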
nihal 05-05-2009 02:08 AM

When I start "telnet rt.njabl.org 2500" it gives this error:
rt.njabl.org/2500: Name or service not known

But I want to describe my problem in more detail:

I am sharing the symptoms.

1. I looked at http://www.backscatterer.org and saw these messages:

Code:

A total of 112 Impacts were seen during this listing. Last was 2009/05/04 10:11
Earliest date this IP can expire is 2009/06/01.

History:2008/03/27 22:28 listed
2008/04/24 23:30 expired
2008/07/06 11:15 listed
2008/08/03 11:30 expired
2008/10/25 21:59 listed
2008/11/22 21:03 expired
2008/11/28 13:20 listed
2008/12/26 14:03 expired
2009/01/18 12:24 listed
2009/02/15 13:05 expired
2009/02/26 22:00 listed

When I saw this, I immediately checked maillog and saw that there are suspect behaviours in the log.
(This is a little sample; every day the events are the same. I have been testing and searching for three days.)
That is the log:

Code:

May  4 10:11:16 ns1 postfix/qmgr[22585]: 208313582F7: from=<>, size=3511, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: B73073573D5: from=<>, size=4174, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 6A21B357FE3: from=<>, size=19676, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 608DB3565C2: from=<>, size=5814, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: D0233358286: from=<>, size=4649, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: DFE6D357A5E: from=<>, size=2637, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: D6973357E8F: from=<>, size=7928, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: CBE3F3578A7: from=<>, size=4142, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: A5D06357AAF: from=<>, size=19281, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: A8520356E10: from=<>, size=3708, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 4A4E93578E3: from=<>, size=3538, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 177BB3580F2: from=<>, size=3568, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 10DAF357893: from=<>, size=2507, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 73C083573B4: from=<>, size=20001, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 7922335809A: from=<>, size=2559, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 38F5D357CB1: from=<>, size=3559, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 3B20B357598: from=<>, size=3527, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 3DEA5357C4A: from=<>, size=19171, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 32FB7357D4A: from=<>, size=7820, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 890673580F9: from=<>, size=3624, nrcpt=1 (queue active)

and when I search for any qmgr number (for example: 177BB3580F2)
I see another log line:

Code:

May  4 10:13:16 ns1 postfix/smtp[18790]: 177BB3580F2: to=<goaled10@bbvacash-mx.com>, relay=none, delay=29981, status=deferred (connect to mail.alestra.net.mx[207.248.224.151]: Connection timed out)

So I noticed that my server is indeed sending spam. After searching more carefully I caught the time while my server sends spam, and I immediately opened the postfix mail queue from virtualmin and saw outgoing spam mails; after opening any mail's content I noticed that these mails' content is spam...

So I want to ask you:

1.) What is the meaning of a blank from=<>?
2.) How does my server send mail by itself?
3.) Which process triggers this mail sending process, and which log file helps show me the triggering process?


My main.cf is attached.

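Two things in the thread are answered by the log itself once the lines are grouped by queue ID. billymayday's point: the `postfix/local` line is only the delivery step, and the `postfix/smtpd ... client=host[ip]` line with the same queue ID says which connection submitted the message. nihal's question 1: `from=<>` is the null envelope sender, which Postfix uses for bounces and other delivery status notifications; when the server accepts a message for a forged sender, fails to deliver it, and then mails a non-delivery notification to that forged address, the DSN leaves the box with `from=<>`, and that outbound DSN is exactly what backscatterer.org lists. Postfix ties the two together with a `postfix/bounce ...: <original id>: sender non-delivery notification: <bounce id>` line. The script below, an added example and not part of the thread, groups such lines and classifies each message. The log lines are constructed to match the thread's format; the IPs, queue IDs and domains, and the `LOCAL_DOMAINS` and `TRUSTED_NETS` values, are assumptions.

```python
"""Correlate Postfix log lines by queue ID to find where each message came from.

Added example, not from the thread. SAMPLE_LOG is CONSTRUCTED to mimic the
thread's log format; the queue IDs, IPs and domains are made up.
"""
import re
from ipaddress import ip_address, ip_network

LOCAL_DOMAINS = {"mydomain.com", "ns1.mydns.com"}   # assumption: domains this host accepts for
TRUSTED_NETS = [ip_network("127.0.0.0/8")]          # assumption: what mynetworks should contain

SAMPLE_LOG = """\
May  4 10:10:40 ns1 postfix/smtpd[18001]: 4F2A13579AB: client=unknown[198.51.100.23]
May  4 10:10:41 ns1 postfix/qmgr[22585]: 4F2A13579AB: from=<goaled10@bbvacash-mx.com>, size=3411, nrcpt=1 (queue active)
May  4 10:10:41 ns1 postfix/local[18010]: 4F2A13579AB: to=<nosuchuser@mydomain.com>, relay=local, delay=1, status=bounced (unknown user: "nosuchuser")
May  4 10:10:41 ns1 postfix/bounce[18011]: 4F2A13579AB: sender non-delivery notification: 177BB3580F2
May  4 10:11:16 ns1 postfix/qmgr[22585]: 177BB3580F2: from=<>, size=3568, nrcpt=1 (queue active)
May  4 10:13:16 ns1 postfix/smtp[18790]: 177BB3580F2: to=<goaled10@bbvacash-mx.com>, relay=none, delay=29981, status=deferred (connect to mail.alestra.net.mx[207.248.224.151]: Connection timed out)
May  4 10:12:00 ns1 postfix/smtpd[18020]: A8520356E10: client=unknown[203.0.113.77]
May  4 10:12:01 ns1 postfix/qmgr[22585]: A8520356E10: from=<promo@example.net>, size=3708, nrcpt=1 (queue active)
May  4 10:12:05 ns1 postfix/smtp[18030]: A8520356E10: to=<someone@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=5, status=sent (250 2.0.0 Ok)
May  4 10:14:00 ns1 postfix/smtpd[18040]: 3192E357FD9: client=localhost[127.0.0.1]
May  4 10:14:00 ns1 postfix/qmgr[22585]: 3192E357FD9: from=<user@mydomain.com>, size=900, nrcpt=1 (queue active)
May  4 10:14:01 ns1 postfix/local[18041]: 3192E357FD9: to=<user@mydomain.com>, relay=local, delay=1, status=sent (delivered to mailbox)
""".splitlines()

LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(<[^>]*>|[^,\s]+)")   # key=<addr> or key=value pairs


def _new():
    return {"client": None, "sender": None, "bounce_of": None, "deliveries": []}


def parse(lines):
    """Group log lines by queue ID into one record per message."""
    msgs = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                                   # not a per-message Postfix line
        prog, qid, rest = m["prog"], m["qid"], m["rest"]
        rec = msgs.setdefault(qid, _new())
        if prog == "smtpd" and rest.startswith("client="):
            ip = re.search(r"\[([0-9a-fA-F.:]+)\]", rest)
            rec["client"] = ip.group(1) if ip else None
        elif prog == "qmgr" and rest.startswith("from="):
            rec["sender"] = re.match(r"from=<([^>]*)>", rest).group(1)
        elif prog == "bounce" and "non-delivery notification: " in rest:
            child = rest.rsplit(": ", 1)[1]           # queue ID of the generated bounce
            msgs.setdefault(child, _new())["bounce_of"] = qid
        elif rest.startswith("to="):                   # local, smtp, virtual, pipe ...
            f = dict(FIELD_RE.findall(rest))
            rec["deliveries"].append(
                {"to": f["to"].strip("<>"), "relay": f.get("relay"), "status": f.get("status")}
            )
    return msgs


def _is_local(addr):
    return addr.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS


def _trusted(ip):
    return ip is not None and any(ip_address(ip) in net for net in TRUSTED_NETS)


def classify(msgs):
    """Map queue ID -> one-line finding for the cases the thread is about."""
    findings = {}
    for qid, rec in msgs.items():
        outbound = [d["to"] for d in rec["deliveries"] if not _is_local(d["to"])]
        if rec["sender"] == "" and rec["bounce_of"]:
            # Null sender plus a bounce-daemon parent: this is a DSN. If the message
            # it bounces came from an untrusted client and the DSN goes off-site,
            # the server is emitting backscatter to a (probably forged) sender.
            origin = msgs.get(rec["bounce_of"], _new())["client"]
            if outbound and not _trusted(origin):
                findings[qid] = (f"backscatter: bounce of {rec['bounce_of']} (client {origin}) "
                                 f"sent to forged sender {outbound[0]}")
        elif outbound and rec["client"] and not _trusted(rec["client"]):
            findings[qid] = (f"open relay: untrusted client {rec['client']} sent "
                             f"<{rec['sender']}> to {outbound[0]}")
        elif rec["deliveries"] and not outbound:
            findings[qid] = f"local delivery; submitted by client {rec['client'] or 'unknown'}"
    return findings


def report(lines=SAMPLE_LOG):
    return classify(parse(lines))


if __name__ == "__main__":
    for qid, finding in report().items():
        print(qid, finding)
```

Run it over a real maillog with `report(open("/var/log/maillog").readlines())` after setting `LOCAL_DOMAINS` and `TRUSTED_NETS` for the host. Messages with no `smtpd client=` line at all were not received over SMTP; they came from `sendmail(1)` or `pickup`, which on a shared web host usually means a script on the box, and the queue file's `X-Original-To`/`Received` headers are the next place to look.
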
emetib 05-05-2009 11:38 AM

you're being an open relay right now.
you have to fix your main.cf big time.

first-
fix your myhostname mydomainname myorigin

second-
fix your mynetworks=xxx.xxx.xxx.xxx/29,127.0.0.1
this right here is your biggest problem. you have to get rid of the xxx shit, just use 127.0.0.1/8

uncomment your relayhost and have it empty

start with that.

do you have a hostname? a domain name?

nihal 05-06-2009 04:08 AM

So I changed the mynetworks value like below:

Code:

mynetworks=127.0.0.1/8

I changed

Code:

myhostname=ns1.mydomain.com

like this. But what is the meaning of this?

And I opened

Code:

relayhost=

with an empty value. But what is the meaning of this?

Sorry, my English is not good.

What must I do now?

billymayday 05-06-2009 04:39 AM

Relayhost is simply the next port of call for non-local deliveries.

emetib 05-06-2009 11:10 AM

myorigin = $mydomain
mydomain = domainname http://en.wikipedia.org/wiki/Domain_name
myhostname = fqdn http://en.wikipedia.org/wiki/FQDN

do you have a registered domain name?
if you don't have an FQDN, you won't be able to set this up.

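The settings emetib's two posts go through (`myhostname`, `mydomain`, `myorigin`, `mynetworks`, `relayhost`) can be checked mechanically. The script below is an added example, not from the thread and not Postfix code; the two main.cf texts are constructed, the first modelled on the weak settings the thread describes and the second on the corrected ones, and the domain names are placeholders. Two caveats it encodes: `mynetworks` is the list of clients that `permit_mynetworks` lets relay anywhere, so any entry that covers public address space turns the server into an open relay for that space; and `127.0.0.1/8` has non-zero host bits, which Postfix accepts but warns about in the log, so the network address `127.0.0.0/8` is the form to write. Relay control lives in `smtpd_recipient_restrictions` on 2009-era Postfix and in `smtpd_relay_restrictions` from Postfix 2.10 on; the audit looks at whichever is set and treats both unset as the safe default.

```python
"""Audit a Postfix main.cf for the relay-related settings discussed in the thread.

Added example, not from the thread or from Postfix. Both main.cf texts are
CONSTRUCTED; domain names are placeholders.
"""
import re
from ipaddress import ip_network

WEAK_MAIN_CF = """\
# constructed: loosely modelled on the thread's settings
myhostname = ns1
mydomain = mydomain.com
myorigin = $mydomain
mynetworks = 0.0.0.0/0, 127.0.0.1/8
#relayhost =
"""

FIXED_MAIN_CF = """\
# constructed: the corrected form
myhostname = ns1.mydomain.com
mydomain = mydomain.com
myorigin = $mydomain
mynetworks = 127.0.0.0/8
relayhost =
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
"""

GUARDS = ("reject_unauth_destination", "defer_unauth_destination")


def parse_main_cf(text):
    """Parse 'key = value' lines; a line starting with whitespace continues the previous value."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key:
            params[key] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        key = key.strip()
        params[key] = value.strip()
    return params


def expand(params, value, depth=0):
    """Resolve $name references the way Postfix does (myorigin = $mydomain)."""
    if depth > 10:
        return value
    return re.sub(r"\$\{?(\w+)\}?",
                  lambda m: expand(params, params.get(m.group(1), ""), depth + 1), value)


def _guarded(restrictions):
    """True if the list rejects unauthorised destinations before any bare 'permit'."""
    for i, r in enumerate(restrictions):
        if r in GUARDS:
            return "permit" not in restrictions[:i]
    return False


def audit(text):
    p = parse_main_cf(text)
    findings = []
    hostname = expand(p, p.get("myhostname", ""))
    if "." not in hostname:
        findings.append(f"myhostname {hostname!r} is not an FQDN; use host.domain.tld")
    for entry in re.split(r"[,\s]+", expand(p, p.get("mynetworks", "127.0.0.0/8")).strip()):
        if not entry:
            continue
        try:
            net = ip_network(entry)                  # strict: host bits must be zero
        except ValueError:
            findings.append(f"mynetworks entry {entry} has non-zero host bits; Postfix warns "
                            f"about this, write the network address (127.0.0.0/8)")
            continue
        if net.prefixlen == 0 or not (net.is_private or net.is_loopback):
            findings.append(f"mynetworks entry {entry} trusts public addresses: every client "
                            f"in it may relay through permit_mynetworks")
    lists = [re.split(r"[,\s]+", expand(p, p[k]).strip())
             for k in ("smtpd_relay_restrictions", "smtpd_recipient_restrictions") if k in p]
    if lists and not any(_guarded(l) for l in lists):
        findings.append("relay restrictions never reject unauthorised destinations before a "
                        "bare permit: add reject_unauth_destination")
    if p.get("relayhost"):
        findings.append(f"relayhost={p['relayhost']}: all non-local mail is handed to that host")
    return findings


if __name__ == "__main__":
    for name, cf in (("weak", WEAK_MAIN_CF), ("fixed", FIXED_MAIN_CF)):
        print(name, audit(cf) or ["no findings"])
```

Usage on a live box is `audit(open("/etc/postfix/main.cf").read())`, but note that it reads only main.cf; `postconf -n` shows the effective values and is the better input when settings are split across files. An empty `relayhost` means Postfix delivers directly to each recipient domain's MX, which is what billymayday describes and is not a problem in itself.
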
