Linux - Security
This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Some people sent spoofed mails from our mail users to our users via Postfix/local, which is listed in maillog like below:
Apr 29 16:57:02 ns1 postfix/local[3075]: EC2153565E3: to=<user-mydomain.com@ns1.mydns.com>, orig_to=<user@mydomain.com>, relay=local, delay=486, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
But I do not know how to prevent these people from using my Postfix/local delivery part. How can I prevent this attack?
When I connect to my mail server to send or receive my mail, it looks like:
Apr 29 17:25:28 ns1 dovecot: pop3-login: Login: user=<user@mydomain.com>, method=PLAIN, rip=***.***.***.***, lip=***.***.***.***
....
Apr 29 17:25:55 ns1 dovecot: POP3(user@mydomain.com): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0....
Nothing personal, but you're unable to tell the difference between your smtp and pop3 daemon. I suggest you use one of the relay testers on the net to verify that you're not relaying. If you still are coming up as not an open relay then we need more examples to make a determination of what is happening and accurate logs from postfix, we really don't care what dovecot's pop3 is doing when you're talking about sending mail out.
I would assume that entry is simply postfix delivering to local for local delivery rather than relaying. There should be a log entry prior to this to tell you the IP the server is connected to.
Here's a relay test that you can use:
telnet rt.njabl.org 2500
For reference, you type that into a console on the machine you want to test, and port 25 needs to be forwarded to the machine if it's behind a firewall.
A total of 112 Impacts were seen during this listing. Last was 2009/05/04 10:11
Earliest date this IP can expire is 2009/06/01.
History:
2008/03/27 22:28 listed
2008/04/24 23:30 expired
2008/07/06 11:15 listed
2008/08/03 11:30 expired
2008/10/25 21:59 listed
2008/11/22 21:03 expired
2008/11/28 13:20 listed
2008/12/26 14:03 expired
2009/01/18 12:24 listed
2009/02/15 13:05 expired
2009/02/26 22:00 listed
When I saw this, I immediately checked maillog and saw there are suspect behaviours in the log..
(this is a little sample.. every day the events are the same.. I have been testing and searching for three days)
That is the log;
and when I search for any qmgr number, "for example: 177BB3580F2",
I see another log line;
Code:
May 4 10:13:16 ns1 postfix/smtp[18790]: 177BB3580F2: to=<goaled10@bbvacash-mx.com>, relay=none, delay=29981, status=deferred (connect to mail.alestra.net.mx[207.248.224.151]: Connection timed out)
So I noticed that my server really does send spam.. after more careful searching I caught the time while my server sends spam, and I immediately opened the Postfix mail queue from Virtualmin and saw outgoing spam mails; after opening any mail's content I noticed these mails' content is spam...
So I want to ask you:
1.) What is the meaning of the blank from=<>?
2.) How does my server send mail by itself?
3.) Which process triggers this mail sending process, and which log file helps show me the triggering process?
You're being an open relay right now.
You have to fix your main.cf big time.
First:
fix your myhostname, mydomainname, myorigin
Second:
fix your mynetworks=xxx.xxx.xxx.xxx/29,127.0.0.1
This right here is your biggest problem. You have to get rid of the xxx shit; just use 127.0.0.1/8.
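As an added example (not code posted by anyone in this thread), here is a Python script that answers question 3 above by correlating Postfix maillog lines per queue ID: the smtpd client= line or the pickup uid= line records who injected the message, the qmgr line carries the envelope sender (the blank from=<> asked about above), and the smtp line records each delivery attempt. The log lines are constructed for the example, and trusted_nets is an assumed placeholder standing in for the hosts you put in mynetworks.

```python
import re
from collections import defaultdict

# Constructed sample maillog (not from the thread): one message injected over SMTP by an outside client, one locally via pickup.
SAMPLE_LOG = """\
May  4 10:12:47 ns1 postfix/smtpd[18701]: 177BB3580F2: client=unknown[198.51.100.23]
May  4 10:12:47 ns1 postfix/qmgr[3012]: 177BB3580F2: from=<>, size=2310, nrcpt=1 (queue active)
May  4 10:13:16 ns1 postfix/smtp[18790]: 177BB3580F2: to=<someone@example.invalid>, relay=none, delay=29, status=deferred (connect to mx.example.invalid[203.0.113.9]: Connection timed out)
May  4 10:14:02 ns1 postfix/pickup[3011]: 2A1C43580F3: uid=48 from=<apache>
May  4 10:14:02 ns1 postfix/qmgr[3012]: 2A1C43580F3: from=<apache@ns1.mydns.com>, size=980, nrcpt=1 (queue active)
May  4 10:14:03 ns1 postfix/smtp[18791]: 2A1C43580F3: to=<victim@example.invalid>, relay=mx.example.invalid[203.0.113.9]:25, delay=1, status=sent (250 OK)
"""

# syslog prefix, postfix program name and pid, queue ID, rest of the line
LINE_RE = re.compile(r'^\w{3}\s+\d+ [\d:]+ \S+ postfix/(?P<prog>\w+)\[\d+\]: '
                     r'(?P<qid>[0-9A-F]+): (?P<rest>.*)$')

def correlate(log_text):
    """Group lines by queue ID, keeping who injected the message (smtpd client or
    pickup uid), the envelope sender (qmgr) and every delivery attempt (smtp)."""
    msgs = defaultdict(lambda: {"client": None, "uid": None, "sender": None, "deliveries": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e, prog, rest = msgs[m["qid"]], m["prog"], m["rest"]
        if prog == "smtpd" and (c := re.search(r'client=(\S+)', rest)):
            e["client"] = c[1]                      # hostname[ip] of the SMTP peer
        elif prog == "pickup" and (u := re.search(r'uid=(\d+)', rest)):
            e["uid"] = int(u[1])                    # local process that ran sendmail(1)
        elif prog == "qmgr" and (s := re.search(r'from=<([^>]*)>', rest)):
            e["sender"] = s[1]                      # '' is the blank from=<> (bounce sender)
        elif prog == "smtp" and (t := re.search(r'to=<([^>]*)>, relay=([^,]+), .*status=(\w+)', rest)):
            e["deliveries"].append((t[1], t[2], t[3]))
    return dict(msgs)

def origin(entry, trusted_nets=("127.",)):
    """'relay' = an SMTP client outside trusted_nets (assumed placeholder for mynetworks)
    handed it to smtpd, which is what an abused open relay looks like; 'local:<uid>' = a process on this host submitted it."""
    if entry["client"]:
        ip = entry["client"].rsplit("[", 1)[-1].rstrip("]")
        return "trusted-client" if ip.startswith(trusted_nets) else "relay"
    if entry["uid"] is not None:
        return f"local:{entry['uid']}"
    return "unknown"

def report(log_text):
    """Map each queue ID to (origin, envelope sender, list of delivery statuses)."""
    return {qid: (origin(e), e["sender"], [d[2] for d in e["deliveries"]])
            for qid, e in correlate(log_text).items()}
```

Run it over /var/log/maillog for the queue IDs you found in the queue: an origin of "relay" points at mynetworks/relay restrictions, while "local:<uid>" names the local account (for example a web server uid) whose process is submitting the mail.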