postfix logs (LinuxQuestions.org, Linux - Security: https://www.linuxquestions.org/questions/linux-security-4/postfix-logs-703589/)

ddaas 02-10-2009 06:13 AM

Hi there,
Yahoo has started blocking e-mails from our server.
It is possible that someone, somehow, is sending spam.
Please help me find what is sending spam from our server.

First, please explain the following logs to me (ourdomain is hosted on our server):

Code:

Feb  3 14:45:57 softexp postfix/smtpd[23394]: NOQUEUE: reject: RCPT from unknown[117.87.x.x]: 554 5.7.1 Service unavailable; Client host [117.87.x.x] blocked using sbl-xbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=117.87.x.x; from=<xyz@yahoo.com.au> to=<experienceoffice@ourdomain.ro> proto=ESMTP helo=<PC-200901111752>

Feb  3 14:45:58 softexp postfix/smtp[23424]: 56966AC86D: to=<xyz@yahoo.com.au>, relay=d.mx.mail.yahoo.com[66.196.82.7]:25, delay=7.6, delays=0/0.01/7.6/0, dsn=4.7.0, status=undeliverable (host d.mx.mail.yahoo.com[66.196.82.7] refused to talk to me: 421 4.7.0 [TS02] Messages from 80.96.148.194 temporarily deferred due to user complaints - 4.16.56.1; see http://postmaster.yahoo.com/421-ts02.html)

What I understand:
1. The client 117.87.x.x tries to connect to our server but is blocked (it is listed at Spamhaus). It tries to send from xyz@yahoo.com to experienceoffice@ourdomain.com.
Everything is OK till now.
2. What does the second line mean? Our server is trying to send to xyz@yahoo.com. Why? It is surely related to the first log line...
Is it because of some bounce message, or what?


Thank you

My Postfix restrictions are:

Code:

smtpd_helo_restrictions =
 reject_invalid_hostname

smtpd_sender_restrictions =
 reject_unknown_sender_domain,
 reject_non_fqdn_sender,
# warn_if_reject reject_unverified_sender
 reject_unverified_sender,
 permit

smtpd_recipient_restrictions =
# permit_mynetworks
 permit_sasl_authenticated
 reject_unauth_destination
# check_sender_access hash:/usr/local/etc/postfix/access_sender
 check_helo_access pcre:/usr/local/etc/postfix/helo_checks
 reject_non_fqdn_recipient
 reject_unknown_recipient_domain
 reject_unverified_recipient
 reject_rbl_client list.dsbl.org,
 reject_rbl_client sbl-xbl.spamhaus.org,
 reject_rhsbl_sender    dsn.rfc-ignorant.org
 permit


chort 02-11-2009 05:57 AM

Strangely it looks like your Postfix is accepting messages even though the RBL check happened after RCPT. That means even though the message is rejected, Postfix has accepted it, then sent a bounce later (really the only explanation that fits the logs). That's not standard behavior as far as I know.

What's the output of postconf -n?

ddaas 02-11-2009 07:39 AM

Quote:

Originally Posted by chort (Post 3439484)
Strangely it looks like your Postfix is accepting messages even though the RBL check happened after RCPT. That means even though the message is rejected, Postfix has accepted it, then sent a bounce later (really the only explanation that fits the logs). That's not standard behavior as far as I know.

What's the output of postconf -n?

Here is the output:


Code:

postconf -n
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debug_peer_list = dom1.com
html_directory = no
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
myhostname = mail.dom1.com
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_helo_restrictions = reject_invalid_hostname
smtpd_recipient_restrictions = permit_mynetworks  permit_sasl_authenticated  reject_unauth_destination check_sender_access hash:/usr/local/etc/postfix/access_sender check_helo_access pcre:/usr/local/etc/postfix/helo_checks reject_non_fqdn_recipient reject_unknown_recipient_domain reject_unverified_recipient reject_rbl_client list.dsbl.org, reject_rbl_client sbl-xbl.spamhaus.org, reject_rhsbl_sender    dsn.rfc-ignorant.org permit
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = reject_unknown_sender_domain, reject_non_fqdn_sender, reject_unverified_sender, permit
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/usr/local/etc/postfix/valias.txt
virtual_gid_maps = static:1000
virtual_mailbox_base = /var/spool/vmail
virtual_mailbox_domains = /usr/local/etc/postfix/vhost.txt
virtual_mailbox_maps = hash:/usr/local/etc/postfix/vmaps.txt
virtual_uid_maps = static:1000


What you are saying is exactly what I was thinking. But why and how can I solve it?
Thank you.

ddaas 02-11-2009 07:42 AM

Another interesting thing is that I get spam with forged sender addresses. They appear to come from our domains, but they come from remote servers.

So in main.cf I put after permit_sasl_authenticated:
check_sender_access hash:/usr/local/etc/postfix/access_sender

and in access_sender:

mydomain.com REJECT Message1
mydomain1.com REJECT Message2

Now I get Message1 and Message2 in the logs; it seems they are rejected, but I still receive them. It is very strange.
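The following is an added example, not code from this thread or from either poster; it serves both the question about the two log lines in the first post and the access_sender rejects in this one. It parses the two kinds of lines the thread shows and sorts them: NOQUEUE rejects are tagged by reason (DNSBL listing versus access-map message text), and postfix/smtp lines whose status is "deliverable" or "undeliverable" are flagged as address-verification probe results, which is how Postfix logs the outcome of a probe sent on behalf of reject_unverified_sender or reject_unverified_recipient (ordinary mail and bounces log "sent", "bounced" or "deferred" instead). It then pairs each probe with a reject whose envelope sender the probe went to within a short window, so the outbound traffic a receiving site sees from the server can be attributed. The first two sample lines are the thread's own excerpt (with its anonymised IPs); lines three and four, the function names and the 60-second window are my own constructions for illustration.

```python
"""Sort Postfix smtpd rejects and smtp delivery lines from a log excerpt.

Added example, not code from the thread. NOQUEUE rejects are tagged by reason,
and smtp lines with status 'deliverable'/'undeliverable' are marked as
address-verification probe outcomes (reject_unverified_*), which Postfix logs
differently from real mail and bounces ('sent', 'bounced', 'deferred').
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample input: lines 1-2 follow the thread's excerpt (IPs anonymised
# there); lines 3-4 are invented here and use documentation address ranges.
SAMPLE_LOG = """\
Feb  3 14:45:57 softexp postfix/smtpd[23394]: NOQUEUE: reject: RCPT from unknown[117.87.x.x]: 554 5.7.1 Service unavailable; Client host [117.87.x.x] blocked using sbl-xbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=117.87.x.x; from=<xyz@yahoo.com.au> to=<experienceoffice@ourdomain.ro> proto=ESMTP helo=<PC-200901111752>
Feb  3 14:45:58 softexp postfix/smtp[23424]: 56966AC86D: to=<xyz@yahoo.com.au>, relay=d.mx.mail.yahoo.com[66.196.82.7]:25, delay=7.6, delays=0/0.01/7.6/0, dsn=4.7.0, status=undeliverable (host d.mx.mail.yahoo.com[66.196.82.7] refused to talk to me: 421 4.7.0 [TS02] Messages from 80.96.148.194 temporarily deferred due to user complaints - 4.16.56.1; see http://postmaster.yahoo.com/421-ts02.html)
Feb  3 15:02:11 softexp postfix/smtpd[23501]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <spoof@mydomain.com>: Sender address rejected: Message1; from=<spoof@mydomain.com> to=<someone@mydomain.com> proto=ESMTP helo=<example.invalid>
Feb  3 15:03:40 softexp postfix/smtp[23510]: 7A1B2C3D4E: to=<someone@example.net>, relay=mx.example.net[203.0.113.5]:25, delay=1.2, delays=0.1/0.01/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

PROBE_STATUSES = {"deliverable", "undeliverable"}  # verify(8) probe outcomes

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
REJECT_RE = re.compile(
    TS + r" \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<client>\S+): "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) (?P<reason>.*?); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)
DELIVERY_RE = re.compile(
    TS + r" \S+ postfix/smtp\[\d+\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>[^,]+), .*?status=(?P<status>\w+)"
)


@dataclass
class Reject:
    when: datetime
    client: str
    sender: str   # envelope MAIL FROM, the address access maps and probes see
    rcpt: str
    kind: str     # "rbl", "sender_access", "recipient_access" or "other"
    detail: str   # DNSBL name, access-map message text, or the raw reason


@dataclass
class Delivery:
    when: datetime
    qid: str
    rcpt: str
    relay: str
    status: str
    is_probe: bool  # True when the line reports an address-verification probe


def classify_reason(reason: str):
    """Map the reject text to a coarse kind plus the interesting detail."""
    m = re.search(r"blocked using (\S+)", reason)
    if m:
        return "rbl", m.group(1).rstrip(";")
    m = re.search(r"Sender address rejected: (.*)", reason)
    if m:
        return "sender_access", m.group(1)
    m = re.search(r"Recipient address rejected: (.*)", reason)
    if m:
        return "recipient_access", m.group(1)
    return "other", reason


def _ts(text: str) -> datetime:
    # syslog timestamps carry no year; the default (1900) is fine for intervals
    return datetime.strptime(text, "%b %d %H:%M:%S")


def parse_log(text: str):
    """Return (rejects, deliveries) for the lines this example understands."""
    rejects, deliveries = [], []
    for line in text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            kind, detail = classify_reason(m["reason"])
            rejects.append(Reject(_ts(m["ts"]), m["client"], m["sender"], m["rcpt"], kind, detail))
            continue
        m = DELIVERY_RE.match(line)
        if m:
            deliveries.append(Delivery(_ts(m["ts"]), m["qid"], m["rcpt"], m["relay"],
                                       m["status"], m["status"] in PROBE_STATUSES))
    return rejects, deliveries


def correlate_probes(rejects, deliveries, window_s: int = 60):
    """Pair each probe with a reject whose envelope sender it was addressed to.

    A pair means the server opened an outbound connection to verify the sender of
    a message it refused anyway; the receiving site counts that traffic against us."""
    pairs = []
    for d in deliveries:
        if not d.is_probe:
            continue
        for r in rejects:
            if r.sender == d.rcpt and abs((d.when - r.when).total_seconds()) <= window_s:
                pairs.append((d.qid, d.rcpt, r.kind))
    return pairs


def summarize(text: str):
    rejects, deliveries = parse_log(text)
    return {
        "rejects_by_kind": dict(Counter(r.kind for r in rejects)),
        "access_map_messages": dict(Counter(r.detail for r in rejects if r.kind == "sender_access")),
        "probe_relays": dict(Counter(d.relay for d in deliveries if d.is_probe)),
        "real_deliveries": dict(Counter(d.status for d in deliveries if not d.is_probe)),
        "probes_for_rejected_senders": correlate_probes(rejects, deliveries),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real maillog by passing the file's contents to summarize(); the `probe_relays` count shows which remote sites receive verification probes from the server, and `probes_for_rejected_senders` shows how many of those probes were spent on mail that was refused at RCPT time anyway. Two points to keep in mind when reading the output: a NOQUEUE reject never gets a queue ID, so a message that is logged with an access-map text and still arrives must have been accepted in a different SMTP transaction (look for a postfix/smtpd line with a queue ID and a client= field around the same time); and check_sender_access, like the `sender` field above, examines the envelope MAIL FROM, not the From: header shown by the mail client, so a forged header address alone will not match the map.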

