LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 02-10-2009, 06:13 AM   #1
ddaas
Member
 
Registered: Oct 2004
Location: Romania
Distribution: Ubuntu server, FreeBsd
Posts: 453

Rep: Reputation: 30

Hi there,
Yahoo starts blocking e-mails from our server.
It is possible that someone/somehow is sending spams.
Please help me find what is sending spam from our server.

First please explain to me the following logs (ourdomain is hosted on our server):

Code:
Feb  3 14:45:57 softexp postfix/smtpd[23394]: NOQUEUE: reject: RCPT from unknown[117.87.x.x]: 554 5.7.1 Service unavailable; Client host [117.87.x.x] blocked using sbl-xbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=117.87.x.x; from=<xyz@yahoo.com.au> to=<experienceoffice@ourdomain.ro> proto=ESMTP helo=<PC-200901111752>

Feb  3 14:45:58 softexp postfix/smtp[23424]: 56966AC86D: to=<xyz@yahoo.com.au>, relay=d.mx.mail.yahoo.com[66.196.82.7]:25, delay=7.6, delays=0/0.01/7.6/0, dsn=4.7.0, status=undeliverable (host d.mx.mail.yahoo.com[66.196.82.7] refused to talk to me: 421 4.7.0 [TS02] Messages from 80.96.148.194 temporarily deferred due to user complaints - 4.16.56.1; see http://postmaster.yahoo.com/421-ts02.html)
What I understand:
1. the client 117.87.x.x tries to connect to our server but is blocked. (it is at spamhouse). It tries to send frm xyz@yahoo.com to experienceoffie@ourdomain.com.
Everything ok till now.
2. what does the second line means? Our server is tring to send to xyz@yahoo.com. Why? It is for sure related with the first log line...
It is because of some bounce message or what?


Thank you

my postfix restrictions are:

Code:
smtpd_helo_restrictions = 
 reject_invalid_hostname

smtpd_sender_restrictions =
 reject_unknown_sender_domain,
 reject_non_fqdn_sender,
# warn_if_reject reject_unverified_sender 
 reject_unverified_sender,
 permit

smtpd_recipient_restrictions = 
# permit_mynetworks 
 permit_sasl_authenticated 
 reject_unauth_destination
# check_sender_access hash:/usr/local/etc/postfix/access_sender
 check_helo_access pcre:/usr/local/etc/postfix/helo_checks
 reject_non_fqdn_recipient
 reject_unknown_recipient_domain
 reject_unverified_recipient
 reject_rbl_client list.dsbl.org,
 reject_rbl_client sbl-xbl.spamhaus.org,
 reject_rhsbl_sender    dsn.rfc-ignorant.org
 permit

Last edited by unSpawn; 02-10-2009 at 03:56 PM. Reason: Preserve 0-reply status
 
Old 02-11-2009, 05:57 AM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Strangely it looks like your Postfix is accepting messages even though the RBL check happened after RCPT. That means even though the message is rejected, Postfix has accepted it, then sent a bounce later (really the only explanation that fits the logs). That's not standard behavior as far as I know.

What's the output of postconf -n?
 
Old 02-11-2009, 07:39 AM   #3
ddaas
Member
 
Registered: Oct 2004
Location: Romania
Distribution: Ubuntu server, FreeBsd
Posts: 453

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by chort View Post
Strangely it looks like your Postfix is accepting messages even though the RBL check happened after RCPT. That means even though the message is rejected, Postfix has accepted it, then sent a bounce later (really the only explanation that fits the logs). That's not standard behavior as far as I know.

What's the output of postconf -n?
Here is the output:


Code:
 postconf -n
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debug_peer_list = dom1.com
html_directory = no
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
myhostname = mail.dom1.com
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_helo_restrictions = reject_invalid_hostname
smtpd_recipient_restrictions = permit_mynetworks  permit_sasl_authenticated  reject_unauth_destination check_sender_access hash:/usr/local/etc/postfix/access_sender check_helo_access pcre:/usr/local/etc/postfix/helo_checks reject_non_fqdn_recipient reject_unknown_recipient_domain reject_unverified_recipient reject_rbl_client list.dsbl.org, reject_rbl_client sbl-xbl.spamhaus.org, reject_rhsbl_sender    dsn.rfc-ignorant.org permit
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = reject_unknown_sender_domain, reject_non_fqdn_sender, reject_unverified_sender, permit
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/usr/local/etc/postfix/valias.txt
virtual_gid_maps = static:1000
virtual_mailbox_base = /var/spool/vmail
virtual_mailbox_domains = /usr/local/etc/postfix/vhost.txt
virtual_mailbox_maps = hash:/usr/local/etc/postfix/vmaps.txt
virtual_uid_maps = static:1000

What you are saying is exactly what I was thinking. But why and how can I solve it?
Thank you.
 
Old 02-11-2009, 07:42 AM   #4
ddaas
Member
 
Registered: Oct 2004
Location: Romania
Distribution: Ubuntu server, FreeBsd
Posts: 453

Original Poster
Rep: Reputation: 30
Another interesting thing is that I get spams with forged sender address. They come from our domains but from remote servers.

So in main.cf I put after permit_sasl_authenticated:
check_sender_access hash:/usr/local/etc/postfix/access_sender

and in access_sender:

mydomain.com REJECT Message1
mydomain1.com REJECT Message2

Now I get in logs Messae1 and Message2, it seems they are rejected but I still receive them. It is very strange..
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Problem rotating Postfix logs keyF Linux - Software 3 08-30-2006 07:56 AM
Emails rejected by Postfix is not showing in the logs andrewthk Linux - Networking 0 01-24-2006 12:48 AM
Mail logs + Postfix + SQL + etc... Sapient Linux - Software 1 01-06-2006 08:08 PM
Postfix Logs dawidson Linux - Newbie 1 12-28-2005 03:13 PM
Postfix send, but will not receive (or display in logs) jules_fraser Linux - Networking 0 01-01-2005 07:46 PM


All times are GMT -5. The time now is 02:52 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration