[SOLVED] Mail Server Getting Hammered. Am I Sending Spam?
I had an account get compromised a couple days ago, now my mailq is flush with spam coming in addressed from my domain. I can't quite tell if it's actually going through.
Code:
Sep 24 11:07:12 mail postfix/qmgr[19325]: 9EA88221D73: from=<4r1ll@mydomain.com>, size=2891, nrcpt=10 (queue active)
mail:/etc/postfix# cat /var/log/mail.log |grep pbdh@mydomain.com
Sep 24 10:57:44 mail postfix/qmgr[19325]: 604C1220F64: from=<pbdh@mydomain.com>, size=2897, nrcpt=10 (queue active)
Sep 24 11:35:00 mail amavis[28299]: (28299-01-34) ESMTP::10024 /var/lib/amavis/tmp/amavis-20140924T113202-28299: <pbdh@mydomain.com> -> <unwound@bagozzi.com.br>,<unwritten@bagozzi.com.br>,<unwound@facinter.br>,<unwritten@facinter.br>,<unwound@faculdadepitagoras.com.br>,<unwound@opet.com.br>,<unwound@unibrasil.com.br>,<unwound@uniexp.edu.br>,<unworthy@utp.br>,<unwound@utp.br> SIZE=2897 Received: from mail.mydomain.com ([127.0.0.1]) by localhost (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP; Wed, 24 Sep 2014 11:35:00 -0400 (EDT)
Sep 24 11:35:00 mail amavis[28299]: (28299-01-34) Checking: oQ5OxjnsmPdd [198.143.128.138] <pbdh@mydomain.com> -> <unwound@bagozzi.com.br>,<unwritten@bagozzi.com.br>,<unwound@facinter.br>,<unwritten@facinter.br>,<unwound@faculdadepitagoras.com.br>,<unwound@opet.com.br>,<unwound@unibrasil.com.br>,<unwound@uniexp.edu.br>,<unworthy@utp.br>,<unwound@utp.br>
Sep 24 11:35:00 mail amavis[28299]: (28299-01-34) cached 1597092b8b64737f3c51686f07db45d4 from <pbdh@mydomain.com> (1,1)
Sep 24 11:35:00 mail postfix/qmgr[19325]: B00E81498EC: from=<pbdh@mydomain.com>, size=3301, nrcpt=10 (queue active)
Sep 24 11:35:00 mail amavis[28299]: (28299-01-34) FWD via SMTP: <pbdh@mydomain.com> -> <unwound@bagozzi.com.br>,<unwritten@bagozzi.com.br>,<unwound@facinter.br>,<unwritten@facinter.br>,<unwound@faculdadepitagoras.com.br>,<unwound@opet.com.br>,<unwound@unibrasil.com.br>,<unwound@uniexp.edu.br>,<unworthy@utp.br>,<unwound@utp.br>, 250 2.0.0 Ok, id=28299-01-34, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as B00E81498EC
Sep 24 11:35:00 mail amavis[28299]: (28299-01-34) Passed CLEAN, [198.143.128.138] [198.143.128.138] <pbdh@mydomain.com> -> <unwound@bagozzi.com.br>,<unwritten@bagozzi.com.br>,<unwound@facinter.br>,<unwritten@facinter.br>,<unwound@faculdadepitagoras.com.br>,<unwound@opet.com.br>,<unwound@unibrasil.com.br>,<unwound@uniexp.edu.br>,<unworthy@utp.br>,<unwound@utp.br>, mail_id: oQ5OxjnsmPdd, Hits: -87.587, size: 2893, queued_as: B00E81498EC, 246 ms
Sep 24 11:35:21 mail postfix/local[28286]: B66EC149B14: to=<pbdh@mydomain.com>, relay=local, delay=0.02, delays=0.02/0/0/0, dsn=5.1.1, status=bounced (unknown user: "pbdh")
My server can hardly keep up, and I'm seeing things in the mailq that look like:
Code:
delivery temporarily suspended: host vip-us-br-mx.terra.com[208.84.244.133] refused to talk to me: 421 4.3.2 rejected: Too much dconnections from mail.mydomain.com[my.ip.address])
I can't clear the queue because they are using randomly generated addresses each time.
main.cf:
Code:
myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
delay_warning_time = 4h
# next line added by duke
# virtual_alias_maps = hash:/etc/postfix/virtual/domains
# decided not to do this, see line below: mydestination
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
# myorigin = $mydomain
myorigin = /etc/mailname
myhostname = mail.mydomain.com
mydomain = mydomain.com
mydestination = $myhostname, localhost, localhost.$mydomain, $mydomain, localhost.chara.gsu.edu, chara.gsu.edu, astro.gsu.edu
relayhost =
mynetworks = 127.0.0.0/8, ip.ip.ip.ip,
notify_classes = resource, software
home_mailbox = Maildir/
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
content_filter=smtp-amavis:[127.0.0.1]:10024
#
message_size_limit=1024000000
mailbox_size_limit=0
#
# restrictions
smtpd_restriction_classes =
    has_our_domain_as_sender
has_our_domain_as_sender =
    check_sender_access hash:/etc/postfix/our_domain_as_sender
    reject
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    permit_sasl_authenticated
    permit_mynetworks
    check_sender_access hash:/etc/postfix/sender_access
    check_client_access hash:/etc/postfix/internal_networks
    check_sender_access hash:/etc/postfix/not_our_domain_as_sender
    reject_unauth_destination
    check_recipient_access hash:/etc/postfix/protect_internal_aliases
    reject_multi_recipient_bounce
    # reject_rbl_client ix.dnsbl.manitu.net
    reject_rbl_client sbl-xbl.spamhaus.org
    reject_rbl_client pbl.spamhaus.org
    # reject_rbl_client dnsbl.sorbs.net
    reject_rbl_client bl.spamcop.net
    reject_rbl_client b.barracudacentral.org
    check_recipient_access hash:/etc/postfix/role_account_exceptions
    check_helo_access pcre:/etc/postfix/helo_checks
    reject_non_fqdn_hostname
    reject_invalid_hostname
    check_sender_mx_access cidr:/etc/postfix/bogus_mx
    check_sender_access hash:/etc/postfix/rhsbl_sender_exceptions
    reject_rhsbl_sender dsn.rfc-ignorant.org
    check_sender_access hash:/etc/postfix/common_spam_senderdomains
    check_sender_access regexp:/etc/postfix/common_spam_senderdomain_keywords
    permit
smtpd_data_restrictions =
    reject_unauth_pipelining
    permit
address_verify_map = btree:/var/spool/postfix/verified_senders
address_verify_negative_cache = no
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = pcre:/etc/postfix/mime_header_checks
# SASL/SMTP AUTH configuration
smtpd_sasl_auth_enable = yes
# force noplaintext auth without tls
# more SASL mechanisms than just PLAIN and LOGIN
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
# force noplaintext auth without tls as a client
#smtp_sasl_security_options = noanonymous, noplaintext
#smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_authenticated_header = yes
# Following allows machines on $mynetworks to send email without SMTP AUTH
# A side effect of this is that clients on these network do not see
# 250 AUTH PLAIN ... and 250 AUTH=PLAIN ... responces, outside clients do.
smtpd_sasl_exceptions_networks = $mynetworks
broken_sasl_auth_clients = yes
# Following sets SASL realm, for now keep empty
smtpd_sasl_local_domain =
# TLS configuration
#
smtpd_tls_security_level = may
# To enforce
# smtpd_tls_security_level = encrypt
#
# Obsolete, but still supported
smtpd_use_tls = yes
# To enforce
# smtpd_enforce_tls = yes
#
# Enforce TLS when using SMTP AUTH as we use PLAIN and LOGIN
smtpd_tls_auth_only = yes
#
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
#
# Certificates and keys
smtpd_tls_cert_file=/etc/postfix/ssl/mail_mydomain.com.crt
smtpd_tls_key_file= /etc/postfix/ssl/mail.mydomain.com.key
smtpd_tls_CAfile = /etc/postfix/ssl/COMODOHigh-AssuranceSecureServerCA.crt
smtpd_tls_session_cache_database = sdbm:${queue_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtp_tls_session_cache_database = sdbm:${queue_directory}/smtp_scache
smtp_tls_session_cache_timeout = 3600s
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
readme_directory = /usr/share/doc/postfix
html_directory = /usr/share/doc/postfix/html
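A quick way to answer the "am I sending spam?" question from the log above is to pull the client IP that amavis prints in brackets on its "Checking:" lines and flag every message that claims an @mydomain.com envelope sender but was injected from outside mynetworks. This is an added example, not code from the thread; the mynetworks ranges, the documentation IPs and the log lines are constructed in the amavis format shown in the post.

```python
import re
import ipaddress
from collections import Counter

OUR_DOMAIN = "mydomain.com"
# Assumed mynetworks (constructed; the poster's real range is masked as ip.ip.ip.ip)
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "203.0.113.0/24")]

# amavis "Checking:" lines: mail_id, [client ip], <sender> -> <rcpt>,<rcpt>,...
CHECKING_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) Checking: (?P<mail_id>\S+) \[(?P<ip>[\d.]+)\] "
    r"<(?P<sender>[^>]*)> -> (?P<rcpts>\S+)")

def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MYNETWORKS)

def suspicious_submissions(lines):
    """Return (sender, client_ip, recipient_count) for mail that uses our domain
    as envelope sender but came from a client outside mynetworks."""
    found = []
    for line in lines:
        m = CHECKING_RE.search(line)
        if not m:
            continue
        sender = m.group("sender")
        if not sender.endswith("@" + OUR_DOMAIN) or is_local(m.group("ip")):
            continue
        nrcpt = m.group("rcpts").count("<")
        found.append((sender, m.group("ip"), nrcpt))
    return found

def ips_by_volume(lines):
    """Count flagged messages per client IP, most active first."""
    return Counter(ip for _, ip, _ in suspicious_submissions(lines))

# Constructed sample log in the format of the post; 198.51.100.x are documentation IPs
SAMPLE_LOG = [
    "Sep 24 11:35:00 mail amavis[28299]: (28299-01-34) Checking: oQ5OxjnsmPdd [198.51.100.7] <pbdh@mydomain.com> -> <unwound@bagozzi.com.br>,<unwritten@bagozzi.com.br>",
    "Sep 24 11:36:10 mail amavis[28299]: (28299-01-35) Checking: aBcDeFgHiJkL [198.51.100.7] <4r1ll@mydomain.com> -> <a@example.org>,<b@example.org>,<c@example.org>",
    "Sep 24 11:37:00 mail amavis[28299]: (28299-01-36) Checking: mNoPqRsTuVwX [203.0.113.5] <duke@mydomain.com> -> <friend@example.net>",
    "Sep 24 11:38:00 mail amavis[28299]: (28299-01-37) Checking: yZ0123456789 [198.51.100.9] <someone@example.org> -> <info@mydomain.com>",
]

if __name__ == "__main__":
    for ip, count in ips_by_volume(SAMPLE_LOG).most_common():
        print(f"{ip}: {count} messages with @{OUR_DOMAIN} sender from outside mynetworks")
```

Run it against the real /var/log/mail.log (one line per list entry) and any external IP with a large count is a client that was allowed to relay with a spoofed local sender, which matches the relay problem the thread ends up diagnosing.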
Answer was in the ORDER of smtpd_recipient_restrictions:
reject_unauth_destination
should go right below
permit_mynetworks
in my case.
Order seems to be very important for that setting, and it takes some sitting and thinking to mull your way through the order that postfix is checking.
In my case, I was trying to allow access to mailing list aliases from a certain domain. Unfortunately it did that check before the reject_unauth_destination check.
What I believe was happening is that they were able to successfully spoof the domain, and bypass the relay checks due to my poor design of smtpd_recipient_restrictions.
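The ordering effect described in this answer, as an added illustration that is not part of the thread: a small model of how smtpd walks smtpd_recipient_restrictions top to bottom, where the first restriction that returns PERMIT or REJECT decides and a non-matching one (DUNNO) falls through. The map contents and the mynetworks range are assumptions, since the real maps are not on the page; the sender_access map is modelled as whitelisting the local domain, which is what a spoofed @mydomain.com sender would exploit.

```python
import ipaddress

# Constructed stand-ins for the poster's maps (real contents are not on the page)
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "203.0.113.0/24")]
SENDER_ACCESS = {"mydomain.com": "OK"}   # assumed content of hash:/etc/postfix/sender_access
RELAY_DOMAINS = {"mydomain.com"}         # $mydestination, what reject_unauth_destination allows

# Order from the posted main.cf: the sender_access check runs BEFORE reject_unauth_destination
BROKEN_ORDER = ["permit_sasl_authenticated", "permit_mynetworks",
                "check_sender_access", "reject_unauth_destination", "permit"]
# Order from the answer: reject_unauth_destination right below permit_mynetworks
FIXED_ORDER = ["permit_sasl_authenticated", "permit_mynetworks",
               "reject_unauth_destination", "check_sender_access", "permit"]

def evaluate(order, client_ip, sender, recipient, sasl=False):
    """Return (verdict, deciding_restriction). Restrictions are tried in list order;
    the first one that yields PERMIT or REJECT wins, the rest are never consulted."""
    ip = ipaddress.ip_address(client_ip)
    sender_domain = sender.rsplit("@", 1)[1]
    rcpt_domain = recipient.rsplit("@", 1)[1]
    for r in order:
        if r == "permit_mynetworks" and any(ip in net for net in MYNETWORKS):
            return ("PERMIT", r)
        if r == "permit_sasl_authenticated" and sasl:
            return ("PERMIT", r)
        if r == "check_sender_access":
            action = SENDER_ACCESS.get(sender_domain)   # OK permits, REJECT rejects, no entry = DUNNO
            if action in ("OK", "REJECT"):
                return ("PERMIT" if action == "OK" else "REJECT", r)
        if r == "reject_unauth_destination" and rcpt_domain not in RELAY_DOMAINS:
            return ("REJECT", r)   # not for us and nobody permitted relaying above
        if r == "permit":
            return ("PERMIT", r)
    return ("REJECT", "end-of-list")

# Constructed case: external client (documentation IP), spoofed local sender, foreign recipient
SPOOFED_RELAY = ("198.51.100.7", "pbdh@mydomain.com", "unwound@bagozzi.com.br")

if __name__ == "__main__":
    for name, order in (("broken", BROKEN_ORDER), ("fixed", FIXED_ORDER)):
        print(name, evaluate(order, *SPOOFED_RELAY))
```

With the broken order the spoofed sender hits the OK entry and relays; with the fixed order reject_unauth_destination fires first, while local clients and inbound mail to the domain are still accepted.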