I see a ton of spam from users who are not on my system ending up in my mailq to be sent out. I have checked and double checked, and I can't figure out how they are able to do it. I do not have an open relay. I have tested that. Can someone who is more experienced than me tell me what I'm doing wrong here?
I expect that users who are not authenticated should not be able to send anything, but that apparently isn't the case.
Example of spam in my logs:
Code:
Dec 2 23:46:56 mail postfix/qmgr[32460]: 7903D82FFE: from=<vampirella77@yahoo.com>, size=2522, nrcpt=9 (queue active)
Dec 2 23:46:56 mail amavis[11674]: (11674-02) ESMTP::10024 /var/lib/amavis/tmp/amavis-20141202T234613-11674-nCRh8OtF: <vampirella77@yahoo.com> -> <g-9137907083-9041-901570566-1364809270539@bounce.info.bonprix.de>,<g-9137907083-9041-901577504-1364982193439@bounce.info.bonprix.de>,<g-2116625321-7181-1300406337-1364886113795@bounce.mail.kidoh.de>,<g-6237883870-7177-600658207-1364810778610@bounce.mail.weltbild.de>,<bounce-2336_HTML-50651786-82591-1068141-1926@bounce.official.nike.com>,<e3-28596563223-12c06dII52a3ceII1@e3.emarsys.net>,<3f9.c.143550131.J337930-6320762@hm.anpdm.com>,<newsletter-EMID0AE02J80GNE019CLTUU054PF000M44KO4@info.zalando.de>,<deals-EMID0AA01AQ123V0IQI82054K9P01IFSDA9@reiseinfos.ab-in-den-urlaub.de> SIZE=2522 Received: from mail.phy-astr.gsu.edu ([127.0.0.1]) by localhost (mail.phy-astr.gsu.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP; Tue, 2 Dec 2014 23:46:56 -0500 (EST)
Dec 2 23:46:56 mail amavis[11674]: (11674-02) Checking: GcRyvWFSsn6w [193.8.201.1] <vampirella77@yahoo.com> -> <g-9137907083-9041-901570566-1364809270539@bounce.info.bonprix.de>,<g-9137907083-9041-901577504-1364982193439@bounce.info.bonprix.de>,<g-2116625321-7181-1300406337-1364886113795@bounce.mail.kidoh.de>,<g-6237883870-7177-600658207-1364810778610@bounce.mail.weltbild.de>,<bounce-2336_HTML-50651786-82591-1068141-1926@bounce.official.nike.com>,<e3-28596563223-12c06dII52a3ceII1@e3.emarsys.net>,<3f9.c.143550131.J337930-6320762@hm.anpdm.com>,<newsletter-EMID0AE02J80GNE019CLTUU054PF000M44KO4@info.zalando.de>,<deals-EMID0AA01AQ123V0IQI82054K9P01IFSDA9@reiseinfos.ab-in-den-urlaub.de>
Dec 2 23:47:02 mail postfix/qmgr[32460]: 2AFA583001: from=<vampirella77@yahoo.com>, size=2925, nrcpt=9 (queue active)
Dec 2 23:47:02 mail amavis[11674]: (11674-02) FWD from <vampirella77@yahoo.com> -> <g-9137907083-9041-901570566-1364809270539@bounce.info.bonprix.de>,<g-9137907083-9041-901577504-1364982193439@bounce.info.bonprix.de>,<g-2116625321-7181-1300406337-1364886113795@bounce.mail.kidoh.de>,<g-6237883870-7177-600658207-1364810778610@bounce.mail.weltbild.de>,<bounce-2336_HTML-50651786-82591-1068141-1926@bounce.official.nike.com>,<e3-28596563223-12c06dII52a3ceII1@e3.emarsys.net>,<3f9.c.143550131.J337930-6320762@hm.anpdm.com>,<newsletter-EMID0AE02J80GNE019CLTUU054PF000M44KO4@info.zalando.de>,<deals-EMID0AA01AQ123V0IQI82054K9P01IFSDA9@reiseinfos.ab-in-den-urlaub.de>,BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 2AFA583001
Dec 2 23:47:02 mail amavis[11674]: (11674-02) Passed CLEAN {RelayedOpenRelay}, [193.8.201.1]:54207 [193.8.201.1] <vampirella77@yahoo.com> -> <g-9137907083-9041-901570566-1364809270539@bounce.info.bonprix.de>,<g-9137907083-9041-901577504-1364982193439@bounce.info.bonprix.de>,<g-2116625321-7181-1300406337-1364886113795@bounce.mail.kidoh.de>,<g-6237883870-7177-600658207-1364810778610@bounce.mail.weltbild.de>,<bounce-2336_HTML-50651786-82591-1068141-1926@bounce.official.nike.com>,<e3-28596563223-12c06dII52a3ceII1@e3.emarsys.net>,<3f9.c.143550131.J337930-6320762@hm.anpdm.com>,<newsletter-EMID0AE02J80GNE019CLTUU054PF000M44KO4@info.zalando.de>,<deals-EMID0AA01AQ123V0IQI82054K9P01IFSDA9@reiseinfos.ab-in-den-urlaub.de>, Queue-ID: 7903D82FFE, Message-ID: <5C1B29D8F03441F6BCC83921E487F4C4@mail.phy-astr.gsu.edu>, mail_id: GcRyvWFSsn6w, Hits: 2.434, size: 2522, queued_as: 2AFA583001, 6110 ms
Dec 2 23:47:04 mail postfix/qmgr[32460]: C330A82FE9: from=<vampirella77@yahoo.com>, size=2032, nrcpt=5 (queue active)
Dec 2 23:47:04 mail amavis[10929]: (10929-11) ESMTP::10024 /var/lib/amavis/tmp/amavis-20141202T230244-10929-FyInYedm: <vampirella77@yahoo.com> -> <e3-1429880737342-2cf75cII8be07fII4@e3.emarsys.net>,<e3-28598855904-a208fII2b145bII1@e3.emarsys.net>,<e3-28601572319-e3f9aII234936II1@e3.emarsys.net>,<mailgun@mailer13.agnitas.de>,<YvesRocher-ctg1aece2aajhoerlxv2vfivuw6zabjq@news.yves-rocher.de> SIZE=2032 Received: from mail.phy-astr.gsu.edu ([127.0.0.1]) by localhost (mail.phy-astr.gsu.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP; Tue, 2 Dec 2014 23:47:04 -0500 (EST)
Dec 2 23:47:04 mail amavis[10929]: (10929-11) Checking: p7ji1yTvb7Ws [193.8.201.1] <vampirella77@yahoo.com> -> <e3-1429880737342-2cf75cII8be07fII4@e3.emarsys.net>,<e3-28598855904-a208fII2b145bII1@e3.emarsys.net>,<e3-28601572319-e3f9aII234936II1@e3.emarsys.net>,<mailgun@mailer13.agnitas.de>,<YvesRocher-ctg1aece2aajhoerlxv2vfivuw6zabjq@news.yves-rocher.de>
Dec 2 23:47:11 mail amavis[10929]: (10929-11) Blocked SPAM {DiscardedOpenRelay,Quarantined}, [193.8.201.1]:54207 [193.8.201.1] <vampirella77@yahoo.com> -> <e3-1429880737342-2cf75cII8be07fII4@e3.emarsys.net>,<e3-28598855904-a208fII2b145bII1@e3.emarsys.net>,<e3-28601572319-e3f9aII234936II1@e3.emarsys.net>,<mailgun@mailer13.agnitas.de>,<YvesRocher-ctg1aece2aajhoerlxv2vfivuw6zabjq@news.yves-rocher.de>, quarantine: spambucket@phy-astr.gsu.edu, Queue-ID: C330A82FE9, Message-ID: <B9D858F1C24A6C77550B02CD296B8BB2@mail.phy-astr.gsu.edu>, mail_id: p7ji1yTvb7Ws, Hits: 10.928, size: 2032, 6141 ms
Dec 3 00:01:03 mail postfix/qmgr[32460]: 2AFA583001: from=<vampirella77@yahoo.com>, size=2925, nrcpt=9 (queue active)
Dec 3 00:26:03 mail postfix/qmgr[32460]: 2AFA583001: from=<vampirella77@yahoo.com>, size=2925, nrcpt=9 (queue active)
Dec 3 01:16:03 mail postfix/qmgr[32460]: 2AFA583001: from=<vampirella77@yahoo.com>, size=2925, nrcpt=9 (queue active)
Dec 3 02:31:03 mail postfix/qmgr[32460]: 2AFA583001: from=<vampirella77@yahoo.com>, size=2925, nrcpt=9 (queue active)
Dec 3 03:46:03 mail postfix/qmgr[32460]: 2AFA583001: from=<vampirella77@yahoo.com>, size=2925, nrcpt=9 (queue active)
Dec 3 03:51:05 mail postfix/smtp[14937]: 3009182FE9: to=<vampirella77@yahoo.com>, relay=mta5.am0.yahoodns.net[98.138.112.37]:25, delay=1.8, delays=0/0/0.52/1.2, dsn=5.0.0, status=bounced (host mta5.am0.yahoodns.net[98.138.112.37] said: 554 delivery error: dd This user doesn't have a yahoo.com account (vampirella77@yahoo.com) [-5] - mta1477.mail.ne1.yahoo.com (in reply to end of DATA command))
Dec 3 05:01:04 mail postfix/qmgr[32460]: 2AFA583001: from=<vampirella77@yahoo.com>, size=2925, nrcpt=9 (queue active)
Dec 3 06:16:04 mail postfix/qmgr[32460]: 2AFA583001: from=<vampirella77@yahoo.com>, size=2925, nrcpt=9 (queue active)
Dec 3 07:31:04 mail postfix/qmgr[32460]: 2AFA583001: from=<vampirella77@yahoo.com>, size=2925, nrcpt=9 (queue active)
Dec 3 08:46:04 mail postfix/qmgr[32460]: 2AFA583001: from=<vampirella77@yahoo.com>, size=2925, nrcpt=9 (queue active)
Dec 3 10:01:04 mail postfix/qmgr[32460]: 2AFA583001: from=<vampirella77@yahoo.com>, size=2925, nrcpt=9 (queue active)
Dec 3 11:16:04 mail postfix/qmgr[32460]: 2AFA583001: from=<vampirella77@yahoo.com>, size=2925, nrcpt=9 (queue active)
main.cf
Code:
myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
delay_warning_time = 4h
# next line added by duke
# virtual_alias_maps = hash:/etc/postfix/virtual/domains
# decided not to do this, see line below: mydestination
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
# myorigin = $mydomain
myorigin = /etc/mailname
myhostname = mail.myfqdn.com
mydomain = myfqdn.com
mydestination = $myhostname, localhost, localhost.$mydomain, $mydomain, localhost.myfqdn.com, myfqdn.com
relayhost =
mynetworks = 127.0.0.0/8
notify_classes = resource, software
home_mailbox = Maildir/
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
content_filter=smtp-amavis:[127.0.0.1]:10024
#
message_size_limit=1024000000
mailbox_size_limit=0
#
# restrictions
smtpd_restriction_classes =
    has_our_domain_as_sender
has_our_domain_as_sender =
    check_sender_access hash:/etc/postfix/our_domain_as_sender
    reject
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    reject_unauth_destination
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    check_sender_access hash:/etc/postfix/sender_access
    check_sender_access hash:/etc/postfix/not_our_domain_as_sender
    check_recipient_access hash:/etc/postfix/protect_internal_aliases
    reject_sender_login_mismatch
    reject_multi_recipient_bounce
    reject_rbl_client sbl-xbl.spamhaus.org
    reject_rbl_client pbl.spamhaus.org
    reject_rbl_client bl.spamcop.net
    reject_rbl_client b.barracudacentral.org
    check_recipient_access hash:/etc/postfix/role_account_exceptions
    check_helo_access pcre:/etc/postfix/helo_checks
    check_sender_mx_access cidr:/etc/postfix/bogus_mx
    check_sender_access hash:/etc/postfix/rhsbl_sender_exceptions
    reject_rhsbl_sender dsn.rfc-ignorant.org
    check_sender_access hash:/etc/postfix/common_spam_senderdomains
    check_sender_access regexp:/etc/postfix/common_spam_senderdomain_keywords
    permit
smtpd_data_restrictions =
    reject_unauth_pipelining
    permit
address_verify_map = btree:/var/spool/postfix/verified_senders
address_verify_negative_cache = no
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = pcre:/etc/postfix/mime_header_checks
# SASL/SMTP AUTH configuration
smtpd_sasl_auth_enable = yes
# force noplaintext auth without tls
# A side effect of this is that in sasl/smtpd.conf we must list
# more SASL mechanisms than just PLAIN and LOGIN
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
# force noplaintext auth without tls as a client
#smtp_sasl_security_options = noanonymous, noplaintext
#smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_authenticated_header = yes
# Following allows machines on $mynetworks to send email without SMTP AUTH
# A side effect of this is that clients on these network do not see
# 250 AUTH PLAIN ... and 250 AUTH=PLAIN ... responces, outside clients do.
smtpd_sasl_exceptions_networks = $mynetworks
broken_sasl_auth_clients = yes
# Following sets SASL realm, for now keep empty
smtpd_sasl_local_domain =
# TLS configuration
#
smtpd_tls_security_level = may
# To enforce
# smtpd_tls_security_level = encrypt
#
# Obsolete, but still supported
smtpd_use_tls = yes
# To enforce
# smtpd_enforce_tls = yes
#
# Enforce TLS when using SMTP AUTH as we use PLAIN and LOGIN
smtpd_tls_auth_only = yes
#
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
#
# Certificates and keys
smtpd_tls_cert_file=/etc/postfix/ssl/mail_phy-astr_gsu_edu.crt
smtpd_tls_key_file= /etc/postfix/ssl/mail.phy-astr.gsu.edu.unencrypt.key
smtpd_tls_CAfile = /etc/postfix/ssl/COMODOHigh-AssuranceSecureServerCA.crt
smtpd_tls_session_cache_database = sdbm:${queue_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtp_tls_session_cache_database = sdbm:${queue_directory}/smtp_scache
smtp_tls_session_cache_timeout = 3600s
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
readme_directory = /usr/share/doc/postfix
html_directory = /usr/share/doc/postfix/html
master.cf
Code:
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
  -o receive_override_options=no_address_mappings
submission inet n       -       -       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
  -o fallback_relay=
#  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n      n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
#
# amavisd-new processes
#
smtp-amavis unix -      -       n       -       5       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o smtpd_milters=
  -o local_header_rewrite_clients=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
retry     unix  -       -       -       -       -       error
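An added example, not part of the thread: a small scanner for amavis verdict lines like the ones in the log excerpt above. amavis attaches a policy tag containing "OpenRelay" when the client is outside its @mynetworks and no recipient is in its local_domains, so any such line with a client outside the MTA's trusted networks is a message the server relayed for a stranger. The sample lines are constructed and shortened from the excerpt, the default trusted network mirrors the mynetworks = 127.0.0.0/8 in main.cf above, and myfqdn.com/example.org addresses are placeholders.

```python
"""Flag amavisd-new verdict lines tagged "OpenRelay": amavis uses that tag when
the client is outside its network list and no recipient is in its local domains."""
import ipaddress
import re
from collections import Counter

# Constructed sample lines, shortened from the thread's log excerpt.
SAMPLE_LOG = [
    "Dec 2 23:47:02 mail amavis[11674]: (11674-02) Passed CLEAN {RelayedOpenRelay}, "
    "[193.8.201.1]:54207 [193.8.201.1] <vampirella77@yahoo.com> -> "
    "<a@bounce.info.bonprix.de>,<b@e3.emarsys.net>, Queue-ID: 7903D82FFE, Hits: 2.434",
    "Dec 2 23:47:11 mail amavis[10929]: (10929-11) Blocked SPAM {DiscardedOpenRelay,Quarantined}, "
    "[193.8.201.1]:54207 [193.8.201.1] <vampirella77@yahoo.com> -> "
    "<c@mailer13.agnitas.de>, quarantine: spambucket@myfqdn.com, Hits: 10.928",
    "Dec 2 23:50:00 mail amavis[10929]: (10929-12) Passed CLEAN {RelayedInbound}, "
    "[203.0.113.7]:40000 [203.0.113.7] <friend@example.org> -> <user@myfqdn.com>, Hits: 0.1",
]

# Verdict line shape: "Passed CLEAN {tags}, [client]:port [orig] <from> -> <rcpt>,<rcpt>, ..."
VERDICT_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) (?P<verdict>Passed|Blocked) \S+ \{(?P<tags>[^}]*)\}, "
    r"\[(?P<client>[0-9a-fA-F.:]+)\]:\d+ \[[^\]]*\] <[^>]*> -> (?P<rcpts>(?:<[^>]*>,?)+)"
)

def parse_verdict(line):
    """Return the fields of an amavis verdict line, or None for any other line."""
    m = VERDICT_RE.search(line)
    if not m:
        return None
    rcpts = re.findall(r"<([^>]*)>", m.group("rcpts"))
    return {
        "verdict": m.group("verdict"),
        "tags": m.group("tags").split(","),
        "client": m.group("client"),
        "rcpt_domains": sorted({r.rsplit("@", 1)[-1].lower() for r in rcpts}),
    }

def find_outside_relays(lines, trusted_nets):
    """Yield OpenRelay-tagged verdicts whose client lies outside every trusted net."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    for line in lines:
        rec = parse_verdict(line)
        if rec is None or not any("OpenRelay" in t for t in rec["tags"]):
            continue
        if not any(ipaddress.ip_address(rec["client"]) in n for n in nets):
            yield rec

def summarize(lines, trusted_nets=("127.0.0.0/8",)):
    """Per outside client: messages amavis relayed, and how many it passed clean."""
    clients, passed = Counter(), Counter()
    for rec in find_outside_relays(lines, trusted_nets):
        clients[rec["client"]] += 1
        passed[rec["client"]] += rec["verdict"] == "Passed"
    return {"clients": dict(clients), "passed": dict(passed)}
```

Run it over /var/log/mail.log (for example `summarize(open("/var/log/mail.log"))`) and every client it reports is one that got mail relayed without being in the trusted networks, whether amavis passed or quarantined it.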
Received: from mail.phy-astr.gsu.edu ([127.0.0.1])
Looks like the mail is being submitted locally. I suspect the box has been hacked and is running a proxy of some sort to hide the origin. Before you clean up, run tcpdump and see if there's some suspicious inbound traffic.
Edit: never mind, that's your virus scanner. The mail is being submitted from
Code:
cRyvWFSsn6w [193.8.201.1]
Is that a host on your network?
Last edited by smallpond; 12-04-2014 at 06:21 AM. Reason: on closer inspection
No, 193.8.201.1 is not a host on my network. I'm really baffled as to how these can be submitted. Am I reading the logs wrong? Are they not actually getting passed?
Every day I check the mailq and see 50+ messages deferred in there from these sorts of messages. They do not originate from my network, but delivery appears to be attempted, and they are blocked by the remote server. I've checked everywhere and I can't seem to find out why this is happening. I did upgrade from Debian Squeeze to Wheezy, but I can't find that anything major has changed that would allow this behavior.
Code:
DC42083012     2737 Thu Dec  4 06:41:34  ukere13@yahoo.com
    (connect to bbs.hamburg.de[212.1.41.30]:25: Connection refused)
                                         jan.rambke@bbs.hamburg.de
DEE9D83025    11388 Thu Dec  4 10:14:03  MAILER-DAEMON
    (host mta5.am0.yahoodns.net[98.138.112.37] said: 451 4.3.2 Internal error reading data (in reply to MAIL FROM command))
                                         vinisarus@yahoo.com
068B782FDF     2521 Wed Dec  3 16:20:11  sarah_schaeffer@yahoo.com
    (connect to mail.navigate.de[88.198.172.251]:25: Connection timed out)
                                         marcus@stober.de
CFF0C82FD8     2646 Wed Dec  3 18:57:54  antjerieckhoff@yahoo.com
    (connect to mx1.mail.bg[2001:67c:16b8:1::2:17]:25: Network is unreachable)
                                         ivo@mail.bg