Postfix Ignoring Authentication
Hello again. I have been using Postfix for quite a while now, until recently when it started acting up. This morning, I received a call from Time Warner Cable, telling me that my internet is in a 24-hour quarantine period where I'm stuck with dial-up speeds. They informed me that my server was sending out spam messages to random clients of theirs. I looked at my syslog file, and sure enough, there were hundreds of emails being relayed through my postfix server to a bunch of different addresses.
So, what do I do to fix this? Why is Postfix not checking for authentication? If I supply it credentials, it checks them and verifies them. If I don't, it still allows it. Currently, I have disabled postfix, which I hate to do because it is what I use to receive all of my mail. I need to get it back up and running as soon as possible. Here is main.cf:
Code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
it may be some line is missing
I have:
Code:
# good luck
Quote:
1. the connection is made from localhost.
2. the destination domain is one for which the postfix server is the final destination.
you should probably take a look at the mail logs. two possibilities come to mind:
1. the spammer knows some valid credentials
2. the spammer was able to send by hacking the web server on the same machine as postfix.
Look at these messages from the log file. I sent these myself purposely using incorrect credentials, and it still went through:
Code:
Oct 11 17:34:59 www postfix/smtpd[6015]: connect from cpe-67-253-81-61.maine.res.rr.com[67.253.81.61]
I see that now. Adding this line has fixed the problem:
Code:
mynetworks_style = host
i don't know. on closer look, you were taking liberties with the mynetworks format. the postconf(5) man page does not mention that you are allowed to embed an ipv4 address inside an ipv6 one.
No IPv6 addresses are in use on this network. And mynetworks_style did not work.
Code:
Oct 11 21:29:13 www postfix/smtp[7970]: 5C7F91BF9: to=<Chandra_Guevara@yahoo.cp>, relay=smtp-server.maine.rr.com[71.74.56.22]:25, delay=375423, delays=375423/0.04/0.25/0.25, dsn=4.1.8, status=deferred (host smtp-server.maine.rr.com[71.74.56.22] said: 450 4.1.8 - Domain of recipient does not resolve [R0309001] (in reply to RCPT TO command))
things you can post:
1. the output of postconf -n
2. the complete history of one of the spam emails (e.g. for the one to _@yahoo.com, "grep 3C4C866C /var/log/mail.log", or whatever your mail log is).
This is the result of "postconf -n":
Code:
alias_database = hash:/etc/postfix/aliases
your log doesn't show how the mail was submitted. please go back further in time in the logs. try "grep -r 3C4C866C /var/log/mail*"
It doesn't show that much more. http://projects.aldenpease.me/3C4C866Cr.log. Is there another way I can set up authentication? As in like a hostname ACL or so?
try to find a message that has a shorter history, then. it would be helpful to see how the spam got injected into the system.
you can restrict the senders by IP address, sender, etc, but that's not authentication, and neither is it secure. have you tested your sasl config by following this?
The authentication works, and is the only way to send mail unless you are from the local system, which it looks like it's coming from the local system according to this log: http://projects.aldenpease.me/B86FE681.log. I have no idea how this could be happening. Is it possible to force authentication even for the local machine? Thank you.
Quote:
at your apache logs for the page accessed at the time the mail was sent. your smtpd_recipient_restrictions have been different the two times you've posted them. in the meantime, if you don't need it, it's good to remove permit_mynetworks from the list. that would require all outgoing mail submitted to smtpd to be authenticated.
I believe I have found the culprit. A few days ago I initialized an open proxy with the SSH Daemon, and about the same time this started happening. Here are the only other records in my log files in that time period plus or minus 3 minutes.
Code:
/var/log/auth.log.1:Oct 8 02:40:58 www sshd[2411]: error: connect_to 168.95.5.32 port 25: failed.
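A defender-side check for the pattern in the sshd log line above, added here as an example and not code from the thread: sshd logs "connect_to HOST port N: failed" when a client asked it to forward a TCP connection and the remote end refused, so clusters of such lines for port 25 inside one sshd session are the fingerprint of a tunnel being used as a mail relay. The log lines, hosts and the threshold of 3 are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines in the format sshd uses (hosts are
# documentation addresses, made up for this example). At the default log
# level sshd only records forwards that fail, so real abuse leaves more
# traffic than these lines show.
AUTH_LOG = """\
Oct 8 02:40:58 www sshd[2411]: error: connect_to 192.0.2.10 port 25: failed.
Oct 8 02:41:02 www sshd[2411]: error: connect_to 192.0.2.11 port 25: failed.
Oct 8 02:41:07 www sshd[2411]: error: connect_to 198.51.100.7 port 25: failed.
Oct 8 02:45:10 www sshd[2590]: error: connect_to 203.0.113.5 port 443: failed.
Oct 8 02:50:33 www sshd[2411]: error: connect_to 192.0.2.12 port 25: failed.
"""

CONNECT_TO = re.compile(
    r"sshd\[(?P<pid>\d+)\]: error: connect_to (?P<host>\S+) port (?P<port>\d+)"
)


def smtp_forwarding_by_session(log_text):
    """Map each sshd session pid to the hosts it tried to forward to on port 25."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = CONNECT_TO.search(line)
        if m and m.group("port") == "25":
            sessions[m.group("pid")].append(m.group("host"))
    return dict(sessions)


def flag_sessions(log_text, threshold=3):
    """Return sshd pids whose forwarded port-25 attempts reach the threshold."""
    by_session = smtp_forwarding_by_session(log_text)
    return sorted(pid for pid, hosts in by_session.items() if len(hosts) >= threshold)


if __name__ == "__main__":
    sessions = smtp_forwarding_by_session(AUTH_LOG)
    for pid in flag_sessions(AUTH_LOG):
        # Mitigation lives in sshd_config: AllowTcpForwarding no, or a
        # PermitOpen list that excludes port 25, for accounts that do not need it.
        print(f"sshd session {pid} forwarded to port 25 on {len(sessions[pid])} hosts: "
              f"{', '.join(sessions[pid])}")
```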