[SOLVED] Postfix Ignoring Authentication

alden_pease · 10-11-2011, 03:25 PM

Hello again. I have been using Postfix for quite a while now, until recently when it started acting up. This morning, I received a call from Time Warner Cable, telling me that my internet is in a 24-hour quarantine period where I'm stuck when dial-up speeds. They informed me that my server was sending out spam messages to random clients of theirs. I looked at my syslog file, and sure enough, there were hundreds of emails being relayed through my postfix server to a bunch of different addresses.

So, what do I do to fix this? Why has Postfix not checking for authentication? If I supply it credentials, it checks it and verifies it. If I don't, it still allows it. Currently, I have disabled postfix, which I hate to do because it is what I use to receive all of my mail. I need to get it back up and running as soon as possible. Here is main.cf:

Code:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = aldenpease.me
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
myorigin = aldenpease.me
# mydestination = www.aldenpease.me, localhost.aldenpease.me, localhost
mydestination =
local_recipient_maps =
relayhost = smtp-server.maine.rr.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

smtpd_helo_required = yes
disable_vrfy_command = yes
#content_filter = amavis:[127.0.0.1]:10024

virtual_mailbox_base = /var/spool/mail/virtual
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf

virtual_uid_maps = static:5000
virtual_gid_maps = static:5000

smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = no
smtpd_security_options = noanonymous
smtpd_sasl_local_domain =

smtpd_sender_restrictions = permit_sasl_authenticated, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit

Thank you for your help; please get back to me as soon as possible.

lithos · 10-11-2011, 04:12 PM

it may be some line is missing
I have:

Code:

#
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_tls_auth_only = no

I can't explain everything it does because I don't know, It works and It's ok for me.

good luck

Berhanie · 10-11-2011, 04:27 PM

Quote:

If I supply it credentials, it checks it and verifies it. If I don't, it still allows it.

according to your restrictions, postfix will allow unauthenticated senders in these cases:
1. the connection is made from localhost.
2. the destination domain is one for which the postfix server is the final destination.

you should probably take a look at the mail logs. two possibilities come to mind:
1. the spammer knows some valid credentials
2. the spammer was able to send by hacking the web server on the same machine as postfix.

alden_pease · 10-11-2011, 04:38 PM

Look at these messages from the log file. I sent these myself purposely using incorrect credentials, and it still went through:

Code:

Oct 11 17:34:59 www postfix/smtpd[6015]: connect from cpe-67-253-81-61.maine.res.rr.com[67.253.81.61]
Oct 11 17:34:59 www postfix/smtpd[6015]: warning: SASL authentication failure: no secret in database
Oct 11 17:34:59 www postfix/smtpd[6015]: warning: cpe-67-253-81-61.maine.res.rr.com[67.253.81.61]: SASL DIGEST-MD5 authentication failed: authentication failure
Oct 11 17:34:59 www postfix/smtpd[6015]: 7E71A81D: client=cpe-67-253-81-61.maine.res.rr.com[67.253.81.61], sasl_method=LOGIN, sasl_username=alden@aldenpease.me
Oct 11 17:34:59 www postfix/cleanup[6018]: 7E71A81D: message-id=<002601cc885d$b371fdb0$1a55f910$@aldenpease.me>
Oct 11 17:34:59 www postfix/qmgr[5734]: 7E71A81D: from=<alden@aldenpease.me>, size=3158, nrcpt=1 (queue active)
Oct 11 17:35:00 www postfix/smtp[6019]: 7E71A81D: to=<apease11@gmail.com>, relay=smtp-server.maine.rr.com[71.74.56.22]:25, delay=0.57, delays=0.12/0.01/0.23/0.2, dsn=2.0.0, status=sent (250 OK B5/BB-05514-5A6B49E4)
Oct 11 17:35:00 www postfix/qmgr[5734]: 7E71A81D: removed
Oct 11 17:35:02 www postfix/smtpd[6015]: disconnect from cpe-67-253-81-61.maine.res.rr.com[67.253.81.61]

Any idea?

Berhanie · 10-11-2011, 04:50 PM

Quote:

Oct 11 17:34:59 www postfix/smtpd[6015]: 7E71A81D: client=cpe-67-253-81-61.maine.res.rr.com[67.253.81.61], sasl_method=LOGIN, sasl_username=alden@aldenpease.me

but, you did authenticate.

alden_pease · 10-11-2011, 04:53 PM

I see that now. Adding this line has fixed the problem:

Code:

mynetworks_style = host

Is it coincidental? Thank you.

Berhanie · 10-11-2011, 05:20 PM

i don't know. on closer look, you were taking liberties with the mynetworks format. the postconf(5) man page does not mention that you are allowed to embed ipv4 address inside an ipv6.

alden_pease · 10-11-2011, 09:10 PM

No IPv6 addresses are in use on this network. And mynetworks_style did not work.

Code:

Oct 11 21:29:13 www postfix/smtp[7970]: 5C7F91BF9: to=<Chandra_Guevara@yahoo.cp>, relay=smtp-server.maine.rr.com[71.74.56.22]:25, delay=375423, delays=375423/0.04/0.25/0.25, dsn=4.1.8, status=deferred (host smtp-server.maine.rr.com[71.74.56.22] said: 450 4.1.8 - Domain of recipient does not resolve [R0309001] (in reply to RCPT TO command))
Oct 11 21:29:13 www postfix/smtp[7971]: 623AF1BFD: to=<Ronnie_Leon@yahoo.cp>, relay=smtp-server.maine.rr.com[71.74.56.22]:25, delay=313870, delays=313869/0.56/0.24/0.18, dsn=4.1.8, status=deferred (host smtp-server.maine.rr.com[71.74.56.22] said: 450 4.1.8 - Domain of recipient does not resolve [R0309001] (in reply to RCPT TO command))
Oct 11 21:29:13 www postfix/smtp[7972]: 6D8811BF1: to=<_@yahoo.cp>, relay=smtp-server.maine.rr.com[71.74.56.22]:25, delay=379248, delays=379246/0.56/0.24/0.23, dsn=4.1.8, status=deferred (host smtp-server.maine.rr.com[71.74.56.22] said: 450 4.1.8 - Domain of recipient does not resolve [R0309001] (in reply to RCPT TO command))
Oct 11 21:29:14 www postfix/smtp[7968]: 3C4C866C: to=<_@yahoo.cp>, relay=smtp-server.maine.rr.com[71.74.56.22]:25, delay=378480, delays=378479/0.56/0.35/0.17, dsn=4.1.8, status=deferred (host smtp-server.maine.rr.com[71.74.56.22] said: 450 4.1.8 - Domain of recipient does not resolve [R0309001] (in reply to RCPT TO command))
Oct 11 21:29:43 www postfix/smtp[7969]: B86FE681: to=<ddldsdb44@popmail.com>, relay=smtp-server.maine.rr.com[71.74.56.22]:25, delay=326925, delays=326894/0.03/0.29/30, dsn=4.1.8, status=deferred (host smtp-server.maine.rr.com[71.74.56.22] said: 450 4.1.8 - Domain of recipient does not resolve [R0309001] (in reply to RCPT TO command))

It's just relaying no matter what right now.

Berhanie · 10-12-2011, 09:55 AM

things you can post:
1. the output of postconf -n
2. the complete history of one of the spam emails (e.g. for the one to _@yahoo.com, "grep 3C4C866C /var/log/mail.log", or whatever your mail log is).

alden_pease · 10-12-2011, 01:16 PM

This is the result of "postconf -n":

Code:

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
disable_vrfy_command = yes
inet_interfaces = all
local_recipient_maps =
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
mydestination =
myhostname = aldenpease.me
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mynetworks_style = host
myorigin = aldenpease.me
readme_directory = no
recipient_delimiter = +
relayhost = smtp-server.maine.rr.com
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_delay_reject = no
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sender_restrictions = permit_sasl_authenticated, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/spool/mail/virtual
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
virtual_uid_maps = static:5000

The results to "grep 3C4C866C /var/log/mail.log" can be found at http://projects.aldenpease.me/3C4C866C.log. Thank you for your time Berhanie.

Berhanie · 10-12-2011, 02:23 PM

your log doesn't show how the mail was submitted. please go back further in time in the logs. try "grep -r 3C4C866C /var/log/mail*"

alden_pease · 10-12-2011, 04:51 PM

It doesn't show that much more. http://projects.aldenpease.me/3C4C866Cr.log. Is there another way I can set up authentication? As in like a hostname ACL or so?

Berhanie · 10-12-2011, 05:01 PM

try to find a message with has a shorter history, then. it would be helpful to see how the spam got injected into the system.
you can restrict the senders by IP address, sender, etc, but that's not authenatication, and neither is it secure.
have you tested your sasl config by following this?

alden_pease · 10-12-2011, 10:00 PM

The authentication works, and is the only way to send mail unless you are from the local system, which it looks like it's coming from the local system according to this log: http://projects.aldenpease.me/B86FE681.log. I have no idea how this could be happening. Is it possible to force authentication even for the local machine? Thank you.

Berhanie · 10-13-2011, 10:57 AM

Quote:

Oct 8 02:40:58 www postfix/smtpd[13935]: B86FE681: client=www[127.0.0.1]
Oct 8 02:40:59 www postfix/cleanup[13937]: B86FE681: message-id=<@>
Oct 8 02:40:59 www postfix/qmgr[2459]: B86FE681: from=<_@yahoo.com.au>, size=2063, nrcpt=1 (queue active)

nice find. so it's something on the machine itself. now you need to find the wayward script. try by looking
at your apache logs for the page accessed at the time the mail was sent.

your smtpd_recipient_restrictions have been different the two times you've posted them. in the meantime,
if you don't need it, it's good to remove permit_mynetworks from the list. that would require all outgoing
mail submitted to smtpd to be authenticated.