LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Server
Old 10-11-2011, 03:25 PM   #1
alden_pease
LQ Newbie
 
Registered: Mar 2011
Distribution: Debian Squeeze/Debian Lenny
Posts: 16

Rep: Reputation: 0
Postfix Ignoring Authentication


Hello again. I have been using Postfix for quite a while now, until recently when it started acting up. This morning, I received a call from Time Warner Cable, telling me that my internet is in a 24-hour quarantine period where I'm stuck with dial-up speeds. They informed me that my server was sending out spam messages to random clients of theirs. I looked at my syslog file, and sure enough, there were hundreds of emails being relayed through my postfix server to a bunch of different addresses.

So, what do I do to fix this? Why is Postfix not checking for authentication? If I supply it credentials, it checks it and verifies it. If I don't, it still allows it. Currently, I have disabled postfix, which I hate to do because it is what I use to receive all of my mail. I need to get it back up and running as soon as possible. Here is main.cf:

Code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = aldenpease.me
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
myorigin = aldenpease.me
# mydestination = www.aldenpease.me, localhost.aldenpease.me, localhost
mydestination =
local_recipient_maps =
relayhost = smtp-server.maine.rr.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

smtpd_helo_required = yes
disable_vrfy_command = yes
#content_filter = amavis:[127.0.0.1]:10024

virtual_mailbox_base = /var/spool/mail/virtual
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf

virtual_uid_maps = static:5000
virtual_gid_maps = static:5000

smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = no
smtpd_security_options = noanonymous
smtpd_sasl_local_domain =

smtpd_sender_restrictions = permit_sasl_authenticated, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit
Thank you for your help; please get back to me as soon as possible.
 
Old 10-11-2011, 04:12 PM   #2
lithos
Senior Member
 
Registered: Jan 2010
Location: SI : 45.9531, 15.4894
Distribution: CentOS, OpenNA/Trustix, testing desktop openSuse 12.1 /Cinnamon/KDE4.8
Posts: 1,144

Rep: Reputation: 217
it may be some line is missing
I have:
Code:
#
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_tls_auth_only = no
I can't explain everything it does because I don't know; it works and it's OK for me.

good luck
 
Old 10-11-2011, 04:27 PM   #3
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165
Quote:
If I supply it credentials, it checks it and verifies it. If I don't, it still allows it.
according to your restrictions, postfix will allow unauthenticated senders in these cases:
1. the connection is made from localhost.
2. the destination domain is one for which the postfix server is the final destination.

you should probably take a look at the mail logs. two possibilities come to mind:
1. the spammer knows some valid credentials
2. the spammer was able to send by hacking the web server on the same machine as postfix.
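The two unauthenticated cases Berhanie lists follow from the order of the posted restriction list. What follows is an added example, not code from the thread or from Postfix: a simplified Python model of how smtpd walks smtpd_recipient_restrictions (each restriction answers permit, reject or "dunno"; the first permit or reject wins; an exhausted list permits). The mynetworks entries and the restriction list are taken from the posted main.cf (the IPv4-mapped entry is left out because its validity is questioned in the thread); the final-destination domain "aldenpease.me" is an assumption, since the real list lives in the MySQL tables. The hardened list is the posted one with permit_mynetworks removed, so that local, unauthenticated submissions fall through to reject_unauth_destination.

```python
import ipaddress

# Simplified model of how Postfix smtpd walks a restriction list (added
# example, not Postfix source): each restriction yields "permit", "reject"
# or "dunno"; the first permit/reject ends the walk, and an exhausted list
# permits, which is Postfix's default end action.

# Values from the posted main.cf; the IPv4-mapped entry is left out because
# its validity was questioned in the thread.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]

# mydestination is empty in the posted config, so only the virtual domains
# count as "final destination"; "aldenpease.me" is assumed to be one of them.
FINAL_DESTINATION_DOMAINS = {"aldenpease.me"}

RESTRICTIONS_AS_POSTED = [
    "reject_unauth_pipelining", "permit_mynetworks", "permit_sasl_authenticated",
    "reject_non_fqdn_recipient", "reject_unknown_recipient_domain",
    "reject_unauth_destination", "permit",
]
# Same list without permit_mynetworks: local, unauthenticated submissions
# then fall through to reject_unauth_destination.
RESTRICTIONS_HARDENED = [r for r in RESTRICTIONS_AS_POSTED if r != "permit_mynetworks"]


def evaluate(restrictions, client_ip, sasl_authenticated, recipient, domain_resolves=True):
    """Return (decision, restriction_that_decided) for one RCPT TO."""
    ip = ipaddress.ip_address(client_ip)
    domain = recipient.rpartition("@")[2]
    for r in restrictions:
        if r == "permit_mynetworks" and any(ip in net for net in MYNETWORKS):
            return "permit", r
        if r == "permit_sasl_authenticated" and sasl_authenticated:
            return "permit", r
        if r == "reject_non_fqdn_recipient" and "." not in domain:
            return "reject", r
        if r == "reject_unknown_recipient_domain" and not domain_resolves:
            return "reject", r
        if r == "reject_unauth_destination" and domain not in FINAL_DESTINATION_DOMAINS:
            return "reject", r
        if r == "permit":
            return "permit", r
        # reject_unauth_pipelining depends on protocol timing not modelled
        # here, so it is treated as "dunno" and the walk continues.
    return "permit", "end-of-list"


def compare(client_ip, sasl_authenticated, recipient):
    """Decision under the posted list beside the hardened list."""
    return (evaluate(RESTRICTIONS_AS_POSTED, client_ip, sasl_authenticated, recipient),
            evaluate(RESTRICTIONS_HARDENED, client_ip, sasl_authenticated, recipient))


if __name__ == "__main__":
    cases = [
        ("127.0.0.1", False, "someone@example.net"),     # local script, no SASL, remote recipient
        ("127.0.0.1", True, "someone@example.net"),      # local, authenticated
        ("67.253.81.61", False, "alden@aldenpease.me"),  # inbound mail for a hosted domain
        ("67.253.81.61", False, "someone@example.net"),  # relay attempt from outside
    ]
    for ip, auth, rcpt in cases:
        posted, hardened = compare(ip, auth, rcpt)
        print(f"{ip:>14} sasl={auth!s:5} rcpt={rcpt:22} posted={posted} hardened={hardened}")
```

Running the four cases shows that the posted list already refuses relaying from outside addresses; the hole is the first case, where anything on the box can submit mail to any destination without credentials.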
 
Old 10-11-2011, 04:38 PM   #4
alden_pease
LQ Newbie
 
Registered: Mar 2011
Distribution: Debian Squeeze/Debian Lenny
Posts: 16

Original Poster
Rep: Reputation: 0
Look at these messages from the log file. I sent these myself purposely using incorrect credentials, and it still went through:

Code:
Oct 11 17:34:59 www postfix/smtpd[6015]: connect from cpe-67-253-81-61.maine.res.rr.com[67.253.81.61]
Oct 11 17:34:59 www postfix/smtpd[6015]: warning: SASL authentication failure: no secret in database
Oct 11 17:34:59 www postfix/smtpd[6015]: warning: cpe-67-253-81-61.maine.res.rr.com[67.253.81.61]: SASL DIGEST-MD5 authentication failed: authentication failure
Oct 11 17:34:59 www postfix/smtpd[6015]: 7E71A81D: client=cpe-67-253-81-61.maine.res.rr.com[67.253.81.61], sasl_method=LOGIN, sasl_username=alden@aldenpease.me
Oct 11 17:34:59 www postfix/cleanup[6018]: 7E71A81D: message-id=<002601cc885d$b371fdb0$1a55f910$@aldenpease.me>
Oct 11 17:34:59 www postfix/qmgr[5734]: 7E71A81D: from=<alden@aldenpease.me>, size=3158, nrcpt=1 (queue active)
Oct 11 17:35:00 www postfix/smtp[6019]: 7E71A81D: to=<apease11@gmail.com>, relay=smtp-server.maine.rr.com[71.74.56.22]:25, delay=0.57, delays=0.12/0.01/0.23/0.2, dsn=2.0.0, status=sent (250 OK B5/BB-05514-5A6B49E4)
Oct 11 17:35:00 www postfix/qmgr[5734]: 7E71A81D: removed
Oct 11 17:35:02 www postfix/smtpd[6015]: disconnect from cpe-67-253-81-61.maine.res.rr.com[67.253.81.61]
Any idea?
 
Old 10-11-2011, 04:50 PM   #5
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165
Quote:
Oct 11 17:34:59 www postfix/smtpd[6015]: 7E71A81D: client=cpe-67-253-81-61.maine.res.rr.com[67.253.81.61], sasl_method=LOGIN, sasl_username=alden@aldenpease.me
but, you did authenticate.
 
Old 10-11-2011, 04:53 PM   #6
alden_pease
LQ Newbie
 
Registered: Mar 2011
Distribution: Debian Squeeze/Debian Lenny
Posts: 16

Original Poster
Rep: Reputation: 0
I see that now. Adding this line has fixed the problem:

Code:
mynetworks_style = host
Is it coincidental? Thank you.
 
Old 10-11-2011, 05:20 PM   #7
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165
i don't know. on closer look, you were taking liberties with the mynetworks format. the postconf(5) man page does not mention that you are allowed to embed an ipv4 address inside an ipv6 address.
 
Old 10-11-2011, 09:10 PM   #8
alden_pease
LQ Newbie
 
Registered: Mar 2011
Distribution: Debian Squeeze/Debian Lenny
Posts: 16

Original Poster
Rep: Reputation: 0
No IPv6 addresses are in use on this network. And mynetworks_style did not work.

Code:
Oct 11 21:29:13 www postfix/smtp[7970]: 5C7F91BF9: to=<Chandra_Guevara@yahoo.cp>, relay=smtp-server.maine.rr.com[71.74.56.22]:25, delay=375423, delays=375423/0.04/0.25/0.25, dsn=4.1.8, status=deferred (host smtp-server.maine.rr.com[71.74.56.22] said: 450 4.1.8 - Domain of recipient does not resolve [R0309001] (in reply to RCPT TO command))
Oct 11 21:29:13 www postfix/smtp[7971]: 623AF1BFD: to=<Ronnie_Leon@yahoo.cp>, relay=smtp-server.maine.rr.com[71.74.56.22]:25, delay=313870, delays=313869/0.56/0.24/0.18, dsn=4.1.8, status=deferred (host smtp-server.maine.rr.com[71.74.56.22] said: 450 4.1.8 - Domain of recipient does not resolve [R0309001] (in reply to RCPT TO command))
Oct 11 21:29:13 www postfix/smtp[7972]: 6D8811BF1: to=<_@yahoo.cp>, relay=smtp-server.maine.rr.com[71.74.56.22]:25, delay=379248, delays=379246/0.56/0.24/0.23, dsn=4.1.8, status=deferred (host smtp-server.maine.rr.com[71.74.56.22] said: 450 4.1.8 - Domain of recipient does not resolve [R0309001] (in reply to RCPT TO command))
Oct 11 21:29:14 www postfix/smtp[7968]: 3C4C866C: to=<_@yahoo.cp>, relay=smtp-server.maine.rr.com[71.74.56.22]:25, delay=378480, delays=378479/0.56/0.35/0.17, dsn=4.1.8, status=deferred (host smtp-server.maine.rr.com[71.74.56.22] said: 450 4.1.8 - Domain of recipient does not resolve [R0309001] (in reply to RCPT TO command))
Oct 11 21:29:43 www postfix/smtp[7969]: B86FE681: to=<ddldsdb44@popmail.com>, relay=smtp-server.maine.rr.com[71.74.56.22]:25, delay=326925, delays=326894/0.03/0.29/30, dsn=4.1.8, status=deferred (host smtp-server.maine.rr.com[71.74.56.22] said: 450 4.1.8 - Domain of recipient does not resolve [R0309001] (in reply to RCPT TO command))
It's just relaying no matter what right now.
 
Old 10-12-2011, 09:55 AM   #9
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165
things you can post:
1. the output of postconf -n
2. the complete history of one of the spam emails (e.g. for the one to _@yahoo.com, "grep 3C4C866C /var/log/mail.log", or whatever your mail log is).
 
Old 10-12-2011, 01:16 PM   #10
alden_pease
LQ Newbie
 
Registered: Mar 2011
Distribution: Debian Squeeze/Debian Lenny
Posts: 16

Original Poster
Rep: Reputation: 0
This is the result of "postconf -n":
Code:
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
disable_vrfy_command = yes
inet_interfaces = all
local_recipient_maps =
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
mydestination =
myhostname = aldenpease.me
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mynetworks_style = host
myorigin = aldenpease.me
readme_directory = no
recipient_delimiter = +
relayhost = smtp-server.maine.rr.com
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_delay_reject = no
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sender_restrictions = permit_sasl_authenticated, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/spool/mail/virtual
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
virtual_uid_maps = static:5000
The results to "grep 3C4C866C /var/log/mail.log" can be found at http://projects.aldenpease.me/3C4C866C.log. Thank you for your time Berhanie.
 
Old 10-12-2011, 02:23 PM   #11
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165
your log doesn't show how the mail was submitted. please go back further in time in the logs. try "grep -r 3C4C866C /var/log/mail*"
 
Old 10-12-2011, 04:51 PM   #12
alden_pease
LQ Newbie
 
Registered: Mar 2011
Distribution: Debian Squeeze/Debian Lenny
Posts: 16

Original Poster
Rep: Reputation: 0
It doesn't show that much more. http://projects.aldenpease.me/3C4C866Cr.log. Is there another way I can set up authentication? As in like a hostname ACL or so?
 
Old 10-12-2011, 05:01 PM   #13
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165
try to find a message which has a shorter history, then. it would be helpful to see how the spam got injected into the system.
you can restrict the senders by IP address, sender, etc, but that's not authentication, and neither is it secure.
have you tested your sasl config by following this?
 
Old 10-12-2011, 10:00 PM   #14
alden_pease
LQ Newbie
 
Registered: Mar 2011
Distribution: Debian Squeeze/Debian Lenny
Posts: 16

Original Poster
Rep: Reputation: 0
The authentication works, and is the only way to send mail unless you are from the local system, which it looks like it's coming from the local system according to this log: http://projects.aldenpease.me/B86FE681.log. I have no idea how this could be happening. Is it possible to force authentication even for the local machine? Thank you.
 
Old 10-13-2011, 10:57 AM   #15
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165
Quote:
Oct 8 02:40:58 www postfix/smtpd[13935]: B86FE681: client=www[127.0.0.1]
Oct 8 02:40:59 www postfix/cleanup[13937]: B86FE681: message-id=<@>
Oct 8 02:40:59 www postfix/qmgr[2459]: B86FE681: from=<_@yahoo.com.au>, size=2063, nrcpt=1 (queue active)
nice find. so it's something on the machine itself. now you need to find the wayward script. try by looking
at your apache logs for the page accessed at the time the mail was sent.

your smtpd_recipient_restrictions have been different the two times you've posted them. in the meantime,
if you don't need it, it's good to remove permit_mynetworks from the list. that would require all outgoing
mail submitted to smtpd to be authenticated.

Last edited by Berhanie; 10-13-2011 at 11:01 AM.
 
1 members found this post helpful.
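Berhanie's diagnosis comes from reading the smtpd "client=" line for the queue id and noticing that it carries no sasl_username. The following is an added example, not code from the thread: a small Python parser that groups Postfix log lines by queue id and flags messages accepted from a mynetworks address without a SASL login, which is the path permit_mynetworks opens and the path a local script abusing the server would take. It also counts failed SASL logins per client address. The sample log lines are constructed, modelled on the ones posted in the thread; LOCAL_NETS and OWN_DOMAINS are assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Assumptions for this example: which source addresses count as "local"
# (the thread's mynetworks, minus the questioned IPv4-mapped entry) and
# which sender domains this server legitimately originates mail for.
LOCAL_NETS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]
OWN_DOMAINS = {"aldenpease.me"}

# Constructed sample, modelled on the lines posted in the thread: one
# authenticated submission from the owner's home connection and one
# unauthenticated submission from 127.0.0.1 with a foreign sender address.
SAMPLE_LOG = """\
Oct 11 17:34:59 www postfix/smtpd[6015]: warning: cpe-67-253-81-61.maine.res.rr.com[67.253.81.61]: SASL DIGEST-MD5 authentication failed: authentication failure
Oct 11 17:34:59 www postfix/smtpd[6015]: 7E71A81D: client=cpe-67-253-81-61.maine.res.rr.com[67.253.81.61], sasl_method=LOGIN, sasl_username=alden@aldenpease.me
Oct 11 17:34:59 www postfix/qmgr[5734]: 7E71A81D: from=<alden@aldenpease.me>, size=3158, nrcpt=1 (queue active)
Oct 11 17:35:00 www postfix/smtp[6019]: 7E71A81D: to=<apease11@gmail.com>, relay=smtp-server.maine.rr.com[71.74.56.22]:25, delay=0.57, delays=0.12/0.01/0.23/0.2, dsn=2.0.0, status=sent (250 OK)
Oct  8 02:40:58 www postfix/smtpd[13935]: B86FE681: client=www[127.0.0.1]
Oct  8 02:40:59 www postfix/qmgr[2459]: B86FE681: from=<_@yahoo.com.au>, size=2063, nrcpt=1 (queue active)
Oct  8 02:41:00 www postfix/smtp[13940]: B86FE681: to=<ddldsdb44@popmail.com>, relay=smtp-server.maine.rr.com[71.74.56.22]:25, delay=1.2, delays=1/0.03/0.1/0.1, dsn=2.0.0, status=sent (250 OK)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/(?P<prog>\w+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")
CLIENT_RE = re.compile(r"client=(?P<host>[^\[,\s]+)\[(?P<ip>[^\]]+)\]")
SASL_RE = re.compile(r"sasl_username=(?P<user>[^,\s]+)")
FROM_RE = re.compile(r"from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"to=<(?P<addr>[^>]*)>")
SASL_FAIL_RE = re.compile(r"warning: \S+\[(?P<ip>[^\]]+)\]: SASL \S+ authentication failed")


def parse_log(text):
    """Group lines by queue id into {qid: {ts, client_ip, sasl_username, from, to}}."""
    msgs = defaultdict(lambda: {"ts": None, "client_ip": None,
                                "sasl_username": None, "from": None, "to": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # connect/disconnect/warning lines carry no queue id
        rec, rest = msgs[m["qid"]], m["rest"]
        c = CLIENT_RE.search(rest)
        if c:  # the smtpd "client=" line records how the message was submitted
            rec["ts"], rec["client_ip"] = m["ts"], c["ip"]
            s = SASL_RE.search(rest)
            rec["sasl_username"] = s["user"] if s else None
        if m["prog"] == "qmgr" and (f := FROM_RE.search(rest)):
            rec["from"] = f["addr"]
        if m["prog"] == "smtp" and (t := TO_RE.search(rest)):
            rec["to"].append(t["addr"])
    return dict(msgs)


def flag_unauthenticated_local(msgs):
    """Messages accepted from a LOCAL_NETS address with no SASL login:
    exactly the submissions permit_mynetworks lets through unchecked."""
    flagged = []
    for qid, rec in msgs.items():
        if rec["client_ip"] is None or rec["sasl_username"]:
            continue
        if any(ipaddress.ip_address(rec["client_ip"]) in n for n in LOCAL_NETS):
            sender_domain = (rec["from"] or "").rpartition("@")[2]
            flagged.append({"qid": qid, "ts": rec["ts"], "from": rec["from"],
                            "to": rec["to"],
                            "foreign_sender": sender_domain not in OWN_DOMAINS})
    return flagged


def sasl_failures(text):
    """Failed SASL logins per client IP, for spotting credential guessing."""
    return Counter(m["ip"] for m in map(SASL_FAIL_RE.search, text.splitlines()) if m)


if __name__ == "__main__":
    msgs = parse_log(SAMPLE_LOG)
    for f in flag_unauthenticated_local(msgs):
        print(f"{f['qid']} at {f['ts']}: from=<{f['from']}> to={f['to']} "
              f"local, unauthenticated{', foreign sender' if f['foreign_sender'] else ''}")
    print("SASL failures:", dict(sasl_failures(SAMPLE_LOG)))
```

The timestamp carried in each flagged record is what you would then match against the web server's access log, as Berhanie suggests, to find the script that submitted the message; a flagged message whose sender domain is not one of your own is a strong hint that the submitting process was not legitimate local mail.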
Tags: authentication failure, mail, postfix, sasl, spam