Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
Hello again. I have been using Postfix for quite a while now, until recently, when it started acting up. This morning, I received a call from Time Warner Cable telling me that my internet connection is in a 24-hour quarantine period where I'm stuck at dial-up speeds. They informed me that my server was sending out spam messages to random clients of theirs. I looked at my syslog file, and sure enough, there were hundreds of emails being relayed through my Postfix server to a bunch of different addresses.
So, what do I do to fix this? Why is Postfix not checking for authentication? If I supply it credentials, it checks and verifies them. If I don't, it still allows it. Currently, I have disabled Postfix, which I hate to do because it is what I use to receive all of my mail. I need to get it back up and running as soon as possible. Here is main.cf:
Code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = aldenpease.me
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
myorigin = aldenpease.me
# mydestination = www.aldenpease.me, localhost.aldenpease.me, localhost
mydestination =
local_recipient_maps =
relayhost = smtp-server.maine.rr.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
smtpd_helo_required = yes
disable_vrfy_command = yes
#content_filter = amavis:[127.0.0.1]:10024
virtual_mailbox_base = /var/spool/mail/virtual
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = no
# Posted as "smtpd_security_options", which is not a Postfix parameter: Postfix
# logs an "unused parameter" warning and ignores it. The SASL option is spelled
# smtpd_sasl_security_options (noanonymous is also its default value).
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
smtpd_sender_restrictions = permit_sasl_authenticated, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit
Thank you for your help; please get back to me as soon as possible.
If I supply it credentials, it checks it and verifies it. If I don't, it still allows it.
According to your restrictions, Postfix will allow unauthenticated senders in these cases:
1. The connection is made from localhost.
2. The destination domain is one for which the Postfix server is the final destination.
You should probably take a look at the mail logs. Two possibilities come to mind:
1. The spammer knows some valid credentials.
2. The spammer was able to send by hacking the web server on the same machine as Postfix.
I don't know. On closer look, you were taking liberties with the mynetworks format. The postconf(5) man page does not mention that you are allowed to embed an IPv4 address inside an IPv6 one.
No IPv6 addresses are in use on this network. And mynetworks_style did not work.
Code:
Oct 11 21:29:13 www postfix/smtp[7970]: 5C7F91BF9: to=<Chandra_Guevara@yahoo.cp>, relay=smtp-server.maine.rr.com[71.74.56.22]:25, delay=375423, delays=375423/0.04/0.25/0.25, dsn=4.1.8, status=deferred (host smtp-server.maine.rr.com[71.74.56.22] said: 450 4.1.8 - Domain of recipient does not resolve [R0309001] (in reply to RCPT TO command))
Oct 11 21:29:13 www postfix/smtp[7971]: 623AF1BFD: to=<Ronnie_Leon@yahoo.cp>, relay=smtp-server.maine.rr.com[71.74.56.22]:25, delay=313870, delays=313869/0.56/0.24/0.18, dsn=4.1.8, status=deferred (host smtp-server.maine.rr.com[71.74.56.22] said: 450 4.1.8 - Domain of recipient does not resolve [R0309001] (in reply to RCPT TO command))
Oct 11 21:29:13 www postfix/smtp[7972]: 6D8811BF1: to=<_@yahoo.cp>, relay=smtp-server.maine.rr.com[71.74.56.22]:25, delay=379248, delays=379246/0.56/0.24/0.23, dsn=4.1.8, status=deferred (host smtp-server.maine.rr.com[71.74.56.22] said: 450 4.1.8 - Domain of recipient does not resolve [R0309001] (in reply to RCPT TO command))
Oct 11 21:29:14 www postfix/smtp[7968]: 3C4C866C: to=<_@yahoo.cp>, relay=smtp-server.maine.rr.com[71.74.56.22]:25, delay=378480, delays=378479/0.56/0.35/0.17, dsn=4.1.8, status=deferred (host smtp-server.maine.rr.com[71.74.56.22] said: 450 4.1.8 - Domain of recipient does not resolve [R0309001] (in reply to RCPT TO command))
Oct 11 21:29:43 www postfix/smtp[7969]: B86FE681: to=<ddldsdb44@popmail.com>, relay=smtp-server.maine.rr.com[71.74.56.22]:25, delay=326925, delays=326894/0.03/0.29/30, dsn=4.1.8, status=deferred (host smtp-server.maine.rr.com[71.74.56.22] said: 450 4.1.8 - Domain of recipient does not resolve [R0309001] (in reply to RCPT TO command))
Things you can post:
1. The output of postconf -n.
2. The complete history of one of the spam emails (e.g. for the one to _@yahoo.com, "grep 3C4C866C /var/log/mail.log", or whatever your mail log is).
Try to find a message which has a shorter history, then. It would be helpful to see how the spam got injected into the system.
You can restrict the senders by IP address, sender, etc., but that's not authentication, and neither is it secure.
Have you tested your SASL config by following this?
The authentication works, and is the only way to send mail unless you are from the local system, and it looks like it's coming from the local system according to this log: http://projects.aldenpease.me/B86FE681.log. I have no idea how this could be happening. Is it possible to force authentication even for the local machine? Thank you.
Oct 8 02:40:58 www postfix/smtpd[13935]: B86FE681: client=www[127.0.0.1]
Oct 8 02:40:59 www postfix/cleanup[13937]: B86FE681: message-id=<@>
Oct 8 02:40:59 www postfix/qmgr[2459]: B86FE681: from=<_@yahoo.com.au>, size=2063, nrcpt=1 (queue active)
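One way to do the queue-id tracing suggested earlier in the thread and to hunt for more messages like B86FE681, as an added Python script that is not from this thread or from Postfix: it groups mail.log events by queue id and flags messages that smtpd accepted from the loopback address with no sasl_username on the client= line. The sample log is the three B86FE681 lines posted above plus one constructed, authenticated submission (queue id 1A2B3C4D, username "alden", client 203.0.113.7 are all invented) for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: the B86FE681 lines from the thread plus one invented
# SASL-authenticated submission so the two cases can be told apart.
SAMPLE_LOG = """\
Oct 8 02:40:58 www postfix/smtpd[13935]: B86FE681: client=www[127.0.0.1]
Oct 8 02:40:59 www postfix/cleanup[13937]: B86FE681: message-id=<@>
Oct 8 02:40:59 www postfix/qmgr[2459]: B86FE681: from=<_@yahoo.com.au>, size=2063, nrcpt=1 (queue active)
Oct 8 09:12:01 www postfix/smtpd[14002]: 1A2B3C4D: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=alden
Oct 8 09:12:02 www postfix/qmgr[2459]: 1A2B3C4D: from=<alden@aldenpease.me>, size=812, nrcpt=1 (queue active)
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ postfix/(?P<prog>\w+)\[\d+\]: "
                     r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$")
CLIENT_RE = re.compile(r"client=[^\[]*\[(?P<ip>[^\]]+)\]")


def parse(log):
    """Group log events by queue id, in log order: {qid: [(daemon, text), ...]}."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events[m["qid"]].append((m["prog"], m["rest"]))
    return dict(events)


def message_history(log, qid):
    """Same information as `grep QUEUEID /var/log/mail.log`, split per daemon."""
    return parse(log).get(qid, [])


def local_unauthenticated(log, local_ips=("127.0.0.1", "::1")):
    """Queue ids that smtpd accepted from a loopback client with no SASL login.
    With permit_mynetworks in smtpd_recipient_restrictions these relay anywhere,
    so they are where a wayward local script shows up. Returns {qid: sender}."""
    hits = {}
    for qid, evs in parse(log).items():
        sender = next((rest[len("from=<"):rest.index(">")] for prog, rest in evs
                       if prog == "qmgr" and rest.startswith("from=<")), None)
        for prog, rest in evs:
            c = CLIENT_RE.search(rest) if prog == "smtpd" else None
            if c and c["ip"] in local_ips and "sasl_username=" not in rest:
                hits[qid] = sender
    return hits
```

Run it against the real log with `local_unauthenticated(open("/var/log/mail.log").read())`; the timestamps of the hits are what to line up against the Apache access log.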
Nice find. So it's something on the machine itself. Now you need to find the wayward script. Try by looking at your Apache logs for the page accessed at the time the mail was sent.
Your smtpd_recipient_restrictions have been different the two times you've posted them. In the meantime, if you don't need it, it's good to remove permit_mynetworks from the list. That would require all outgoing mail submitted to smtpd to be authenticated.
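To see why the posted list lets an unauthenticated localhost client relay (the two cases listed in the first reply) and what dropping permit_mynetworks changes, here is an added Python model that is not Postfix code and not from this thread: it walks a smtpd_recipient_restrictions list the way smtpd does, first non-DUNNO answer wins. LOCAL and RESOLVABLE are constructed stand-ins for the mydestination/virtual_mailbox_domains tables and for DNS lookups.

```python
import ipaddress

# Recipient restriction list exactly as posted in the thread, and the same
# list with permit_mynetworks dropped, as the last reply recommends.
POSTED = ["reject_unauth_pipelining", "permit_mynetworks",
          "permit_sasl_authenticated", "reject_non_fqdn_recipient",
          "reject_unknown_recipient_domain", "reject_unauth_destination",
          "permit"]
HARDENED = [r for r in POSTED if r != "permit_mynetworks"]

# The posted mynetworks value (an IPv4 address never matches an IPv6 network here).
MYNETWORKS = [ipaddress.ip_network(n)
              for n in ("127.0.0.0/8", "::ffff:127.0.0.0/104", "::1/128")]
# Constructed stand-ins: domains this server is final destination for, and
# domains that would resolve in DNS (yahoo.cp from the posted log would not).
LOCAL = {"aldenpease.me"}
RESOLVABLE = {"aldenpease.me", "yahoo.com", "popmail.com"}


def evaluate(restrictions, client_ip, authenticated, recipient,
             local_domains=LOCAL, resolvable=RESOLVABLE, pipelining_abuse=False):
    """Evaluate a restriction list for one RCPT TO. Each entry answers PERMIT,
    REJECT or DUNNO (skip); the first non-DUNNO answer ends the evaluation.
    Returns (decision, name of the entry that decided)."""
    domain = recipient.rpartition("@")[2].lower()
    ip = ipaddress.ip_address(client_ip)
    final_dest = domain in local_domains
    for r in restrictions:
        if r == "reject_unauth_pipelining" and pipelining_abuse:
            return "REJECT", r
        if r == "permit_mynetworks" and any(ip in n for n in MYNETWORKS):
            return "PERMIT", r
        if r == "permit_sasl_authenticated" and authenticated:
            return "PERMIT", r
        if r == "reject_non_fqdn_recipient" and "." not in domain:
            return "REJECT", r
        # Postfix only checks DNS for domains it does not deliver itself.
        if r == "reject_unknown_recipient_domain" and not final_dest \
                and domain not in resolvable:
            return "REJECT", r
        # The anti-relay guard: outside domains need a permit_* before this point.
        if r == "reject_unauth_destination" and not final_dest:
            return "REJECT", r
        if r == "permit":
            return "PERMIT", r
    return "PERMIT", "end of list"  # Postfix permits when no entry decides


if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("hardened", HARDENED)):
        print(name, evaluate(rules, "127.0.0.1", False, "someone@yahoo.com"))
```

Mail handed to /usr/sbin/sendmail enters through pickup rather than smtpd, so the hardened list does not affect it; the posted B86FE681 line shows client=www[127.0.0.1], an SMTP connection to the loopback, which is exactly what the hardened list refuses without SASL.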