Mail Relay in Postfix

dougnc · 07-20-2007, 09:02 AM

I'm running postfix on SuSE 10.2. I really don't want to be relaying mail for spammers. When I went into Webmin the postfix mail queue showed 8 undelivered messages.

I have this parameter set up in main.cf:

relay_domains = $mynetworks

Shouldn't that stop the relaying?

Thanks!

farslayer · 07-20-2007, 09:58 AM

would depend on the definition of $mynetworks

http://www.postfix.org/uce.html#relay_domains
Default: relay_domains = $mydestination

Heres my config..

Code:

mail:~# postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
home_mailbox = Maildir/
mailbox_command = /usr/bin/maildrop
mailbox_size_limit = 0
mime_header_checks = regexp:/etc/postfix/maps/mime_header_checks.regexp
mydestination = mail.mydomain.net, mydomain.net, localhost.mydomain.net, localhost, localhost.localdomain
mynetworks = 192.168.0.0/24, 172.16.1.0/24, 127.0.0.0/24
myorigin = /etc/mailname
recipient_delimiter = +
smtpd_banner = $myhostname
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_recipient_restrictions = 
  reject_non_fqdn_sender
  reject_non_fqdn_recipient
  reject_unknown_sender_domain
  reject_unknown_recipient_domain
  permit_mynetworks
  reject_unauth_destination
  reject_unauth_pipelining
  reject_invalid_hostname
  reject_rbl_client bl.spamcop.net
  reject_rbl_client list.dsbl.org
  reject_rbl_client zen.spamhaus.org
  reject_rbl_client dnsbl.sorbs.net
  permit
smtpd_sasl_auth_enable = no

no relay troubles here. the mail server will only relay mail for the IP addresses defined in mynetworks and the domains defined in my destination.

the smtpd _recipient_restrictions impose additional limitations on who to accept mail from.

dougnc · 07-20-2007, 12:47 PM

Quote:

Originally Posted by farslayer

would depend on the definition of $mynetworks

http://www.postfix.org/uce.html#relay_domains
Default: relay_domains = $mydestination

Heres my config..

Code:

mail:~# postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
home_mailbox = Maildir/
mailbox_command = /usr/bin/maildrop
mailbox_size_limit = 0
mime_header_checks = regexp:/etc/postfix/maps/mime_header_checks.regexp
mydestination = mail.mydomain.net, mydomain.net, localhost.mydomain.net, localhost, localhost.localdomain
mynetworks = 192.168.0.0/24, 172.16.1.0/24, 127.0.0.0/24
myorigin = /etc/mailname
recipient_delimiter = +
smtpd_banner = $myhostname
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_recipient_restrictions = 
  reject_non_fqdn_sender
  reject_non_fqdn_recipient
  reject_unknown_sender_domain
  reject_unknown_recipient_domain
  permit_mynetworks
  reject_unauth_destination
  reject_unauth_pipelining
  reject_invalid_hostname
  reject_rbl_client bl.spamcop.net
  reject_rbl_client list.dsbl.org
  reject_rbl_client zen.spamhaus.org
  reject_rbl_client dnsbl.sorbs.net
  permit
smtpd_sasl_auth_enable = no

no relay troubles here. the mail server will only relay mail for the IP addresses defined in mynetworks and the domains defined in my destination.

the smtpd _recipient_restrictions impose additional limitations on who to accept mail from.

Why do you have the black lists in smtpd_recipent_restrictions. I have it in client restrictions, like so:

smtpd_client_restrictions = permit_mynetworks, reject_rbl_client zen.spamhaus.org, permit

I was relaying stuff with the default postfix configuration. I tried adding the $mynetwork in an effort to stop it.

Here's one of the bogus e-mails trying to get out. This is from /var/log/mail:

Jul 20 13:42:40 venture postfix/smtp[12143]: 47DA46CBD2: to=<dqqvgahosiaq@branassoc.com>, relay=none, delay=294246, delays=294246/0.05/0.19/0, dsn=4.4.1, status=deferred (connect to branassoc.com[63.74.146.64]: Connection refused)

farslayer · 07-21-2007, 11:00 PM

I followed the examples from Ralf Hlidebrandt (author of The book of Postfix ). That's why they are there..

Most of the UCE how to's on the postfix site show the rbl done under smtpd_recipient_restrictions
http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt

I can't give you a more technical answer than 'I followed the examples' and it works, because when I run mail stats on the log files the black lists are definitely blocking. It looks like it can be done in either location.

dougnc · 07-23-2007, 10:15 AM

Well, I guess my postfix has been hacked. I have the relay turned off, but it's still relaying. Here's the bogus mails I now have in my queue.

I'm probably the main spam source for the entire northwest.

005246CBD7 005246CBD7 Sat Jul 21 05:17:21 MAILER-DAEMON cservice.ref27305866568465.nf@northforkbank.com 6.48 kB
3F53D6CBDE 3F53D6CBDE Sat Jul 21 16:47:33 ffraid@webt.com postmaster@com.com 3.05 kB
BC6A96C9E9 BC6A96C9E9 Fri Jul 20 22:03:01 root@com.com root@com.com 501 bytes
DE70B6CBD9 DE70B6CBD9 Wed Jul 18 23:01:53 MAILER-DAEMON root@com.com 2.19 kB

dougnc · 07-23-2007, 01:10 PM

Wow. Looks like my SuSE Linux server has been hacked and is spamming people.

This is the email I've just got:

"Hi. This is the qmail-send program at webmail2.ecritel.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<dt@industrietextile.com>:
user is over quota

--- Below this line is a copy of the message.

Return-Path: <dougnc@me.ccom>
Received: (qmail 25544 invoked by uid 505); 23 Jul 2007 15:47:11 -0000
Received: from dougnc@me.com by webmail2.ecritel.net by uid 502 with qmail-scanner-1.16
*( Clear:.
*Processed in 2.073625 secs); 23 Jul 2007 15:47:11 -0000
Received: from unknown (HELO cpe90-146-30-32.liwest.at) (90.146.30.32)
* by webmail2.ecritel.net with SMTP; 23 Jul 2007 15:47:09 -0000
Received: from asbrmnw ([192.187.112.115])
********by cpe90-146-30-32.liwest.at (8.13.4/8.13.4) with SMTP id k459414943495m1Da119383
********for <dt@industrietextile.com>; Mon, 23 Jul 2007 17:45:04 +0100 (CDT)
********(envelope-from dougnc@me.com)
Message-ID: <00ab01c7cd40$702a4d50$201e925a@asbrmnw>
From: "dougnc" <dougnc@me.com>
To: <dt@industrietextile.com>
Subject: gratifying debutante
Date: Mon, 23 Jul 2007 22:41:10 +0600
MIME-Version: 1.0
Content-Type: multipart/related;
********boundary="----=_NextPart_000_00A8_01C7CD51.33508AF0";
********type="multipart/alternative"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3028
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028

This is a multi-part message in MIME format.

farslayer · 07-23-2007, 09:25 PM

if you think you are an open relay. why not use one of the relay tests..
http://www.abuse.net/relay.html

The error posted in your last message is simply another mail server that is unable to deliver a message your server send because the recipient mailbox is full.

Quote:

user is over quota

Theres no way I can tell from what is posted whether that message was relayed from somewhere else or if it was a legit message sent by one of your users.

I see a lot of junk like that when our users have their autoreply turned on and it replies to a spam message.

still your best bet is to use one of the online tests to verify your mail server status... open or closed

you may also want to check this site for info on securing your mail server..
http://www.mail-abuse.com/an_sec3rdparty.html

dougnc · 07-24-2007, 08:50 AM

Quote:

Originally Posted by farslayer

if you think you are an open relay. why not use one of the relay tests..
http://www.abuse.net/relay.html

The error posted in your last message is simply another mail server that is unable to deliver a message your server send because the recipient mailbox is full.

Theres no way I can tell from what is posted whether that message was relayed from somewhere else or if it was a legit message sent by one of your users.

I see a lot of junk like that when our users have their autoreply turned on and it replies to a spam message.

still your best bet is to use one of the online tests to verify your mail server status... open or closed

you may also want to check this site for info on securing your mail server..
http://www.mail-abuse.com/an_sec3rdparty.html

I know definitely that it wasn't sent from one of my users. It's a home server and I'm the only login.

I used that relay test and all my domains tested as no relay.

But when I went into Webmin, postfix configuration, and looked at mail queue, I found this new one. It's definitely not one of my users. (I changed the first email addy)

67EA46CAD8 67EA46CAD8 Tue Jul 24 08:29:11 name@domain to postmaster@com.com 2.36 kB connect to com.com[216.239.122.102]: Connection timed out

I'm really not getting this. Postfix is supposed to default to no relay. I must assume that Postfix has been hacked like I used to get my Exchange server hacked.

Thanks!

farslayer · 07-24-2007, 06:46 PM

If you wold post your config ( postconf -n )it would be easier to find a misconfiguration that might be allowing the relay..

Berhanie · 07-24-2007, 08:20 PM

Also, you might post complete logs, not pieces of lines, so we can see what's going on. The part in bold (below) is especially important, as it records how the mail was submitted, whether by smtp (as below), or via the command line. Since you're probably not an open relay, maybe someone's submitting mail through one of your web forms.

Code:

Jul 24 17:07:17 myhost postfix/smtpd[11277]: connect from somehost.domain.com.br[xxx.xxx.xxx.xxx]

dougnc · 07-26-2007, 07:43 AM

Ok. Here's my postconf -n

Code:

alias_maps = hash:/etc/aliases
biff = no
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
defer_transports =
disable_dns_lookups = no
disable_mime_output_conversion = no
html_directory = /usr/share/doc/packages/postfix/html
inet_interfaces = 127.0.0.1 ::1 10.7.1.178
inet_protocols = all
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
message_size_limit = 10240000
mydestination = $myhostname, localhost.$mydomain 
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
readme_directory = /usr/share/doc/packages/postfix/README_FILES
relay_domains = $mynetworks
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_sasl_auth_enable = no
smtp_use_tls = no
smtpd_client_restrictions = permit_mynetworks, reject_rbl_client zen.spamhaus.org, permit
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_non_fqdn_sender  reject_non_fqdn_recipient  reject_unknown_sender_domain  reject_unknown_recipient_domain  permit_mynetworks  reject_unauth_destination  reject_unauth_pipelining  reject_invalid_hostname  reject_rbl_client bl.spamcop.net  reject_rbl_client list.dsbl.org  reject_rbl_client zen.spamhaus.org  reject_rbl_client dnsbl.sorbs.net  permit
smtpd_sasl_auth_enable = no
smtpd_sender_restrictions = hash:/etc/postfix/access,reject_unknown_address
smtpd_use_tls = no
strict_8bitmime = no
strict_rfc821_envelopes = no
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual
virtual_alias_maps = hash:/etc/postfix/virtual

And here's the logs from a bogus email that's in my postfix out queue. See the email addy it was first sent to? lastnamedoug@mydomain.com? The original has my real last name, but I changed it. The very spooky thing is that as far as I know, my last name appears nowhere on the internet.

Code:

venture:/var/log # grep stancilgjikaf@dorsetboats.com mail
Jul 24 08:29:07 venture postfix/smtpd[1776]: 31B626C9E8: reject: RCPT from unknown[124.227.218.186]: 
550 5.1.1 <lastnamedoug@customosas.com>: Recipient address rejected: User unknown in local recipient
 table; from=<stancilgjikaf@dorsetboats.com> to=<lastnamedoug@customosas.com> proto=SMTP helo=<dorsetboats.com>
Jul 24 08:29:11 venture postfix/qmgr[12133]: 31B626C9E8: from=<stancilgjikaf@dorsetboats.com>, size=2295, nrcpt=1 (queue active)
Jul 24 08:29:11 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 24 08:49:19 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 24 09:22:39 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 24 10:29:19 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 24 11:52:39 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 24 13:15:59 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 24 14:39:19 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 24 16:02:39 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 24 17:25:59 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 24 18:49:19 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 24 20:12:39 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 24 21:35:59 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 24 22:59:19 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 25 00:22:39 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 25 01:45:59 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 25 03:09:19 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 25 04:32:39 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 25 05:55:59 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 25 07:19:19 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 25 08:42:39 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 25 09:29:53 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 25 10:39:19 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 25 12:02:39 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 25 13:26:00 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 25 14:49:19 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 25 16:12:39 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 25 17:35:59 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 25 18:59:19 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 25 20:22:39 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 25 21:46:00 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 25 23:09:20 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 26 00:32:40 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 26 01:56:00 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 26 03:19:20 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 26 04:42:40 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 26 06:06:00 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)
Jul 26 07:29:20 venture postfix/qmgr[12133]: 67EA46CAD8: from=<stancilgjikaf@dorsetboats.com>, size=2420, nrcpt=1 (queue active)

Thanks for the help!

dougnc · 07-30-2007, 08:00 PM

I've got more bogus messages going thru my mail queue.

Any ideas?

farslayer · 07-30-2007, 09:48 PM

I would suggest joining the postfix mail list and ask over there. the people that write and maintain postfix monitor that list and theres some people that know postfix inside and out. they would be able to get you sorted out in no time.

http://www.postfix.org/lists.html

dougnc · 08-01-2007, 08:48 AM

Quote:

Originally Posted by farslayer

I would suggest joining the postfix mail list and ask over there. the people that write and maintain postfix monitor that list and theres some people that know postfix inside and out. they would be able to get you sorted out in no time.

http://www.postfix.org/lists.html

Thanks! I'm on their list!

ramram29 · 08-01-2007, 09:51 AM

In your postconf output above I don't see a definition for $mynetworks which is what is allowd to relay. The most significant variable is "relay_host". You need to create the '$mynetworks =' variable then you should be fine.