Old 10-28-2016, 12:43 PM   #1
Registered: Aug 2012
Posts: 789

Rep: Reputation: Disabled
Preventing postfix from being hacked

I am getting thousands of messages similar to those below in /var/log/maillog. Looks like someone is trying to hack me, but I am not sure. What do you think is happening? What could I do to figure it out, and if a hack, what can I do to prevent it?

Oct 28 09:33:08 devserver postfix/error[11544]: D1D4920105A: to=<>, relay=none, delay=0.09, delays=0.06/0/0/0.04, dsn=4.7.8, status=deferred (delivery temporarily suspended: SASL authentication failed; server[] said: 535-5.7.8 Username and Password not accepted. Learn more at?535 5.7.8 h9sm5513927paw.18 - gsmtp)
Oct 28 09:33:11 devserver postfix/smtp[11506]: 52CB9200538: SASL authentication failed; server[] said: 535-5.7.8 Username and Password not accepted. Learn more at?535 5.7.8 a78sm20048591pfj.44 - gsmtp
Oct 28 09:33:12 devserver postfix/smtp[11506]: 52CB9200538: to=<>,[]:587, delay=47066, delays=47061/0.1/5.8/0, dsn=4.7.8, status=deferred (SASL authentication failed; server[] said: 535-5.7.8 Username and Password not accepted. Learn more at?535 5.7.8 g27sm4254884pfj.46 - gsmtp)
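A point worth pinning down before treating those lines as an attack: they come from postfix/smtp and postfix/error, which are the sending side of postfix. "server[] said: 535 ... Username and Password not accepted ... gsmtp" on port 587 is the remote relay (a Gmail submission server) refusing this server's own credentials, and status=deferred means postfix keeps the message in the queue and retries. Someone trying to log in to this server would instead show up under postfix/smtpd. The following added example (editor's code, not from the thread) parses the three lines quoted above plus one constructed inbound line to tell the two cases apart and to list the queue IDs that are stuck.

```python
import re
from collections import Counter

# Log excerpt copied from the post above (host names and addresses were
# already stripped by the forum, hence "server[]" and "to=<>").
SAMPLE_LOG = """\
Oct 28 09:33:08 devserver postfix/error[11544]: D1D4920105A: to=<>, relay=none, delay=0.09, delays=0.06/0/0/0.04, dsn=4.7.8, status=deferred (delivery temporarily suspended: SASL authentication failed; server[] said: 535-5.7.8 Username and Password not accepted. Learn more at?535 5.7.8 h9sm5513927paw.18 - gsmtp)
Oct 28 09:33:11 devserver postfix/smtp[11506]: 52CB9200538: SASL authentication failed; server[] said: 535-5.7.8 Username and Password not accepted. Learn more at?535 5.7.8 a78sm20048591pfj.44 - gsmtp
Oct 28 09:33:12 devserver postfix/smtp[11506]: 52CB9200538: to=<>,[]:587, delay=47066, delays=47061/0.1/5.8/0, dsn=4.7.8, status=deferred (SASL authentication failed; server[] said: 535-5.7.8 Username and Password not accepted. Learn more at?535 5.7.8 g27sm4254884pfj.46 - gsmtp)
"""

# Constructed line (not from the thread) showing what a remote client failing
# to log in to *your* smtpd looks like; 192.0.2.10 is a documentation address.
CONSTRUCTED_INBOUND = (
    "Oct 28 09:40:00 devserver postfix/smtpd[11600]: warning: unknown[192.0.2.10]: "
    "SASL LOGIN authentication failed: authentication failure"
)

# syslog timestamp, host, postfix daemon name, optional queue ID, remainder
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<proc>\w+)\[\d+\]: (?:(?P<qid>[0-9A-F]+): )?(?P<rest>.*)$"
)


def parse(line):
    """Return the fields of one postfix log line, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(line):
    """Distinguish 'our server failed to log in to its relay' from
    'someone failed to log in to our server'."""
    rec = parse(line)
    if rec is None:
        return None
    proc, rest = rec["proc"], rec["rest"]
    # smtpd is the receiving side: a SASL failure here is an inbound attempt.
    if proc == "smtpd" and "SASL" in rest and "authentication failed" in rest:
        return "inbound_auth_failure"
    # smtp (and the error daemon that reports its deferrals) is the sending
    # side: "server[...] said: 535" is the *remote* relay rejecting us.
    if proc in ("smtp", "error") and "SASL authentication failed; server" in rest:
        return "outbound_relay_auth_failure"
    return "other"


def summarize(text):
    """Count line kinds and collect queue IDs of mail postfix is still retrying."""
    kinds = Counter()
    deferred = set()
    for line in text.splitlines():
        kind = classify(line)
        if kind is None:
            continue
        kinds[kind] += 1
        rec = parse(line)
        if rec["qid"] and "status=deferred" in rec["rest"]:
            deferred.add(rec["qid"])
    return {"kinds": dict(kinds), "deferred_queue_ids": sorted(deferred)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(classify(CONSTRUCTED_INBOUND))
```

Run it against the real file with `summarize(open("/var/log/maillog").read())`; if every hit is outbound_relay_auth_failure, the question is what is generating mail locally and why the relay credentials fail, and `postqueue -p` will show what is sitting in the deferred queue.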
Old 10-29-2016, 10:40 AM   #2
LQ Guru
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 15,699

Rep: Reputation: 2222
You have put up very little information.
On the snippet you provided, it looks like someone is using your box as a relay. Now I know next to nothing about your server, and I suspect you may have the same problem.
Things you can do are: Restrict who can send mail, change passwords to secure ones; increase logging of everything to debug level; update any programs that are running; and go to town tightening up on permissions; make sure nobody can send mail except who you want.

Then you can sort out who the (expletive deleted) is sending these barrages of mail and nobble their account, if they're a user. Act smartly or you'll find yourself on and your legit email will be bounced.
Old 10-30-2016, 08:44 AM   #3
Registered: Aug 2012
Posts: 789

Original Poster
Rep: Reputation: Disabled
Thank you Business Kid for your reply.

Sorry, I know I didn't give you much, but didn't know where to start. Good news is no one is using my email server. Bad news is I am getting thousands of SSH break-in attempts. Looked at some of the emails, and they are generated by fail2ban trying to send out an email, but I must not have configured something correctly.

*** ENVELOPE RECORDS maildrop/32BED200349 ***
message_arrival_time: Sun Oct 30 05:31:07 2016
named_attribute: rewrite_context=local
sender_fullname: root
*** MESSAGE CONTENTS maildrop/32BED200349 ***
regular_text: Subject: [Fail2Ban] SSH: banned from devserver.michaels.lan
regular_text: Date: Sun, 30 Oct 2016 05:31:07 -0700
regular_text: From: Fail2Ban <>
regular_text: To:
regular_text: Hi,
regular_text: The IP has just been banned by Fail2Ban after
regular_text: 5 attempts against SSH.
regular_text: Here is more information about :
regular_text: missing whois program
regular_text: Regards,
unterminated_text: Fail2Ban
*** HEADER EXTRACTED maildrop/32BED200349 ***
*** MESSAGE FILE END maildrop/32BED200349 ***
[root@devserver ~]#
Old 10-30-2016, 07:01 PM   #4
LQ Veteran
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Check your ssh jail for directives such as

You customized your ssh jail, yes? The name is non-standard/default.

Rem those out.
Bounce fail2ban.
Check for mail "noise"
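Post #4's procedure (find the mail-sending directive in the customised SSH jail, comment it out, restart fail2ban, then check the mail noise has stopped) as an added Python example; this is editor's code, not from the thread or from fail2ban. The jail.local below is constructed: the jail name SSH matches the "[Fail2Ban] SSH: banned" subject in post #3, and the action is one of fail2ban's mail-sending variants (action_mw / action_mwl, which use the sendmail-whois action, hence the "missing whois program" line in the bounced mail).

```python
import configparser
import re

# Constructed jail.local (not the poster's real file). The jail is called
# "SSH", matching the "[Fail2Ban] SSH: banned ..." subject in post #3, and its
# action is one of the mail-sending variants defined in jail.conf.
SAMPLE_JAIL_LOCAL = """\
[DEFAULT]
bantime   = 600
maxretry  = 5
destemail = root@localhost
action    = %(action_)s

[SSH]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/secure
action   = %(action_mwl)s
"""

# Action names that make fail2ban send mail: action_mw / action_mwl
# (ban + mail with whois), and the sendmail-* / mail-* / *-whois actions.
MAIL_ACTION_RE = re.compile(r"action_mw|sendmail|-whois|\bmail\b")


def mail_sending_jails(jail_text):
    """List (jail, action) for enabled jails whose action sends e-mail."""
    # fail2ban uses %(name)s references; disable configparser interpolation
    # so they are read literally instead of raising.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(jail_text)
    hits = []
    for jail in cp.sections():  # DEFAULT is not a real jail
        if cp.get(jail, "enabled", fallback="false").lower() != "true":
            continue
        action = cp.get(jail, "action", fallback="")
        if MAIL_ACTION_RE.search(action):
            hits.append((jail, action))
    return hits


def comment_out_mail_actions(jail_text):
    """Return the config with the offending 'action =' lines commented out,
    so those jails fall back to the DEFAULT (ban-only) action."""
    flagged = {jail for jail, _ in mail_sending_jails(jail_text)}
    out, section = [], None
    for line in jail_text.splitlines():
        m = re.match(r"^\s*\[(.+?)\]\s*$", line)
        if m:
            section = m.group(1)
        if section in flagged and re.match(r"^\s*action\s*=", line):
            out.append("# " + line + "   # disabled: was generating mail")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for jail, action in mail_sending_jails(SAMPLE_JAIL_LOCAL):
        print(f"jail {jail!r} sends mail via action {action!r}")
    print(comment_out_mail_actions(SAMPLE_JAIL_LOCAL))
```

After writing the result back and restarting fail2ban, look at `postqueue -p`: what is already queued will keep retrying against the relay until it expires, and if it is all this notification noise, `postsuper -d ALL deferred` clears it. If the ban notifications are actually wanted, the fix is the other way round: install whois and give postfix working relay credentials, rather than commenting the action out.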

