Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I have allready four years my own server, using Postfix as MTA. The server is located in a datacenter directly connected to the internet, so security has been an issue when setting up Postfix.
I thought I only accepted mail relay from sasl_authenticated users, or from trusted networks, but somehow a spammer has managed to gain access.
Currently I have shut down Postfix to prevent getting blacklisted further, but I have have several clients depending heavily on mail sent through my server, so a solution is very much needed.
The last few days I've tried several things in the configuration of the main.cf, and currently I have:
I run my own personal sendmail domain server, and whilst I have no experience of using sasl_authentication I have managed to block all mail relaying attempts by combining the following:
1. Have a well configured Sendmail access file
2. Blocking relaying of mail to port 25 on my server using iptables to specific IP addresses - do your clients have static addresses -if yes this would be ideal!!!?
For example within my /etc/sysconfig/iptables:
-A INPUT -p tcp -m tcp -m state -s XXX.XXX.XXX.XXX --dport 25 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state -s XXX.XXX.XXX.XXX --dport 25 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 25 --state NEW -j DROP
Where in the above example the first 2 lines represents the 2 static WAN addresses. Any attempts to relay mail from addresses other than those specified in the first 2 lines will result in the data packets being dropped.
Thanks Rawcous for your answer. I understand you use sendmail as MTA, so your configuration files are a little different from mine. I'm a bit desparate at the moment so I'm researching on installing another MTA at the moment.
Usually my clients use static IP addresses, that's why I had the restrict_my_networks.
The recommendation is to use a no. of methods of securing your system rather than relying on one hence in your case - it sounds like you have this covered. Also with sendmail you can add a couple of lines to your config file that performs an automatic spam lookup on emails that are relayed through your MTA - I have set mine to use Spamhaus.org.
If you implement all of the suggestions then it may be a security flaw on the part of the data centre.... I would also recommend contacting them. The worrying fact that I have found is that a large no. of attempted hacks / code injection attempts on my web server have come from compromised servers hosted on the AMAZON AWS data centre servers.
ps - i'm not an expert by any stretch of the imagination but for my needs I have found it very configurable, it is secure, there are a large no. of plugins available for it (i.e. Anti-Virus mail scanner plugins such as Clamav plugins) - also an important thing that I am assuming also applies to Postfix is that recent versions of Sendmail have mail relaying disabled by default.
I can't find a user in the log files, or it must be "33"
Code:
Jan 30 18:49:08 Ubuntu-64-min postfix/pickup[1603]: 326741683B82: uid=33 from=<www-data>
Jan 30 18:49:08 Ubuntu-64-min postfix/cleanup[16170]: 326741683B82: message-id=<20140130174908.326741683B82@mail.xxxxxxxxxx.xxx>
Jan 30 18:49:08 Ubuntu-64-min postfix/cleanup[16170]: warning: mysql:/etc/postfix/mysql-virtual-alias-maps.cf is unavailable. unsupported dictionary type: mysql
Jan 30 18:49:08 Ubuntu-64-min postfix/cleanup[16170]: warning: mysql:/etc/postfix/mysql-virtual-alias-maps.cf lookup error for "fkrikorian@cs.com"
Jan 30 18:49:08 Ubuntu-64-min postfix/cleanup[16170]: warning: 326741683B82: virtual_alias_maps map lookup problem for fkrikorian@cs.com -- deferring delivery
Jan 30 18:49:08 Ubuntu-64-min postfix/pickup[1603]: 42C4F1683B82: uid=33 from=<www-data>
Jan 30 18:49:08 Ubuntu-64-min postfix/cleanup[16170]: 42C4F1683B82: message-id=<20140130174908.42C4F1683B82@mail.xxxxxxxxx.xx>
Jan 30 18:49:08 Ubuntu-64-min postfix/cleanup[16170]: warning: mysql:/etc/postfix/mysql-virtual-alias-maps.cf is unavailable. unsupported dictionary type: mysql
Jan 30 18:49:08 Ubuntu-64-min postfix/cleanup[16170]: warning: mysql:/etc/postfix/mysql-virtual-alias-maps.cf lookup error for "fox310r@aol.com"
Jan 30 18:49:08 Ubuntu-64-min postfix/pickup[1603]: 457411683B82: uid=33 from=<www-data>
Jan 30 18:49:08 Ubuntu-64-min postfix/pickup[1603]: warning: 504621683B82: message has been queued for 1 days
Jan 30 18:49:08 Ubuntu-64-min postfix/pickup[1603]: 504621683B82: uid=33 from=<www-data>
Jan 30 18:49:08 Ubuntu-64-min postfix/pickup[1603]: 518981683B82: uid=33 from=<www-data>
Jan 30 18:49:08 Ubuntu-64-min postfix/pickup[1603]: 52C0F1683B82: uid=33 from=<www-data>
Jan 30 18:49:08 Ubuntu-64-min postfix/pickup[1603]: 530441683B82: uid=33 from=<www-data>
Jan 30 18:49:08 Ubuntu-64-min postfix/pickup[1603]: 60C061683B82: uid=33 from=<www-data>
Jan 30 18:49:08 Ubuntu-64-min postfix/pickup[1603]: 664331683B82: uid=33 from=<www-data>
Jan 30 18:49:08 Ubuntu-64-min postfix/pickup[1603]: 6F95C1683B82: uid=33 from=<www-data>
Jan 30 18:49:08 Ubuntu-64-min postfix/pickup[1603]: 6FEAD1683B82: uid=33 from=<www-data>
Jan 30 18:49:08 Ubuntu-64-min postfix/pickup[1603]: 718F31683B82: uid=33 from=<www-data>
Jan 30 18:49:08 Ubuntu-64-min postfix/pickup[1603]: 758541683B82: uid=33 from=<www-data>
Jan 30 18:49:08 Ubuntu-64-min postfix/pickup[1603]: 75CDF1683B82: uid=33 from=<www-data>
Jan 30 18:49:08 Ubuntu-64-min postfix/pickup[1603]: 760A91683B82: uid=33 from=<www-data>
Jan 30 18:49:08 Ubuntu-64-min postfix/pickup[1603]: 83D371683B82: uid=33 from=<www-data>
Jan 30 18:49:08 Ubuntu-64-min postfix/pickup[1603]: 84F011683B82: uid=33 from=<www-data>
Jan 30 18:49:08 Ubuntu-64-min postfix/pickup[1603]: 8533E1683B82: uid=33 from=<www-data>
Jan 30 18:49:08 Ubuntu-64-min postfix/pickup[1603]: 87A401683B82: uid=33 from=<www-data>
Jan 30 18:49:08 Ubuntu-64-min postfix/pickup[1603]: 90DB11683B82: uid=33 from=<www-data>
Jan 30 18:49:08 Ubuntu-64-min postfix/pickup[1603]: 9129D1683B82: uid=33 from=<www-data>
Jan 30 18:49:08 Ubuntu-64-min postfix/smtp[14252]: connect to mx.dr1.us.army.mil[143.69.243.34]:25: Connection timed out
Jan 30 18:49:08 Ubuntu-64-min postfix/smtp[14252]: smtp_connect_addr: trying: mx.us.army.mil[143.69.251.34] port 25...
Jan 30 18:49:09 Ubuntu-64-min postfix/pickup[1603]: 91B311683B82: uid=33 from=<www-data>
I can't understand the mysql message, because the users are also managed through a mysql table, and that works fine. But I must admit that I tried to manage the mynetworks through a mysql table, and these efforts didn't work out....
The from=<www-data> is a sure sign that www-data IS sending mail and that with a joomla install could very well be the source.
was the clue I needed! In fact it isn't the Joomla installation, but a website enabling clients of my clients to make appointments with my clients. This website sends emails for registering and confirming. Just before this all started I got a strange registering email with the same name as the spam domain. I now think that registration was to investigate the procedure and abuse it.
For now I have to disable this procedure, tommorrow I will research how to solve this in a safe way!
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
