LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-14-2009, 02:42 AM   #1
bzzik
LQ Newbie
 
Registered: Jan 2009
Location: Latvia, Riga
Distribution: CentOS
Posts: 25

Rep: Reputation: 0
Is my postfix mail server hacked?


Hi guys!

I am new to web hosting. I am running a not-so-big hosting business and do not have many customers. One of our customers has complained to me that registration mails from his website go to spam. I searched my IP and found it blacklisted in two databases.

I started to analyze logs, and noticed that from the 25th of April something started to happen. Tons of mails are sent, but I do not have that many customers. My mail server is in the .lv zone and I have customers with .lv domains, but mostly some .es mail addresses are there in the maillog.

The maillog is full of records like this:

Quote:
May 10 23:29:10 s2 sendmail[24894]: alias database /etc/aliases rebuilt by root
May 10 23:29:10 s2 sendmail[24894]: /etc/aliases: 76 aliases, longest 10 bytes, 765 bytes total
May 10 23:29:10 s2 postfix/postfix-script: starting the Postfix mail system
May 10 23:29:10 s2 postfix/master[24940]: daemon started -- version 2.3.3, configuration /etc/postfix
May 10 23:29:10 s2 postfix/qmgr[24943]: EF8FB104715: from=<oficina@banestnet.es>, size=2466, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 12BB110476C: from=<info@bancaja.es>, size=2411, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: DD321104AA3: from=<info@banesnet.es>, size=2453, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 1F1C31049C8: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: B4256104A91: from=<info@banesnet.es>, size=2453, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 16087104ABA: from=<info@banesnet.es>, size=2453, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 7C140104A30: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 1DBF8104763: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 3EF34104A94: from=<info@banesnet.es>, size=2453, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 10524104B1D: from=<>, size=4283, nrcpt=1 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: D7476104739: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 1B061104A63: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 20B4A1049BF: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 1AE4F104A3E: from=<info@santandersupernet.es>, size=3322, nrcpt=49 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: E83FD1048F8: from=<info@bancaja.es>, size=2395, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 1F6591046ED: from=<oficina@banestnet.es>, size=2466, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: B2B1910470C: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 1190610463F: from=<info@bancaja.es>, size=2395, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 7FDF11049C6: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 150BB104940: from=<info@bancaja.es>, size=2395, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 6C9B3104A3B: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 1E5E210470F: from=<oficina@banestnet.es>, size=2466, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 18B78104A20: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 19F8F104913: from=<info@bancaja.es>, size=2395, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: EA5E21048A8: from=<info@bancaja.es>, size=2395, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 1EC44104978: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 37BD41046F1: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 1849B1048E5: from=<>, size=8177, nrcpt=1 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 87D4B1049E9: from=<info@banesnet.es>, size=2453, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 1AD35104B0A: from=<>, size=11424, nrcpt=1 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 863FA104ACF: from=<info@banesnet.es>, size=2453, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 11766104B27: from=<>, size=5173, nrcpt=1 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 53AF210478E: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 18F8D10482E: from=<>, size=7066, nrcpt=1 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 1098C104A85: from=<info@banesnet.es>, size=2453, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 1A565104971: from=<info@bancaja.es>, size=2395, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 14EAE1047B1: from=<>, size=10543, nrcpt=1 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 16CCE104B24: from=<>, size=5388, nrcpt=1 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 1C4411048D8: from=<info@bancaja.es>, size=2395, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 17C83104791: from=<info@bancaja.es>, size=2411, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 14407104A0A: from=<>, size=8067, nrcpt=1 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 154FD10478F: from=<info@bancaja.es>, size=2411, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 11328104A44: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 1686C104A03: from=<>, size=10161, nrcpt=1 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 164DC104757: from=<info@bancaja.es>, size=2411, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 17EF5104A8B: from=<info@banesnet.es>, size=2453, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 11E691049A5: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 12D171048E4: from=<info@bancaja.es>, size=2395, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 10D321046CE: from=<>, size=8321, nrcpt=1 (queue active)
and more:
Quote:
May 10 23:29:11 s2 postfix/qmgr[24943]: 0817B104877: from=<info@bancaja.es>, size=2395, nrcpt=49 (queue active)
May 10 23:29:11 s2 postfix/qmgr[24943]: 0C0C7104A14: from=<>, size=5170, nrcpt=1 (queue active)
May 10 23:29:11 s2 postfix/qmgr[24943]: 052E9104717: from=<>, size=5478, nrcpt=1 (queue active)
May 10 23:29:11 s2 postfix/smtp[24960]: connect to primera.net.uniovi.es[156.35.11.21]: Connection refused (port 25)
May 10 23:29:11 s2 postfix/smtp[24952]: 12BB110476C: host mxav2.loschatosdelturia.com[62.193.206.40] refused to talk to me: 554 av3.amenworld.com AMEN AMEN requires that all mail servers must have a PTR record with a valid Reverse DNS entry. Currently your mail server does not fill that requirement.
May 10 23:29:11 s2 postfix/smtp[24965]: connect to correo0.uma.es[150.214.40.111]: Connection refused (port 25)
May 10 23:29:11 s2 postfix/smtp[24961]: connect to mailhost.inves.es[62.97.103.145]: Connection refused (port 25)
May 10 23:29:11 s2 postfix/smtp[24961]: DD321104AA3: to=<juandi@inves.es>, relay=none, delay=303490, delays=303490/0.14/0.2/0, dsn=4.4.1, status=deferred (connect to mailhost.inves.es[62.97.103.145]: Connection refused)
May 10 23:29:11 s2 postfix/smtp[24952]: 12BB110476C: to=<loschatosdelturia@loschatosdelturia.com>, relay=mxav1.loschatosdelturia.com[62.193.206.39]:25, delay=393754, delays=393754/0.07/0.29/0, dsn=4.0.0, status=deferred (host mxav1.loschatosdelturia.com[62.193.206.39] refused to talk to me: 554 av3.amenworld.com AMEN AMEN requires that all mail servers must have a PTR record with a valid Reverse DNS entry. Currently your mail server does not fill that requirement.)
May 10 23:29:11 s2 postfix/smtp[25011]: connect to correo0.uma.es[150.214.40.111]: Connection refused (port 25)
May 10 23:29:11 s2 postfix/smtp[24951]: 12BB110476C: host mx.dca.untd.com[64.136.44.37] refused to talk to me: 550 Access denied...4df38e2b4e03c3c373833e4b5a3b5ae3cf83779a6 3c78a5bc39e635b5ef7f7bb132ad3bef7d3afabdfdb...
May 10 23:29:11 s2 postfix/smtp[24953]: 12BB110476C: host mxav2.loscorleone.com[62.193.206.42] refused to talk to me: 554 av4.amenworld.com AMEN AMEN requires that all mail servers must have a PTR record with a valid Reverse DNS entry. Currently your mail server does not fill that requirement.
May 10 23:29:11 s2 postfix/smtp[25032]: connect to mailhost-antispam.ttd.net[213.0.184.65]: Connection refused (port 25)
May 10 23:29:11 s2 postfix/smtp[25032]: 1DBF8104763: to=<danidaniel@jumpy.es>, relay=none, delay=307199, delays=307199/0.45/0.09/0, dsn=4.4.1, status=deferred (connect to mailhost-antispam.ttd.net[213.0.184.65]: Connection refused)
May 10 23:29:11 s2 postfix/smtp[24986]: connect to mail-av.celbio.it[217.194.7.78]: Connection refused (port 25)
May 10 23:29:11 s2 postfix/smtp[24963]: certificate verification failed for mx.terra.es: num=19:self signed certificate in certificate chain
May 10 23:29:11 s2 postfix/smtp[24963]: certificate verification failed for mx.terra.es: num=24:invalid CA certificate
May 10 23:29:11 s2 postfix/smtp[24963]: certificate verification failed for mx.terra.es: num=26:unsupported certificate purpose
May 10 23:29:11 s2 postfix/smtp[24963]: certificate verification failed for mx.terra.es: num=10:certificate has expired
May 10 23:29:11 s2 postfix/smtp[24963]: certificate verification failed for mx.terra.es:certificate has expired
May 10 23:29:11 s2 postfix/smtp[24963]: certificate verification failed for mx.terra.es:certificate has expired
May 10 23:29:11 s2 postfix/smtp[24963]: certificate verification failed for mx.terra.es: num=10:certificate has expired
May 10 23:29:11 s2 postfix/smtp[24963]: certificate verification failed for mx.terra.es:certificate has expired
May 10 23:29:11 s2 postfix/smtp[24963]: certificate verification failed for mx.terra.es:certificate has expired
May 10 23:29:11 s2 postfix/smtp[24948]: EF8FB104715: to=<oportunidade.vaga@terra.com.br>, relay=vip-us-br-mx.terra.com[208.84.244.133]:25, delay=368659, delays=368658/0.06/0.53/0, dsn=4.7.1, status=deferred (host vip-us-br-mx.terra.com[208.84.244.133] refused to talk to me: 450 4.7.1 Client host rejected: cannot find your hostname, [87.226.13.245])
May 10 23:29:11 s2 postfix/smtp[25002]: 16087104ABA: to=<mirandajose@mixmail.com>, relay=ing.wanadoo.es[62.36.20.73]:25, delay=303410, delays=303409/0.32/0.28/0, dsn=4.0.0, status=deferred (host ing.wanadoo.es[62.36.20.73] refused to talk to me: 550 Reverse DNS lookup failed for host 87.226.13.245.)
May 10 23:29:11 s2 postfix/smtp[24962]: DD321104AA3: to=<juanfernandez1973@orangemail.es>, relay=inc.wanadoo.es[62.36.20.20]:25, delay=303491, delays=303490/0.14/0.47/0, dsn=4.0.0, status=deferred (host inc.wanadoo.es[62.36.20.20] refused to talk to me: 550 Reverse DNS lookup failed for host 87.226.13.245.)
I have tested my server for open relay on some site and got the answer:
>Unable to relay: Invalid response code received from server
> This server is NOT Open Relay


More info about my system:

CentOS 5.2
[root@s2 ~]# uname -r
2.6.18-92.1.22.el5
[root@s2 ~]# ps auxf
 
Old 05-14-2009, 03:44 AM   #2
namit
Member
 
Registered: Aug 2005
Distribution: Debian
Posts: 355

Rep: Reputation: 30
Set up your servers with some form of authentication for users to send email. Most likely, if you do not get your users to log in or authenticate, then your server is open to relay. While you're at it, you might as well implement encryption for email transfer at the same time.
 
Old 05-14-2009, 03:56 AM   #3
mr_git
LQ Newbie
 
Registered: Dec 2005
Distribution: Ubuntu
Posts: 10

Rep: Reputation: 1
Do you need to have postfix listening on port 25 for SMTP connections from anywhere on the internet? Because it looks like it is.

If you do need this, as namit says, have a look at setting up authentication:

http://www.google.com/search?hl=en&q=postfix+smtp+auth

You might also want to think about using a different port number rather than the standard 25 for SMTP (this is not much protection, but makes you a slightly less easy target).
 
Old 05-14-2009, 04:19 AM   #4
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Can you show

postconf -n
 
Old 05-14-2009, 05:24 AM   #5
bzzik
LQ Newbie
 
Registered: Jan 2009
Location: Latvia, Riga
Distribution: CentOS
Posts: 25

Original Poster
Rep: Reputation: 0
Thanks guys for so quick replies - I really appreciate your help!
Unfortunately I cannot provide postconf -n now; I will do it later today. But I can provide my main.cf now:

Quote:
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
mydomain = mydomain.lv
inet_interfaces = all
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.3.3/samples
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
smtpd_sasl_local_domain = s2.mydomain.lv
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
mynetworks = 127.0.0.0/8
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
myhostname = s2.mydomain.lv
home_mailbox = Maildir/
mailbox_command =

virtual_maps = hash:/etc/postfix/virtusertable

mydestination = /etc/postfix/local-host-names

message_size_limit = 40960000
I have AUTH enabled. All my customers have their own username and password for authentication on the SMTP server. Maybe one of the accounts is hacked? How do I check it?

Last edited by bzzik; 05-14-2009 at 05:32 AM.
 
Old 05-14-2009, 06:01 AM   #6
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Don't worry about postconf -n then, main.cf is OK. Doesn't look like an open relay.

I think you will need to trawl through the logs and work out what connection is sending those mails. I think your guess of a hacked customer is probably correct.
 
Old 05-14-2009, 08:31 AM   #7
bzzik
LQ Newbie
 
Registered: Jan 2009
Location: Latvia, Riga
Distribution: CentOS
Posts: 25

Original Poster
Rep: Reputation: 0
Is it correct that someone is using one of my customers' usernames and passwords to send spam through my mail server? I did trawl through the logs, but I cannot understand how to work out what connection is sending those mails. Should there be login attempts to SMTP?
 
Old 05-22-2009, 08:09 AM   #8
lthorne
LQ Newbie
 
Registered: May 2009
Location: Greenwich Village
Posts: 1

Rep: Reputation: 0
I had this problem last year with a non-profit client. One of their 'volunteers' had answered a Nigerian spam - their password was their first name and the Nigerian took over their email account and started sending spam off of our mail servers, which got our entire cluster blacklisted for a day.

I actually found out which email account was sending the offending spam from the blacklist provider themselves. The various ISPs (Verizon, Earthlink, etc.) were all very helpful in helping us nail down the spammer as well, so don't be afraid to ask them for help on which account is sending the spam.

It took about 24 hours to resolve the issue and get removed from the blacklists, so keep at it and don't be afraid to ask the ISP or the blacklist moderator for info on the spam. They will gladly help you stem the tide of spam.
 
Old 05-25-2009, 03:51 PM   #9
bzzik
LQ Newbie
 
Registered: Jan 2009
Location: Latvia, Riga
Distribution: CentOS
Posts: 25

Original Poster
Rep: Reputation: 0
Thanks! I will do so!
 
Old 05-25-2009, 04:53 PM   #10
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
If they are authenticating, the authentication is surely being recorded in the appropriate log, whichever that may be, and if it's spam, there will be plenty of them.

Try

grep auth /var/log/*

or similar to determine what and where.
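One way to do the correlation bzzik asked about in #7 and billymayday points at here (an added example, not code from anyone in this thread): Postfix logs who handed a message in on the smtpd line (client= and, for an authenticated submission, sasl_username=) or on the pickup line (uid= for mail injected locally via the sendmail binary, e.g. by a web script), and the qmgr line carries the recipient count; joining them on the queue id gives per-account totals. The sample log lines below are constructed for this example (RFC 5737 documentation IPs, made-up user names and hosts); only the hostname s2 and the qmgr line format follow the OP's maillog.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix 2.x syslog format. Hosts, IPs (RFC 5737
# documentation ranges), user names and queue ids are made up for this example.
SAMPLE_LOG = """\
May 10 22:01:03 s2 postfix/smtpd[20001]: 3EF34104A94: client=unknown[192.0.2.45], sasl_method=LOGIN, sasl_username=shop@customer-example.lv
May 10 22:01:03 s2 postfix/qmgr[24943]: 3EF34104A94: from=<info@banesnet.es>, size=2453, nrcpt=50 (queue active)
May 10 22:01:04 s2 postfix/smtpd[20001]: 87D4B1049E9: client=unknown[192.0.2.45], sasl_method=LOGIN, sasl_username=shop@customer-example.lv
May 10 22:01:04 s2 postfix/qmgr[24943]: 87D4B1049E9: from=<info@banesnet.es>, size=2453, nrcpt=50 (queue active)
May 10 22:05:10 s2 postfix/smtpd[20007]: 1F1C31049C8: client=mail.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=anna@customer-example.lv
May 10 22:05:10 s2 postfix/qmgr[24943]: 1F1C31049C8: from=<anna@customer-example.lv>, size=1200, nrcpt=1 (queue active)
May 10 22:07:00 s2 postfix/pickup[32002]: 10524104B1D: uid=48 from=<apache>
May 10 22:07:00 s2 postfix/qmgr[24943]: 10524104B1D: from=<apache@s2.mydomain.lv>, size=4283, nrcpt=1 (queue active)
May 10 22:08:00 s2 postfix/smtpd[20009]: AB12C104999: client=mx.example.org[203.0.113.9]
May 10 22:08:00 s2 postfix/qmgr[24943]: AB12C104999: from=<someone@example.org>, size=900, nrcpt=1 (queue active)
"""

# Who handed the message to Postfix: an SMTP client (with sasl_username= when
# it authenticated) ...
SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>[^,\s]+)")
SASL_RE = re.compile(r"sasl_username=(?P<user>[^,\s]+)")
# ... or a local process using the sendmail binary (pickup logs its uid) ...
PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<[^>]*>")
# ... and how many recipients the queue manager then handled for that queue id.
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")


def parse_maillog(lines):
    """Join smtpd/pickup and qmgr lines on the queue id; return {queue_id: record}."""
    records = defaultdict(dict)
    for line in lines:
        m = SMTPD_RE.search(line)
        if m:
            rec = records[m["qid"]]
            rec["client"] = m["client"]
            s = SASL_RE.search(line)
            if s:
                rec["sasl_username"] = s["user"]
            continue
        m = PICKUP_RE.search(line)
        if m:
            records[m["qid"]]["uid"] = int(m["uid"])
            continue
        m = QMGR_RE.search(line)
        if m:
            records[m["qid"]]["sender"] = m["sender"]
            records[m["qid"]]["nrcpt"] = int(m["nrcpt"])
    return dict(records)


def submission_path(rec):
    """Classify one message: SASL account, local uid (e.g. a web script), or
    an SMTP client that never authenticated (what an open relay would show)."""
    if "sasl_username" in rec:
        return ("sasl", rec["sasl_username"])
    if "uid" in rec:
        return ("local-uid", str(rec["uid"]))
    if "client" in rec:
        return ("unauthenticated", rec["client"])
    return ("unknown", "")


def summarize(lines):
    """Return [((kind, who), messages, recipients)], most recipients first."""
    totals = defaultdict(lambda: [0, 0])
    for rec in parse_maillog(lines).values():
        if "nrcpt" not in rec:
            continue  # never reached the active queue within this excerpt
        key = submission_path(rec)
        totals[key][0] += 1
        totals[key][1] += rec["nrcpt"]
    return sorted(((k, m, r) for k, (m, r) in totals.items()),
                  key=lambda row: (-row[2], row[0]))


if __name__ == "__main__":
    # On the real box: summarize(open("/var/log/maillog")) -- the CentOS 5 path.
    for (kind, who), msgs, rcpts in summarize(SAMPLE_LOG.splitlines()):
        print(f"{rcpts:6d} rcpts {msgs:4d} msgs  {kind:16s} {who}")
```

An account at the top of the list with hundreds of nrcpt=50 messages from a client IP outside your customers' networks is the compromised login; a high total under local-uid 48 (apache) instead points at a web script on the server rather than a stolen password.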
 