LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

#1 bulls_i3, 10-18-2010, 12:56 AM
Postfix -- hacked??


Hello.

This is a postfix related question.

I have postfix set up to use gmail as a relay host. My postfix accepts mail to my domain (say foo.org).

Everything works fine, I'm able to send email through google no problem.

I THOUGHT I was not an open-relay, but I found my "Sent" folder in google flooded with sent junk (chinese), my mailq had over 200,000 msgs, and postfix went crazy (basically I was DoS'd).

postfix/main.cf
Code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (WuZzY)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
#smtpd_use_tls=yes
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

#home_mailbox = /var/mail/maildir/ #Maildir/ 
mail_spool_directory = /var/mail/maildir/

# SASL stuff
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,check_relay_domains
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = wuzzy.foo.org
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = foo.org
mydestination = foo.org, localhost.localdomain, localhost
relayhost = [smtp.gmail.com]:587
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_cert_file = /etc/postfix/example_gmail-cert.pem
smtp_tls_key_file = /etc/postfix/example_gmail-key.pem
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
mynetworks = 0.0.0.0/0 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
When I telnet to the server
Code:
Connected to wuzzy.
Escape character is '^]'.
220 wuzzy.foo.org ESMTP Postfix (WuZzY)
EHLO bar.org
250-wuzzy.foo.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Sample from log file:
Code:
Oct 17 21:12:57 wuzzy postfix/smtp[2805]: C07141C1854: to=<qs_ying@yahoo.com.tw>, relay=smtp.gmail.com[74.125.157.109]:587, delay=16, delays=15/0.01/1.1/0.05, dsn=4.7.0, status=deferred (host smtp.gmail.com[74.125.157.109] said: 421 4.7.0 Try again later, closing connection. (MAIL) p1sm3750463ybn.5 (in reply to MAIL FROM command))
Any ideas why postfix accepted these messages?

Thanks.

 
#2 Noway2, 10-18-2010, 05:11 AM
See the following: http://www.postfix.org/postconf.5.ht...t_restrictions

I would look very carefully at how you configured your relay host (gmail). I would also suggest running one of the tests on the open relay test web sites to be sure.
 
#3 bulls_i3 (original poster), 10-18-2010, 04:35 PM
Hello Noway2. Thanks for the response.

I have already set up smtpd_recipient_restrictions (in main.cf) to "permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,check_relay_domains".

But I have just noticed that

mynetworks = 0.0.0.0/0 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

Which obviously doesn't look correct. I will fix this and see if it helps, but I'm not sure what a good way to test this would be (I had already tested my configuration before and failed to send without being authenticated. Not sure how the attackers did it, but then again I'm kind of a mail-server noob). I will look for an open-relay testing site.
 
#4 bulls_i3 (original poster), 10-18-2010, 04:53 PM
OK, I used http://www.abuse.net/relay.html to test my server before making any changes. It reported that my message was accepted (but may have been discarded by postfix still), so it MAY be an open relay. I checked the log and it was NOT discarded.

It definitely seemed like the "mynetworks" thing. I removed the "permit_mynetworks" from the recipient restrictions, and re-ran the test:

All tests performed, no relays accepted.

So that solves the problem.

As a side note, postfix claims to be a non-open-relay by "default" (I read that in their documentation somewhere), but I find having smtpd_recipient_restrictions = permit_mynetworks and mynetworks = 0.0.0.0/0 by default to be a contradiction.
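An added example, not code from this thread: it reads the relevant lines of the main.cf posted in #1 and walks smtpd_recipient_restrictions the way smtpd evaluates them (first PERMIT or REJECT wins), to show why mynetworks = 0.0.0.0/0 made permit_mynetworks match every client, and why narrowing mynetworks to loopback (or dropping permit_mynetworks, as the poster did) closes the relay. The probe addresses are constructed, and reject_unauth_destination is simplified to consult only mydestination (not relay_domains or virtual domains); both are assumptions.

```python
import ipaddress

# Constructed excerpt of the main.cf from post #1 (the mynetworks line is the
# one that opened the relay).
MAIN_CF = """
mydestination = foo.org, localhost.localdomain, localhost
mynetworks = 0.0.0.0/0 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,check_relay_domains
"""

def parse_main_cf(text):
    """Minimal key = value parser; skips comments and blank lines."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, val = line.partition("=")
            cfg[key.strip()] = val.strip()
    return cfg

def parse_networks(value):
    """Postfix writes IPv6 prefixes as [addr]/len; strip the brackets."""
    return [ipaddress.ip_network(t.replace("[", "").replace("]", ""), strict=False)
            for t in value.replace(",", " ").split()]

def evaluate(cfg, client_ip, sasl_authenticated, rcpt_domain):
    """Walk the restriction list in order; the first PERMIT or REJECT wins.
    Assumed simplification: reject_unauth_destination consults only
    mydestination, and check_relay_domains (obsolete) counts as DUNNO."""
    nets = parse_networks(cfg.get("mynetworks", ""))
    mydest = {d.strip().lower() for d in cfg.get("mydestination", "").split(",")}
    addr = ipaddress.ip_address(client_ip)
    for rule in cfg.get("smtpd_recipient_restrictions", "").replace(",", " ").split():
        if rule == "permit_mynetworks" and any(addr in n for n in nets):
            return "PERMIT", rule
        if rule == "permit_sasl_authenticated" and sasl_authenticated:
            return "PERMIT", rule
        if rule == "reject_unauth_destination" and rcpt_domain.lower() not in mydest:
            return "REJECT", rule
    return "PERMIT", "end-of-list"  # nothing rejected: Postfix accepts the recipient

def is_open_relay(cfg, probe_ip="198.51.100.7"):
    """Unauthenticated client on a constructed documentation address, RCPT to a domain we do not host."""
    return evaluate(cfg, probe_ip, False, "example.net")[0] == "PERMIT"

def harden(cfg):
    """One of the two fixes discussed in the thread: trust only loopback."""
    return {**cfg, "mynetworks": "127.0.0.0/8 [::1]/128"}
```

With the posted config, is_open_relay() is True because 0.0.0.0/0 contains every IPv4 client; after harden() the same probe is stopped by reject_unauth_destination while authenticated clients and mail for foo.org still get through.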
 
#5 Noway2, 10-19-2010, 03:59 AM
That is a good find. If I am not mistaken, mynetworks = 0.0.0.0/0 means accept ALL networks. Naturally, you would want to permit your networks and include localhost (127.0.0.1), and this was probably a mistaken attempt to do that. Out of curiosity, you mention this being a default. Was this a default from the install or from a how-to document?
 
#6 bulls_i3 (original poster), 10-24-2010, 03:49 AM
I just installed postfix on another machine (running the same OS, Fedora 13), and the default config file did NOT contain mynetworks=0.0.0.0, so it must have been a howto I've followed.

I guess it's my fault. I should check to see what I'm following.
 
#7 Noway2, 10-24-2010, 09:43 AM
Thank you for following up on this. This is good information that might also help someone else in the future. If you are able to find the how-to that contains this, you might want to contact the author or at least make a comment on their blog regarding the 'mistake'.