LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 01-12-2007, 05:55 PM   #1
namit
Member
 
Registered: Aug 2005
Distribution: Debian
Posts: 355

Rep: Reputation: 30
Postfix lockdown


I have a mail server sending and receiving emails back and forth no problem, but I am getting emails from my logwatcher and it says I am sending around 300 messages a day, but I only send around 10 or so.

How can I lock down my mail server to stop people from sending emails through it?

I tried just taking off port forwarding to my email server on port 25, but that of course just stopped all emails coming in also.

Can anyone help or point me in the right direction?
 
Old 01-12-2007, 07:48 PM   #2
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
First of all, are you sure that you are sending out so many mails? You might post your mail logs as proof. Second, where do those emails originate? Are they local or remote? If remote, then you are an open relay, but you would have really had to screw up your postfix config for that to be the case. You might also post the output of postfix -n.
 
Old 01-12-2007, 08:04 PM   #3
namit
Member
 
Registered: Aug 2005
Distribution: Debian
Posts: 355

Original Poster
Rep: Reputation: 30
I think it's because I am an open relay.
Yes, I am positive I am not sending that many emails.


Quote:
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
alias_maps = hash:/etc/aliases
myorigin = $mydomain
mydestination = mydomainname
relayhost = myIspmailserver
mailbox_command = /usr/bin/procmail
mailbox_size_limit = 0
recipient_delimiter = +
home_mailbox = Maildir/
postfix -n does this:
postfix: invalid option -- n
postfix: fatal: usage: postfix [-c config_dir] [-Dv] command
 
Old 01-12-2007, 08:13 PM   #4
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
Quote:
I think its because i am an open relay
That's terrible, namit. But, show proof. Post or verify your maillog.

Quote:
postfix: invalid option -- n
Sorry, that should be
Code:
postconf -n

Last edited by Berhanie; 01-12-2007 at 08:15 PM.
 
Old 01-12-2007, 08:16 PM   #5
namit
Member
 
Registered: Aug 2005
Distribution: Debian
Posts: 355

Original Poster
Rep: Reputation: 30
Quote:
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
home_mailbox = Maildir/
mailbox_command = /usr/bin/procmail
mailbox_size_limit = 0
mydestination = mydomainname.com, localhost.localdomain, localhost.localdomain, localhost
myorigin = $mydomain
recipient_delimiter = +
relayhost = mail.esat.net
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
Here is the output of that

Thanks for the help
 
Old 01-12-2007, 08:51 PM   #6
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
Good news: you're not an open relay. Now, take a look at your mail logs to see whether you are really sending out 300 emails per day and where they are coming from. The only possible source is something local (worst-case scenario: your web server).
 
Old 01-13-2007, 07:57 AM   #7
Fadoksi
Member
 
Registered: Apr 2006
Location: Finland
Distribution: Ubuntu, Gentoo, Debian
Posts: 88

Rep: Reputation: 15
Remove the machine from the network.
Check for rootkits with chkrootkit and/or rkhunter.

If you want to be sure your server is not used for spamming, format and reinstall... and harden.
 
Old 01-13-2007, 08:26 AM   #8
namit
Member
 
Registered: Aug 2005
Distribution: Debian
Posts: 355

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by Berhanie
Good news: you're not an open relay. Now, take a look at your mail logs to see whether you are really sending out 300 emails per day and where they are coming from. The only possible source is something local (worst-case scenario: your web server).
Stupid question: where do I check this? I only know this is happening because logwatcher sends me an email and says so.

Thanks, guys, for the real help.
 
Old 01-13-2007, 11:48 AM   #9
Fadoksi
Member
 
Registered: Apr 2006
Location: Finland
Distribution: Ubuntu, Gentoo, Debian
Posts: 88

Rep: Reputation: 15
The mail logs are (at least on my Debian Sarge server):
/var/log/mail.log
/var/log/mail.err
/var/log/mail.info
 
Old 01-26-2007, 06:15 AM   #10
namit
Member
 
Registered: Aug 2005
Distribution: Debian
Posts: 355

Original Poster
Rep: Reputation: 30
So I have port forwarding to 25.

How else can I check to see if spammers are using my mail server?

My Mailserver
Router port forwarding 25 143
Internet

/var/log/mail.log
Quote:
Jan 26 11:43:30 localhost spamd[17884]: Creating default_prefs [/var/www/.spamassassin/user_prefs]
Jan 26 11:43:30 localhost spamd[17884]: Cannot write to /var/www/.spamassassin/user_prefs: No such file or directory
Jan 26 11:43:30 localhost spamd[17884]: Couldn't create readable default_prefs for [/var/www/.spamassassin/user_prefs]
Jan 26 11:43:30 localhost spamd[17884]: processing message <20070126114330.56252E7DA1@localhost.localdomain> for www-data:33.
Jan 26 11:43:30 localhost spamd[17884]: Failed to run FUZZY_OCR SpamAssassin test, skipping:__(Can't locate object method "new" via package "Mail::SpamAssassin::Timeout" (perhaps you forgot to load "Mail::SpamAssassin::Timeout"?) at /etc/spamassassin/FuzzyOcr.pm line 229, <GEN157> line 75._)
Jan 26 11:43:30 localhost spamd[17884]: clean message (-2.8/3.0) for www-data:33 in 0.2 seconds, 2482 bytes.
Jan 26 11:43:30 localhost spamd[17884]: result: . -2 - ALL_TRUSTED scantime=0.2,size=2482,mid=<20070126114330.56252E7DA1@localhost.localdomain>,autolearn=failed
Jan 26 11:43:30 localhost postfix/local[11668]: 56252E7DA1: to=<www-data@localhost.localdomain>, relay=local, delay=0, status=sent (delivered to command: /usr/bin/procmail)
Jan 26 11:43:30 localhost postfix/qmgr[4761]: 56252E7DA1: removed
Jan 26 11:44:16 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:44:44 localhost imap-login: Login: namit [83.70.232.219]
Jan 26 11:44:45 localhost last message repeated 3 times
Jan 26 11:45:16 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:46:19 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:47:16 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:48:16 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:49:17 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:49:43 localhost postfix/smtpd[12028]: connect from mindfields.own-hero.net[85.214.51.57]
Jan 26 11:49:43 localhost postfix/smtpd[12028]: E9398E7D8C: client=mindfields.own-hero.net[85.214.51.57]
Jan 26 11:49:44 localhost postfix/cleanup[12031]: E9398E7D8C: message-id=<mailman.1.1169809201.27972.devel-spam@lists.own-hero.net>
Jan 26 11:49:44 localhost postfix/smtpd[12028]: disconnect from mindfields.own-hero.net[85.214.51.57]
Jan 26 11:49:44 localhost postfix/qmgr[4761]: E9398E7D8C: from=<devel-spam-bounces@lists.own-hero.net>, size=19051, nrcpt=1 (queue active)
Jan 26 11:49:44 localhost spamd[26268]: connection from localhost.localdomain [127.0.0.1] at port 37576
Jan 26 11:49:44 localhost spamd[26268]: info: setuid to forum succeeded
Jan 26 11:49:44 localhost spamd[26268]: processing message <mailman.1.1169809201.27972.devel-spam@lists.own-hero.net> for forum:1006.
Jan 26 11:49:45 localhost spamd[26268]: Failed to run FUZZY_OCR SpamAssassin test, skipping:__(Can't locate object method "new" via package "Mail::SpamAssassin::Timeout" (perhaps you forgot to load "Mail::SpamAssassin::Timeout"?) at /etc/spamassassin/FuzzyOcr.pm line 229._)
Jan 26 11:49:45 localhost spamd[26268]: clean message (0.7/3.0) for forum:1006 in 1.4 seconds, 18809 bytes.
Jan 26 11:49:45 localhost spamd[26268]: result: . 0 - AWL,BAYES_50,NO_REAL_NAME scantime=1.4,size=18809,mid=<mailman.1.1169809201.27972.devel-spam@lists.own-hero.net>,bayes=0.50171286127229,autolearn=no
Jan 26 11:49:45 localhost postfix/local[12033]: E9398E7D8C: to=<forum@namit.org>, relay=local, delay=2, status=sent (delivered to command: /usr/bin/procmail)
Jan 26 11:49:45 localhost postfix/qmgr[4761]: E9398E7D8C: removed
Jan 26 11:50:16 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:51:17 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:52:17 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:53:17 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:54:17 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:54:58 localhost postfix/pickup[10187]: 8C5C3E7D8E: uid=0 from=<root>
Jan 26 11:54:58 localhost postfix/cleanup[12624]: 8C5C3E7D8E: message-id=<20070126115458.8C5C3E7D8E@localhost.localdomain>
Jan 26 11:54:58 localhost postfix/qmgr[4761]: 8C5C3E7D8E: from=<root@localhost.localdomain>, size=4233, nrcpt=1 (queue active)
Jan 26 11:54:58 localhost spamd[11684]: connection from localhost.localdomain [127.0.0.1] at port 37579
Jan 26 11:54:58 localhost spamd[11684]: info: setuid to forum succeeded
Jan 26 11:54:58 localhost spamd[11684]: processing message <20070126115458.8C5C3E7D8E@localhost.localdomain> for forum:1006.
Jan 26 11:54:59 localhost spamd[11684]: Failed to run FUZZY_OCR SpamAssassin test, skipping:__(Can't locate object method "new" via package "Mail::SpamAssassin::Timeout" (perhaps you forgot to load "Mail::SpamAssassin::Timeout"?) at /etc/spamassassin/FuzzyOcr.pm line 229._)
Jan 26 11:54:59 localhost spamd[11684]: clean message (-5.3/3.0) for forum:1006 in 0.7 seconds, 4260 bytes.
Jan 26 11:54:59 localhost spamd[11684]: result: . -5 - ALL_TRUSTED,AWL,BAYES_00 scantime=0.7,size=4260,mid=<20070126115458.8C5C3E7D8E@localhost.localdomain>,bayes=1.11022302462516e-16,autolearn=ham
Jan 26 11:54:59 localhost postfix/local[12627]: 8C5C3E7D8E: to=<forum@namit.org>, relay=local, delay=1, status=sent (delivered to command: /usr/bin/procmail)
Jan 26 11:54:59 localhost postfix/qmgr[4761]: 8C5C3E7D8E: removed
Jan 26 11:55:17 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:56:17 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:57:17 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:58:17 localhost pop3-login: Login: forum [83.70.232.219]
/var/log/mail.err
Quote:
blank
/var/log/mail.info
Quote:
(same entries as the /var/log/mail.log quote above, plus one more pop3-login line at 11:59:18)
 
Old 01-26-2007, 06:24 AM   #11
namit
Member
 
Registered: Aug 2005
Distribution: Debian
Posts: 355

Original Poster
Rep: Reputation: 30
Maybe I could set up SMTP authorization?
 
Old 01-26-2007, 10:29 AM   #12
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
It looks like you may have some forum software sending out e-mail. It's also possible the logwatch is simply not very smart and it's counting bounce messages that you return to sender as "sent e-mails". If you receive a lot of e-mails each day for users who don't exist, they're going to generate bounce messages going back to the sender.
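To act on Berhanie's advice in #6 (read the mail log to see where outbound mail originates) and chort's point in #12 (logwatch may be counting bounces as sent mail), here is an added Python example, not from the thread, that groups Postfix log lines by queue id: a pickup line means the message was submitted locally (the uid tells you which user, 33 being www-data on Debian), an smtpd line means it arrived over the network, and a qmgr line with from=<> marks a bounce. The sample lines are constructed in the thread's log format with example.net hosts and documentation IPs, not the poster's real log.

```python
import re
from collections import Counter
SAMPLE_LOG = """\
Jan 26 11:49:43 localhost postfix/smtpd[12028]: E9398E7D8C: client=mindfields.example.net[192.0.2.57]
Jan 26 11:49:44 localhost postfix/qmgr[4761]: E9398E7D8C: from=<list-bounces@lists.example.net>, size=19051, nrcpt=1 (queue active)
Jan 26 11:49:45 localhost postfix/local[12033]: E9398E7D8C: to=<forum@example.org>, relay=local, delay=2, status=sent (delivered to command: /usr/bin/procmail)
Jan 26 11:54:58 localhost postfix/pickup[10187]: 8C5C3E7D8E: uid=33 from=<www-data>
Jan 26 11:54:58 localhost postfix/qmgr[4761]: 8C5C3E7D8E: from=<www-data@localhost.localdomain>, size=4233, nrcpt=1 (queue active)
Jan 26 11:54:59 localhost postfix/smtp[12627]: 8C5C3E7D8E: to=<someone@example.com>, relay=mail.isp.example[198.51.100.9]:25, delay=1, status=sent (250 Ok)
Jan 26 11:55:10 localhost postfix/qmgr[4761]: F00DBEEF01: from=<>, size=3000, nrcpt=1 (queue active)
Jan 26 11:55:11 localhost postfix/smtp[12701]: F00DBEEF01: to=<nobody@example.net>, relay=mail.isp.example[198.51.100.9]:25, delay=1, status=sent (250 Ok)
"""  # constructed sample lines in the thread's log format, not the poster's real log
QUEUE_RE = re.compile(r"postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)")
FIELD_RE = {  # one detail regex per Postfix daemon we care about
    "pickup": re.compile(r"uid=(\d+)"),      # local submission: sendmail(1), PHP mail(), cron
    "smtpd": re.compile(r"client=(\S+)"),    # arrived over the network on port 25
    "qmgr": re.compile(r"from=<([^>]*)>"),   # envelope sender; "" is the null sender (a bounce)
    "local": re.compile(r"relay=([^,]+)"),   # delivered to a local mailbox
    "smtp": re.compile(r"relay=([^,]+)"),    # handed to another host, e.g. the ISP relayhost
}
def parse_postfix_log(text):
    """Group lines by queue id, recording how each message entered and where it went."""
    msgs = {}
    for line in text.splitlines():
        m = QUEUE_RE.search(line)
        if not m or m["prog"] not in FIELD_RE:
            continue  # spamd, pop3-login, "connect from" and other non-queue lines
        f = FIELD_RE[m["prog"]].search(m["rest"])
        if f is None:
            continue
        msg = msgs.setdefault(m["qid"], {"origin": None, "sender": None, "relays": []})
        if m["prog"] == "pickup":
            msg["origin"] = "local uid=" + f.group(1)
        elif m["prog"] == "smtpd":
            msg["origin"] = "smtp client=" + f.group(1)
        elif m["prog"] == "qmgr":
            msg["sender"] = f.group(1)
        else:
            msg["relays"].append(f.group(1))
    return msgs

def outbound_report(msgs):
    """Count messages that left the box, attributed to bounce, local origin or remote client."""
    counts = Counter()
    for msg in msgs.values():
        if all(relay == "local" for relay in msg["relays"]):
            continue  # stayed in local mailboxes (or was never delivered): not outbound
        counts["outbound"] += 1
        if msg["sender"] == "":
            counts["bounce"] += 1  # what logwatch may be counting as "sent" (post #12)
        elif msg["origin"] and msg["origin"].startswith("local"):
            counts[msg["origin"]] += 1  # uid 33 is www-data on Debian: look at the web app
        else:
            counts["remote"] += 1  # relayed for a network client: check mynetworks
    return counts
```

Run it over a real /var/log/mail.log with `outbound_report(parse_postfix_log(open("/var/log/mail.log").read()))`; a large "local uid=33" count points at the forum software, a large "bounce" count at backscatter from mail to non-existent users.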
 