Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
01-12-2007, 05:55 PM
|
#1
|
Member
Registered: Aug 2005
Distribution: Debian
Posts: 355
Rep:
|
Postfix lockdown
I have a mail server sending and receiving emails back and forth no problem, but I am getting mail off my logwatcher and it says I am sending around 300 messages a day, but I only send around 10 or so.
How can I lock down my mail server to stop people from sending emails through it?
I tried just taking off port forwarding to my email server on port 25, but that of course just stopped all emails coming in also.
Can anyone help or point me in the right direction?
|
|
|
01-12-2007, 07:48 PM
|
#2
|
Senior Member
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625
Rep: 
|
First of all, are you sure that you are sending out so many mails? You might post your mail logs as proof. Second, where do those emails originate? Are they local or remote? If remote, then you are an open relay, but you would have really had to screw up your postfix config for that to be the case. You might also post the output of postfix -n.
|
|
|
01-12-2007, 08:04 PM
|
#3
|
Member
Registered: Aug 2005
Distribution: Debian
Posts: 355
Original Poster
Rep:
|
I think it's because I am an open relay.
Yes, I am positive I am not sending that many emails.
Quote:
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
alias_maps = hash:/etc/aliases
myorigin = $mydomain
mydestination = mydomainname
relayhost = myIspmailserver
mailbox_command = /usr/bin/procmail
mailbox_size_limit = 0
recipient_delimiter = +
home_mailbox = Maildir/
|
postfix -n does this
postfix: invalid option -- n
postfix: fatal: usage: postfix [-c config_dir] [-Dv] command
|
|
|
01-12-2007, 08:13 PM
|
#4
|
Senior Member
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625
Rep: 
|
Quote:
I think it's because I am an open relay
|
That's terrible, namit. But, show proof. Post or verify your maillog.
Quote:
postfix: invalid option -- n
|
Sorry, that should be
Last edited by Berhanie; 01-12-2007 at 08:15 PM.
|
|
|
01-12-2007, 08:16 PM
|
#5
|
Member
Registered: Aug 2005
Distribution: Debian
Posts: 355
Original Poster
Rep:
|
Quote:
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
home_mailbox = Maildir/
mailbox_command = /usr/bin/procmail
mailbox_size_limit = 0
mydestination = mydomainname.com, localhost.localdomain, localhost.localdomain, localhost
myorigin = $mydomain
recipient_delimiter = +
relayhost = mail.esat.net
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
|
Here is the output of that
Thanks for the help
|
|
|
01-12-2007, 08:51 PM
|
#6
|
Senior Member
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625
Rep: 
|
Good news: you're not an open relay. Now, take a look at your mail logs to see whether you are really sending out 300 emails per day and where they are coming from. The only possible source is something local (worst-case scenario: your web server).
|
|
|
01-13-2007, 07:57 AM
|
#7
|
Member
Registered: Apr 2006
Location: Finland
Distribution: Ubuntu, Gentoo, Debian
Posts: 88
Rep:
|
Remove the machine from the network.
Check for rootkits with chkrootkit and/or rkhunter.
If you want to be sure your server is not used for spamming, format and reinstall... and harden.
|
|
|
01-13-2007, 08:26 AM
|
#8
|
Member
Registered: Aug 2005
Distribution: Debian
Posts: 355
Original Poster
Rep:
|
Quote:
Originally Posted by Berhanie
Good news: you're not an open relay. Now, take a look at your mail logs to see whether you are really sending out 300 emails per day and where they are coming from. The only possible source is something local (worst-case scenario: your web server).
|
Stupid question: where do I check this? I only know this is happening because logwatcher sends me an email and says so.
Thanks guys for the real help.
|
|
|
01-13-2007, 11:48 AM
|
#9
|
Member
Registered: Apr 2006
Location: Finland
Distribution: Ubuntu, Gentoo, Debian
Posts: 88
Rep:
|
The mail logs are (at least on my Debian Sarge server):
/var/log/mail.log
/var/log/mail.err
/var/log/mail.info
|
|
|
01-26-2007, 06:15 AM
|
#10
|
Member
Registered: Aug 2005
Distribution: Debian
Posts: 355
Original Poster
Rep:
|
So I have port forwarding to 25.
How else can I check to see if spammers are using my mail server?
My Mailserver
Router port forwarding 25 143
Internet
/var/log/mail.log
Quote:
Jan 26 11:43:30 localhost spamd[17884]: Creating default_prefs [/var/www/.spamassassin/user_prefs]
Jan 26 11:43:30 localhost spamd[17884]: Cannot write to /var/www/.spamassassin/user_prefs: No such file or directory
Jan 26 11:43:30 localhost spamd[17884]: Couldn't create readable default_prefs for [/var/www/.spamassassin/user_prefs]
Jan 26 11:43:30 localhost spamd[17884]: processing message <20070126114330.56252E7DA1@localhost.localdomain> for www-data:33.
Jan 26 11:43:30 localhost spamd[17884]: Failed to run FUZZY_OCR SpamAssassin test, skipping:__(Can't locate object method "new" via package "Mail::SpamAssassin::Timeout" (perhaps you forgot to load "Mail::SpamAssassin::Timeout"?) at /etc/spamassassin/FuzzyOcr.pm line 229, <GEN157> line 75._)
Jan 26 11:43:30 localhost spamd[17884]: clean message (-2.8/3.0) for www-data:33 in 0.2 seconds, 2482 bytes.
Jan 26 11:43:30 localhost spamd[17884]: result: . -2 - ALL_TRUSTED scantime=0.2,size=2482,mid=<20070126114330.56252E7DA1@localhost.localdomain>,autolearn=failed
Jan 26 11:43:30 localhost postfix/local[11668]: 56252E7DA1: to=<www-data@localhost.localdomain>, relay=local, delay=0, status=sent (delivered to command: /usr/bin/procmail)
Jan 26 11:43:30 localhost postfix/qmgr[4761]: 56252E7DA1: removed
Jan 26 11:44:16 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:44:44 localhost imap-login: Login: namit [83.70.232.219]
Jan 26 11:44:45 localhost last message repeated 3 times
Jan 26 11:45:16 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:46:19 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:47:16 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:48:16 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:49:17 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:49:43 localhost postfix/smtpd[12028]: connect from mindfields.own-hero.net[85.214.51.57]
Jan 26 11:49:43 localhost postfix/smtpd[12028]: E9398E7D8C: client=mindfields.own-hero.net[85.214.51.57]
Jan 26 11:49:44 localhost postfix/cleanup[12031]: E9398E7D8C: message-id=<mailman.1.1169809201.27972.devel-spam@lists.own-hero.net>
Jan 26 11:49:44 localhost postfix/smtpd[12028]: disconnect from mindfields.own-hero.net[85.214.51.57]
Jan 26 11:49:44 localhost postfix/qmgr[4761]: E9398E7D8C: from=<devel-spam-bounces@lists.own-hero.net>, size=19051, nrcpt=1 (queue active)
Jan 26 11:49:44 localhost spamd[26268]: connection from localhost.localdomain [127.0.0.1] at port 37576
Jan 26 11:49:44 localhost spamd[26268]: info: setuid to forum succeeded
Jan 26 11:49:44 localhost spamd[26268]: processing message <mailman.1.1169809201.27972.devel-spam@lists.own-hero.net> for forum:1006.
Jan 26 11:49:45 localhost spamd[26268]: Failed to run FUZZY_OCR SpamAssassin test, skipping:__(Can't locate object method "new" via package "Mail::SpamAssassin::Timeout" (perhaps you forgot to load "Mail::SpamAssassin::Timeout"?) at /etc/spamassassin/FuzzyOcr.pm line 229._)
Jan 26 11:49:45 localhost spamd[26268]: clean message (0.7/3.0) for forum:1006 in 1.4 seconds, 18809 bytes.
Jan 26 11:49:45 localhost spamd[26268]: result: . 0 - AWL,BAYES_50,NO_REAL_NAME scantime=1.4,size=18809,mid=<mailman.1.1169809201.27972.devel-spam@lists.own-hero.net>,bayes=0.50171286127229,autolearn=no
Jan 26 11:49:45 localhost postfix/local[12033]: E9398E7D8C: to=<forum@namit.org>, relay=local, delay=2, status=sent (delivered to command: /usr/bin/procmail)
Jan 26 11:49:45 localhost postfix/qmgr[4761]: E9398E7D8C: removed
Jan 26 11:50:16 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:51:17 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:52:17 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:53:17 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:54:17 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:54:58 localhost postfix/pickup[10187]: 8C5C3E7D8E: uid=0 from=<root>
Jan 26 11:54:58 localhost postfix/cleanup[12624]: 8C5C3E7D8E: message-id=<20070126115458.8C5C3E7D8E@localhost.localdomain>
Jan 26 11:54:58 localhost postfix/qmgr[4761]: 8C5C3E7D8E: from=<root@localhost.localdomain>, size=4233, nrcpt=1 (queue active)
Jan 26 11:54:58 localhost spamd[11684]: connection from localhost.localdomain [127.0.0.1] at port 37579
Jan 26 11:54:58 localhost spamd[11684]: info: setuid to forum succeeded
Jan 26 11:54:58 localhost spamd[11684]: processing message <20070126115458.8C5C3E7D8E@localhost.localdomain> for forum:1006.
Jan 26 11:54:59 localhost spamd[11684]: Failed to run FUZZY_OCR SpamAssassin test, skipping:__(Can't locate object method "new" via package "Mail::SpamAssassin::Timeout" (perhaps you forgot to load "Mail::SpamAssassin::Timeout"?) at /etc/spamassassin/FuzzyOcr.pm line 229._)
Jan 26 11:54:59 localhost spamd[11684]: clean message (-5.3/3.0) for forum:1006 in 0.7 seconds, 4260 bytes.
Jan 26 11:54:59 localhost spamd[11684]: result: . -5 - ALL_TRUSTED,AWL,BAYES_00 scantime=0.7,size=4260,mid=<20070126115458.8C5C3E7D8E@localhost.localdomain>,bayes=1.11022302462516e-16,autolearn=ham
Jan 26 11:54:59 localhost postfix/local[12627]: 8C5C3E7D8E: to=<forum@namit.org>, relay=local, delay=1, status=sent (delivered to command: /usr/bin/procmail)
Jan 26 11:54:59 localhost postfix/qmgr[4761]: 8C5C3E7D8E: removed
Jan 26 11:55:17 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:56:17 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:57:17 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:58:17 localhost pop3-login: Login: forum [83.70.232.219]
|
/var/log/mail.err
/var/log/mail.info
Quote:
Jan 26 11:43:30 localhost spamd[17884]: Cannot write to /var/www/.spamassassin/user_prefs: No such file or directory
Jan 26 11:43:30 localhost spamd[17884]: Couldn't create readable default_prefs for [/var/www/.spamassassin/user_prefs]
Jan 26 11:43:30 localhost spamd[17884]: processing message <20070126114330.56252E7DA1@localhost.localdomain> for www-data:33.
Jan 26 11:43:30 localhost spamd[17884]: Failed to run FUZZY_OCR SpamAssassin test, skipping:__(Can't locate object method "new" via package "Mail::SpamAssassin::Timeout" (perhaps you forgot to load "Mail::SpamAssassin::Timeout"?) at /etc/spamassassin/FuzzyOcr.pm line 229, <GEN157> line 75._)
Jan 26 11:43:30 localhost spamd[17884]: clean message (-2.8/3.0) for www-data:33 in 0.2 seconds, 2482 bytes.
Jan 26 11:43:30 localhost spamd[17884]: result: . -2 - ALL_TRUSTED scantime=0.2,size=2482,mid=<20070126114330.56252E7DA1@localhost.localdomain>,autolearn=failed
Jan 26 11:43:30 localhost postfix/local[11668]: 56252E7DA1: to=<www-data@localhost.localdomain>, relay=local, delay=0, status=sent (delivered to command: /usr/bin/procmail)
Jan 26 11:43:30 localhost postfix/qmgr[4761]: 56252E7DA1: removed
Jan 26 11:44:16 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:44:44 localhost imap-login: Login: namit [83.70.232.219]
Jan 26 11:44:45 localhost last message repeated 3 times
Jan 26 11:45:16 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:46:19 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:47:16 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:48:16 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:49:17 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:49:43 localhost postfix/smtpd[12028]: connect from mindfields.own-hero.net[85.214.51.57]
Jan 26 11:49:43 localhost postfix/smtpd[12028]: E9398E7D8C: client=mindfields.own-hero.net[85.214.51.57]
Jan 26 11:49:44 localhost postfix/cleanup[12031]: E9398E7D8C: message-id=<mailman.1.1169809201.27972.devel-spam@lists.own-hero.net>
Jan 26 11:49:44 localhost postfix/smtpd[12028]: disconnect from mindfields.own-hero.net[85.214.51.57]
Jan 26 11:49:44 localhost postfix/qmgr[4761]: E9398E7D8C: from=<devel-spam-bounces@lists.own-hero.net>, size=19051, nrcpt=1 (queue active)
Jan 26 11:49:44 localhost spamd[26268]: connection from localhost.localdomain [127.0.0.1] at port 37576
Jan 26 11:49:44 localhost spamd[26268]: info: setuid to forum succeeded
Jan 26 11:49:44 localhost spamd[26268]: processing message <mailman.1.1169809201.27972.devel-spam@lists.own-hero.net> for forum:1006.
Jan 26 11:49:45 localhost spamd[26268]: Failed to run FUZZY_OCR SpamAssassin test, skipping:__(Can't locate object method "new" via package "Mail::SpamAssassin::Timeout" (perhaps you forgot to load "Mail::SpamAssassin::Timeout"?) at /etc/spamassassin/FuzzyOcr.pm line 229._)
Jan 26 11:49:45 localhost spamd[26268]: clean message (0.7/3.0) for forum:1006 in 1.4 seconds, 18809 bytes.
Jan 26 11:49:45 localhost spamd[26268]: result: . 0 - AWL,BAYES_50,NO_REAL_NAME scantime=1.4,size=18809,mid=<mailman.1.1169809201.27972.devel-spam@lists.own-hero.net>,bayes=0.50171286127229,autolearn=no
Jan 26 11:49:45 localhost postfix/local[12033]: E9398E7D8C: to=<forum@namit.org>, relay=local, delay=2, status=sent (delivered to command: /usr/bin/procmail)
Jan 26 11:49:45 localhost postfix/qmgr[4761]: E9398E7D8C: removed
Jan 26 11:50:16 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:51:17 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:52:17 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:53:17 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:54:17 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:54:58 localhost postfix/pickup[10187]: 8C5C3E7D8E: uid=0 from=<root>
Jan 26 11:54:58 localhost postfix/cleanup[12624]: 8C5C3E7D8E: message-id=<20070126115458.8C5C3E7D8E@localhost.localdomain>
Jan 26 11:54:58 localhost postfix/qmgr[4761]: 8C5C3E7D8E: from=<root@localhost.localdomain>, size=4233, nrcpt=1 (queue active)
Jan 26 11:54:58 localhost spamd[11684]: connection from localhost.localdomain [127.0.0.1] at port 37579
Jan 26 11:54:58 localhost spamd[11684]: info: setuid to forum succeeded
Jan 26 11:54:58 localhost spamd[11684]: processing message <20070126115458.8C5C3E7D8E@localhost.localdomain> for forum:1006.
Jan 26 11:54:59 localhost spamd[11684]: Failed to run FUZZY_OCR SpamAssassin test, skipping:__(Can't locate object method "new" via package "Mail::SpamAssassin::Timeout" (perhaps you forgot to load "Mail::SpamAssassin::Timeout"?) at /etc/spamassassin/FuzzyOcr.pm line 229._)
Jan 26 11:54:59 localhost spamd[11684]: clean message (-5.3/3.0) for forum:1006 in 0.7 seconds, 4260 bytes.
Jan 26 11:54:59 localhost spamd[11684]: result: . -5 - ALL_TRUSTED,AWL,BAYES_00 scantime=0.7,size=4260,mid=<20070126115458.8C5C3E7D8E@localhost.localdomain>,bayes=1.11022302462516e-16,autolearn=ham
Jan 26 11:54:59 localhost postfix/local[12627]: 8C5C3E7D8E: to=<forum@namit.org>, relay=local, delay=1, status=sent (delivered to command: /usr/bin/procmail)
Jan 26 11:54:59 localhost postfix/qmgr[4761]: 8C5C3E7D8E: removed
Jan 26 11:55:17 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:56:17 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:57:17 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:58:17 localhost pop3-login: Login: forum [83.70.232.219]
Jan 26 11:59:18 localhost pop3-login: Login: forum [83.70.232.219]
|
|
|
|
01-26-2007, 06:24 AM
|
#11
|
Member
Registered: Aug 2005
Distribution: Debian
Posts: 355
Original Poster
Rep:
|
Maybe I could set up SMTP authorizations?
|
|
|
01-26-2007, 10:29 AM
|
#12
|
Senior Member
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
|
It looks like you may have some forum software sending out e-mail. It's also possible the logwatch is simply not very smart and it's counting bounce messages that you return to sender as "sent e-mails". If you receive a lot of e-mails each day for users who don't exist, they're going to generate bounce messages going back to the sender.
|
|
|
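Added example (not part of the thread or written by any poster): one way to answer the question raised in posts #6 and #12, which messages actually left the machine and where they entered Postfix, by grouping mail.log lines on the queue ID. The sample log is constructed in the format shown above; all hosts, addresses and queue IDs in it are made up.

```python
import re
from collections import Counter

# Constructed sample in the syslog format seen in the thread. Queue IDs, hosts
# and addresses are made up (example.* names, documentation IP ranges).
# uid 33 is used for the local sender because the thread's spamd lines show www-data:33.
SAMPLE_LOG = """\
Jan 26 11:49:43 localhost postfix/smtpd[12028]: A1B2C3D4E5: client=mx.example.net[192.0.2.10]
Jan 26 11:49:44 localhost postfix/qmgr[4761]: A1B2C3D4E5: from=<list@example.net>, size=19051, nrcpt=1 (queue active)
Jan 26 11:49:45 localhost postfix/local[12033]: A1B2C3D4E5: to=<forum@example.org>, relay=local, delay=2, status=sent (delivered to command: /usr/bin/procmail)
Jan 26 11:54:58 localhost postfix/pickup[10187]: B2C3D4E5F6: uid=33 from=<www-data>
Jan 26 11:54:58 localhost postfix/qmgr[4761]: B2C3D4E5F6: from=<www-data@example.org>, size=4233, nrcpt=1 (queue active)
Jan 26 11:54:59 localhost postfix/smtp[12627]: B2C3D4E5F6: to=<user@example.com>, relay=relay.example.net[192.0.2.25], delay=1, status=sent (250 OK)
Jan 26 11:55:10 localhost postfix/smtpd[12030]: C3D4E5F607: client=unknown[198.51.100.7]
Jan 26 11:55:10 localhost postfix/qmgr[4761]: C3D4E5F607: from=<x@example.com>, size=900, nrcpt=1 (queue active)
Jan 26 11:55:11 localhost postfix/local[12640]: C3D4E5F607: to=<nobody-here@example.org>, relay=local, delay=1, status=bounced (unknown user: "nobody-here")
Jan 26 11:55:11 localhost postfix/qmgr[4761]: D4E5F60718: from=<>, size=2500, nrcpt=1 (queue active)
Jan 26 11:55:12 localhost postfix/smtp[12641]: D4E5F60718: to=<x@example.com>, relay=relay.example.net[192.0.2.25], delay=1, status=sent (250 OK)
"""

# "postfix/<daemon>[pid]: <QUEUEID>: <rest>"; spamd and pop3-login lines do not match.
LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]{6,}): (.*)")

def triage(log_text):
    """Count status=sent deliveries as (origin, direction) pairs."""
    origin = {}          # queue ID -> how the message entered Postfix
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        if daemon == "smtpd" and rest.startswith("client="):
            origin[qid] = "remote client " + rest[7:].split(",")[0]
        elif daemon == "pickup" and rest.startswith("uid="):
            origin[qid] = "local uid " + rest.split()[0][4:]
        elif daemon == "qmgr" and rest.startswith("from=<>"):
            origin.setdefault(qid, "bounce (null sender)")
        elif "status=sent" in rest:
            # Only the smtp client daemon hands mail to another host.
            direction = "outbound" if daemon == "smtp" else "local delivery"
            counts[(origin.get(qid, "unknown origin"), direction)] += 1
    return counts

def outbound_by_origin(log_text):
    """Messages that actually left the machine, grouped by where they came from."""
    return {o: n for (o, d), n in triage(log_text).items() if d == "outbound"}

if __name__ == "__main__":
    print("status=sent lines:", sum(triage(SAMPLE_LOG).values()))
    for who, n in outbound_by_origin(SAMPLE_LOG).items():
        print(f"outbound from {who}: {n}")
```

On the sample, three lines say status=sent but only two messages leave the host: one submitted locally by uid 33 and one bounce. An outbound entry whose origin is a remote client outside your own network is what relaying would look like in this output.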
All times are GMT -5. The time now is 11:41 PM.