Old 11-23-2014, 04:27 AM   #1
mattiapascal
Postfix sending spam from unknown localhost


Hi all, this is my first post here.
My CentOS 6.6 server seems to send out a large amount of spam: I've been blacklisted by Google and many other RBL checks, and I can't figure out where the mails are sent from.

Here's a short part of my maillog:

Code:
Nov 23 10:18:20 vmi13057 postfix/smtpd[28944]: warning: unknown[183.80.63.1]: SASL PLAIN authentication failed:
Nov 23 10:18:21 vmi13057 postfix/smtpd[29084]: E7140A002EF: client=207.63.205.77.rev.sfr.net[77.205.63.207]
Nov 23 10:18:22 vmi13057 postfix/cleanup[29093]: E7140A002EF: message-id=<>
Nov 23 10:18:22 vmi13057 postfix/qmgr[26950]: E7140A002EF: from=<communicationproprod@sfr.fr>, size=15586, nrcpt=1 (queue active)
Nov 23 10:18:22 vmi13057 amavis[27159]: (27159-07) ESMTP::10024 /var/spool/amavisd/tmp/amavis-20141123T091950-27159-lrqDpkOZ: <communicationproprod@sfr.fr> -> <info@****.com> SIZE=15586 Received: from mail.***.it ([127.0.0.1]) by localhost (mail.i99.it [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <info@*****.com>; Sun, 23 Nov 2014 10:18:22 +0100 (CET)
Nov 23 10:18:22 vmi13057 postfix/smtpd[29084]: disconnect from 207.63.205.77.rev.sfr.net[77.205.63.207]
Nov 23 10:18:22 vmi13057 amavis[27159]: (27159-07) Checking: eQrxDFf2cAdQ [77.205.63.207] <communicationproprod@sfr.fr> -> <info@*****.com>
Nov 23 10:18:22 vmi13057 amavis[27159]: (27159-07) Open relay? Nonlocal recips but not originating: info@*****.com
Nov 23 10:18:22 vmi13057 postfix/smtpd[29101]: connect from unknown[127.0.0.1]
Nov 23 10:18:22 vmi13057 postfix/smtpd[29101]: CCFCFA002F1: client=unknown[127.0.0.1]
Nov 23 10:18:22 vmi13057 postfix/cleanup[29093]: CCFCFA002F1: message-id=<DSNeQrxDFf2cAdQ@mail.***.it>
Nov 23 10:18:22 vmi13057 postfix/smtpd[29101]: disconnect from unknown[127.0.0.1]
Nov 23 10:18:22 vmi13057 amavis[27159]: (27159-07) 0fPzsX10ardu(eQrxDFf2cAdQ) SEND from <> -> <communicationproprod@sfr.fr>, ENVID=AM.0fPzsX10ardu.20141123T091822Z@mail.***.it 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as CCFCFA002F1
Nov 23 10:18:22 vmi13057 amavis[27159]: (27159-07) Blocked BAD-HEADER-0 {BouncedOpenRelay,Quarantined}, [77.205.63.207]:4010 [77.205.63.207] <communicationproprod@sfr.fr> -> <info@*****.com>, mail_id: eQrxDFf2cAdQ, Hits: -, size: 15552, 407 ms
Nov 23 10:18:22 vmi13057 postfix/smtp[29097]: E7140A002EF: to=<info@*****.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.1, delays=3.6/0.04/0.01/0.41, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=27159-07, BOUNCE)
Nov 23 10:18:22 vmi13057 postfix/qmgr[26950]: CCFCFA002F1: from=<>, size=2808, nrcpt=1 (queue active)
Nov 23 10:18:22 vmi13057 postfix/qmgr[26950]: E7140A002EF: removed
Nov 23 10:18:23 vmi13057 postfix/smtp[29103]: CCFCFA002F1: to=<communicationproprod@sfr.fr>, relay=smtp-in.sfr.fr[93.17.128.25]:25, delay=0.69, delays=0.1/0.03/0.14/0.42, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 73D161C00085)
Nov 23 10:18:23 vmi13057 postfix/qmgr[26950]: CCFCFA002F1: removed

...

Nov 23 09:12:47 vmi13057 postfix/smtpd[27129]: 1F816A002EF: client=outmail013.prn2.facebook.com[66.220.144.140]
Nov 23 09:12:47 vmi13057 postfix/cleanup[27138]: 1F816A002EF: message-id=<ea7333aa6e3e10573f32f7763901f1eb@async.facebook.com>
Nov 23 09:12:47 vmi13057 postfix/qmgr[26950]: 1F816A002EF: from=<notification+zj4oz9oo9=sy@facebookmail.com>, size=12424, nrcpt=1 (queue active)
Nov 23 09:12:47 vmi13057 amavis[20944]: (20944-16) ESMTP::10024 /var/spool/amavisd/tmp/amavis-20141122T232409-20944-aaNtFqTA: <notification+zj4oz9oo9=sy@facebookmail.com> -> <barbara@fuoriorario.pg.it> SIZE=12424 BODY=8BITMIME Received: from mail.****.it ([127.0.0.1]) by localhost (mail.***.it [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <barbara@*******.it>; Sun, 23 Nov 2014 09:12:47 +0100 (CET)
Nov 23 09:12:47 vmi13057 amavis[20944]: (20944-16) Checking: qQE3CIclhW2O [66.220.144.140] <notification+zj4oz9oo9=sy@facebookmail.com> -> <barbara@*******.it>
Nov 23 09:12:47 vmi13057 amavis[20944]: (20944-16) Open relay? Nonlocal recips but not originating: barbara@*******.it
Nov 23 09:12:47 vmi13057 clamd[1419]: SelfCheck: Database status OK.

...

Nov 23 11:22:49 vmi13057 amavis[27818]: (27818-10) Checking: XLmhKaGnfeka [195.154.80.168] <info@risparmiadem.eu> -> <info@cartagraf.com>
Nov 23 11:22:49 vmi13057 amavis[27818]: (27818-10) Open relay? Nonlocal recips but not originating: info@*******
Nov 23 11:22:51 vmi13057 postfix/smtpd[31203]: connect from unknown[127.0.0.1]
Nov 23 11:22:51 vmi13057 postfix/smtpd[31203]: 10483A002F1: client=unknown[127.0.0.1]
Nov 23 11:22:51 vmi13057 postfix/cleanup[31195]: 10483A002F1: message-id=<8ffbd2418bc456bf0fb9ea07feb476c9@risparmiadem.eu>
Nov 23 11:22:51 vmi13057 postfix/smtpd[31203]: disconnect from unknown[127.0.0.1]
Nov 23 11:22:51 vmi13057 amavis[27818]: (27818-10) XLmhKaGnfeka FWD from <info@risparmiadem.eu> -> <info@*******>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 10483A002F1
Nov 23 11:22:51 vmi13057 amavis[27818]: (27818-10) Passed SPAMMY {RelayedOpenRelay}, [195.154.80.168]:47490 [195.154.80.168] <info@risparmiadem.eu> -> <info@*******>, Message-ID: <8ffbd2418bc456bf0fb9ea07feb476c9@risparmiadem.eu>, mail_id: XLmhKaGnfeka, Hits: 8.476, size: 3995, queued_as: 10483A002F1, 1652 ms
Nov 23 11:22:51 vmi13057 postfix/smtp[31197]: 4369BA002EF: to=<info@*******>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.9, delays=0.22/0.06/0.01/1.7, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 10483A002F1)
Nov 23 11:22:51 vmi13057 postfix/qmgr[26950]: 10483A002F1: from=<info@risparmiadem.eu>, size=4406, nrcpt=1 (queue active)
Nov 23 11:22:51 vmi13057 postfix/qmgr[26950]: 4369BA002EF: removed
Nov 23 11:22:51 vmi13057 postfix/pipe[31205]: 10483A002F1: to=<info@*******>, relay=dovecot, delay=0.56, delays=0.07/0.03/0/0.46, dsn=2.0.0, status=sent (delivered via dovecot service)
Nov 23 11:22:51 vmi13057 postfix/qmgr[26950]: 10483A002F1: removed
Nov 23 11:26:09 vmi13057 postfix/anvil[31188]: statistics: max connection rate 1/60s for (smtp:195.154.80.168) at Nov 23 11:22:49
It seems that normal mails sent from localhost report "client=localhost" instead of "unknown",
and I can't totally get rid of messages sent with from=<> (this is bad, isn't it?).

And why does amavis say "Open relay? Nonlocal recips but not originating:"?

Here's my main.cf:

Code:
# postfix config file

# uncomment for debugging if needed
#soft_bounce=yes

# postfix main
mail_owner = postfix
setgid_group = postdrop
delay_warning_time = 4
smtpd_recipient_limit = 100
smtp_host_lookup = native

# added by ICT Valle Umbra
smtpd_error_sleep_time = 0s
smtpd_soft_error_limit = 5
smtpd_hard_error_limit = 10
smtpd_timeout = 30s
notify_classes = 2bounce, delay, resource, software
local_destination_concurrency_limit = 2
default_destination_concurrency_limit = 10

# postfix paths
html_directory = no
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
queue_directory = /var/spool/postfix
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man

# network settings
inet_interfaces = all
mydomain = ***.it
myhostname = mail.***.it
mynetworks = $config_directory/mynetworks
mydestination = $myhostname, localhost.$mydomain, localhost
relay_domains = proxy:mysql:/etc/postfix/mysql-relay_domains_maps.cf

# mail delivery
recipient_delimiter = +

# mappings
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
transport_maps = hash:/etc/postfix/transport
local_recipient_maps = mysql:/etc/postfix/mysql-virtual_mailbox_maps.cf

# virtual setup
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf,
                     regexp:/etc/postfix/virtual_regexp
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_maps.cf
virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf
virtual_minimum_uid = 101
virtual_uid_maps = static:101
virtual_gid_maps = static:12
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

# debugging
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5

# authentication
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

# tls config
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
# Change mail.example.com.* to your host name
smtpd_tls_key_file = /etc/pki/tls/certs/mail.***.it.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.***.it.crt
# smtpd_tls_CAfile = /etc/pki/tls/root.crt

# rules restrictions
smtpd_client_restrictions =
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain
# uncomment for realtime black list checks
#       ,reject_rbl_client zen.spamhaus.org
#       ,reject_rbl_client bl.spamcop.net
#       ,reject_rbl_client dnsbl.sorbs.net

smtpd_helo_required = yes
unknown_local_recipient_reject_code = 550
unverified_sender_reject_code = 550
unknown_local_recipient_reject_code = 550
smtpd_data_restrictions = reject_unauth_pipelining

# Other options
# email size limit ~20Meg
#message_size_limit = 19800000

mailbox_size_limit = 52428800
# email size limit 50 MB
message_size_limit = 52428800

readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
data_directory = /var/lib/postfix
smtpd_recipient_restrictions =  permit_mynetworks,
                                reject_unauth_destination,
                                reject_non_fqdn_sender,
                                reject_non_fqdn_recipient,
                                reject_unknown_recipient_domain,
                                reject_unknown_sender_domain,
                                reject_unverified_recipient,
                                reject_invalid_hostname


disable_vrfy_command = yes
Is my server being compromised? How can I stop this?

Thanks

Last edited by mattiapascal; 11-29-2014 at 03:25 AM.
 
Old 11-23-2014, 02:45 PM   #2
mattiapascal
UP

anyone?
 
Old 11-23-2014, 03:33 PM   #3
TB0ne
Quote:
Originally Posted by mattiapascal View Post
anyone?
Please read the LQ Rules. Bumping your own thread after less than 24 hours is plain rude. This is a volunteer forum, and people answer when they can, and if they want to. So bumping your own thread does NOTHING to get you an answer faster. In fact, all you succeeded in doing is REMOVING your post from the zero-reply list, making it LESS VISIBLE and LESS LIKELY to be answered.

There are many how-to guides you can find on hardening and securing Postfix. That said, you are set to reject invalid hostnames...but where do those hostnames COME from, in your case? How many users/domains are on this email system? How many users? You may want to check out some of the postfix hardening guides:
http://www.howtoforge.com/hardening-...or-ispconfig-3

That's one, and you may not have to follow all of those steps, depending on your environment.

And I'd suggest that you be sure to add/modify these two rules in main.cf:
Code:
        reject_unauth_destination, 
        check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
Many open relay problems are caused by having an access table before reject_unauth_destination.
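The ordering point TB0ne makes above can be checked mechanically. The following is an added example, not code from this thread or from Postfix: it parses a main.cf, splits smtpd_recipient_restrictions (and smtpd_relay_restrictions where present, i.e. Postfix 2.10 and later; the server in this thread runs 2.6.6, where only smtpd_recipient_restrictions controls relaying) into entries, and flags any permit_* or check_*_access entry other than permit_mynetworks / permit_sasl_authenticated that is evaluated before reject_unauth_destination, because an OK result from such an entry ends evaluation of the list and lets the client relay. It also reports parameters defined twice, as unknown_local_recipient_reject_code is in the posted config. The two sample configurations are constructed from the main.cf posted above and from the ordering TB0ne warns about; the map path mysql-virtual_recipient.cf is the one in his reply.

```python
import re

# Constructed samples: the first is trimmed from the main.cf posted in this
# thread, the second is the "access table before reject_unauth_destination"
# ordering TB0ne warns about, using the map path from his reply.
SAMPLE_OK = """\
mynetworks = $config_directory/mynetworks
smtpd_recipient_restrictions =  permit_mynetworks,
                                reject_unauth_destination,
                                reject_non_fqdn_sender,
                                check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf
unknown_local_recipient_reject_code = 550
unverified_sender_reject_code = 550
unknown_local_recipient_reject_code = 550
"""

SAMPLE_WEAK = """\
smtpd_recipient_restrictions = permit_mynetworks,
    check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
    reject_unauth_destination
"""

RELAY_LISTS = ("smtpd_recipient_restrictions", "smtpd_relay_restrictions")
SAFE_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated"}


def parse_main_cf(text):
    """Return (params, duplicate_keys); indented lines continue the previous value."""
    params, duplicates, current = {}, [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        key, _, value = raw.partition("=")
        key = key.strip()
        if key in params:
            duplicates.append(key)      # Postfix keeps the later definition
        params[key] = value.strip()
        current = key
    return params, duplicates


def _takes_argument(name):
    # these restrictions consume the following token (a lookup table or server)
    return ((name.startswith("check_") and name.endswith("_access"))
            or name == "check_policy_service"
            or name.startswith("reject_rbl_") or name.startswith("reject_rhsbl_"))


def split_restrictions(value):
    """Turn a restriction list (comma and/or whitespace separated) into entries."""
    tokens = [t for t in re.split(r"[\s,]+", value) if t]
    entries, i = [], 0
    while i < len(tokens):
        if _takes_argument(tokens[i]) and i + 1 < len(tokens):
            entries.append(tokens[i] + " " + tokens[i + 1])
            i += 2
        else:
            entries.append(tokens[i])
            i += 1
    return entries


def check_relay_order(entries):
    """Flag anything that can return OK before the relay check is reached."""
    names = [e.split()[0] for e in entries]
    guards = [i for i, n in enumerate(names)
              if n in ("reject_unauth_destination", "defer_unauth_destination")]
    if not guards:
        return ["no reject_unauth_destination / defer_unauth_destination: any client may relay"]
    findings = []
    for entry, name in zip(entries[:guards[0]], names[:guards[0]]):
        if name in SAFE_PERMITS or name.startswith(("reject_", "defer_")):
            continue
        findings.append("'%s' is evaluated before reject_unauth_destination; "
                        "an OK result permits relaying" % entry)
    return findings


def audit(main_cf_text):
    """Run the ordering check on every relay-controlling list found in main.cf."""
    params, duplicates = parse_main_cf(main_cf_text)
    findings = {p: check_relay_order(split_restrictions(params[p]))
                for p in RELAY_LISTS if p in params}
    return {"findings": findings, "duplicate_parameters": duplicates}


if __name__ == "__main__":
    for label, text in (("posted config", SAMPLE_OK), ("access table first", SAMPLE_WEAK)):
        print(label, audit(text))
```

Run it against a copy of the live file (`audit(open("/etc/postfix/main.cf").read())`); an empty findings list for smtpd_recipient_restrictions means the relay guard comes before every entry that could whitelist a recipient. Lines that start with `#`, such as the commented-out reject_rbl_client entries in the posted config, are skipped, so they do not count as restrictions.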
 
Old 11-23-2014, 03:52 PM   #4
mattiapascal
Quote:
Originally Posted by TB0ne View Post
Please read the LQ Rules. Bumping your own thread after less than 24 hours is plain rude. This is a volunteer forum, and people answer when they can, and if they want to. So bumping your own thread does NOTHING to get you an answer faster. In fact, all you succeeded in doing is REMOVING your post from the zero-reply list, making it LESS VISIBLE and LESS LIKELY to be answered.

Code:
        reject_unauth_destination, 
        check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
Many open relay problems are caused by having an access table before reject_unauth_destination.

I do apologize for that, I didn't mean to.
Anyway, thanks for the reply; I'm following the link you provided.
On this server I have about 50 virtual domains (and about 30 Apache web sites).

In my /etc/postfix/ folder I have mysql-virtual_mailbox_maps.cf instead of mysql-virtual_recipient.cf. Is it the same thing?

Sorry for my bad English.
 
Old 11-23-2014, 04:20 PM   #5
TB0ne
Quote:
Originally Posted by mattiapascal View Post
I do apologize for that, I didn't mean to. Anyway, thanks for the reply; I'm following the link you provided. On this server I have about 50 virtual domains (and about 30 Apache web sites).

In my /etc/postfix/ folder I have mysql-virtual_mailbox_maps.cf instead of mysql-virtual_recipient.cf. Is it the same thing?
I believe so, although someone with more experience may have a different answer. Check out the postfix docs, they may be able to guide you in that respect. And is this a recent issue? How long has your postfix box been up and running? And if it IS recent...which users/domains did you add recently, and have you tried to block them, or at least look at them more closely?
Quote:
Sorry for my bad English.
No worries at all...your English is better than a lot of others!
 
Old 11-24-2014, 01:12 AM   #6
SAbhi
Quote:
Originally Posted by mattiapascal View Post
I do apologize for that, I didn't mean to.
Anyway, thanks for the reply; I'm following the link you provided.
On this server I have about 50 virtual domains (and about 30 Apache web sites).

In my /etc/postfix/ folder I have mysql-virtual_mailbox_maps.cf instead of mysql-virtual_recipient.cf. Is it the same thing?

Sorry for my bad English.
Don't know much about postfix-mysql integration, but this http://www.postfixvirtual.net/postfixconf.html may help?
 
Old 11-24-2014, 04:25 AM   #7
mattiapascal
Well, I've applied some configuration changes from TB0ne's link, and things seem to be getting better.
However, I can still find some odd messages in my maillog, like this:

NB: info@fpmobili.com exists on my server

Quote:
# grep "52809A002F2" /var/log/maillog
Nov 24 11:09:36 vmi13057 postfix/smtpd[10654]: 52809A002F2: client=unknown[127.0.0.1]
Nov 24 11:09:36 vmi13057 postfix/cleanup[10642]: 52809A002F2: message-id=<546F1368008A92A7@smtp205.alice.it>
Nov 24 11:09:36 vmi13057 amavis[10383]: (10383-09) oVwMGA0xn0Rl FWD from <> -> <info@*******.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 52809A002F2
Nov 24 11:09:36 vmi13057 amavis[10383]: (10383-09) Passed CLEAN {RelayedOpenRelay}, [82.57.200.101]:56262 [82.57.200.101] <> -> <info@*******.com>, Message-ID: <546F1368008A92A7@smtp205.alice.it>, mail_id: oVwMGA0xn0Rl, Hits: -1.899, size: 2714, queued_as: 52809A002F2, 2354 ms
Nov 24 11:09:36 vmi13057 postfix/smtp[10644]: DDB3EA00305: to=<info@*******.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.5, delays=0.16/0/0.01/2.4, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 52809A002F2)
Nov 24 11:09:36 vmi13057 postfix/qmgr[22221]: 52809A002F2: from=<>, size=3123, nrcpt=1 (queue active)
Nov 24 11:09:36 vmi13057 postfix/pipe[10656]: 52809A002F2: to=<info@*******.com>, relay=dovecot, delay=0.19, delays=0.13/0/0/0.06, dsn=2.0.0, status=sent (delivered via dovecot service)
Nov 24 11:09:36 vmi13057 postfix/qmgr[22221]: 52809A002F2: removed
Why do I receive mails from client=unknown[127.0.0.1] (instead of localhost[127.0.0.1]) and from <>,
and why are those mails being passed by amavis and postfix?

Is it normal to have such logs?

Last edited by mattiapascal; 11-29-2014 at 03:26 AM.
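The excerpts in post #1 and post #7 can be read with the same correlation: Postfix logs a client as "unknown" when it did not, or was configured not to, resolve the connecting address to a name; a queue ID that also appears in an amavis "queued as" line is the filtered copy coming back through the content-filter return path on 127.0.0.1:10025, not a new submission; and from=<> is the null envelope sender that bounces and delivery status notifications carry (in the first excerpt, amavis itself generated that bounce, logged as BouncedOpenRelay, and sent it to the sfr.fr sender). The "Open relay? Nonlocal recips but not originating" text is amavisd-new's warning that the recipient domain is not in its @local_domains_maps and the message did not come from its @mynetworks, so listing the hosted domains there is the fix for that line. What deserves attention is the remaining case: a message submitted on 127.0.0.1 that amavis never handed back, which is what a local script or compromised account would produce. The following is an added example, not code from the thread: a Python correlator that groups maillog lines by queue ID, marks each message as external, re-injected by the content filter, or an unexplained local submission, and counts failed SASL logins per client IP. The sample log is constructed from the anonymised lines posted above, with example.* placeholders for the masked addresses and one made-up queue ID (ABCDEF00001) for the unexplained-local case.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the anonymised maillog lines in this thread.
# example.* addresses are placeholders; ABCDEF00001 is a made-up queue ID that
# stands for a message submitted on 127.0.0.1 which amavis never handed back.
SAMPLE_LOG = """\
Nov 23 10:18:20 vmi13057 postfix/smtpd[28944]: warning: unknown[183.80.63.1]: SASL PLAIN authentication failed:
Nov 23 10:18:21 vmi13057 postfix/smtpd[29084]: E7140A002EF: client=207.63.205.77.rev.sfr.net[77.205.63.207]
Nov 23 10:18:22 vmi13057 postfix/qmgr[26950]: E7140A002EF: from=<communicationproprod@sfr.fr>, size=15586, nrcpt=1 (queue active)
Nov 23 10:18:22 vmi13057 postfix/smtpd[29101]: CCFCFA002F1: client=unknown[127.0.0.1]
Nov 23 10:18:22 vmi13057 amavis[27159]: (27159-07) 0fPzsX10ardu(eQrxDFf2cAdQ) SEND from <> -> <communicationproprod@sfr.fr>, ENVID=AM.0fPzsX10ardu.20141123T091822Z@mail.example.it 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as CCFCFA002F1
Nov 23 10:18:22 vmi13057 postfix/smtp[29097]: E7140A002EF: to=<info@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.1, delays=3.6/0.04/0.01/0.41, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=27159-07, BOUNCE)
Nov 23 10:18:22 vmi13057 postfix/qmgr[26950]: CCFCFA002F1: from=<>, size=2808, nrcpt=1 (queue active)
Nov 23 10:18:22 vmi13057 postfix/qmgr[26950]: E7140A002EF: removed
Nov 23 10:18:23 vmi13057 postfix/smtp[29103]: CCFCFA002F1: to=<communicationproprod@sfr.fr>, relay=smtp-in.sfr.fr[93.17.128.25]:25, delay=0.69, delays=0.1/0.03/0.14/0.42, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 73D161C00085)
Nov 24 11:09:36 vmi13057 postfix/smtpd[10654]: 52809A002F2: client=unknown[127.0.0.1]
Nov 24 11:09:36 vmi13057 amavis[10383]: (10383-09) oVwMGA0xn0Rl FWD from <> -> <info@example.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 52809A002F2
Nov 24 11:09:36 vmi13057 postfix/qmgr[22221]: 52809A002F2: from=<>, size=3123, nrcpt=1 (queue active)
Nov 24 11:09:36 vmi13057 postfix/pipe[10656]: 52809A002F2: to=<info@example.com>, relay=dovecot, delay=0.19, delays=0.13/0/0/0.06, dsn=2.0.0, status=sent (delivered via dovecot service)
Nov 24 12:00:00 vmi13057 postfix/smtpd[11111]: ABCDEF00001: client=unknown[127.0.0.1]
Nov 24 12:00:00 vmi13057 postfix/qmgr[22221]: ABCDEF00001: from=<bogus@example.net>, size=999, nrcpt=1 (queue active)
Nov 24 12:00:01 vmi13057 postfix/smtp[11112]: ABCDEF00001: to=<someone@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=0.5, delays=0.1/0/0.1/0.3, dsn=2.0.0, status=sent (250 Ok)
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) (?P<prog>[\w/]+)\[\d+\]: (?P<msg>.*)$")
QID_RE = re.compile(r"^(?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")
CLIENT_RE = re.compile(r"^client=(?P<name>[^\[]+)\[(?P<ip>[^\]]+)\]")
FROM_RE = re.compile(r"^from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"^to=<(?P<addr>[^>]*)>, relay=(?P<relay>[^,]+),.*status=(?P<status>\w+)")
REINJECT_RE = re.compile(r"queued as (?P<qid>[0-9A-F]{6,})")
SASL_RE = re.compile(r"warning: (?P<name>[^\[]+)\[(?P<ip>[^\]]+)\]: SASL \w+ authentication failed")


def analyse(log_text):
    """Group Postfix lines by queue ID and classify where each message came from."""
    messages = defaultdict(lambda: {"client": None, "sender": None, "deliveries": []})
    reinjected = set()          # queue IDs amavis reported as 'queued as' via 127.0.0.1:10025
    sasl_failures = Counter()   # failed SASL logins per client IP
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prog, msg = m.group("prog"), m.group("msg")
        if prog == "amavis":
            q = REINJECT_RE.search(msg)
            if q:
                reinjected.add(q.group("qid"))
            continue
        s = SASL_RE.search(msg)
        if s:
            sasl_failures[s.group("ip")] += 1
            continue
        q = QID_RE.match(msg)
        if not q:
            continue
        qid, rest = q.group("qid"), q.group("rest")
        if c := CLIENT_RE.match(rest):
            messages[qid]["client"] = (c.group("name"), c.group("ip"))
        elif f := FROM_RE.match(rest):
            messages[qid]["sender"] = f.group("addr")
        elif t := TO_RE.match(rest):
            messages[qid]["deliveries"].append(
                {"to": t.group("addr"), "relay": t.group("relay"), "status": t.group("status")})
    for qid, info in messages.items():
        client = info["client"]
        if client is None:
            verdict = "no-client-line"                 # pickup/sendmail(1) submission or truncated excerpt
        elif client[1] != "127.0.0.1":
            verdict = "external-client"                # arrived over the network, subject to smtpd policy
        elif qid in reinjected:
            verdict = "reinjected-by-content-filter"   # the filtered copy coming back from amavis
        else:
            verdict = "local-submission-unexplained"   # nothing on this host should do this unnoticed
        info["verdict"] = verdict
        info["null_sender"] = info["sender"] == ""     # from=<>: a bounce/DSN, not a user message
    suspicious = sorted(q for q, i in messages.items() if i["verdict"] == "local-submission-unexplained")
    return {"messages": dict(messages), "reinjected": reinjected,
            "sasl_failures": sasl_failures, "suspicious": suspicious}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for qid, info in report["messages"].items():
        print(qid, info["verdict"], "sender=<%s>" % (info["sender"] or ""),
              [d["relay"] for d in info["deliveries"]])
    print("SASL failures by IP:", dict(report["sasl_failures"]))
    print("queue IDs to investigate:", report["suspicious"])
```

Feed it `open("/var/log/maillog").read()` and look only at the "suspicious" list and the SASL failure counts: the two queue IDs the thread asks about (CCFCFA002F1 and 52809A002F2) come out as content-filter re-injections, which is the normal amavis round trip, while a steady stream of failed SASL PLAIN logins from one address, as in the first line of the posted excerpt, is a password-guessing attempt against the submission credentials and is worth rate-limiting or blocking at the firewall.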