I'm an open relay somehow

I'm an open relay somehow

Stephen Atkins-2
I've been administering the same postfix server for years so I'm a
little confused as to how this happened.  Granted postfix hasn't been
updated in a year or so.

This morning I came in to a mailq of over 93000 messages all destined to
@yahoo.com.tw

For now I'm just blocking all email destined for this domain but I would
really like to find out what happened.  I haven't changed my main.cf
file for over a year.    I can post it if needed.

Thanks for the help.
--
Stephen Atkins

RE: I'm an open relay somehow

Gary Smith-20
> I've been administering the same postfix server for years so I'm a little
> confused as to how this happened.  Granted postfix hasn't been updated in a
> year or so.
>
> This morning I came in to a mailq of over 93000 messages all destined to
> @yahoo.com.tw
>
> For now I'm just blocking all email destined for this domain but I would
> really like to find out what happened.  I haven't changed my main.cf
> file for over a year.    I can post it if needed.


Are you an open relay, or did one of your user accounts get hacked?  I'd check the envelope of one of the messages, cross that with where it originated and go from there.  Just a shoot-from-the-hip guess with little information.

Re: I'm an open relay somehow

Stephen Atkins-2
On 12/30/2011 10:17 AM, Gary Smith wrote:

>> I've been administering the same postfix server for years so I'm a little
>> confused as to how this happened.  Granted postfix hasn't been updated in a
>> year or so.
>>
>> This morning I came in to a mailq of over 93000 messages all destined to
>> @yahoo.com.tw
>>
>> For now I'm just blocking all email destined for this domain but I would
>> really like to find out what happened.  I haven't changed my main.cf
>> file for over a year.    I can post it if needed.
>
>
> Are you an open relay or did one of your user accounts get hacked.  I'd check the envelope of one of the messages, cross that with where it originated and go from there.  Just a shoot from the hip guess with little information.

I'm pretty sure.  I'm watching the connections coming in and they are
from external IP addresses.  A whois shows them as being from South
America and Europe.

--
Stephen Atkins
Information Systems
Resorts of the Canadian Rockies INC.
http://www.skircr.com
[hidden email]
Voice: (403) 209-3367
Cell: (403) 510-8333
Fax: (403) 244-3774

Re: I'm an open relay somehow

Reindl Harald-2


Am 30.12.2011 18:19, schrieb Stephen Atkins:

> On 12/30/2011 10:17 AM, Gary Smith wrote:
>>> I've been administering the same postfix server for years so I'm a little
>>> confused as to how this happened.  Granted postfix hasn't been updated in a
>>> year or so.
>>>
>>> This morning I came in to a mailq of over 93000 messages all destined to
>>> @yahoo.com.tw
>>>
>>> For now I'm just blocking all email destined for this domain but I would
>>> really like to find out what happened.  I haven't changed my main.cf
>>> file for over a year.    I can post it if needed.
if you are really an open relay this is idiotic and
the only solution is fix it or stop the service!

> I'm pretty sure.  I'm watching the connections coming in and they are from external IP addresses.
> A whois shows them as being from South America and Europe.

without providing logs nobody can help you
however "pretty sure" means nothing
you/we need a COMPLETE log-part of a message from connection to relay

* you do not show logs
* you do not provide "postconf -n"

you simply provide nothing
what help do you expect with no information?



Re: I'm an open relay somehow

Noel Jones-2
On 12/30/2011 11:19 AM, Stephen Atkins wrote:

> On 12/30/2011 10:17 AM, Gary Smith wrote:
>>> I've been administering the same postfix server for years so I'm
>>> a little
>>> confused as to how this happened.  Granted postfix hasn't been
>>> updated in a
>>> year or so.
>>>
>>> This morning I came in to a mailq of over 93000 messages all
>>> destined to
>>> @yahoo.com.tw
>>>
>>> For now I'm just blocking all email destined for this domain but
>>> I would
>>> really like to find out what happened.  I haven't changed my main.cf
>>> file for over a year.    I can post it if needed.
>>
>>
>> Are you an open relay or did one of your user accounts get
>> hacked.  I'd check the envelope of one of the messages, cross that
>> with where it originated and go from there.  Just a shoot from the
>> hip guess with little information.
>
> I'm pretty sure.  I'm watching the connections coming in and they
> are from external IP addresses.  A whois shows them as being from
> South America and Europe.
>


Show all the postfix logging for one of the suspect transactions.
Show your "postconf -n" output.

http://www.postfix.org/DEBUG_README.html#mail



  -- Noel Jones

Re: I'm an open relay somehow

Stephen Atkins-2
On 12/30/2011 10:19 AM, Stephen Atkins wrote:

> On 12/30/2011 10:17 AM, Gary Smith wrote:
>>> I've been administering the same postfix server for years so I'm a
>>> little
>>> confused as to how this happened. Granted postfix hasn't been updated
>>> in a
>>> year or so.
>>>
>>> This morning I came in to a mailq of over 93000 messages all destined to
>>> @yahoo.com.tw
>>>
>>> For now I'm just blocking all email destined for this domain but I would
>>> really like to find out what happened. I haven't changed my main.cf
>>> file for over a year. I can post it if needed.
>>
>>
>> Are you an open relay or did one of your user accounts get hacked. I'd
>> check the envelope of one of the messages, cross that with where it
>> originated and go from there. Just a shoot from the hip guess with
>> little information.
>
> I'm pretty sure. I'm watching the connections coming in and they are
> from external IP addresses. A whois shows them as being from South
> America and Europe.
>

Okay, sorry; now that I look a little more closely at the messages coming
in, it seems they are using postmaster@ my domain to send from.  So
sorry for the inconvenience.  Looks like I just have to fix that.
Here's the log of a couple:

Dec 30 10:29:02 mta5 postfix/smtpd[3679]: E6F13186001: reject: RCPT from
unknown[113.94.89.26]: 554 5.7.1 <[hidden email]>: Recipient
address rejected: 521; from=<[hidden email]>
to=<[hidden email]> proto=ESMTP helo=<nsizfwnsj>

Dec 30 10:29:02 mta5 postfix/smtpd[3679]: E6F13186001: reject: RCPT from
unknown[113.94.89.26]: 554 5.7.1 <[hidden email]>: Recipient
address rejected: 521; from=<[hidden email]>
to=<[hidden email]> proto=ESMTP helo=<nsizfwnsj>

--
Stephen Atkins

Re: I'm an open relay somehow

Stephen Atkins-2
On 12/30/2011 10:26 AM, Noel Jones wrote:

> On 12/30/2011 11:19 AM, Stephen Atkins wrote:
>> On 12/30/2011 10:17 AM, Gary Smith wrote:
>>>> I've been administering the same postfix server for years so I'm
>>>> a little
>>>> confused as to how this happened.  Granted postfix hasn't been
>>>> updated in a
>>>> year or so.
>>>>
>>>> This morning I came in to a mailq of over 93000 messages all
>>>> destined to
>>>> @yahoo.com.tw
>>>>
>>>> For now I'm just blocking all email destined for this domain but
>>>> I would
>>>> really like to find out what happened.  I haven't changed my main.cf
>>>> file for over a year.    I can post it if needed.
>>>
>>>
>>> Are you an open relay or did one of your user accounts get
>>> hacked.  I'd check the envelope of one of the messages, cross that
>>> with where it originated and go from there.  Just a shoot from the
>>> hip guess with little information.
>>
>> I'm pretty sure.  I'm watching the connections coming in and they
>> are from external IP addresses.  A whois shows them as being from
>> South America and Europe.
>>
>
>
> Show all the postfix logging for one of the suspect transactions.
> Show your "postconf -n" output.
>
> http://www.postfix.org/DEBUG_README.html#mail
>
>
>
>    -- Noel Jones

Here is the output of my postconf -n

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
hash:/etc/postfix/majordomo/majoraliases
allow_untrusted_routing = no
bounce_queue_lifetime = 2h
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
debug_peer_level = 1
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
home_mailbox = Maildir/
in_flow_delay = 5s
inet_interfaces = all
local_recipient_maps =
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_queue_lifetime = 1d
message_size_limit = 26214400
mydestination = localhost.localdomain, localhost, mta1.rcr.inc
mta2.rcr.inc, ridelouise.com, canadiarockiessummer.com,         rcr.west
rcr.inc
mydomain = skircr.com
myhostname = smtp.skircr.com
mynetworks = 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24,
192.168.4.0/24, 192.168.5.0/24, 192.168.6.0/24,         192.168.7.0/24,
209.91.64.21, 127.0.0.0/8, 10.0.100.0/24,             10.0.6.0/24,
192.168.10.0/24, 192.168.80.0/23, 192.168.142.0/24,
216.133.52.45, 216.113.43.184, 192.168.143.0/24,     69.70.230.206,
207.96.243.24, 207.96.243.25, 24.37.1.234,       10.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
owner_request_special = no
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix-2.0.11/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_helo_name = skircr.com
smtpd_banner = $myhostname ESMTP $mail_name.  We block/report all
spam/spammers.
smtpd_client_restrictions = permit_mynetworks
smtpd_delay_reject = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,                      permit
smtpd_recipient_restrictions = hash:/etc/postfix/access,
check_client_access hash:/etc/postfix/client_checks,
check_recipient_access hash:/etc/postfix/sender_checks,
check_sender_access hash:/etc/postfix/sender_checks,  permit_mynetworks,
  permit_sasl_authenticated,  reject_non_fqdn_recipient,
reject_unknown_recipient_domain,  reject_unauth_destination,
reject_invalid_hostname,  check_client_access
cidr:/etc/postfix/dnswl-header,  check_client_access
cidr:/etc/postfix/dnswl-permit,  check_client_access
hash:/etc/postfix/rbl_override,  reject_rbl_client zen.spamhaus.org,
reject_rbl_client combined.njabl.org,  reject_rbl_client
dbl.spamhaus.org,  check_policy_service inet:127.0.0.1:60000,  permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = hash:/etc/postfix/access,
check_client_access hash:/etc/postfix/client_checks,
check_sender_access hash:/etc/postfix/sender_checks,
permit_sasl_authenticated,  permit_mynetworks,
reject_unauth_pipelining,  permit
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_tls_loglevel = 9
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql/virtual_alias_maps.cf
virtual_gid_maps = static:119
virtual_mailbox_base = /usr/local/virtual
virtual_mailbox_domains = mysql:/etc/postfix/mysql/virtual_domains_maps.cf
virtual_mailbox_limit = 0
virtual_mailbox_maps = mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_uid = 109
virtual_transport = virtual
virtual_uid_maps = static:109


--
Stephen Atkins
Information Systems
Resorts of the Canadian Rockies INC.
http://www.skircr.com
[hidden email]
Voice: (403) 209-3367
Cell: (403) 510-8333
Fax: (403) 244-3774

RE: I'm an open relay somehow

Paul A-2
Without knowing for sure I would say that one of your accounts has been
compromised and is being used to send out spam.

Look at your messages on the postfix queue, usually under
/var/spool/postfix. Use the strings command to search through the queued
email and look for common patterns like the same username, from address,
etc., and determine the problem that way.


Re: I'm an open relay somehow

Wietse Venema
Stephen Atkins:

> sorry for the inconvenience.  Looks like I just have to fix that.
> Here's the log of a couple:
>
> Dec 30 10:29:02 mta5 postfix/smtpd[3679]: E6F13186001: reject: RCPT from
> unknown[113.94.89.26]: 554 5.7.1 <[hidden email]>: Recipient
> address rejected: 521; from=<[hidden email]>
> to=<[hidden email]> proto=ESMTP helo=<nsizfwnsj>
>
> Dec 30 10:29:02 mta5 postfix/smtpd[3679]: E6F13186001: reject: RCPT from
> unknown[113.94.89.26]: 554 5.7.1 <[hidden email]>: Recipient
> address rejected: 521; from=<[hidden email]>
> to=<[hidden email]> proto=ESMTP helo=<nsizfwnsj>

Show evidence that Postfix RELAYS the mail.

        Wietse

Re: I'm an open relay somehow

Noel Jones-2
On 12/30/2011 11:31 AM, Stephen Atkins wrote:

>
> Here is the output of my postconf -n
>
> bounce_queue_lifetime = 2h

Instead of covering up the problem of a queue full of bounces, don't
accept mail you aren't able to deliver.  This usually means don't
use wildcard aliases, do correctly populate the appropriate valid
recipient maps.


> content_filter = smtp-amavis:[127.0.0.1]:10024

Your content filter should never reject (bounce) unwanted mail.
Make sure it's set to either tag or quarantine.

> in_flow_delay = 5s

Don't shoot yourself in the foot by randomly changing parameters.

> local_recipient_maps =

This must be set to a list of valid users or your queue will be
filled with undeliverable bounces.
http://www.postfix.org/LOCAL_RECIPIENT_README.html
http://www.postfix.org/ADDRESS_CLASS_README.html

> maximal_queue_lifetime = 1d

That's unreasonably short; 3 days is considered the minimum, 5 days
is the accepted standard.  Usually a sign of trying to work around
queue problems.


> mynetworks = 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24,
> 192.168.4.0/24, 192.168.5.0/24, 192.168.6.0/24,        
> 192.168.7.0/24, 209.91.64.21, 127.0.0.0/8,
> 10.0.100.0/24,             10.0.6.0/24, 192.168.10.0/24,
> 192.168.80.0/23, 192.168.142.0/24, 216.133.52.45, 216.113.43.184,
> 192.168.143.0/24,     69.70.230.206, 207.96.243.24, 207.96.243.25,
> 24.37.1.234,       10.0.0.0/8

Lots of networks, but OK.  Make sure all the external IPs are ones
you directly control.

> smtpd_delay_reject = no

This is usually a mistake.  Leave this at the default "yes" unless
you fully understand what it does and why.

> smtpd_helo_restrictions = permit_mynetworks,                    
> permit

This is basically a no-op.  Might as well remove it.

> smtpd_recipient_restrictions = hash:/etc/postfix/access,
> check_client_access hash:/etc/postfix/client_checks,
> check_recipient_access hash:/etc/postfix/sender_checks,
> check_sender_access hash:/etc/postfix/sender_checks,

If you really are an open relay (not yet determined), the problem is
likely in one of the maps listed above.

It's very dangerous to use access maps before
reject_unauth_destination.  These should either be moved to
smtpd_sender_restrictions or moved after reject_unauth_destination.

http://www.postfix.org/SMTPD_ACCESS_README.html#danger


> permit_mynetworks,  permit_sasl_authenticated,
> reject_non_fqdn_recipient, reject_unknown_recipient_domain,
> reject_unauth_destination, reject_invalid_hostname,
> check_client_access cidr:/etc/postfix/dnswl-header,
> check_client_access cidr:/etc/postfix/dnswl-permit,
> check_client_access hash:/etc/postfix/rbl_override,
> reject_rbl_client zen.spamhaus.org, reject_rbl_client
> combined.njabl.org,  reject_rbl_client dbl.spamhaus.org,
> check_policy_service inet:127.0.0.1:60000,  permit

OK.

> smtpd_sender_restrictions = hash:/etc/postfix/access,

Deprecated syntax.  Use
  check_sender_access hash:/etc/postfix/access

> check_client_access hash:/etc/postfix/client_checks,
> check_sender_access hash:/etc/postfix/sender_checks,

Looks like a lot of these are duplicated from
smtpd_recipient_restrictions.  No need to do them in both places.

> permit_sasl_authenticated,  permit_mynetworks,
> reject_unauth_pipelining,  permit

> smtpd_tls_loglevel = 9

Using a tls loglevel above 1 is unlikely to give you any useful
information, and will hide the important information in a flood of
irrelevant drivel.



> Dec 30 10:29:02 mta5 postfix/smtpd[3679]: E6F13186001: reject: RCPT from unknown[113.94.89.26]: 554 5.7.1 <[hidden email]>: Recipient address rejected: 521; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<nsizfwnsj>
>
> Dec 30 10:29:02 mta5 postfix/smtpd[3679]: E6F13186001: reject: RCPT from unknown[113.94.89.26]: 554 5.7.1 <[hidden email]>: Recipient address rejected: 521; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<nsizfwnsj>

These are rejected and not useful to our discussion.  Please show
ALL the postfix logging of a suspect transaction that makes it to
your queue.  In particular, we want to see if there is a
sasl_username= line logged for a suspicious QUEUEID.





  -- Noel Jones
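The ordering hazard Noel points at can be checked mechanically. The following audit script is an added example, not code from the thread or from Postfix: it parses `postconf -n` output, treats a bare map spec as the implicit check_recipient_access it is, and reports every OK-capable lookup that runs before reject_unauth_destination, plus smtpd_delay_reject = no and the deprecated check_relay_domains. The two sample inputs are the restriction lists posted in this thread, shortened.

```python
"""Audit Postfix smtpd_recipient_restrictions ordering for relay risk.

Reads `postconf -n` output (tolerating mail-client line wrapping) and reports
access lookups evaluated before reject_unauth_destination: an OK from such a
table lets a remote client relay (SMTPD_ACCESS_README#danger).
"""
import re

RELAY_GATES = {"reject_unauth_destination", "check_relay_domains"}
# Lookups whose table or policy server may answer OK.
OK_CAPABLE = {"check_client_access", "check_helo_access", "check_sender_access",
              "check_recipient_access", "check_policy_service"}
# Restrictions that take the following word as an argument.
TAKES_ARGUMENT = OK_CAPABLE | {"reject_rbl_client", "reject_rhsbl_client", "reject_rhsbl_sender"}
MAP_SPEC = re.compile(r"^[a-z0-9]+:\S+$")  # hash:/path, cidr:/path, ...
PARAM_LINE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_postconf(text):
    """{parameter: value}; an indented line, or one that is not 'name = value',
    continues the previous parameter (how pasted postconf output wraps)."""
    params, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PARAM_LINE.match(line)
        if m and not raw[:1].isspace():
            key = m.group(1)
            params[key] = m.group(2).strip()
        elif line and key is not None:
            params[key] = f"{params[key]} {line}".strip()
    return params


def tokenize_restrictions(value):
    """(name, argument) pairs. A bare map spec such as hash:/etc/postfix/access
    is Postfix's legacy shorthand for check_recipient_access."""
    words = [w for w in re.split(r"[,\s]+", value) if w]
    tokens, i = [], 0
    while i < len(words):
        word = words[i]
        if MAP_SPEC.match(word):
            tokens.append(("check_recipient_access", word))
        elif word in TAKES_ARGUMENT and i + 1 < len(words):
            tokens.append((word, words[i + 1]))
            i += 1
        else:
            tokens.append((word, None))
        i += 1
    return tokens


def lookups_before_relay_gate(tokens):
    """OK-capable lookups that run before the first relay gate (all of them if
    the list has no gate)."""
    gate = next((i for i, (n, _) in enumerate(tokens) if n in RELAY_GATES),
                len(tokens))
    return [(n, a) for n, a in tokens[:gate] if n in OK_CAPABLE]


def audit(params):
    """Human-readable findings for the relay-relevant parameters."""
    tokens = tokenize_restrictions(params.get("smtpd_recipient_restrictions", ""))
    names = {n for n, _ in tokens}
    findings = []
    if not names & RELAY_GATES:
        findings.append("no reject_unauth_destination: any client reaching the final permit may relay")
    for name, arg in lookups_before_relay_gate(tokens):
        findings.append(f"{name} {arg} runs before reject_unauth_destination; an OK entry there grants relay")
    if "check_relay_domains" in names:
        findings.append("check_relay_domains is deprecated; use permit_mynetworks, reject_unauth_destination")
    if params.get("smtpd_delay_reject", "yes") == "no":
        findings.append("smtpd_delay_reject = no: client/HELO restrictions reject before RCPT TO; keep the default yes")
    return findings


# Sample input: the restriction lists posted in the thread, shortened.
AS_POSTED = """\
smtpd_delay_reject = no
smtpd_recipient_restrictions = hash:/etc/postfix/access,
check_client_access hash:/etc/postfix/client_checks,
check_recipient_access hash:/etc/postfix/sender_checks,
check_sender_access hash:/etc/postfix/sender_checks,  permit_mynetworks,
  permit_sasl_authenticated,  reject_unauth_destination,
reject_invalid_hostname,  check_client_access cidr:/etc/postfix/dnswl-permit,
reject_rbl_client zen.spamhaus.org,  check_policy_service inet:127.0.0.1:60000,  permit
smtpd_sasl_auth_enable = yes
"""
RESTORED = """\
smtpd_delay_reject = yes
smtpd_recipient_restrictions = check_relay_domains,  permit_mynetworks,
  permit_sasl_authenticated,  reject_unauth_destination,
reject_rbl_client zen.spamhaus.org,  check_policy_service inet:127.0.0.1:60000,  permit
"""

if __name__ == "__main__":
    for text in (AS_POSTED, RESTORED):
        print(*audit(parse_postconf(text)), sep="\n", end="\n\n")
```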

Re: I'm an open relay somehow

Lorens Kockum-2
On Fri, Dec 30, 2011 at 12:51:27PM -0600, Noel Jones wrote:
> These are rejected and not useful to our discussion.  Please show
> ALL the postfix logging of a suspect transaction that makes it to
> your queue.  In particular, we want to see if there is a
> sasl_username= line logged for a suspicious QUEUEID.

Stephen, you say that you have a lot of mail in the queue. I
suppose you use `mailq` to see that? You need to take the queue
ID of a suspect mail from there, grep /var/log/maillog for that,
and send us the output.

HTH

Re: I'm an open relay somehow

/dev/rob0
On Friday 30 December 2011 14:46:46 Lorens Kockum wrote:

> On Fri, Dec 30, 2011 at 12:51:27PM -0600, Noel Jones wrote:
> > These are rejected and not useful to our discussion.  Please
> > show ALL the postfix logging of a suspect transaction that
> > makes it to your queue.  In particular, we want to see if
> > there is a sasl_username= line logged for a suspicious QUEUEID.
>
> Stephen, you say that you have a lot of mail in the queue. I
> suppose you use `mailq` to see that? You need to take the queue
> ID of a suspect mail from there, grep /var/log/maillog for that,
> and send us the output.

Specifically, we would be most interested in how the message first
entered the queue. Arrival via smtpd(8) means you (Stephen) have an
access maps problem, or, as Noel surmised, exploited SASL user
credentials. Arrival via pickup(8) means you have some other kind of
exploit, such as a compromised HTTP-PHP script.

I'll also take this opportunity to nitpick in some ways that Noel
spared you. :)

> > smtpd_recipient_restrictions = hash:/etc/postfix/access,

"access" is a terrible name for an access lookup, believe it or not!
And here you are using it as an implied check_recipient_access lookup,
which as Noel pointed out, should not be done. What is this lookup
doing? (Do you know?)

> > check_client_access hash:/etc/postfix/client_checks,

This one is named appropriately, but possibly not *used* in a safe,
reasonable manner. What is this one doing?

> > check_recipient_access hash:/etc/postfix/sender_checks,
> > check_sender_access hash:/etc/postfix/sender_checks,

Same file, named "sender_checks", being used for both sender and
recipient lookups? That might be reasonable, but "sender_checks" is
not a good name in that case.

In general, check_sender_access is not a good tool. Sure, it does
exactly what it claims to do, but most spam has forged sender
addresses. Therefore check_sender_access is reasonable neither for
whitelisting nor for blacklisting.

My bet is on this file; you have done something in "sender_checks"
that you should not have done.
--
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
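To make the triage Lorens and /dev/rob0 describe concrete, here is an added example (not code from the thread) that pulls every maillog record for one queue ID, the way `grep QUEUEID /var/log/maillog` would, and tells smtpd(8) arrival with or without a sasl_username= apart from pickup(8) arrival. The log lines, host name, account and addresses are constructed; 198.51.100.0/24, 203.0.113.0/24 and example.com/example.net are documentation ranges.

```python
"""Triage one Postfix queue ID from maillog: how did the message get in?

Mirrors `grep QUEUEID /var/log/maillog` and then reads the result the way the
thread suggests: a smtpd(8) 'client=' record with sasl_username= points at
stolen credentials, one without it at a relay hole in the access maps, and a
pickup(8) record at a local process feeding sendmail(1).
"""
import re

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s\d\d:\d\d:\d\d)\s(?P<host>\S+)\s"
    r"postfix/(?P<daemon>[a-z]+)\[(?P<pid>\d+)\]:\s"
    r"(?:(?P<qid>[0-9A-F]{6,}):\s)?(?P<msg>.*)$"
)

# Constructed sample log, not from the thread: one authenticated submission
# (7A2B1186010) and one locally injected message (3C9D0186011), with unrelated
# connect/disconnect records in between. Addresses use documentation ranges.
SAMPLE_LOG = """\
Dec 30 10:31:15 mta5 postfix/smtpd[4012]: connect from unknown[198.51.100.23]
Dec 30 10:31:15 mta5 postfix/pickup[2210]: 3C9D0186011: uid=33 from=<www-data>
Dec 30 10:31:15 mta5 postfix/cleanup[4020]: 3C9D0186011: message-id=<20111230173115.3C9D0186011@mta5.example.com>
Dec 30 10:31:15 mta5 postfix/qmgr[2211]: 3C9D0186011: from=<www-data@mta5.example.com>, size=912, nrcpt=1 (queue active)
Dec 30 10:31:16 mta5 postfix/smtpd[4012]: 7A2B1186010: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=staff1@example.com
Dec 30 10:31:16 mta5 postfix/cleanup[4020]: 7A2B1186010: message-id=<20111230173116.7A2B1186010@mta5.example.com>
Dec 30 10:31:16 mta5 postfix/qmgr[2211]: 7A2B1186010: from=<postmaster@example.com>, size=1820, nrcpt=2 (queue active)
Dec 30 10:31:17 mta5 postfix/smtpd[4012]: disconnect from unknown[198.51.100.23]
Dec 30 10:31:20 mta5 postfix/smtp[4031]: 7A2B1186010: to=<user1@yahoo.com.tw>, relay=none, delay=4.2, delays=0.9/0/3.3/0, dsn=4.4.1, status=deferred (connect to mx.example.net[203.0.113.9]:25: Connection timed out)
Dec 30 10:31:20 mta5 postfix/smtp[4031]: 7A2B1186010: to=<user2@yahoo.com.tw>, relay=none, delay=4.2, delays=0.9/0/3.3/0, dsn=4.4.1, status=deferred (connect to mx.example.net[203.0.113.9]:25: Connection timed out)
"""


def records_for_queue_id(log_text, qid):
    """Every parsed record tagged with qid, i.e. what grep would return.
    connect/disconnect lines carry only the smtpd pid; correlate them by
    (host, pid) from the client= record if you need the whole session."""
    out = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("qid") == qid:
            out.append(m.groupdict())
    return out


def classify_entry(records):
    """Entry path plus the identity evidence logged for one queue ID."""
    info = {"entry": None, "client": None, "sasl_username": None,
            "uid": None, "sender": None, "recipients": []}
    for rec in records:
        daemon, msg = rec["daemon"], rec["msg"]
        if daemon == "smtpd" and msg.startswith("client="):
            info["entry"] = "smtpd"
            info["client"] = re.search(r"client=([^,\s]+)", msg).group(1)
            sasl = re.search(r"sasl_username=([^,\s]+)", msg)
            info["sasl_username"] = sasl.group(1) if sasl else None
        elif daemon == "pickup":
            info["entry"] = "pickup"
            uid = re.search(r"uid=(\d+)", msg)
            info["uid"] = int(uid.group(1)) if uid else None
        elif daemon == "qmgr":
            sender = re.search(r"from=<([^>]*)>", msg)
            if sender:
                info["sender"] = sender.group(1)
        else:  # delivery agents: smtp, virtual, local, pipe ...
            rcpt = re.search(r"to=<([^>]*)>", msg)
            if rcpt:
                info["recipients"].append(rcpt.group(1))
    info["hypothesis"] = hypothesis(info)
    return info


def hypothesis(info):
    """Map the evidence onto the explanations discussed in the thread."""
    if info["entry"] == "smtpd" and info["sasl_username"]:
        return "compromised_sasl_credentials"   # disable/rotate that account
    if info["entry"] == "smtpd":
        return "relay_via_access_maps"          # review restriction ordering
    if info["entry"] == "pickup":
        return "local_submission"               # find the process behind uid
    return "unknown"                            # log excerpt incomplete


if __name__ == "__main__":
    for qid in ("7A2B1186010", "3C9D0186011"):
        info = classify_entry(records_for_queue_id(SAMPLE_LOG, qid))
        print(qid, info["entry"], info["sasl_username"], info["uid"],
              info["hypothesis"])
```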

Re: I'm an open relay somehow

Stephen Atkins-2
On 12/30/2011 2:12 PM, /dev/rob0 wrote:

> On Friday 30 December 2011 14:46:46 Lorens Kockum wrote:
>> On Fri, Dec 30, 2011 at 12:51:27PM -0600, Noel Jones wrote:
>>> These are rejected and not useful to our discussion.  Please
>>> show ALL the postfix logging of a suspect transaction that
>>> makes it to your queue.  In particular, we want to see if
>>> there is a sasl_username= line logged for a suspicious QUEUEID.
>>
>> Stephen, you say that you have a lot of mail in the queue. I
>> suppose you use `mailq` to see that? You need to take the queue
>> ID of a suspect mail from there, grep /var/log/maillog for that,
>> and send us the output.
>
> Specifically, we would be most interested in how the message first
> entered the queue. Arrival via smtpd(8) means you (Stephen) have an
> access maps problem, or, as Noel surmised, exploited SASL user
> credentials. Arrival via pickup(8) means you have some other kind of
> exploit, such as a compromised HTTP-PHP script.
>
> I'll also take this opportunity to nitpick in some ways that Noel
> spared you. :)
>
>>> smtpd_recipient_restrictions = hash:/etc/postfix/access,
>
> "access" is a terrible name for an access lookup, believe it or not!
> And here you are using it as an implied check_recipient_access lookup,
> which as Noel pointed out, should not be done. What is this lookup
> doing? (Do you know?)
>
>>> check_client_access hash:/etc/postfix/client_checks,
>
> This one is named appropriately, but possibly not *used* in a safe,
> reasonable manner. What is this one doing?
>
>>> check_recipient_access hash:/etc/postfix/sender_checks,
>>> check_sender_access hash:/etc/postfix/sender_checks,
>
> Same file, named "sender_checks", being used for both sender and
> recipient lookups? That might be reasonable, but "sender_checks" is
> not a good name in that case.
>
> In general, check_sender_access is not a good tool. Sure, it does
> exactly what it claims to do, but most spam has forged sender
> addresses. Therefore check_sender_access is reasonable neither for
> whitelisting nor for blacklisting.
>
> My bet is on this file; you have done something in "sender_checks"
> that you should not have done.

So it turns out my replacement while I was on vacation modified my
main.cf.  I went back to a backup I had from a few weeks ago and changed
it back.  Now I don't have that problem any more.  What it came down to
was "check_relay_domains" had been removed for some reason.

While I'm nowhere near an expert on Postfix, usually the Ubuntu virtual
mail server guide is a pretty good place to start.  That's what I used
to first set this server up years ago.

This is my current version of a postconf -n

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
hash:/etc/postfix/majordomo/majoraliases
allow_untrusted_routing = no
bounce_queue_lifetime = 2h
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
debug_peer_level = 1
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
home_mailbox = Maildir/
in_flow_delay = 5s
inet_interfaces = all
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_queue_lifetime = 1d
message_size_limit = 26214400
mydestination = localhost.localdomain, localhost, mta1.rcr.inc
mta2.rcr.inc, ridelouise.com, canadiarockiessummer.com,         rcr.west
rcr.inc
mydomain = skircr.com
myhostname = smtp.skircr.com
mynetworks = 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24,
192.168.4.0/24, 192.168.5.0/24, 192.168.6.0/24,         192.168.7.0/24,
209.91.64.21, 127.0.0.0/8, 10.0.100.0/24,             10.0.6.0/24,
192.168.10.0/24, 192.168.80.0/23, 192.168.142.0/24,
216.133.52.45, 216.113.43.184, 192.168.143.0/24,     69.70.230.206,
207.96.243.24, 207.96.243.25, 24.37.1.234,       10.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
owner_request_special = no
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix-2.0.11/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_helo_name = skircr.com
smtpd_banner = $myhostname ESMTP $mail_name.  We block/report all
spam/spammers.
smtpd_client_restrictions = permit_mynetworks
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,                      permit
smtpd_recipient_restrictions = check_relay_domains,  permit_mynetworks,
  permit_sasl_authenticated,  reject_unauth_destination,
reject_invalid_hostname,  reject_unauth_pipelining,
reject_non_fqdn_sender,  reject_unknown_sender_domain,
reject_non_fqdn_recipient,  reject_unknown_recipient_domain,
reject_rbl_client zen.spamhaus.org,  reject_rbl_client
combined.njabl.org,  reject_rbl_client dbl.spamhaus.org,
check_policy_service inet:127.0.0.1:60000,  permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = hash:/etc/postfix/sender_restrictions,
permit_sasl_authenticated,  permit_mynetworks,
reject_unauth_pipelining,  permit
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_tls_loglevel = 9
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql/virtual_alias_maps.cf
virtual_gid_maps = static:119
virtual_mailbox_base = /usr/local/virtual
virtual_mailbox_domains = mysql:/etc/postfix/mysql/virtual_domains_maps.cf
virtual_mailbox_limit = 0
virtual_mailbox_maps = mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_uid = 109
virtual_transport = virtual
virtual_uid_maps = static:109

--
Stephen Atkins

Re: I'm an open relay some how

Wietse Venema
Stephen Atkins:
> So it turns out my replacement while I was on vacation modified my
> main.cf.  I went back to an back up I have a few weeks ago and changed
> it back.  Now I don't have that problem any more.  What it came down to
> was "check_relay_domains" had been removed for some reason.

Use "permit_mynetworks, reject_unauth_destination" instead of
"check_relay_domains". I am about to remove "check_relay_domains"
from Postfix.

        Wietse

Re: I'm an open relay some how

Stephen Atkins-2
On 12/30/2011 3:59 PM, Wietse Venema wrote:
> Stephen Atkins:
>> So it turns out my replacement while I was on vacation modified my
>> main.cf.  I went back to an back up I have a few weeks ago and changed
>> it back.  Now I don't have that problem any more.  What it came down to
>> was "check_relay_domains" had been removed for some reason.
>
> Use "permit_mynetworks, reject_unauth_destination" instead of
> "check_relay_domains". I am about to remove "check_relay_domains"
> from Postfix.

Thanks.  I see that in the log file now.  I will remove it as
reject_unauth_destination is also in there.

--
Stephen Atkins

Re: I'm an open relay some how

Wietse Venema
Stephen Atkins:

> On 12/30/2011 3:59 PM, Wietse Venema wrote:
> > Stephen Atkins:
> >> So it turns out my replacement while I was on vacation modified my
> >> main.cf.  I went back to an back up I have a few weeks ago and changed
> >> it back.  Now I don't have that problem any more.  What it came down to
> >> was "check_relay_domains" had been removed for some reason.
> >
> > Use "permit_mynetworks, reject_unauth_destination" instead of
> > "check_relay_domains". I am about to remove "check_relay_domains"
> > from Postfix.
>
> Thanks.  I see that in the log file now.  I will remove it as
> reject_unauth_destination is also in there.

No, you need to replace the check_relay_domains AT THE BEGINNING
of smtpd_recipient_restrictions by

"permit_mynetworks, reject_unauth_destination" AT THE BEGINNING
of smtpd_recipient_restrictions

otherwise you are at risk of becoming an open relay again.

        Wietse

Re: I'm an open relay some how

Stephen Atkins-2
On 12/30/2011 4:11 PM, Wietse Venema wrote:

> Stephen Atkins:
>> On 12/30/2011 3:59 PM, Wietse Venema wrote:
>>> Stephen Atkins:
>>>> So it turns out my replacement while I was on vacation modified my
>>>> main.cf.  I went back to an back up I have a few weeks ago and changed
>>>> it back.  Now I don't have that problem any more.  What it came down to
>>>> was "check_relay_domains" had been removed for some reason.
>>>
>>> Use "permit_mynetworks, reject_unauth_destination" instead of
>>> "check_relay_domains". I am about to remove "check_relay_domains"
>>> from Postfix.
>>
>> Thanks.  I see that in the log file now.  I will remove it as
>> reject_unauth_destination is also in there.
>
> No, you need to replace the check_relay_domains AT THE BEGINNING
> of smtpd_recipient_restrictions by
>
> "permit_mynetworks, reject_unauth_destination" AT THE BEGINNING
> of smtpd_recipient_restrictions
>
> otherwise you are at risk of becoming an open relay again.

So is this valid or bad?

smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_unauth_destination,

If not, where should the permit_sasl_authenticated go?

--
Stephen Atkins
Information Systems
Resorts of the Canadian Rockies INC.
http://www.skircr.com
Voice: (403) 209-3367
Cell: (403) 510-8333
Fax: (403) 244-3774

Re: I'm an open relay some how

Wietse Venema
Stephen Atkins:
> So is this valid or bad?
>
> smtpd_recipient_restrictions =
>    permit_mynetworks,
>    permit_sasl_authenticated,
>    reject_unauth_destination,

This is safe. When you put the access table lookups after these,
then you can't become an open relay.

        Wietse
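The ordering rule Wietse states above, as an added example that is not from the thread or from Postfix itself: a small checker that parses an smtpd_recipient_restrictions value and flags any list where a bare "permit", an access table or a policy service (anything that can return PERMIT for an untrusted client) comes before reject_unauth_destination, or where the guard is missing entirely. The function names are mine; the sample lists are the one posted earlier in the thread, the one proposed just above, and a constructed unsafe variant.

```python
"""Relay-safety check for a Postfix smtpd_recipient_restrictions value.
Rule from the thread: 'permit_mynetworks, reject_unauth_destination' go
first; lookups that may PERMIT an arbitrary client belong after the guard.
Added example, not Postfix code."""
import re

SAFE_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated"}
RELAY_GUARDS = {"reject_unauth_destination", "reject_unauth_recipient"}
DEPRECATED = {"check_relay_domains"}  # Wietse: about to be removed from Postfix


def takes_argument(name):
    """Restrictions written as 'name argument' (table, DNSBL zone, policy socket)."""
    return (name.startswith("check_") and name not in DEPRECATED) or \
        name.startswith(("reject_rbl_", "reject_rhsbl_"))


def parse_restrictions(value):
    """Split a main.cf list (commas and/or whitespace) into (name, arg) pairs."""
    words = re.split(r"[\s,]+", value.strip(", \n"))
    pairs, i = [], 0
    while i < len(words):
        name = words[i]
        arg = words[i + 1] if takes_argument(name) and i + 1 < len(words) else None
        pairs.append((name, arg))
        i += 2 if arg is not None else 1
    return pairs


def relay_safety(value):
    """Return {'safe': bool, 'problems': [...], 'warnings': [...]}."""
    names = [name for name, _ in parse_restrictions(value)]
    problems, warnings = [], []
    guard = next((i for i, n in enumerate(names) if n in RELAY_GUARDS), None)
    if guard is None:
        problems.append("no reject_unauth_destination: relaying is never rejected")
        guard = len(names)
    for n in names[:guard]:  # only what runs BEFORE the guard matters
        if n in DEPRECATED:
            warnings.append(f"{n} is deprecated; use permit_mynetworks, reject_unauth_destination")
        elif n == "permit" or n.startswith("check_"):
            problems.append(f"{n} can PERMIT an untrusted client before the relay guard")
    return {"safe": not problems, "problems": problems, "warnings": warnings}


# Sample lists: the one posted in the thread, the shorter one proposed above,
# and a constructed unsafe ordering (policy service ahead of the guard).
THREAD_ORIGINAL = ("check_relay_domains, permit_mynetworks, permit_sasl_authenticated, "
                   "reject_unauth_destination, reject_rbl_client zen.spamhaus.org, "
                   "check_policy_service inet:127.0.0.1:60000, permit")
PROPOSED = "permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination,"
UNSAFE = "check_policy_service inet:127.0.0.1:60000, permit_mynetworks, reject_unauth_destination"
```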