Limiting mail relay

Limiting mail relay

Patrick Mahan
All,

I am trying to understand how I am being a mail relay for (what I believe) are unauthorized users.  I have the following postfix config set -

smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authentication, reject_unauth_destination

mynetworks_style = subnet

However, an account seems to be used as a relay.  The user is complaining about seeing tons of MAIL REJECT messages.  The logs are showing -

Oct  5 00:00:02 ns postfix/smtpd[65859]: BB829A32C24: client=unknown[37.114.181.42], sasl_method=LOGIN, sasl_username=tracy
Oct  5 00:00:03 ns postfix/cleanup[65877]: BB829A32C24: message-id=<[hidden email]>
Oct  5 00:00:03 ns postfix/qmgr[1159]: BB829A32C24: from=<[hidden email]>, size=772, nrcpt=1 (queue active)
Oct  5 00:00:04 ns postfix/smtpd[65859]: 56778A32C28: client=unknown[37.114.181.42], sasl_method=LOGIN, sasl_username=tracy
Oct  5 00:00:04 ns postfix/smtp[65958]: BB829A32C24: to=<[hidden email]>, relay=in.hes.trendmicro.com[54.219.191.21]:25, delay=1.9, delays=1/0/0.54/0.33, dsn=5.7.1, status=bounced (host in.hes.trendmicro.com[54.219.191.21] said: 550 5.7.1 <[hidden email]>: Recipient address rejected: ERS-RBL. (in reply to RCPT TO command))
Oct  5 00:00:04 ns postfix/cleanup[65994]: A949BA32C39: message-id=<[hidden email]>
Oct  5 00:00:04 ns postfix/bounce[65883]: BB829A32C24: sender non-delivery notification: A949BA32C39
Oct  5 00:00:04 ns postfix/qmgr[1159]: A949BA32C39: from=<>, size=2793, nrcpt=1 (queue active)
Oct  5 00:00:04 ns postfix/qmgr[1159]: BB829A32C24: removed

And in the mail queue I am seeing messages like the following -

-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
E21FBA2E08E*    4104 Sat Oct  5 23:01:33  [hidden email]
                                         [hidden email]

07DA9A2E084     2581 Sat Oct  5 22:09:16  [hidden email]
(host mx.tiscali.co.uk[62.24.139.42] refused to talk to me: 554 cm9gb1 mx.talktalk.net GzNGiJaFdim2n IP Blacklisted (TT104) http://csi.cloudmark.com/reset-request/?ip=23.24.207.145)
                                         [hidden email]

0633AA2E117     1942 Sat Oct  5 22:51:06  [hidden email]
(host mxa-00002a01.gslb.pphosted.com[208.84.65.123] refused to talk to me: 554 Blocked - see https://ipcheck.proofpoint.com/?ip=23.24.207.145)
                                         [hidden email]

07483A2E094     1319 Sat Oct  5 22:31:58  [hidden email]
(host newsmtp1.sabah.com.tr[194.36.160.8] refused to talk to me: 554 Blocked - see https://support.proofpoint.com/dnsbl-lookup.cgi?ip=23.24.207.145)
                                         [hidden email]

0D34CA2E093      776 Sat Oct  5 22:15:26  [hidden email]
(lost connection with mx201.skynet.be[195.238.20.25] while receiving the initial server greeting)
                                         [hidden email]


None of those usernames at mahan.org exists.

It looks like I am being used as a spam relay, but thought I had closed that hole.

Pointers?  Documentation?  I have obviously misconfigured it.

My environment is FreeBSD 11.2-RELEASE-p7 amd64. Postfix 3.3.2.

Thanks,

Patrick Mahan
Re: Limiting mail relay

Viktor Dukhovni
> On Oct 6, 2019, at 2:09 AM, Patrick Mahan <[hidden email]> wrote:
>
> I am trying to understand how I am being a mail relay for (what I believe) are unauthorized users.
> I have the following postfix config set:
>
> smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authentication, reject_unauth_destination

The second of these is presumably actually "permit_sasl_authenticated"...

> The logs are showing -
>
> Oct  5 00:00:02 ns postfix/smtpd[65859]: BB829A32C24: client=unknown[37.114.181.42], sasl_method=LOGIN, sasl_username=tracy

A successful login as "tracy" was completed from a system at [37.114.181.42],
which GeoIP on my system reports as:

        37.114.181.42: AZ, Azerbaijan

If the real "tracy" is not logging in from Azerbaijan, her account
password has been compromised, and the compromise might affect more
than the password for your mailserver, perhaps remote control of her
computer, ...

The rest is just consequences of the account takeover.

--
        Viktor.
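Viktor's diagnosis comes from one field in the smtpd log line: the pairing of sasl_username with the client address. The following script is an added example, not code from the thread or from Postfix: it parses postfix/smtpd "client=" lines, groups authenticated sessions by SASL username, and flags accounts that authenticated from outside the networks the site's users are expected to submit from (a constructed allow-list standing in for the GeoIP lookup Viktor used) or from more distinct addresses than one user's client normally would. The sample log is constructed for the example; its first two lines are the ones quoted above, the others use documentation addresses and invented usernames.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log, modelled on the postfix/smtpd lines quoted in the thread.
# The first two lines are the thread's own; the rest are made up for illustration
# (documentation addresses 192.0.2.77 and 198.51.100.10, invented username "bob").
SAMPLE_LOG = """\
Oct  5 00:00:02 ns postfix/smtpd[65859]: BB829A32C24: client=unknown[37.114.181.42], sasl_method=LOGIN, sasl_username=tracy
Oct  5 00:00:04 ns postfix/smtpd[65859]: 56778A32C28: client=unknown[37.114.181.42], sasl_method=LOGIN, sasl_username=tracy
Oct  5 00:01:10 ns postfix/smtpd[65860]: 1C2D3A32C2A: client=unknown[192.0.2.77], sasl_method=LOGIN, sasl_username=tracy
Oct  5 00:02:30 ns postfix/smtpd[65861]: 7F00AA32C2B: client=mail.example.net[198.51.100.10], sasl_method=PLAIN, sasl_username=bob
Oct  5 00:03:00 ns postfix/smtpd[65862]: 7F00AA32C2C: client=unknown[192.0.2.77]
"""

# One smtpd "client=" line. The SASL fields are optional because unauthenticated
# sessions (inbound mail from other MTAs) log the same line without them.
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>[^,\s]+), sasl_username=(?P<user>\S+))?"
)


def parse_sasl_logins(log_text):
    """Yield (queue_id, client_ip, sasl_method, username) for every authenticated session."""
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m and m.group("user"):
            yield m.group("qid"), m.group("ip"), m.group("method"), m.group("user")


def summarize_logins(log_text, expected_networks):
    """Group authenticated sessions by SASL username.

    expected_networks: CIDR strings (an assumed allow-list, in the spirit of
    mynetworks) that real users are expected to submit from; any authenticated
    session from elsewhere is recorded under "unexpected_ips".
    """
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    summary = defaultdict(lambda: {"sessions": 0, "ips": set(), "unexpected_ips": set()})
    for _qid, ip, _method, user in parse_sasl_logins(log_text):
        entry = summary[user]
        entry["sessions"] += 1
        entry["ips"].add(ip)
        if not any(ipaddress.ip_address(ip) in net for net in nets):
            entry["unexpected_ips"].add(ip)
    return dict(summary)


def suspicious_accounts(summary, max_distinct_ips=1):
    """Usernames that authenticated from outside the expected networks, or from
    more distinct client addresses than a single user's mail client would use."""
    return sorted(
        user for user, e in summary.items()
        if e["unexpected_ips"] or len(e["ips"]) > max_distinct_ips
    )


if __name__ == "__main__":
    # Feed a real maillog with: python3 this.py < /var/log/maillog (after
    # replacing SAMPLE_LOG with sys.stdin.read()).
    report = summarize_logins(SAMPLE_LOG, ["198.51.100.0/24"])
    for user in suspicious_accounts(report):
        e = report[user]
        print(f"{user}: {e['sessions']} authenticated sessions from {sorted(e['ips'])}, "
              f"outside expected networks: {sorted(e['unexpected_ips'])}")
```

On the sample, "tracy" is reported with three sessions from two addresses outside the expected network, while "bob" is not reported; the unauthenticated fifth line is ignored because it carries no sasl_username. On a real maillog the list of flagged usernames is the set of accounts whose passwords need to be reset before the relay restrictions are revisited, since permit_sasl_authenticated is doing exactly what it should for a client that holds a valid password.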

Re: Limiting mail relay

Patrick Mahan
Many thanks.  Especially for the GeoIP reference.  I will take steps to clean up that account.

Again, thanks.

Patrick

On Sat, Oct 5, 2019 at 11:45 PM Viktor Dukhovni <[hidden email]> wrote:
> > On Oct 6, 2019, at 2:09 AM, Patrick Mahan <[hidden email]> wrote:
> >
> > I am trying to understand how I am being a mail relay for (what I believe) are unauthorized users.
> > I have the following postfix config set:
> >
> > smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authentication, reject_unauth_destination
>
> The second of these is presumably actually "permit_sasl_authenticated"...
>
> > The logs are showing -
> >
> > Oct  5 00:00:02 ns postfix/smtpd[65859]: BB829A32C24: client=unknown[37.114.181.42], sasl_method=LOGIN, sasl_username=tracy
>
> A successful login as "tracy" was completed from a system at [37.114.181.42],
> which GeoIP on my system reports as:
>
>         37.114.181.42: AZ, Azerbaijan
>
> If the real "tracy" is not logging in from Azerbaijan, her account
> password has been compromised, and the compromise might affect more
> than the password for your mailserver, perhaps remote control of her
> computer, ...
>
> The rest is just consequences of the account takeover.
>
> --
>         Viktor.