Limiting mail relay

Limiting mail relay

Patrick Mahan
All,

I am trying to understand how I am being a mail relay for (what I believe) are unauthorized users.  I have the following postfix config set -

smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authentication, reject_unauth_destination

mynetworks_style = subnet

However, an account seems to be used as a relay.  The user is complaining about seeing tons of MAIL REJECT messages.  The logs are showing -

Oct  5 00:00:02 ns postfix/smtpd[65859]: BB829A32C24: client=unknown[37.114.181.42], sasl_method=LOGIN, sasl_username=tracy
Oct  5 00:00:03 ns postfix/cleanup[65877]: BB829A32C24: message-id=<[hidden email]>
Oct  5 00:00:03 ns postfix/qmgr[1159]: BB829A32C24: from=<[hidden email]>, size=772, nrcpt=1 (queue active)
Oct  5 00:00:04 ns postfix/smtpd[65859]: 56778A32C28: client=unknown[37.114.181.42], sasl_method=LOGIN, sasl_username=tracy
Oct  5 00:00:04 ns postfix/smtp[65958]: BB829A32C24: to=<[hidden email]>, relay=in.hes.trendmicro.com[54.219.191.21]:25, delay=1.9, delays=1/0/0.54/0.33, dsn=5.7.1, status=bounced (host in.hes.trendmicro.com[54.219.191.21] said: 550 5.7.1 <[hidden email]>: Recipient address rejected: ERS-RBL. (in reply to RCPT TO command))
Oct  5 00:00:04 ns postfix/cleanup[65994]: A949BA32C39: message-id=<[hidden email]>
Oct  5 00:00:04 ns postfix/bounce[65883]: BB829A32C24: sender non-delivery notification: A949BA32C39
Oct  5 00:00:04 ns postfix/qmgr[1159]: A949BA32C39: from=<>, size=2793, nrcpt=1 (queue active)
Oct  5 00:00:04 ns postfix/qmgr[1159]: BB829A32C24: removed

And in the mail queue I am seeing messages like the following -

-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
E21FBA2E08E*    4104 Sat Oct  5 23:01:33  [hidden email]
                                         [hidden email]

07DA9A2E084     2581 Sat Oct  5 22:09:16  [hidden email]
(host mx.tiscali.co.uk[62.24.139.42] refused to talk to me: 554 cm9gb1 mx.talktalk.net GzNGiJaFdim2n IP Blacklisted (TT104) http://csi.cloudmark.com/reset-request/?ip=23.24.207.145)
                                         [hidden email]

0633AA2E117     1942 Sat Oct  5 22:51:06  [hidden email]
(host mxa-00002a01.gslb.pphosted.com[208.84.65.123] refused to talk to me: 554 Blocked - see https://ipcheck.proofpoint.com/?ip=23.24.207.145)
                                         [hidden email]

07483A2E094     1319 Sat Oct  5 22:31:58  [hidden email]
(host newsmtp1.sabah.com.tr[194.36.160.8] refused to talk to me: 554 Blocked - see https://support.proofpoint.com/dnsbl-lookup.cgi?ip=23.24.207.145)
                                         [hidden email]

0D34CA2E093      776 Sat Oct  5 22:15:26  [hidden email]
(lost connection with mx201.skynet.be[195.238.20.25] while receiving the initial server greeting)
                                         [hidden email]


None of those usernames at mahan.org exists.

It looks like I am being used as a spam relay, but thought I had closed that hole.

Pointers?  Documentation?  I have obviously mis-configured it.

My environment is FreeBSD 11.2-RELEASE-p7 amd64. Postfix 3.3.2.

Thanks,

Patrick Mahan

Re: Limiting mail relay

Viktor Dukhovni
> On Oct 6, 2019, at 2:09 AM, Patrick Mahan <[hidden email]> wrote:
>
> I am trying to understand how I am being a mail relay for (what I believe) are unauthorized users.
> I have the following postfix config set:
>
> smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authentication, reject_unauth_destination

The second of these is presumably actually "permit_sasl_authenticated"...

> The logs are showing -
>
> Oct  5 00:00:02 ns postfix/smtpd[65859]: BB829A32C24: client=unknown[37.114.181.42], sasl_method=LOGIN, sasl_username=tracy

A successful login as "tracy" was completed from a system at [37.114.181.42],
which GeoIP on my system reports as:

        37.114.181.42: AZ, Azerbaijan

If the real "tracy" is not logging in from Azerbaijan, her account
password has been compromised, and the compromise might affect more
than the password for your mailserver, perhaps remote control of her
computer, ...

The rest is just consequences of the account takeover.

--
        Viktor.


Re: Limiting mail relay

Patrick Mahan
Many thanks.  Especially for the GeoIP reference.  I will take steps to clean up that account.

Again, thanks.

Patrick



Re: Limiting mail relay

Atnakus Arzah
On Sat, Oct 05, 2019 at 11:09:35PM -0700, Patrick Mahan wrote:

>All,
>
>I am trying to understand how I am being a mail relay for (what I believe)
>are unauthorized users.  I have the following postfix config set -
>
>smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authentication,
>reject_unauth_destination
>
>mynetworks_style = subnet
>
>However, an account seemingly seems to be used as a relay.  The user is
>complaining about seeing tons of MAIL REJECT messages.  The logs are
>showing -
>
>Oct  5 00:00:02 ns postfix/smtpd[65859]: BB829A32C24:
>client=unknown[37.114.181.42], sasl_method=LOGIN, sasl_username=tracy
>Oct  5 00:00:03 ns postfix/cleanup[65877]: BB829A32C24: message-id=<
>[hidden email]>
>Oct  5 00:00:03 ns postfix/qmgr[1159]: BB829A32C24: from=<
>[hidden email]>, size=772, nrcpt=1 (queue active)
>Oct  5 00:00:04 ns postfix/smtpd[65859]: 56778A32C28:
>client=unknown[37.114.181.42], sasl_method=LOGIN, sasl_username=tracy

Hazarding a guess here: potentially the sender/spammer has access to the SASL credentials of
tracy?

You could verify whether your Postfix MTA is an open relay using the following
tool: https://mxtoolbox.com/diagnostic.aspx

- Atnakus

Re: Limiting mail relay

Patrick Mahan
Once I reset tracy's login credentials, the relaying stopped.  It turns out this particular user had used the same password on many websites and had undoubtedly been compromised.  I have required that this password remain private to our mail server.
 
The mxtoolbox reports that the mail server is not an open relay.

Thanks,

Patrick

Re: Limiting mail relay

Atnakus Arzah
On Sat, Oct 26, 2019 at 10:48:08AM -0700, Patrick Mahan wrote:

>Once I reset tracy's login credentials the relaying stopped.  It turns out
>this particular user had used the same password on many websites and had
>undoubtedly been compromised.  I have required that this password remain
>private to our mail server.
>
>The mxtoolbox reports that the mail server is not an open relay.
>
>Thanks,
>
>Patrick

You could also use a tool like fail2ban to detect multiple failed logins
(during scans) and block the IP address.

- Atnakus
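As an added example (not code from anyone in the thread), a script that pulls the `sasl_username`/client-IP pairs and SASL failure warnings out of Postfix smtpd log lines like the ones above, flagging accounts that authenticate from outside the networks you expect (an offline stand-in for Viktor's GeoIP sanity check) and client IPs with repeated authentication failures (the pattern fail2ban would act on, per Atnakus). The sample log, the trusted network list and the thresholds are constructed for the example.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the smtpd lines in the thread; every IP other
# than 37.114.181.42 comes from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Oct  5 00:00:02 ns postfix/smtpd[65859]: BB829A32C24: client=unknown[37.114.181.42], sasl_method=LOGIN, sasl_username=tracy
Oct  5 00:00:04 ns postfix/smtpd[65859]: 56778A32C28: client=unknown[37.114.181.42], sasl_method=LOGIN, sasl_username=tracy
Oct  5 00:01:10 ns postfix/smtpd[65859]: 9A1C2A32C31: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=tracy
Oct  5 00:02:00 ns postfix/smtpd[65860]: 1F00AA32C40: client=laptop.example.org[192.0.2.10], sasl_method=PLAIN, sasl_username=bob
Oct  5 00:02:30 ns postfix/smtpd[65861]: warning: unknown[198.51.100.5]: SASL LOGIN authentication failed: authentication failure
Oct  5 00:02:31 ns postfix/smtpd[65861]: warning: unknown[198.51.100.5]: SASL LOGIN authentication failed: authentication failure
Oct  5 00:02:32 ns postfix/smtpd[65861]: warning: unknown[198.51.100.5]: SASL LOGIN authentication failed: authentication failure
Oct  5 00:03:00 ns postfix/smtpd[65862]: 2B77CA32C44: client=mx.example.net[192.0.2.25]
"""

LOGIN_RE = re.compile(r"client=\S+\[([\d.]+)\],.*?sasl_username=(\S+)")
FAIL_RE = re.compile(r"warning: \S+\[([\d.]+)\]: SASL \S+ authentication failed")

def sasl_logins(log):
    """Map each sasl_username to a Counter of the client IPs it authenticated from."""
    logins = defaultdict(Counter)
    for line in log.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            logins[m.group(2)][m.group(1)] += 1
    return logins

def suspicious_accounts(logins, trusted_nets, max_ips=1):
    """Users who authenticated from outside trusted_nets, or from more than
    max_ips distinct addresses in the log window. Returns {user: sorted IPs}."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    flagged = {}
    for user, ips in logins.items():
        foreign = [ip for ip in ips if not any(ipaddress.ip_address(ip) in n for n in nets)]
        if foreign or len(ips) > max_ips:
            flagged[user] = sorted(ips)
    return flagged

def failed_login_offenders(log, threshold=3):
    """fail2ban-style: client IPs with at least `threshold` SASL auth failures."""
    fails = Counter(FAIL_RE.search(l).group(1) for l in log.splitlines() if FAIL_RE.search(l))
    return sorted(ip for ip, n in fails.items() if n >= threshold)

if __name__ == "__main__":
    logins = sasl_logins(SAMPLE_LOG)
    print(suspicious_accounts(logins, ["192.0.2.0/24"]))   # flags tracy
    print(failed_login_offenders(SAMPLE_LOG))               # ['198.51.100.5']
```

Run it against `/var/log/maillog` (or `journalctl -u postfix`) with the organisation's own networks in `trusted_nets`; an account that shows up in the first result is the one whose password needs resetting, as Patrick found with tracy.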