Open relay or compromised user?


Open relay or compromised user?

Guy-749
Hi guys,

I've got some mail in the queue that's clearly spam. The from address
is [hidden email] and the source server is
"7c.91.5746.static.theplanet.com [70.87.145.124]" The recipient
addresses are random domains that do not belong to me. The server is
supposed to be a gateway and outgoing server for our users.

I've tried telnet to port 25 on the box and get relay access denied
trying to send to a non local domain (gmail.com). So either my config
is completely screwed (which is very possible) or I've got a
compromised user. If it's a compromised user, is it possible for
postfix to include the authenticated username in the message headers?

Below is a postconf -n from the gateway/smtp server. Any advice on
what I'm missing or bad settings would be great. Also, which of the
standard config examples would cover what I'm trying to do with this
server? Or should I just start reading through the base configuration?
Or should I just hurry up and get the Book of Postfix? :P

Thanks
Guy

root@aardvark:/var/spool/postfix/hold# postconf -n
2bounce_notice_recipient = [hidden email]
anvil_rate_time_unit = 60s
bounce_notice_recipient = [hidden email]
bounce_template_file = /etc/postfix/bounce.cf
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
cyrus_sasl_config_path = /etc/postfix/sasl/
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 30
delay_notice_recipient = [hidden email]
error_notice_recipient = [hidden email]
home_mailbox = .maildir/
html_directory = /usr/share/doc/postfix-2.2.10/html
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains = sbl-xbl.spamhaus.org
message_size_limit = 31240000
mynetworks = 127.0.0.0/8, 72.9.230.26
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
rbl_reply_maps = hash:/etc/postfix/rbl_reply
readme_directory = /usr/share/doc/postfix-2.2.10/readme
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_client_connection_count_limit = 30
smtpd_client_connection_rate_limit = 100
smtpd_client_message_rate_limit = 100
smtpd_client_recipient_rate_limit = 100
smtpd_error_sleep_time = 1s
smtpd_hard_error_limit = 20
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_invalid_hostname,
    reject_non_fqdn_sender, reject_unknown_sender_domain,
    reject_unauth_destination, check_recipient_access hash:/etc/postfix/spamlovers,
    check_client_access cidr:/etc/postfix/postfix-dnswl-permit,
    reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net,
    reject_rbl_client psbl.surriel.com, reject_rhsbl_client zen.spamhaus.org,
    reject_rhsbl_client bl.spamcop.net,
    check_policy_service inet:127.0.0.1:10031, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_soft_error_limit = 10
smtpd_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtpd_tls_cert_file = /etc/ssl/certs/imapd.pem
smtpd_tls_key_file = /etc/ssl/private/imapd.pem
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
mysql:/etc/postfix/mysql_virtual_catchall_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_transport = smtp:barracuda.aluminati.org


--
Don't just do something...sit there!

Re: Open relay or compromised user?

Noel Jones-2
Guy wrote:

> Hi guys,
>
> I've got some mail in the queue that's clearly spam. The from address
> is [hidden email] and the source server is
> "7c.91.5746.static.theplanet.com [70.87.145.124]" The recipient
> addresses are random domains that do not belong to me. The server is
> supposed to be a gateway and outgoing server for our users.
>
> I've tried telnet to port 25 on the box and get relay access denied
> trying to send to a non local domain (gmail.com). So either my config
> is completely screwed (which is very possible) or I've got a
> compromised user. If it's a compromised user, is it possible for
> postfix to include the authenticated username in the message headers?
>
> Below is a postconf -n from the gateway/smtp server. Any advice on
> what I'm missing or bad settings would be great. Also, which of the
> standard config examples would cover what I'm trying to do with this
> server? Or should I just start reading through the base configuration?
> Or should I just hurry up and get the Book of Postfix? :P
>
> Thanks
> Guy
>

You don't appear to have any errors in your postconf -n that
could possibly cause an open relay.

To find the source of the spam, grep your logs for the QUEUEID
displayed by the mailq command.  If the mail has been in the
logs a couple days, you may need to examine logs that have
been rotated out.  The objective is to find the first entry
referring to the unwanted mail and determine how it entered
postfix.  If it was SASL authenticated, that will be logged.
Another common point of abuse is web scripts.  If your server
has www software on it, that could be the problem.

Postfix 2.3 and later can report the sasl user in the headers;
http://www.postfix.org/postconf.5.html#smtpd_sasl_authenticated_header

Postfix 2.5 and newer also support RFC 3848 to report
authentication/encryption status in the Received: header, but
this doesn't record the user name.

--
Noel Jones


> root@aardvark:/var/spool/postfix/hold# postconf -n
> 2bounce_notice_recipient = [hidden email]
> anvil_rate_time_unit = 60s
> bounce_notice_recipient = [hidden email]
> bounce_template_file = /etc/postfix/bounce.cf
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> content_filter = smtp-amavis:[127.0.0.1]:10024
> cyrus_sasl_config_path = /etc/postfix/sasl/
> daemon_directory = /usr/lib/postfix
> debug_peer_level = 2
> default_destination_concurrency_limit = 30
> delay_notice_recipient = [hidden email]
> error_notice_recipient = [hidden email]
> home_mailbox = .maildir/
> html_directory = /usr/share/doc/postfix-2.2.10/html
> mail_owner = postfix
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/share/man
> maps_rbl_domains = sbl-xbl.spamhaus.org
> message_size_limit = 31240000
> mynetworks = 127.0.0.0/8, 72.9.230.26
> newaliases_path = /usr/bin/newaliases
> queue_directory = /var/spool/postfix
> rbl_reply_maps = hash:/etc/postfix/rbl_reply
> readme_directory = /usr/share/doc/postfix-2.2.10/readme
> sample_directory = /etc/postfix
> sendmail_path = /usr/sbin/sendmail
> setgid_group = postdrop
> smtpd_client_connection_count_limit = 30
> smtpd_client_connection_rate_limit = 100
> smtpd_client_message_rate_limit = 100
> smtpd_client_recipient_rate_limit = 100
> smtpd_error_sleep_time = 1s
> smtpd_hard_error_limit = 20
> smtpd_recipient_restrictions = permit_mynetworks,
>     permit_sasl_authenticated, reject_invalid_hostname,
>     reject_non_fqdn_sender, reject_unknown_sender_domain,
>     reject_unauth_destination, check_recipient_access hash:/etc/postfix/spamlovers,
>     check_client_access cidr:/etc/postfix/postfix-dnswl-permit,
>     reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net,
>     reject_rbl_client psbl.surriel.com, reject_rhsbl_client zen.spamhaus.org,
>     reject_rhsbl_client bl.spamcop.net,
>     check_policy_service inet:127.0.0.1:10031, permit
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain =
> smtpd_sasl_path = smtpd
> smtpd_sasl_security_options = noanonymous
> smtpd_soft_error_limit = 10
> smtpd_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
> smtpd_tls_cert_file = /etc/ssl/certs/imapd.pem
> smtpd_tls_key_file = /etc/ssl/private/imapd.pem
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_use_tls = yes
> tls_random_source = dev:/dev/urandom
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
> mysql:/etc/postfix/mysql_virtual_catchall_maps.cf
> virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
> virtual_transport = smtp:barracuda.aluminati.org
>
>
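The log triage Noel describes (grep for the queue ID shown by mailq, find the earliest entry, and see whether it carries sasl_username, an unauthenticated client=, or a local pickup record), written out as an added example. This is not code from the thread or from Postfix; the log lines, queue IDs, hosts and the user name "alice" are constructed for the example, and the line shapes follow the smtpd "client=" and pickup "uid=" records Postfix writes.

```python
import re
from collections import Counter
from typing import Iterable

# Constructed log lines for the three entry points the thread discusses:
# an smtpd session that authenticated with SASL, an unauthenticated smtpd
# session from a remote MX, and local pickup (how a web script or cron job
# hands mail to sendmail(1)). Queue IDs, hosts and addresses are made up.
SAMPLE_LOG = """\
Nov 19 08:01:02 aardvark postfix/smtpd[2101]: 7A1B2C3D4E: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice
Nov 19 08:01:02 aardvark postfix/cleanup[2102]: 7A1B2C3D4E: message-id=<constructed-1@example.invalid>
Nov 19 08:01:03 aardvark postfix/qmgr[2050]: 7A1B2C3D4E: from=<spammer@example.invalid>, size=2048, nrcpt=40 (queue active)
Nov 19 08:02:10 aardvark postfix/smtpd[2103]: 8B2C3D4E5F: client=mx.partner.example[198.51.100.7]
Nov 19 08:02:10 aardvark postfix/qmgr[2050]: 8B2C3D4E5F: from=<bob@partner.example>, size=900, nrcpt=1 (queue active)
Nov 19 08:03:00 aardvark postfix/pickup[2001]: 9C3D4E5F60: uid=33 from=<www-data>
Nov 19 08:03:00 aardvark postfix/cleanup[2102]: 9C3D4E5F60: message-id=<constructed-2@example.invalid>
Nov 19 08:04:00 aardvark postfix/smtpd[2104]: A1B2C3D4E5: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice
"""

# The smtpd "client=" record is the first thing Postfix logs for a network
# submission; sasl_method/sasl_username appear only when the session authenticated.
_SMTPD_CLIENT = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-Za-z]+): client=([^,\s]+)(.*)$")
_SASL_USER = re.compile(r"sasl_username=(\S+)")
# Local submissions are logged by pickup together with the submitting uid.
_PICKUP = re.compile(r"postfix/pickup\[\d+\]: ([0-9A-Za-z]+): uid=(\d+) from=<([^>]*)>")


def find_origin(queue_id: str, log_lines: Iterable[str]) -> dict:
    """Report how the message with this queue ID entered Postfix.

    Mirrors grepping the log for the queue ID and reading the earliest hit:
    source is 'sasl' (authenticated submission), 'network' (unauthenticated
    smtpd client), 'local' (pickup) or 'unknown' (ID not in these lines).
    """
    for line in log_lines:
        m = _SMTPD_CLIENT.search(line)
        if m and m.group(1) == queue_id:
            user = _SASL_USER.search(m.group(3))
            return {
                "source": "sasl" if user else "network",
                "client": m.group(2),
                "sasl_username": user.group(1) if user else None,
                "uid": None,
                "line": line,
            }
        m = _PICKUP.search(line)
        if m and m.group(1) == queue_id:
            return {
                "source": "local",
                "client": None,
                "sasl_username": None,
                "uid": int(m.group(2)),
                "line": line,
            }
    return {"source": "unknown", "client": None, "sasl_username": None, "uid": None, "line": None}


def count_by_user(queue_ids: Iterable[str], log_lines: list) -> Counter:
    """Tally authenticated submissions per SASL user over several queued
    messages; one account behind most of the queue is the compromised-user signature."""
    tally: Counter = Counter()
    for qid in queue_ids:
        origin = find_origin(qid, log_lines)
        if origin["source"] == "sasl":
            tally[origin["sasl_username"]] += 1
    return tally


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for qid in ("7A1B2C3D4E", "8B2C3D4E5F", "9C3D4E5F60", "ZZZZZZZZZZ"):
        o = find_origin(qid, lines)
        print(qid, o["source"], o["client"] or o["uid"], o["sasl_username"])
    print(count_by_user(["7A1B2C3D4E", "8B2C3D4E5F", "9C3D4E5F60", "A1B2C3D4E5"], lines))
```

On a real system the lines would come from the current mail log plus any rotated copies, as Noel notes, and the queue IDs from mailq; a pickup hit with a web server's uid points at a script rather than a user account.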


Re: Open relay or compromised user?

Guy-749
Hi Noel

2008/11/19 Noel Jones <[hidden email]>:
> You don't appear to have any errors in your postconf -n that could possibly
> cause an open relay.

Thanks for looking.

> To find the source of the spam, grep your logs for the QUEUEID displayed by
> the mailq command.  If the mail has been in the logs a couple days, you may
> need to examine logs that have been rotated out.  The objective is to find
> the first entry referring to the unwanted mail and determine how it entered
> postfix.  If it was SASL authenticated, that will be logged.
> Another common point of abuse is web scripts.  If your server has www
> software on it, that could be the problem.

There is no web server on the machine. Apparently my brain is switched
off though, not looking for the sasl line in the logs.
Feel just a leeetle stupid right now. :P

Thanks
Guy

--
Don't just do something...sit there!

Re: Open relay or compromised user?

mouss-2
In reply to this post by Guy-749
Guy wrote:

> Hi guys,
>
> I've got some mail in the queue that's clearly spam. The from address
> is [hidden email] and the source server is
> "7c.91.5746.static.theplanet.com [70.87.145.124]" The recipient
> addresses are random domains that do not belong to me. The server is
> supposed to be a gateway and outgoing server for our users.
>
> I've tried telnet to port 25 on the box and get relay access denied
> trying to send to a non local domain (gmail.com). So either my config
> is completely screwed (which is very possible) or I've got a
> compromised user. If it's a compromised user, is it possible for
> postfix to include the authenticated username in the message headers?
>


Your logs should tell you whether the transaction was authenticated;
look for sasl_username.

If you want the headers to contain submission info, set:

smtpd_sasl_authenticated_header = yes
smtpd_tls_received_header = yes



> [snip]
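What those two settings buy you once a message is in the hold queue, as an added example that is not from the thread or from Postfix: a small parser for the Received: header Postfix adds when smtpd_sasl_authenticated_header and smtpd_tls_received_header are enabled. The sample headers are constructed to follow Postfix's layout (the "(Authenticated sender: ...)" clause, the "(using ... with cipher ...)" clause and the RFC 3848 "with ESMTPSA" keyword Noel mentions); the hosts, queue IDs and the user "alice" are made up.

```python
import re

# Constructed sample: the first Received: header is what Postfix writes for a
# TLS-protected, SASL-authenticated submission with both header options on;
# the second is an unauthenticated plaintext session from a remote MX.
SAMPLE_HEADERS = """\
Received: from unknown (unknown [192.0.2.10])
\t(using TLSv1 with cipher AES256-SHA (256/256 bits))
\t(No client certificate requested)
\t(Authenticated sender: alice)
\tby aardvark.example.invalid (Postfix) with ESMTPSA id 7A1B2C3D4E
\tfor <victim@example.org>; Wed, 19 Nov 2008 08:01:02 +0000 (UTC)
Received: from mx.partner.example (mx.partner.example [198.51.100.7])
\tby aardvark.example.invalid (Postfix) with ESMTP id 8B2C3D4E5F
\tfor <bob@example.invalid>; Wed, 19 Nov 2008 08:02:10 +0000 (UTC)
Subject: constructed sample
"""


def unfold(header_text: str) -> list:
    """Join folded continuation lines (leading space or tab) onto the header
    they belong to, so each list element is one complete header field."""
    headers: list = []
    for line in header_text.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers


def parse_received(header: str) -> dict:
    """Pull the submission facts out of one unfolded Postfix Received: header."""
    info = {"client": None, "ip": None, "tls": None,
            "authenticated_sender": None, "protocol": None, "queue_id": None}
    m = re.search(r"from \S+ \((\S+) \[([^\]]+)\]\)", header)
    if m:
        info["client"], info["ip"] = m.group(1), m.group(2)
    # Clause added by smtpd_tls_received_header = yes
    m = re.search(r"\(using (\S+) with cipher (\S+)", header)
    if m:
        info["tls"] = f"{m.group(1)} {m.group(2)}"
    # Clause added by smtpd_sasl_authenticated_header = yes
    m = re.search(r"\(Authenticated sender: ([^)]+)\)", header)
    if m:
        info["authenticated_sender"] = m.group(1)
    # RFC 3848 keyword: trailing A means authenticated, S means TLS
    m = re.search(r"with (E?SMTPS?A?) id (\S+)", header)
    if m:
        info["protocol"], info["queue_id"] = m.group(1), m.group(2)
    return info


def authenticated_senders(header_text: str) -> list:
    """List (queue_id, sasl user) for every Received: header that names an
    authenticated sender, which is the quick check to run on a held spam message."""
    found = []
    for h in unfold(header_text):
        if h.startswith("Received:"):
            info = parse_received(h)
            if info["authenticated_sender"]:
                found.append((info["queue_id"], info["authenticated_sender"]))
    return found


if __name__ == "__main__":
    for h in unfold(SAMPLE_HEADERS):
        if h.startswith("Received:"):
            print(parse_received(h))
    print(authenticated_senders(SAMPLE_HEADERS))
```

The header only records the user on the hop where the submission happened, so on a message relayed through several servers the "Authenticated sender" clause has to be read from the Received: header written by the gateway itself.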