Open relay

Re: Open relay

Ansgar Wiechers
On 2016-10-23 Paul van der Vlis wrote:
> On 22-10-16 at 18:23 /dev/rob0 wrote:
>> The only actual conclusion is that you have failed to put forth the
>> necessary information, as Bill [I think] pointed you to the
>> http://www.postfix.org/DEBUG_README.html#mail link.
>
> The problem is that somebody did send spam using port 587 with a not
> existing username, and I am interested how that is possible.
>
> sigmund:/var/log# postconf -Mf

So you finally decided to show the output of "postconf -Mf" and
"saslfinger -s". Good. Now you just need to provide the rest of the
information Bill Cole asked of you 2 days ago:

- Full output of "postconf -nf".
- Full headers of a sample message (you may obfuscate personal
  information about the recipient).
- All log lines associated with that particular message. At the very
  least the output of "grep <QUEUE_ID> /var/log/mail.log".

  In case you don't know how to find the queue ID in a log message, it's
  this part of the log line:

  <date> <host> postfix/smtpd[<pid>]: 2758BBF4062: ...
                                      ^^^^^^^^^^^

And did you already investigate why the authentication backend considers
"[hidden email]" a valid user, as Noel Jones asked? What did you find out?

Without all of the information mentioned above you're just wasting
everyone's time.

---

Probably unrelated, because the messages in question apparently are
received via submission, but still: you may want to disable verbose
logging for the smtpd on port 25. Remove the "-v" from this line in
master.cf:

> smtp       inet  n       -       -       -       -       smtpd -v

Verbose logging is only required in very specific debugging scenarios
and won't do you any good for regular operations or troubleshooting.

Regards
Ansgar Wiechers
Re: Open relay, found it

Paul van der Vlis
On 23-10-16 at 13:32 Ansgar Wiechers wrote:

> On 2016-10-23 Paul van der Vlis wrote:
>> On 22-10-16 at 18:23 /dev/rob0 wrote:
>>> The only actual conclusion is that you have failed to put forth the
>>> necessary information, as Bill [I think] pointed you to the
>>> http://www.postfix.org/DEBUG_README.html#mail link.
>>
>> The problem is that somebody did send spam using port 587 with a not
>> existing username, and I am interested how that is possible.
>>
>> sigmund:/var/log# postconf -Mf
>
> So you finally decided to show the output of "postconf -Mf" and
> "saslfinger -s". Good. Now you just need to provide the rest of the
> information Bill Cole asked of you 2 days ago:
>
> - Full output of "postconf -nf".
> - Full headers of a sample message (you may obfuscate personal
>   information about the recipient).
> - All log lines associated with that particular message. At the very
>   least the output of "grep <QUEUE_ID> /var/log/mail.log".

I am sorry if I did not give the right information. I did read the
link, and did what was asked there.

>   In case you don't know how to find the queue ID in a log message, it's
>   this part of the log line:
>
>   <date> <host> postfix/smtpd[<pid>]: 2758BBF4062: ...
>                                       ^^^^^^^^^^^
> And did you already investigate why the authentication backend considers
> "[hidden email]" a valid user, as Noel Jones asked? What did you find out?

Yes, and I found out that when the username is "[hidden email]" SASL
actually checks on "piet":
----------
saslauthd[19855] :do_auth         : auth success: [user=piet]
[service=smtp] [realm=puk.nl] [mech=pam]
----------

I did some more tests, and it seems to be that the spammer actually did
know the password. After changing the password, the logging changed:
----------
saslauthd[20161] :do_auth         : auth failure: [user=piet]
[service=smtp] [realm=puk.nl] [mech=pam]
---------

<cut>

With regards,
Paul van der Vlis.



--
Paul van der Vlis Linux systeembeheer Groningen
https://www.vandervlis.nl/
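The two things the thread asks for, as an added example rather than code from the list or from Postfix: Ansgar's "collect every log line for the queue ID" step, and a per-login summary of the client IPs a submission credential was used from, which is what would have made the compromised "piet" password stand out. The log lines below are constructed in Postfix's standard smtpd/qmgr/smtp format; the host names, IPs and queue IDs are made up, and the login is reduced to the part before "@" because saslauthd checked only "piet" for "piet@puk.nl" in Paul's log.

```python
import re
from collections import defaultdict

# Constructed sample in Postfix's standard smtpd/qmgr/smtp log format; the
# host names, IPs and queue IDs are made up for this example.
SAMPLE_LOG = """\
Oct 23 11:02:15 sigmund postfix/submission/smtpd[19850]: 2758BBF4062: client=87-92-55-206.bb.dnainternet.fi[87.92.55.206], sasl_method=LOGIN, sasl_username=piet@puk.nl
Oct 23 11:02:15 sigmund postfix/qmgr[19700]: 2758BBF4062: from=<piet@puk.nl>, size=2048, nrcpt=40 (queue active)
Oct 23 11:02:16 sigmund postfix/smtp[19870]: 2758BBF4062: to=<victim@example.invalid>, relay=mx.example.invalid[192.0.2.25]:25, status=sent (250 ok)
Oct 23 11:30:01 sigmund postfix/submission/smtpd[19851]: 3A11CBF4070: client=pc.puk.nl[198.51.100.7], sasl_method=LOGIN, sasl_username=piet@puk.nl
Oct 23 11:30:02 sigmund postfix/qmgr[19700]: 3A11CBF4070: from=<piet@puk.nl>, size=900, nrcpt=1 (queue active)
Oct 23 11:45:09 sigmund postfix/submission/smtpd[19852]: 4B22DBF4081: client=other.example.net[203.0.113.9], sasl_method=LOGIN, sasl_username=piet@puk.nl
Oct 23 11:50:00 sigmund postfix/submission/smtpd[19853]: 5C33EBF4092: client=pc.puk.nl[198.51.100.7], sasl_method=LOGIN, sasl_username=anna
"""

# Queue ID sits right after "postfix/<daemon>[<pid>]: " on every per-message line.
QUEUE_ID = re.compile(r"postfix/\S+\[\d+\]: ([0-9A-F]{6,}): ")
# client=<name>[<ip>], ... sasl_username=<login> as smtpd logs it after SASL auth.
SASL = re.compile(r"client=\S+\[([0-9a-fA-F.:]+)\].*sasl_username=(\S+)")

def queue_id(line):
    """Return the queue ID of a log line, or None for lines without one."""
    m = QUEUE_ID.search(line)
    return m.group(1) if m else None

def lines_for_message(log, pattern):
    """All lines of every message that has a line matching pattern, i.e. the
    'grep <QUEUE_ID> mail.log' step after a hit on e.g. a recipient address."""
    ids = {queue_id(l) for l in log.splitlines() if re.search(pattern, l)}
    ids.discard(None)
    return [l for l in log.splitlines() if queue_id(l) in ids]

def client_ips_by_user(log):
    """Map each authenticated login to the set of client IPs it was used from.
    The login is cut at '@' to mirror the user=piet that saslauthd reported."""
    seen = defaultdict(set)
    for line in log.splitlines():
        m = SASL.search(line)
        if m:
            seen[m.group(2).split("@")[0]].add(m.group(1))
    return dict(seen)

def suspicious_logins(log, max_ips=2):
    """Logins used from more distinct client IPs than max_ips: a simple hint
    that a submission password is shared or compromised."""
    return sorted(u for u, ips in client_ips_by_user(log).items() if len(ips) > max_ips)
```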
RE: Open relay, found it

L.P.H. van Belle
Hi Paul,

I saw you got it fixed, compromised password as I suspected.  ;-)

I also saw this in your log:
from [127.0.0.1] (87-92-55-206.bb.dnainternet.fi [87.92.55.206]

This should never be allowed (from 127.0.0.1 on the external IP).
That's impossible IMO.

To fix that you can use something like below.
Just make sure every known hostname and IP number of the server is listed here.

Beware of these 3, they can give false positives.
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,


(pcre:/etc/postfix/helo.pcre)
## Namebase
/^ip6-localhost$/               554 Don't use my own hostname
/^localhost$/                   554 Don't use my own hostname
/^localhost\.localdomain$/      554 Don't use my own hostname
/^localhost\.yourdomain\.tld$/       554 Don't use my own hostname
/^localhost\.subdom\.yourdomain\.tld$/    554 Don't use my own hostname

/^yourdomain\.tld$/                  554 Don't use my own domainname
/^hostname\.yourdomain\.tld$/      554 Don't use my own hostname
/^hostname\.subdom\.yourdomain\.tld$/   554 Don't use my own hostname

## IP Based
/^127\.0\.0\.1$/                554 Don't use my own IP address
/^\[127\.0\.0\.1\]$/            554 Don't use my own IP address
/^\:\:1$/                       554 Don't use my own IP address
/^\[\:\:1\]$/                   554 Don't use my own IP address
/^1\.2\.3\.4$/                  554 Don't use my own IP address
/^\[1\.2\.3\.4\]$/              554 Don't use my own IP address
# and add ipv6 ip if you use it.

## Optional, but can give false blocks.
#/^[0-9.]+$/                     554 Your software is not RFC 2821 compliant: EHLO/HELO must be a hostname.domain.tld or an address-literal (IP enclosed in brackets)
#/^[0-9]+(\.[0-9]+){3}$/         554 Your software is not RFC 2821 compliant: EHLO/HELO must be a hostname.domain.tld or an address-literal (IP enclosed in brackets)
# /^[0-9.-]+$/                   550 Your software is not RFC 2821 compliant: EHLO/HELO must be a hostname.domain.tld or an address-literal (IP enclosed in brackets)
# /^[0-9]+(\.[0-9]+){3}$/       REJECT Invalid hostname


# added in main.cf
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    check_helo_access hash:/etc/postfix/overrule/allow_helo_access.map,
    check_helo_access pcre:/etc/postfix/pcre/helo.pcre,
    permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,
    reject_unauth_destination,
    reject_unauth_pipelining


Greetz,

Louis



> -----Original message-----
> From: [hidden email] [mailto:[hidden email]] On behalf of
> Paul van der Vlis
> Sent: Sunday 23 October 2016 13:51
> To: [hidden email]
> Subject: Re: Open relay, found it
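Louis warns that HELO checks can produce false positives, so a table like the one above deserves a dry run before it goes live. The harness below is an added example (not Louis's table and not Postfix's own lookup code): it loads a constructed, cut-down helo.pcre in Postfix pcre-table syntax, with mail.example.org and 192.0.2.10 as placeholders for the server's own name and IP, and reports which HELO names match a rule they should not. It assumes Postfix's first-match, case-insensitive pcre-table semantics and ignores the table's flag and negation syntax.

```python
import re

# Constructed helo.pcre in Postfix pcre-table syntax, modelled on the table
# in the thread; mail.example.org / 192.0.2.10 stand in for the real host/IP.
HELO_PCRE = r"""
## Namebase
/^localhost$/                    554 Don't use my own hostname
/^localhost\.localdomain$/       554 Don't use my own hostname
/^mail\.example\.org$/           554 Don't use my own hostname
## IP based (with or without the address-literal brackets)
/^\[?127\.0\.0\.1\]?$/           554 Don't use my own IP address
/^\[?::1\]?$/                    554 Don't use my own IP address
/^\[?192\.0\.2\.10\]?$/          554 Don't use my own IP address
"""

# Simplified rule syntax: "/pattern/ action"; flags and "!" negation are not handled.
RULE = re.compile(r"^/(.*)/\s+(.+)$")

def load_table(text):
    """Parse the table into (compiled pattern, action) pairs. Postfix matches
    pcre tables case-insensitively by default, so compile with IGNORECASE."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line!r}")
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules

def lookup(rules, helo):
    """First matching rule wins, as in Postfix; None means no rule matched."""
    for rx, action in rules:
        if rx.search(helo):
            return action
    return None

def check(rules, expectations):
    """HELO names whose result differs from what the admin expects (None means
    'must not be blocked'); an empty list means the table behaves as intended."""
    return [h for h, want in expectations.items() if lookup(rules, h) != want]
```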

