Postfix is not open relay but send spam


Postfix is not open relay but send spam

Julien Michaux

Hi everyone,

I have a problem with postfix.

I use OBM as a mail server (postfix + cyrus + ldap, etc.). My postfix is not an open relay:

220 xxxxxx ESMTP Postfix (Debian/GNU) [706 ms]
EHLO keeper-us-east-1c.mxtoolbox.com
250-xxxxxx
250-PIPELINING
250-SIZE 52428800
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN [702 ms]
MAIL FROM:[hidden email]
250 2.1.0 Ok [700 ms]
RCPT TO:[hidden email]
454 4.7.1 [hidden email]: Relay access denied [719 ms]

LookupServer 3927ms


From time to time, my server is attacked and it sends spam. All the spam is from a specific address, [hidden email].
I have tried many things but nothing works. I have to stop postfix for some hours, and the attack ends until the next time.

Can you give me advice or corrections to my config to ensure this attack cannot succeed, please?

Here is master.cf:
smtp      inet  n       -       n       -       -       smtpd -v
  -o receive_override_options=no_address_mappings
  -o content_filter=smtp-amavis:127.0.0.1:10024
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=$mua_recipient_restrictions
  -o milter_macro_daemon_name=ORIGINATING
  -o receive_override_options=no_address_mappings
  -o content_filter=smtp-amavis:127.0.0.1:10024
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=$mua_recipient_restrictions
  -o milter_macro_daemon_name=ORIGINATING
  -o receive_override_options=no_address_mappings
  -o content_filter=smtp-amavis:127.0.0.1:10024
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
smtp-amavis  unix  -    -       y       -       2       smtp
 -o smtp_data_done_timeout=1200
 -o disable_dns_lookups=yes
 -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n  -       y       -       -       smtpd
 -o content_filter=
 -o smtpd_helo_restrictions=
 -o smtpd_sender_restrictions=$mua_sender_restrictions

Here is main.cf:

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
myhostname = xxxxxxxx
myorigin = $myhostname
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
local_recipient_maps = $alias_maps
mydestination = localhost
virtual_transport = error:mailbox does not exist
virtual_mailbox_domains = hash:/etc/postfix/virtual_domains
virtual_mailbox_maps = hash:/etc/postfix/virtual_mailbox
virtual_alias_maps = hash:/etc/postfix/virtual_alias hash:/etc/postfix/virtual_alias_1pour1 pcre:/etc/postfix/virtual_alias_catchall
transport_maps = hash:/etc/postfix/transport
recipient_delimiter = +
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/obm/certs/fullchain.pem
smtpd_tls_key_file = /etc/obm/certs/privkey.pem
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
message_size_limit = 52428800
mua_sender_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_unknown_reverse_client_hostname,
   check_sender_access hash:/etc/postfix/sender_access
smtpd_helo_required = yes
mua_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname
mua_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_sender_login_mismatch,
   reject_invalid_helo_hostname,
   reject_non_fqdn_helo_hostname,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_sender_domain,
   reject_unknown_recipient_domain,
   reject_rhsbl_helo dbl.spamhaus.org,
   reject_rhsbl_reverse_client dbl.spamhaus.org,
   reject_rhsbl_sender dbl.spamhaus.org,
   reject_rbl_client zen.spamhaus.org
smtpd_sender_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_unknown_reverse_client_hostname,
   check_sender_access hash:/etc/postfix/sender_access
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname
smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_sender_login_mismatch,
   reject_invalid_helo_hostname,
   reject_non_fqdn_helo_hostname,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_sender_domain,
   reject_unknown_recipient_domain,
   reject_rhsbl_helo dbl.spamhaus.org,
   reject_rhsbl_reverse_client dbl.spamhaus.org,
   reject_rhsbl_sender dbl.spamhaus.org,
   reject_rbl_client zen.spamhaus.org
smtp_sender_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_unknown_reverse_client_hostname,
   check_sender_access hash:/etc/postfix/sender_access
smtp_helo_required = yes
smtp_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname
smtp_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_sender_login_mismatch,
   reject_invalid_helo_hostname,
   reject_non_fqdn_helo_hostname,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_sender_domain,
   reject_unknown_recipient_domain,
   reject_rhsbl_helo dbl.spamhaus.org,
   reject_rhsbl_reverse_client dbl.spamhaus.org,
   reject_rhsbl_sender dbl.spamhaus.org,
   reject_rbl_client zen.spamhaus.org

Thanks for your help


Michaux Julien
Email: [hidden email]

Re: Postfix is not open relay but send spam

Jaroslaw Rafa
On 15.10.2019 at 09:27:42 Julien Michaux wrote:
>
> Time to time, my server is attack and he sends spam. All spam are from a
> specific address "[hidden email]" <[hidden email]>.
> I tried many things but nothing works. I have to stop postfix for some
> hours and attack ends until next time.

Do you have a webmail on this server? Maybe the webmail is vulnerable and
gets abused?
--
Regards,
   Jaroslaw Rafa
   [hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."

Re: Postfix is not open relay but send spam

Bjoern Franke-2
In reply to this post by Julien Michaux
On 15.10.19 at 09:27 Julien Michaux wrote:
> Hi everyone,
>
> I have a problem with postfix.
>
> I use OBM as a mail server (postfix + cyrus + ldap, etc...). My postfix
> is not openrelay :
>

Do you see anything in the logs about how the spam enters your system?
Possibly an authenticated user, or something via localhost?

Regards


Re: Postfix is not open relay but send spam

@lbutlr
In reply to this post by Julien Michaux
On Oct 15, 2019, at 1:27 AM, Julien Michaux <[hidden email]> wrote:
> smtpd_helo_restrictions =
>     permit_mynetworks,

> smtpd_recipient_restrictions =
>    permit_mynetworks,

> smtp_sender_restrictions =
>    permit_mynetworks,

> smtp_helo_restrictions =
>     permit_mynetworks,

> smtp_recipient_restrictions =
>    permit_mynetworks,

(Etc etc)

There is no instance of permit_mynetworks in my main.cf not in my master.cf file.

Something on your networks that you have implicitly trusted is misbehaving. There is no reason to trust your network, instead make sure everything uses authentication.




Re: Postfix is not open relay but send spam

@lbutlr
On Oct 15, 2019, at 5:22 AM, @lbutlr <[hidden email]> wrote:
> There is no instance of permit_mynetworks in my main.cf not in my master.cf file.

There is no instance of permit_mynetworks in my main.cf *nor* in my master.cf file.



--
'It is always useful to face an enemy who is prepared to die for his
country,' he read. 'This means that both you and he have exactly the
same aim in mind.’


Re: Postfix is not open relay but send spam

Shawn Heisey-2
In reply to this post by Julien Michaux
On 10/15/2019 1:27 AM, Julien Michaux wrote:
> Time to time, my server is attack and he sends spam. All spam are from a
> specific address "[hidden email]" <mailto:[hidden email]>.
> I tried many things but nothing works. I have to stop postfix for some
> hours and attack ends until next time.

You would need to provide the mail log where postfix is logging during
the timeframe where the spam is being sent, so we can look for the
method that they are using to get through your defenses.

One of the most common methods that spammers use is to find out the
username and password of one of your users, and simply authenticate as
that user and send their spam using that connection.

I work for a large hosting provider.  I have only seen two methods that
spammers are using when they manage to send spam using one of our
servers.  In most cases, they discover somebody's password and simply
authenticate.  Sometimes they find a vulnerability in a PHP package,
typically some poorly written WordPress plugin, upload a script, and
then call that script to send mail via the local server.

Your main.cf does have permit_mynetworks as lbutlr noted, but I don't
see a definition for mynetworks, so my guess is that it's not as much of
a problem as lbutlr thought.

Thanks,
Shawn

Re: Postfix is not open relay but send spam

Tobi
In reply to this post by Julien Michaux
Hi

shoot me if I'm wrong ;-) but I think your smtp service is an open
relay?! I don't see reject_unauth_destination after your
permit_mynetworks and permit_sasl_authenticated. That means (at least
afaik) that any mail will be accepted as long as it does not hit one of
your reject_* statements.
So for your submission/smtps service I'd recommend adding a final reject
to the restrictions, and for the smtpd_recipient_restrictions I'd
recommend adding reject_unauth_destination directly after
permit_sasl_authenticated. Imho it would be preferable to disable AUTH
on port 25 anyway (but that might start "religious" discussions here ;-))

I wonder a bit that your postfix allows processing mail at all, because
the man page says:

> IMPORTANT: Either the smtpd_relay_restrictions or the
> smtpd_recipient_restrictions parameter must specify at least one of
> the following restrictions. Otherwise Postfix will refuse to receive
> mail:
>
>    reject, reject_unauth_destination
>
>    defer, defer_if_permit, defer_unauth_destination

Another thing I wonder about is your output from mxtoolbox test. It
shows your server rejects with a 4xx temporary reject. That should be a
5xx. I think postfix complains about something in its logs.

Cheers

--

tobi

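Tobi's observation can be checked mechanically, and the 454 in the mxtoolbox transcript at the top of the thread has a simple explanation: when main.cf does not set smtpd_relay_restrictions, Postfix 2.10 and later applies the built-in default permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination, and defer_unauth_destination answers an unauthorised relay attempt with a temporary 4xx reply (the 454 seen above) where reject_unauth_destination would give a permanent 5xx. The following is an added example, not code from the thread or from Postfix itself, that parses main.cf text, fills in that default, reports which guard answers a relay attempt, and applies Tobi's fix (reject_unauth_destination directly after permit_sasl_authenticated, plus an explicit smtpd_relay_restrictions). The sample configuration is a constructed excerpt of the poster's main.cf with a placeholder hostname.

```python
"""Check a Postfix main.cf for the anti-relay guard discussed in the thread.
Added example, not code from the thread or from Postfix itself."""
import re

# postconf(5): one of these must appear in smtpd_relay_restrictions or
# smtpd_recipient_restrictions, otherwise Postfix refuses to receive mail.
RELAY_GUARDS = {
    "reject", "reject_unauth_destination",
    "defer", "defer_if_permit", "defer_unauth_destination",
}

# Built-in default of smtpd_relay_restrictions (Postfix 2.10 and later); it is
# what applies when main.cf does not set the parameter, as in the poster's config.
DEFAULT_RELAY_RESTRICTIONS = [
    "permit_mynetworks", "permit_sasl_authenticated", "defer_unauth_destination",
]

# Constructed sample: an excerpt of the poster's main.cf, which sets
# smtpd_recipient_restrictions but never smtpd_relay_restrictions.
SAMPLE_MAIN_CF = """\
myhostname = mail.example.invalid
smtpd_helo_required = yes
smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_sender_login_mismatch,
   reject_non_fqdn_recipient,
   reject_unknown_recipient_domain,
   reject_rbl_client zen.spamhaus.org
"""


def parse_main_cf(text):
    """Parse main.cf syntax: 'key = value', continuation lines start with
    whitespace, '#' starts a comment."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        key, sep, value = raw.partition("=")
        if sep:
            current = key.strip()
            params[current] = value.strip()
    return params


def split_restrictions(value):
    """Split a restriction list on commas/whitespace, keeping an argument such as
    the DNSBL in 'reject_rbl_client zen.spamhaus.org' attached to its restriction."""
    items = []
    for token in re.split(r"[,\s]+", value.strip()):
        if not token:
            continue
        if token.startswith(("permit", "reject", "defer", "check_", "warn_if_reject", "$")) or not items:
            items.append(token)
        else:
            items[-1] += " " + token
    return items


def effective_restrictions(params):
    """Relay and recipient restriction lists, substituting Postfix's built-in
    default when smtpd_relay_restrictions is not set in main.cf."""
    if "smtpd_relay_restrictions" in params:
        relay = split_restrictions(params["smtpd_relay_restrictions"])
    else:
        relay = list(DEFAULT_RELAY_RESTRICTIONS)
    recipient = split_restrictions(params.get("smtpd_recipient_restrictions", ""))
    return relay, recipient


def relay_guards(params):
    """Guards in evaluation order: smtpd_relay_restrictions is evaluated before
    smtpd_recipient_restrictions."""
    relay, recipient = effective_restrictions(params)
    return [r for r in relay + recipient if r.split()[0] in RELAY_GUARDS]


def relay_denial_class(params):
    """Reply class an unauthorised relay attempt gets: the first guard decides;
    defer* gives a 4xx (temporary) reply, reject* a 5xx (permanent) one."""
    guards = relay_guards(params)
    if not guards:
        return "none"
    return "4xx" if guards[0].startswith("defer") else "5xx"


def harden(params):
    """Apply Tobi's suggestion: reject_unauth_destination directly after
    permit_sasl_authenticated in smtpd_recipient_restrictions, plus an explicit
    smtpd_relay_restrictions so the 4xx default is no longer relied on."""
    _, recipient = effective_restrictions(params)
    fixed = dict(params)
    fixed["smtpd_relay_restrictions"] = (
        "permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination")
    names = [r.split()[0] for r in recipient]
    if "reject_unauth_destination" not in names:
        if "permit_sasl_authenticated" in names:
            idx = names.index("permit_sasl_authenticated") + 1
        else:  # otherwise after the leading permit_* entries
            idx = 0
            while idx < len(names) and names[idx].startswith("permit"):
                idx += 1
        recipient = recipient[:idx] + ["reject_unauth_destination"] + recipient[idx:]
    fixed["smtpd_recipient_restrictions"] = ", ".join(recipient)
    return fixed


if __name__ == "__main__":
    cfg = parse_main_cf(SAMPLE_MAIN_CF)
    print("guards in effect:", relay_guards(cfg), "->", relay_denial_class(cfg))
    for key in ("smtpd_relay_restrictions", "smtpd_recipient_restrictions"):
        print(f"{key} =\n   " + ",\n   ".join(split_restrictions(harden(cfg)[key])))
```

On the sample the only guard in effect is the default defer_unauth_destination, which is why an outside relay attempt gets 454 rather than 554; after harden() the first guard is reject_unauth_destination and the answer becomes permanent. Note that none of this touches the actual abuse in the thread, which comes in through permit_sasl_authenticated: a relay guard only helps against clients that never authenticate.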

Re: Postfix is not open relay but send spam

allenc
In reply to this post by Julien Michaux


On 15/10/2019 08:27, Julien Michaux wrote:
> Time to time, my server is attack and he sends spam. All spam are from a
> specific address "[hidden email]" I tried many things but nothing works> I have to stop postfix for some hours and attack ends until next time.
>

Have you tried putting "[hidden email] reject" into your sender_access file?

It is a crude quick-fix, and would also put a marker in your log-file.

hope this helps

allen C

Re: Postfix is not open relay but send spam

Julien Michaux
Hi,

Here is a log :

Oct 13 19:41:28 mail postfix/qmgr[15506]: 8F189379357: removed
Oct 13 19:41:28 mail postfix/smtps/smtpd[25100]: warning: hostname server-185-153-197-48.cloudedic.net does not resolve to address 185.153.197.48
Oct 13 19:41:28 mail postfix/smtps/smtpd[25100]: connect from unknown[185.153.197.48]
Oct 13 19:41:28 mail postfix/smtps/smtpd[25100]: Anonymous TLS connection established from unknown[185.153.197.48]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Oct 13 19:41:29 mail postfix/smtps/smtpd[25100]: 5A064379357: client=unknown[185.153.197.48], sasl_method=LOGIN, sasl_username=[hidden email]
Oct 13 19:41:32 mail postfix/cleanup[25103]: 5A064379357: message-id=<>
Oct 13 19:41:32 mail postfix/qmgr[15506]: 5A064379357: from=<[hidden email]>, size=727, nrcpt=50 (queue active)
Oct 13 19:41:32 mail postfix/smtps/smtpd[25100]: disconnect from unknown[185.153.197.48]
Oct 13 19:41:33 mail postfix/smtpd[25140]: connect from unknown[127.0.0.1]
Oct 13 19:41:33 mail postfix/smtpd[25140]: 215EB37B4A0: client=unknown[127.0.0.1]
Oct 13 19:41:33 mail postfix/cleanup[25103]: 215EB37B4A0: message-id=<[hidden email]>
Oct 13 19:41:33 mail postfix/smtpd[25140]: disconnect from unknown[127.0.0.1]
Oct 13 19:41:33 mail postfix/qmgr[15506]: 215EB37B4A0: from=<[hidden email]>, size=1151, nrcpt=50 (queue active)
Oct 13 19:41:33 mail amavis[10290]: (10290-20) Passed SPAM {RelayedOpenRelay,Quarantined}, [185.153.197.48]:58902 [185.153.197.48] <[hidden email]> -> <[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<frankbot184...
Oct 13 19:41:33 mail amavis[10290]: (10290-20) ...@podbot.com>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>, Queue-ID: 5A064379357, mail_id: 1Gke7LvbPH2x, Hits: 22.384, size: 727, queued_as: 215EB37B4A0, 695 ms

Yes, I did put cyrus in my sender_access:
#cat sender_access
cyrus REJECT
[hidden email] REJECT

Michaux Julien
Email: [hidden email]


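The log excerpt above is the key evidence: each spam run is an authenticated smtps session (client=unknown[...], sasl_method=LOGIN, sasl_username=...) followed by a qmgr line with nrcpt=50, while the second queue id on 127.0.0.1 is only amavis re-injecting the same message. The following is an added example, not the poster's or Postfix's code, that joins the smtpd client= line to the qmgr from=/nrcpt= line through the queue id and summarises, per SASL account, how many messages and recipients were seen, from how many distinct client addresses, and whether those clients lacked reverse DNS. The log lines are constructed to match the shape of the excerpt (documentation addresses, placeholder account names), and the thresholds in suspicious_users are assumptions to be tuned per site.

```python
"""Attribute Postfix submissions to SASL accounts and flag abuse patterns.
Added example for this thread, not the poster's or Postfix's own code."""
import re
from collections import defaultdict

# Constructed sample log, shaped like the poster's excerpt but with documentation
# addresses (192.0.2.0/24) and placeholder account names. The amavis re-injection
# on 127.0.0.1 carries no sasl_username and is therefore not counted.
SAMPLE_LOG = """\
Oct 13 19:41:28 mail postfix/smtps/smtpd[25100]: warning: hostname host-192-0-2-10.example.invalid does not resolve to address 192.0.2.10
Oct 13 19:41:28 mail postfix/smtps/smtpd[25100]: connect from unknown[192.0.2.10]
Oct 13 19:41:29 mail postfix/smtps/smtpd[25100]: 5A064379357: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=cyrus
Oct 13 19:41:32 mail postfix/qmgr[15506]: 5A064379357: from=<cyrus@example.invalid>, size=727, nrcpt=50 (queue active)
Oct 13 19:41:32 mail postfix/smtps/smtpd[25100]: disconnect from unknown[192.0.2.10]
Oct 13 19:41:33 mail postfix/smtpd[25140]: 215EB37B4A0: client=unknown[127.0.0.1]
Oct 13 19:41:33 mail postfix/qmgr[15506]: 215EB37B4A0: from=<cyrus@example.invalid>, size=1151, nrcpt=50 (queue active)
Oct 13 19:50:02 mail postfix/submission/smtpd[25200]: 7B1C2379400: client=laptop.example.invalid[192.0.2.20], sasl_method=PLAIN, sasl_username=alice
Oct 13 19:50:02 mail postfix/qmgr[15506]: 7B1C2379400: from=<alice@example.invalid>, size=2048, nrcpt=1 (queue active)
Oct 13 20:03:11 mail postfix/smtps/smtpd[25300]: 9C0D1379500: client=unknown[192.0.2.11], sasl_method=LOGIN, sasl_username=cyrus
Oct 13 20:03:12 mail postfix/qmgr[15506]: 9C0D1379500: from=<cyrus@example.invalid>, size=730, nrcpt=50 (queue active)
"""

# smtpd line of an authenticated session: service name, queue id, client, SASL user.
AUTH_RE = re.compile(
    r"postfix/(?P<service>\S+)\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\].*?sasl_username=(?P<user>\S+)")
# qmgr line carrying the envelope sender and recipient count for that queue id.
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, "
    r"size=\d+, nrcpt=(?P<nrcpt>\d+)")


def parse_sasl_sessions(log_text):
    """Join each authenticated smtpd session to its qmgr line via the queue id."""
    sessions = {}
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            sessions[m["qid"]] = {
                "qid": m["qid"], "service": m["service"], "host": m["host"],
                "ip": m["ip"], "user": m["user"], "sender": None, "nrcpt": 0,
            }
            continue
        m = QMGR_RE.search(line)
        if m and m["qid"] in sessions:
            sessions[m["qid"]]["sender"] = m["sender"]
            sessions[m["qid"]]["nrcpt"] = int(m["nrcpt"])
    return list(sessions.values())


def summarize_by_user(sessions):
    """Per SASL account: message count, total and peak recipients, distinct
    client IPs, and how many clients had no reverse DNS (logged as 'unknown')."""
    summary = defaultdict(lambda: {
        "messages": 0, "recipients": 0, "max_nrcpt": 0, "ips": set(), "no_rdns": 0})
    for s in sessions:
        u = summary[s["user"]]
        u["messages"] += 1
        u["recipients"] += s["nrcpt"]
        u["max_nrcpt"] = max(u["max_nrcpt"], s["nrcpt"])
        u["ips"].add(s["ip"])
        if s["host"] == "unknown":
            u["no_rdns"] += 1
    return dict(summary)


def suspicious_users(summary, max_nrcpt=20, min_ips=2):
    """Flag accounts that fan out to many recipients per message from clients
    without reverse DNS, or that log in from several addresses: the shape of a
    compromised account rather than of a person's mail client. Thresholds are
    assumptions to tune per site."""
    flagged = set()
    for user, u in summary.items():
        if u["max_nrcpt"] >= max_nrcpt and u["no_rdns"] > 0:
            flagged.add(user)
        if len(u["ips"]) >= min_ips:
            flagged.add(user)
    return sorted(flagged)


if __name__ == "__main__":
    summary = summarize_by_user(parse_sasl_sessions(SAMPLE_LOG))
    for user, u in summary.items():
        print(f"{user}: {u['messages']} msgs, {u['recipients']} rcpts, "
              f"{len(u['ips'])} client IPs, {u['no_rdns']} without rDNS")
    print("suspicious:", suspicious_users(summary))
```

On the sample only the cyrus account is flagged. The same attribution also shows why the sender_access entry did not stop the run: in mua_sender_restrictions, permit_sasl_authenticated comes before check_sender_access, and a restriction list stops at the first PERMIT, so for an authenticated client the sender_access lookup is never reached. Blocking a specific SASL account needs check_sasl_access (Postfix 2.11 and later, keyed on sasl_username) placed before permit_sasl_authenticated, or, more simply, disabling that login at the SASL backend.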

Re: Postfix is not open relay but send spam

Jaroslaw Rafa
On 15.10.2019 at 16:47:59 Julien Michaux wrote:
> Oct 13 19:41:29 mail postfix/smtps/smtpd[25100]: 5A064379357:
> client=unknown[185.153.197.48], sasl_method=LOGIN, sasl_username=
> [hidden email]

This line says that the client at IP address 185.153.197.48 managed to
authenticate to your server as "[hidden email]" and started to send
mail.

Are you sure your authentication is working OK?
--
Regards,
   Jaroslaw Rafa
   [hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."

Re: Postfix is not open relay but send spam

Julien Michaux
Do you have a way to test authentication with smtps?

AUTH LOGIN over smtp is disabled, so postfix replies: 503 5.5.1 Error: authentication not enabled

Michaux Julien
Email: [hidden email]



Re: Postfix is not open relay but send spam

Bill Cole-3
On 15 Oct 2019, at 11:15, Julien Michaux wrote:

> Do you have a way to test authentification with smtps ?


openssl s_client -connect <hostname or IP>:465

That will negotiate an SSL/TLS connection with the given host on port
465 (smtps) and leave you inside the encrypted session as if you'd used
'telnet <hostname>:25'

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Re: Postfix is not open relay but send spam

Thilo Molitor
Or use
openssl s_client -starttls smtp -connect <hostname or IP>:25
for tls on port 25 (in case port 465 is not configured on your server or the
configuration differs from port 25)



Re: Postfix is not open relay but send spam

Viktor Dukhovni
In reply to this post by Julien Michaux
On Tue, Oct 15, 2019 at 05:15:38PM +0200, Julien Michaux wrote:

> Do you have a way to test authentification with smtps ?

Why bother?  Your "cyrus" account has a password that is weak,
leaked or perhaps even empty.  Disable logins by "cyrus", you surely
don't need them.

--
        Viktor.

Re: Postfix is not open relay but send spam

Bill Cole-3
In reply to this post by Thilo Molitor
On 15 Oct 2019, at 13:24, Thilo Molitor wrote:

> Or use
> openssl s_client -starttls smtp -connect <hostname or IP>:25
> for tls on port 25 (in case port 465 is not configured on your server
> or the
> configuration differs from port 25)

See the original poster's earlier message: his issue is specifically
with a spammer authenticating on port 465, auth is disabled on port 25.
(As it should be.)




--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire