Re: possible localhost dns spoof attack

  • Jamie
    Message 1 of 32, Feb 26, 2013
      Sure... the log entries are not altered in any way.

      *** /etc/hostname ***

      serve.stimulussoft.com

      *** /etc/hosts ***

      127.0.0.1 localhost.localdomain localhost
      71.6.200.51 serve.stimulussoft.com serve.mailarchiva.com

      *** postfix configuration ***

      alias_database = hash:/etc/aliases
      alias_maps = hash:/etc/aliases
      append_dot_mydomain = no
      biff = no
      broken_sasl_auth_clients = yes
      config_directory = /etc/postfix
      content_filter = smtp-amavis:[127.0.0.1]:10024
      header_checks = pcre:/etc/postfix/header_checks
      home_mailbox = Maildir/
      inet_interfaces = all
      mailbox_command =
      mailbox_size_limit = 0
      mydestination = $mydomain, $myhostname, serve.mailarchiva.com,
          serve.stimulussoft.com, localhost.stimulussoft.com, localhost,
          mailarchiva.com
      myhostname = serve.stimulussoft.com
      myorigin = /etc/mailname
      readme_directory = no
      recipient_delimiter = +
      relayhost =
      smtp_host_lookup = dns, native
      smtp_tls_note_starttls_offer = yes
      smtp_tls_security_level = may
      smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
      smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
      smtpd_helo_required = yes
      smtpd_helo_restrictions = permit_mynetworks
          permit_sasl_authenticated reject_invalid_hostname
          reject_non_fqdn_hostname
      smtpd_recipient_restrictions =
          permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
      smtpd_sasl_auth_enable = yes
      smtpd_sasl_local_domain =
      smtpd_sasl_security_options = noanonymous
      smtpd_tls_CAfile = /root/certs/rootcerts.pem
      smtpd_tls_auth_only = no
      smtpd_tls_cert_file = /root/certs/archiva.pem
      smtpd_tls_key_file = /root/certs/mailarchiva.key
      smtpd_tls_loglevel = 1
      smtpd_tls_mandatory_ciphers = medium, high
      smtpd_tls_mandatory_protocols = SSLv3, TLSv1
      smtpd_tls_received_header = yes
      smtpd_tls_req_ccert = no
      smtpd_tls_security_level = may
      smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
      smtpd_tls_session_cache_timeout = 3600s
      smtpd_use_tls = no
      tls_random_source = dev:/dev/urandom
      virtual_alias_domains = hash:/etc/postfix/mydomains
      virtual_alias_maps = hash:/etc/postfix/virtual

      On 2013/02/26 3:32 PM, Deeztek.com Support wrote:
      > On 2/26/2013 7:52 AM, Eero Volotinen wrote:
      >>> Like I said, as soon as I blocked the troublesome IPs the problem went
      >>> away. Thus, it cannot be a local script. Furthermore, we are not even
      >>> running Apache. We are running Tomcat with custom developed Java apps.
      >>>
      >>> I also ran tcpdump on localhost to see if there was traffic being
      >>> received on localhost. Guess what? While the spamming was taking place
      >>> there was no smtp traffic passing through on localhost port 25.
      >> You should still recheck your mail server configuration, looks like
      >> your server is an open relay?
      >>
      >> --
      >> Eero
      >
    • Benny Pedersen
      Message 32 of 32, Feb 28, 2013
        Jamie wrote on 2013-02-26 11:32:

        > We would appreciate your thoughts.

        Check that you do not have external nameservers that can resolve localhost
        to 127.0.0.1, but show logs of what postfix really did. Even if the sender
        IP is localhost it should not allow relaying, unless you have
        permit_mynetworks too early; that's why I only allow SMTP auth relaying,
        even from localhost/RFC1918 IPs.

        To minimise the risk, you should only trust localhost nameservers.

        And possibly it would make sense to reject clients whose MX is set to
        localhost or 127.0.0.1.

        Well, I admit I'm just speculating here, so logs please, with postconf -n.
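The two checks Benny asks for above (that no permit grants relaying ahead of reject_unauth_destination in Jamie's posted smtpd_recipient_restrictions, and that only loopback resolvers are trusted) as a small lint over a `postconf -n` dump and a resolv.conf. This is an added example, not code from the thread or from Postfix; the postconf sample is a constructed subset mirroring the configuration Jamie posted (mynetworks absent, as in the dump), and the resolv.conf sample is made up, with a public resolver included so that it produces a finding.

```python
"""Lint a `postconf -n` dump and an /etc/resolv.conf for the two issues raised
in this thread: a permit that lets clients relay before reject_unauth_destination,
and name lookups that trust a non-loopback resolver.  Added example; the sample
inputs below are constructed, not taken from a live host."""
import ipaddress
import re

# Constructed sample: the relay-relevant subset of the posted postconf -n output.
# mynetworks is deliberately absent, as it was in the posted dump.
SAMPLE_POSTCONF = """\
inet_interfaces = all
mydestination = $mydomain, $myhostname, serve.mailarchiva.com,
    serve.stimulussoft.com, localhost.stimulussoft.com, localhost,
    mailarchiva.com
myhostname = serve.stimulussoft.com
smtpd_helo_restrictions = permit_mynetworks
    permit_sasl_authenticated reject_invalid_hostname
    reject_non_fqdn_hostname
smtpd_recipient_restrictions =
    permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_sasl_auth_enable = yes
"""

# Constructed sample resolv.conf; the public resolver is there to trigger a finding.
SAMPLE_RESOLV_CONF = """\
nameserver 127.0.0.1
nameserver 8.8.8.8
search stimulussoft.com
"""

STOP_RULES = ("reject_unauth_destination", "defer_unauth_destination")
# Permits that are normal ahead of reject_unauth_destination, provided their inputs
# (SASL credentials, $mynetworks) are actually trustworthy.
EXPECTED_PERMITS = ("permit_sasl_authenticated", "permit_mynetworks")


def parse_postconf(text):
    """Parse 'key = value' lines; a line starting with whitespace continues the previous value."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:
            params[key] = (params[key] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue
        key = name.strip()
        params[key] = value.strip()
    return params


def restriction_list(value):
    """Postfix splits restriction lists on commas and/or whitespace."""
    return [item for item in re.split(r"[\s,]+", value) if item]


def relay_findings(params):
    """Report permits that grant relaying before (or instead of) reject_unauth_destination."""
    findings = []
    mynetworks = params.get("mynetworks", "not set; default comes from mynetworks_style")
    for name in ("smtpd_relay_restrictions", "smtpd_recipient_restrictions"):
        if name not in params:
            continue
        rules = restriction_list(params[name])
        stops = [i for i, rule in enumerate(rules) if rule in STOP_RULES]
        if not stops:
            findings.append(f"{name}: no reject_unauth_destination, this is an open relay")
            continue
        before = rules[: stops[0]]
        for rule in before:
            if rule == "permit" or (rule.startswith("permit_") and rule not in EXPECTED_PERMITS):
                findings.append(f"{name}: {rule} precedes reject_unauth_destination and relays for whatever it matches")
        if "permit_mynetworks" in before:
            findings.append(f"{name}: permit_mynetworks precedes reject_unauth_destination; "
                            f"everything in $mynetworks may relay (mynetworks = {mynetworks})")
    return findings


def resolver_findings(resolv_conf):
    """Flag nameservers that are not loopback: Postfix hostname lookups will trust their answers."""
    findings = []
    for line in resolv_conf.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        try:
            addr = ipaddress.ip_address(fields[1])
        except ValueError:
            findings.append(f"unparseable nameserver entry: {line.strip()}")
            continue
        if not addr.is_loopback:
            findings.append(f"nameserver {addr} is not a loopback resolver")
    return findings


def lint(postconf_text, resolv_conf_text):
    """Combine both checks; an empty list means nothing to report."""
    return relay_findings(parse_postconf(postconf_text)) + resolver_findings(resolv_conf_text)


if __name__ == "__main__":
    for finding in lint(SAMPLE_POSTCONF, SAMPLE_RESOLV_CONF):
        print("WARNING:", finding)
```

On the posted configuration the lint reports only that permit_mynetworks precedes reject_unauth_destination while mynetworks is not set explicitly; whether that matters depends on what $mynetworks expands to (Postfix 2.x derives it from mynetworks_style, whose default of subnet trusts the whole local subnet, not just loopback), which is exactly why the thread asks for the postconf -n output. Postfix 2.10 and later also evaluate smtpd_relay_restrictions, so the lint checks that list when it is present. The lint does no DNS itself; Benny's last suggestion, rejecting senders whose MX resolves to 127.0.0.1, is what Postfix's check_sender_mx_access restriction with a CIDR table covering 127.0.0.0/8 is for.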