Re: possible localhost dns spoof attack

  • Wietse Venema
    Message 1 of 32 , Feb 26, 2013
      Noel Jones:
      > > Earlier today I noticed a spammer using my Postfix server as a relay
      > > to send out spam. This was puzzling because I had all requisite anti
      > > relay host settings applied. Further, it was particularly alarming
      > > that Postfix seemed to be receiving the spam messages from localhost
      > > as indicated:
      > >
      > > connect from localhost.localdomain[127.0.0.1]
      ...
      > If postfix logs a connection from 127.0.0.1, the connection *really
      > is* from localhost. Maybe you were looking at a content_filter log
      > line?

      I agree (and I wrote this code). The Postfix SMTP server logs

      connect from localhost.localdomain[127.0.0.1]

      when the connection is made from a local IP address (for example a
      local content filter, or a local application) and you have
      localhost.localdomain in /etc/hosts (or in DNS but that's unlikely).

      In contrast, the Postfix SMTP server logs

      connect from unknown[x.x.x.x]

      for connections that come from a remote IP address that has a PTR
      record of localhost.

      Also, the Postfix SMTP server is hard-coded to log

      connect from localhost[127.0.0.1]

      (no "localdomain" here) when invoked as "sendmail -bs". In that case
      there is no IP address and I just make it up.

      Only the first of the three forms matches what you report.

      Wietse
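The three "connect from" forms described in the reply above, turned into a small log classifier. This is an added example, not code from the thread or from Postfix; the log lines are constructed for the example, and the category names are my own.

```python
import ipaddress
import re

# Constructed sample lines in standard syslog/Postfix smtpd format (not real logs).
# The last line is deliberately inconsistent: a non-loopback address logged with a
# localhost name. Per the reply above Postfix logs such a client as "unknown", so a
# line like this should not appear in genuine smtpd output.
SAMPLE_LOG = """\
Feb 26 10:01:02 mx postfix/smtpd[1234]: connect from localhost.localdomain[127.0.0.1]
Feb 26 10:01:05 mx postfix/smtpd[1235]: connect from unknown[203.0.113.45]
Feb 26 10:01:09 mx postfix/smtpd[1236]: connect from localhost[127.0.0.1]
Feb 26 10:01:12 mx postfix/smtpd[1237]: connect from localhost.localdomain[203.0.113.77]
"""

CONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: connect from (?P<name>\S+)\[(?P<ip>[^\]]+)\]"
)


def classify(name, ip):
    """Map a logged client name/address pair onto the forms from the reply above."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback and name == "localhost":
        # Form 3: hard-coded name used for "sendmail -bs"; there is no real socket.
        return "local-sendmail-bs"
    if addr.is_loopback:
        # Form 1: local content filter or local application; name came from /etc/hosts.
        return "local-client"
    if name == "unknown":
        # Form 2: remote address whose reverse name could not be resolved and verified,
        # which includes remote hosts with a PTR record of "localhost".
        return "remote-no-verified-rdns"
    if name.startswith("localhost"):
        # Not one of the three forms: worth alerting on and inspecting the full log.
        return "inconsistent-alert"
    # Postfix logs a real name only after resolving and verifying it.
    return "remote-verified-rdns"


def scan(log_text):
    """Return (name, ip, category) for every smtpd connect line in log_text."""
    results = []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            results.append((m["name"], m["ip"], classify(m["name"], m["ip"])))
    return results


if __name__ == "__main__":
    for name, ip, category in scan(SAMPLE_LOG):
        print(f"{category:24} {name}[{ip}]")
```

The classifier only labels the connect line; whether relaying was then permitted is decided by the smtpd_recipient_restrictions order that the later reply mentions, so the surrounding log lines still need reading.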
    • Benny Pedersen
      Message 32 of 32 , Feb 28, 2013
        Jamie wrote on 2013-02-26 11:32:

        > We would appreciate your thoughts.

        check that you do not have external nameservers that can resolve localhost
        into 127.0.0.1, but show logs on what postfix really did, even if sender
        ip is localhost it should not allow relaying, unless you have
        permit_mynetwork too early; that's why I only allow smtp auth relaying,
        even from localhost/rfc1918 ips

        to minimise the risk you should only trust localhost nameservers

        and possibly it would make sense to reject clients that have mx set as
        localhost or 127.0.0.1

        well, I admit it's just speculation here, so logs please, with postconf -n