Re: possible localhost dns spoof attack
- Noel Jones:
> > Earlier today I noticed a spammer using my Postfix server as a relay...
> > to send out spam. This was puzzling because I had all requisite anti-relay
> > host settings applied. Further, it was particularly alarming
> > that Postfix seemed to be receiving the spam messages from localhost
> > as indicated:
> > connect from localhost.localdomain[127.0.0.1]
> If postfix logs a connection from 127.0.0.1, the connection *really
> is* from localhost. Maybe you were looking at a content_filter log

I agree (and I wrote this code). The Postfix SMTP server logs
connect from localhost.localdomain[127.0.0.1]
when the connection is made from a local IP address (for example a
local content filter, or a local application) and you have
localhost.localdomain in /etc/hosts (or in DNS but that's unlikely).
In contrast, the Postfix SMTP server logs
connect from unknown[x.x.x.x]
for connections that come from a remote IP address that has a PTR
record of localhost.
Also, the Postfix SMTP server is hard-coded to log
connect from localhost[127.0.0.1]
(no "localdomain" here) when invoked as "sendmail -bs". In that case
there is no IP address and I just make it up.
Only the first of the three forms matches what you report.
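As an added illustration (not code from the thread or from Postfix itself), the following Python snippet reads smtpd "connect from" lines and labels each one according to the three forms listed above: a real loopback peer, a remote peer whose PTR did not verify, and the hard-coded "sendmail -bs" form. The sample log lines are constructed, and the label names are my own; a name of "localhost" paired with a non-loopback address is flagged as an anomaly because a verified lookup should never produce it.

```python
import re
from ipaddress import ip_address

# Constructed sample smtpd log lines (not from the thread), one for each of
# the three forms described above plus one ordinary remote client.
SAMPLE_LOG = """\
Feb 26 11:20:01 mx postfix/smtpd[1234]: connect from localhost.localdomain[127.0.0.1]
Feb 26 11:20:05 mx postfix/smtpd[1235]: connect from unknown[192.0.2.77]
Feb 26 11:20:09 mx postfix/smtpd[1236]: connect from localhost[127.0.0.1]
Feb 26 11:20:12 mx postfix/smtpd[1237]: connect from mail.example.net[198.51.100.9]
"""

CONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: connect from (?P<name>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
)


def classify(name, ip):
    """Map a 'name[ip]' pair from a connect line to one of the forms in the thread."""
    addr = ip_address(ip)
    if addr.is_loopback:
        if name == "localhost":
            # Hard-coded by smtpd for "sendmail -bs": there is no socket peer at all.
            return "sendmail-bs"
        # A genuine loopback peer (content filter, local application); the
        # name comes from the local resolver, typically /etc/hosts.
        return "loopback"
    if name == "unknown":
        # Remote peer whose PTR did not verify. A remote host with a PTR of
        # "localhost" lands here, because the forward lookup does not match.
        return "remote-unverified"
    if name == "localhost" or name.startswith("localhost."):
        # Should not occur with a verified lookup; worth an alert if it does.
        return "anomaly-localhost-name-remote-ip"
    return "remote"


def parse_connections(log_text):
    """Return [(name, ip, label)] for every smtpd 'connect from' line."""
    result = []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            result.append((m["name"], m["ip"], classify(m["name"], m["ip"])))
    return result


if __name__ == "__main__":
    for name, ip, label in parse_connections(SAMPLE_LOG):
        print(f"{label:35} {name}[{ip}]")
```

Run it against a real mail log to see which of the forms you actually have; only the "loopback" label corresponds to a connection that truly arrived over 127.0.0.1.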
- Jamie wrote on 2013-02-26 11:32:
> We would appreciate your thoughts.

Check that you have no external nameservers that can resolve localhost
into 127.0.0.1, but show logs on what postfix really did; even if the sender
IP is localhost it should not allow relaying, unless you have
permit_mynetworks too early. That's why I only allow SMTP AUTH relaying,
even from localhost/RFC 1918 IPs.
To minimise the risk you should only trust localhost nameservers,
and possibly it would make sense to reject clients that have MX set as
localhost or 127.0.0.1.
Well, I admit I'm just speculating here, so logs please, with postconf -n.
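As an added example (not code from the thread or from Postfix), here is a small Python audit of "postconf -n" output that checks the two points raised in this reply: whether mynetworks contains anything beyond loopback space, and whether permit_mynetworks (or any other permit_* rule other than permit_sasl_authenticated) sits before reject_unauth_destination in smtpd_recipient_restrictions or smtpd_relay_restrictions (the latter exists in newer Postfix releases). Both configuration excerpts are constructed; the "auth-only" policy the audit enforces is the poster's stated policy, not a Postfix default.

```python
import re
from ipaddress import ip_network

# Two constructed postconf -n excerpts (not from the thread). The first is
# the kind of setup the reply warns about; the second follows the
# auth-only relaying policy it describes.
WEAK_POSTCONF = """\
mynetworks = 127.0.0.0/8 [::1]/128 10.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
"""

AUTH_ONLY_POSTCONF = """\
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination
"""

# Restriction lists in which a permit_* before reject_unauth_destination
# grants relaying.
RELAY_LISTS = ("smtpd_relay_restrictions", "smtpd_recipient_restrictions")


def parse_postconf(text):
    """Turn 'name = value' lines (postconf -n style) into a dict."""
    params = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def split_list(value):
    # Postfix accepts commas and/or whitespace as list separators.
    return [tok for tok in re.split(r"[,\s]+", value) if tok]


def audit(params):
    """Return findings as strings; an empty list means the auth-only policy holds."""
    findings = []

    # 1. Under an auth-only policy, mynetworks should hold only loopback space.
    for tok in split_list(params.get("mynetworks", "")):
        try:
            net = ip_network(re.sub(r"[\[\]]", "", tok), strict=False)
        except ValueError:
            # Table lookups such as hash:/path or "!" exclusions: review by hand.
            findings.append(f"mynetworks: cannot parse '{tok}', review by hand")
            continue
        if not net.is_loopback:
            findings.append(
                f"mynetworks: {tok} is not loopback; permit_mynetworks would relay for it"
            )

    # 2. Any permit_* placed before reject_unauth_destination grants relaying
    #    to whatever that permit matches, without authentication.
    for name in RELAY_LISTS:
        if name not in params:
            continue
        rules = split_list(params[name])
        if "reject_unauth_destination" not in rules:
            findings.append(f"{name}: no reject_unauth_destination, open relay risk")
            continue
        stop = rules.index("reject_unauth_destination")
        for rule in rules[:stop]:
            if rule == "permit_mynetworks":
                findings.append(
                    f"{name}: permit_mynetworks before reject_unauth_destination "
                    "relays for all of mynetworks without authentication"
                )
            elif rule.startswith("permit") and rule != "permit_sasl_authenticated":
                findings.append(f"{name}: {rule} before reject_unauth_destination")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_POSTCONF), ("auth-only", AUTH_ONLY_POSTCONF)):
        print(f"--- {label}")
        for finding in audit(parse_postconf(text)) or ["no findings"]:
            print(" ", finding)
```

Feed it the real "postconf -n" output with parse_postconf() and read the findings alongside the log lines; a permit_mynetworks finding together with a genuine loopback "connect from" is exactly the combination that lets a local process relay without authenticating.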