
Spam - relay issue

  • Papadopoulos Nikolaos
    Message 1 of 6, Sep 26, 2013
      Dear friends,

      We have Postfix ver2.3.3 on RHEL5, which was working fine for several years.
      Please find below the output of postconf -n

      alIias_database = hash:/etc/aliases
      alias_maps = hash:/etc/aliases
      command_directory = /usr/sbin
      config_directory = /etc/postfix
      daemon_directory = /usr/libexec/postfix
      debug_peer_level = 2
      html_directory = no
      inet_interfaces = all
      mail_owner = postfix
      mailbox_size_limit = 0
      mailq_path = /usr/bin/mailq.postfix
      manpage_directory = /usr/share/man
      message_size_limit = 10240000
      mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
      mydomain = xyz.gr
      myhostname = mail.xyz.gr
      mynetworks = 192.168.0.0/16, 10.0.0.0/8, 127.0.0.0/8
      myorigin = $mydomain
      newaliases_path = /usr/bin/newaliases.postfix
      queue_directory = /var/spool/postfix
      readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
      sample_directory = /usr/share/doc/postfix-2.3.3/samples
      sendmail_path = /usr/sbin/sendmail.postfix
      setgid_group = postdrop
      smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains
      smtpd_sasl_auth_enable = yes
      smtpd_sasl_local_domain = $myhostname
      smtpd_sasl_security_options = noanonymous
      smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access,
      reject_unknown_sender_domain
      unknown_local_recipient_reject_code = 550


      During the last few days we have faced a huge problem with spam emails, as if our server were an open relay. For example, the majority of spam emails in the mail queue show as sender: meng.edwn@...<mailto:meng.edwn@...>

      1) How can I find out which IP address these emails come from?
      2) I tried to reject mail from and to meng.edwn@...<mailto:meng.edwn@...> without success.
      More specifically, I created sender_access and recipient_access with meng.edwn@...<mailto:meng.edwn@...> REJECT
      Could you please tell me what is wrong and why there are still emails from mend.edwn@...<mailto:mend.edwn@...> ?

      Best Regards,

      Nikos
    • Viktor Dukhovni
      Message 2 of 6, Sep 26, 2013
        On Thu, Sep 26, 2013 at 08:17:51PM +0300, Papadopoulos Nikolaos wrote:

        > We have Postfix ver2.3.3 on RHEL5, which was working fine for several years.
        > Please find below the output of postconf -n
        >
        > smtpd_recipient_restrictions =
        > permit_sasl_authenticated,
        > permit_mynetworks,
        > check_relay_domains

        The "check_relay_domains" restriction is long deprecated, and no
        longer supported by current versions of Postfix. Strongly consider
        using "reject_unauth_destination" instead. The "check_relay_domains"
        legacy feature cannot be made reliable.

        You have no anti-spam controls beyond blocking unauthorized relaying,
        consider adding a suitable RBL (zen.spamhaus.org is a good start,
        possibly via a paid feed if your traffic volume is high enough).

        > smtpd_sasl_auth_enable = yes
        > smtpd_sasl_local_domain = $myhostname
        > smtpd_sasl_security_options = noanonymous

        One or more of your SASL accounts may be compromised.

        > During the last days we face huge problem by spam emails, as if
        > our server is open relay.

        Incoming spam or outgoing spam? Your configuration is not an open
        relay per-se, but it is possible that you relay mail from trusted
        sources (other machines in your domain, authenticated users, ...)
        or locally submitted via compromised web applications.

        > For example, the majority of spam emails in the mail queue show as sender:
        >
        > meng.edwn@...

        Sender addresses of spam are often forged, do not generally indicate
        where the spam is really from and filtering them is not by itself
        an effective defense against spam.

        > 1) how can I find out from which IP address do these emails come from?

        1. YOUR MAIL LOGS!

        2. If a spam message is still in the queue, use "postcat -q <queueid>"
        to see the message envelope records, headers and body. The envelope
        and topmost Received header will show the origin of the message.

        --
        Viktor.
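To make Viktor's two recommendations concrete, here is the restriction list from the postconf -n output above beside a corrected form. This is an added illustration, not a configuration posted in the thread; only smtpd_recipient_restrictions changes, the rest of main.cf stays as posted.

```text
# As posted: relaying is decided by the deprecated check_relay_domains,
# and nothing rejects spam from arbitrary Internet hosts.
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    check_relay_domains

# Corrected: reject_unauth_destination refuses to relay to domains this
# host is not responsible for, then a DNSBL lookup rejects mail from
# listed client IPs. Order matters. Postfix evaluates the list left to
# right and stops at the first permit or reject, so trusted senders are
# permitted first (an RBL placed before them would bounce your own users
# whose home connections happen to be listed), and reject_unauth_destination
# precedes the RBL so the DNS lookup is only made for mail that would
# otherwise be accepted.
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org
```

After editing main.cf, confirm with postconf -n that the new value is in effect and run postfix reload. Note the limit of this change: permit_sasl_authenticated and permit_mynetworks still accept everything from authenticated accounts and from 192.168.0.0/16 and 10.0.0.0/8 before the RBL is consulted, so spam submitted by a compromised SASL account or an infected LAN host, which is what the rest of the thread is about, is not stopped by it.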
      • /dev/rob0
        Message 3 of 6, Sep 26, 2013
          On Thu, Sep 26, 2013 at 08:17:51PM +0300, Papadopoulos Nikolaos wrote:
          > We have Postfix ver2.3.3 on RHEL5, which was working fine for
          > several years. Please find below the output of postconf -n

          Logs are necessary. This is not enough to be able to help.

          > smtpd_recipient_restrictions = permit_sasl_authenticated,
          > permit_mynetworks, check_relay_domains

          check_relay_domains was deprecated years before your very old Postfix
          was released. Not the cause of the problem, but worthy of note.

          > smtpd_sasl_auth_enable = yes
          > smtpd_sasl_local_domain = $myhostname
          > smtpd_sasl_security_options = noanonymous
          > smtpd_sender_restrictions = check_sender_access
          > hash:/etc/postfix/sender_access, reject_unknown_sender_domain

          > During the last days we face huge problem by spam emails, as if our
          > server is open relay. For example, the majority of spam emails in
          > the mail queue show as sender:
          > meng.edwn@...<mailto:meng.edwn@...>

          With a "<mailto:..." like that, or are you using a broken MUA?

          If the spams continue to come in, "service postfix stop" right now.
          There is no point in letting the problem get worse.

          > 1) how can I find out from which IP address do these emails come
          > from?

          Read your logs. Find the FIRST appearance of one of the queue IDs of
          the spams. Share those few lines if you need help. (No, not your
          entire log file.)

          > 2) I tried to reject mail from and to
          > meng.edwn@...<mailto:meng.edwn@...> without sucess.
          > More specifically, I created sender_access and recipient_access
          > with meng.edwn@...<mailto:meng.edwn@...> REJECT
          > Could you please inform me what is wrong and there are still
          > emails by mend.edwn@...<mailto:mend.edwn@...> ?

          Not really. Logs are necessary.

          Anyway, on that last line you had "mend." while all the others are
          "meng." Typo? Check (and show) your /etc/postfix/sender_access file.

          Are you using submission with settings which override the global
          smtpd_sender_restrictions?

          Finally: you have some sort of compromise. Blocking a sender address
          might solve the immediate problem, but it will not repair the
          compromise. We'll have to see more before we can advise further.
          --
          http://rob0.nodns4.us/ -- system administration and consulting
          Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
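To show the log work Viktor ("your mail logs", postcat -q) and rob0 ("find the first appearance of one of the queue IDs") are asking for, here is an added example script; it is not code from the thread or from Postfix. It takes each queue ID's first log line, records where the message entered the system (SMTP client IP, SASL username, or a local pickup uid), and tallies those origins for a given envelope sender. The log lines are constructed in the format Postfix 2.x writes to /var/log/maillog on RHEL5; hostnames, IPs, users and queue IDs are made up, and the sender address is a placeholder for the one in the thread.

```python
import re
import sys
from collections import Counter

# Constructed sample of /var/log/maillog lines (Postfix 2.x format). Every
# queue ID is introduced either by an smtpd "client=" line (network or SASL
# submission) or by a pickup "uid=" line (local submission through
# sendmail(1), e.g. from a web application; uid 48 is the apache user on RHEL).
SAMPLE_LOG = """\
Sep 26 19:02:11 mail postfix/smtpd[12345]: A1B2C3D4E5: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=nikos
Sep 26 19:02:11 mail postfix/qmgr[3210]: A1B2C3D4E5: from=<meng.edwn@example.invalid>, size=2311, nrcpt=40 (queue active)
Sep 26 19:02:13 mail postfix/smtp[12360]: A1B2C3D4E5: to=<someone@example.net>, relay=mx.example.net[203.0.113.5]:25, delay=2, status=sent (250 OK)
Sep 26 19:03:45 mail postfix/pickup[3211]: F6E5D4C3B2: uid=48 from=<apache>
Sep 26 19:03:45 mail postfix/qmgr[3210]: F6E5D4C3B2: from=<meng.edwn@example.invalid>, size=1980, nrcpt=25 (queue active)
Sep 26 19:05:00 mail postfix/smtpd[12346]: 0011223344: client=pc17.xyz.gr[192.168.4.17]
Sep 26 19:05:00 mail postfix/qmgr[3210]: 0011223344: from=<meng.edwn@example.invalid>, size=2102, nrcpt=30 (queue active)
Sep 26 19:06:30 mail postfix/smtpd[12345]: 5566778899: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=nikos
Sep 26 19:06:30 mail postfix/qmgr[3210]: 5566778899: from=<meng.edwn@example.invalid>, size=2290, nrcpt=40 (queue active)
Sep 26 19:07:02 mail postfix/smtpd[12347]: 99AABBCCDD: client=mx.partner.example[203.0.113.9]
Sep 26 19:07:02 mail postfix/qmgr[3210]: 99AABBCCDD: from=<colleague@partner.example>, size=812, nrcpt=1 (queue active)
"""

# "Mon DD HH:MM:SS host postfix/<prog>[pid]: <QUEUEID>: <rest>"; lines without a
# queue ID (connect/disconnect, NOQUEUE rejects) do not match and are skipped.
LINE_RE = re.compile(r'^\S+ +\d+ [\d:]+ \S+ postfix/(?P<prog>[\w-]+)\[\d+\]: '
                     r'(?P<qid>[0-9A-F]+): (?P<rest>.*)$')
CLIENT_RE = re.compile(r'client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]'
                       r'(?:.*sasl_username=(?P<user>\S+))?')
PICKUP_RE = re.compile(r'uid=(?P<uid>\d+) from=<(?P<from>[^>]*)>')
FROM_RE = re.compile(r'from=<(?P<from>[^>]*)>')


def parse_maillog(text):
    """Return {queue_id: {'origin': str, 'from': str}} for raw maillog text.

    The origin comes from the FIRST line that introduces a queue ID: an smtpd
    client= line (with sasl_username when the client authenticated) or a
    pickup uid= line. The envelope sender comes from the qmgr from=<> record.
    """
    messages = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prog, qid, rest = m.group('prog', 'qid', 'rest')
        rec = messages.setdefault(qid, {'origin': None, 'from': None})
        if prog == 'smtpd' and rec['origin'] is None:
            c = CLIENT_RE.search(rest)
            if c and c.group('user'):
                rec['origin'] = 'sasl:%s@%s' % (c.group('user'), c.group('ip'))
            elif c:
                rec['origin'] = 'client:%s' % c.group('ip')
        elif prog == 'pickup' and rec['origin'] is None:
            p = PICKUP_RE.search(rest)
            if p:
                rec['origin'] = 'local:uid=%s(%s)' % (p.group('uid'), p.group('from'))
        elif prog == 'qmgr' and rec['from'] is None:
            f = FROM_RE.search(rest)
            if f:
                rec['from'] = f.group('from')
    return messages


def origins_for_sender(messages, sender):
    """Count submission origins of messages whose envelope sender is `sender`."""
    counts = Counter()
    for rec in messages.values():
        if rec['from'] == sender and rec['origin']:
            counts[rec['origin']] += 1
    return counts


def queue_ids_for_sender(messages, sender):
    """Queue IDs for `sender`, e.g. to inspect with: postcat -q <queueid>"""
    return sorted(q for q, rec in messages.items() if rec['from'] == sender)


if __name__ == "__main__":
    # usage: origins.py [/var/log/maillog] [spam-sender]; defaults use the sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    sender = sys.argv[2] if len(sys.argv) > 2 else "meng.edwn@example.invalid"
    msgs = parse_maillog(text)
    for origin, n in origins_for_sender(msgs, sender).most_common():
        print("%5d  %s" % (n, origin))
    print("queue IDs for postcat -q:", " ".join(queue_ids_for_sender(msgs, sender)))
```

On the sample the tally shows three distinct origins for the same forged sender: an authenticated account ("sasl:nikos@198.51.100.23", a compromised SASL login), a local submission by uid 48 ("local:uid=48(apache)", a compromised web application), and an unauthenticated host inside mynetworks ("client:192.168.4.17", an infected LAN machine). Each needs a different fix, and none of them is addressed by a sender_access REJECT; the mail from the partner domain is left out of the tally because its sender differs. Real logs carry more record types than the three the regexes read, which is fine since those lines are simply skipped.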
        • LuKreme
          Message 4 of 6, Sep 26, 2013
            On 26 Sep 2013, at 11:17 , Papadopoulos Nikolaos <n-pap@...> wrote:

            > alIias_database = hash:/etc/aliases

            huh?
          • Papadopoulos Nikolaos
            Message 5 of 6, Oct 1, 2013
              It's a copy-paste mistake.

            • Papadopoulos Nikolaos
              Message 6 of 6, Oct 1, 2013
                Hello,

                I did the following, and for the last 5 days there has been no more spam.
                1) The users' passwords were very simple and may have been compromised. We changed all of them to more complex ones.
                2) We ran antivirus on the entire network and cleaned a lot of viruses, malware etc.
                3) We blocked through the firewall a couple of IP addresses that the logs showed as suspicious.
                4) We used sender_access and recipient_access to reject some emails.

                For the last 5 days it seems that we do not have a problem with spam. However, we are also currently looking for an anti-spam solution in order to prevent similar problems in the future.

                Thanks.
