Logs?
Send the relevant logs so people can analyze the problem.

On 6/8/23 22:36, Richard Troy wrote:

Hi All,
This is my first posting here, and maybe I should have found this WAY
back in January, '23, if not LONG before. I want to be, but I find it
difficult here to be brief. ... Surely background will help:
A 27 or so year old Fedora / Postfix / Dovecot site I built had a
major disaster in January and I've not yet been able to fully recover
because Dovecot has let the damned spammers in again and again and
again and again! OH, sure, I got it down to a trickle, but these few
Russian sites always managed to get their spam through and I just had
to shut Dovecot down entirely. I never found out how they got in, etc.
And I've STRONGLY suspected Dovecot got cracked - at least the modern
version in the youngest version for the youngest Fedora we had back in
January - uh, Fedora Server 37 - I've forgotten the matching Dovecot
version.
In the disaster, we lost /var but not /etc, so I figured recovery
would be easy and for nearly everything, it was. But NOT Dovecot (and
insofar as it matters, Postfix), and in these 5+ months I've tried so
many things, I'm sure I've forgotten most of them and I don't know
that a retroactive look is worth doing.
...I kept some notes that might be useful if anyone wants to see the
evidence of the cracking, but in short, I kept a constant watch on the
logs and when ANY relay happened that shouldn't, I'd instantly know it
and shut things off entirely. However, that became untenable as I
couldn't find the problem and had to just shut it off, pissing off
users, etc, but I've had to do things like spend a month and a half
traveling, and so forth and, well... Life goes on, as the saying goes.
---
NOW I want to try again.
It's my perception that it's a waste of time to even LOOK at the old
Dovecot configuration stuff. I feel I need to REMOVE it ALL, and I
could use some help being SURE to get it all gone. And then I think I
need to do a FULL new installation. Overkill? IDK.
I could use some advice about SAFE ways to make changes and test to
ensure we do NOT become an open mail relay EVER AGAIN.
ALSO WORTH SAYING is that if Dovecot were all that damned safe and
secure I wouldn't so easily be able to propose a new feature that
would make a HUGE difference to sites like mine: Give me a white-list
of the ONLY accounts that can relay; NOTHING ELSE can relay. ... THAT
would do it! But no! Neither in Postfix nor Dovecot is there such a
thing!
Combine that with a greylist type function where the usual IP
addresses for particular users were let through, and new ones delayed,
THAT would be awesome, too! And this isn't even all that hard to do -
I could do it if I didn't already have a thousand obligations in life!
And if someone tells me I'm wrong and points me at how to do these
things, I'll fall out of my damned chair! And after picking myself up,
I'll find a way to send that person some sort of gift. THIS WOULD HAVE
SOLVED ALL MY PROBLEMS. And I'm sure MANY others could use this, too!
---
THIS configuration:
I'd like to find a way to have both virtual and our existing "unix
accounts" users.
IF we had an IMAP supported password CHANGING scheme, we'd gladly run
encrypted passwords, but there isn't, and we haven't invented
(finished inventing!) our own web-way to change 'em and so we're stuck
with plain text until one of these things changes.
BTW, isn't this a HUGE and OBVIOUS hole that should have been fixed
decades ago?! If a major provider like the Dovecot.org team added a
way to update passwords to the IMAP protocol, all the rest of the
folks would follow along for sure! OR, "is that a thing" and I'm just
ignorant of it?
So, again, plain-text, in cram, of course. What else? Coach me on "the
right way" if you want, but if users can't change it themselves,
they'd rather I can retrieve it for them if needed... I'm sure the
corporate world doesn't do it this way, but their code isn't open
source, or am I wrong?...
---
In closing I don't actually anticipate ANY help.
My father, an even earlier computer user than me, once observed, "you
can ask for information until you're blue in the face, and nobody will
say a thing, but post the WRONG thing and a hundred people will post
to point out you're wrong!"
GIVEN how EASY it is to have your email system become an instant open
relay at the hands of the spammers out there, how the hell Dovecot can
advertise the way it is WITHOUT a serious guide about this is just
frustrating and laughable. But I'd love to be shown where they DO help
with this!
Thanks for any and all help,
Richard
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org