Guy wrote:
Hi guys,
I've got some mail in the queue that's clearly spam. The from address
is [EMAIL PROTECTED] and the source server is
"7c.91.5746.static.theplanet.com [70.87.145.124]" The recipient
addresses are random domains that do not belong to me. The server is
supposed to be a gateway and outgoing server for our users.
I've tried telnet to port 25 on the box and get relay access denied
trying to send to a non-local domain (gmail.com). So either my config
is completely screwed (which is very possible) or I've got a
compromised user. If it's a compromised user, is it possible for
postfix to include the authenticated username in the message headers?
Below is a postconf -n from the gateway/smtp server. Any advice on
what I'm missing or bad settings would be great. Also, which of the
standard config examples would cover what I'm trying to do with this
server? Or should I just start reading through the base configuration?
Or should I just hurry up and get the Book of Postfix? :P
Thanks
Guy
You don't appear to have any errors in your postconf -n that
could possibly cause an open relay.
To find the source of the spam, grep your logs for the QUEUEID
displayed by the mailq command. If the mail has been in the
logs a couple days, you may need to examine logs that have
been rotated out. The objective is to find the first entry
referring to the unwanted mail and determine how it entered
postfix. If it was SASL authenticated, that will be logged.
Another common point of abuse is web scripts. If your server
has www software on it, that could be the problem.
Postfix 2.3 and later can report the SASL user in the headers:
http://www.postfix.org/postconf.5.html#smtpd_sasl_authenticated_header
Postfix 2.5 and newer also support RFC 3848 to report
authentication/encryption status in the Received: header, but
this doesn't record the user name.
--
Noel Jones
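The log-tracing procedure Noel describes, as an added example that is not part of the thread: pull the queue IDs out of "mailq", find the first log line for each, and report whether the message arrived SASL-authenticated, from an unauthenticated SMTP client, or via local pickup (the web-script case). The mailq listing, log lines, queue IDs, hostnames and addresses are all constructed.

```python
import re

# Constructed sample data (not from the original thread): a `mailq` listing
# with two held messages, and the Postfix log lines that mention them.
SAMPLE_MAILQ = """\
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5!     2345 Mon Jun  2 10:15:02  joe@example.invalid
                                         victim@otherdomain.invalid
F0F1F2F3F4!      980 Mon Jun  2 10:20:11  www-data@gw.example.invalid
                                         someone@elsewhere.invalid
"""
SAMPLE_LOG = """\
Jun  2 10:15:01 gw postfix/smtpd[2101]: connect from unknown[192.0.2.10]
Jun  2 10:15:02 gw postfix/smtpd[2101]: A1B2C3D4E5: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=joe
Jun  2 10:15:02 gw postfix/qmgr[1990]: A1B2C3D4E5: from=<joe@example.invalid>, size=2345, nrcpt=1 (queue active)
Jun  2 10:20:11 gw postfix/pickup[1991]: F0F1F2F3F4: uid=33 from=<www-data>
Jun  2 10:20:11 gw postfix/qmgr[1990]: F0F1F2F3F4: from=<www-data@gw.example.invalid>, size=980, nrcpt=1 (queue active)
"""
# A mailq entry starts with the hex queue ID; a trailing '!' means "on hold".
QUEUE_ID_RE = re.compile(r"^([0-9A-F]{6,})[*!]?\s", re.M)

def queue_ids(mailq_output):
    """Queue IDs listed by `mailq`."""
    return QUEUE_ID_RE.findall(mailq_output)

def first_entry(log_text, qid):
    """Earliest log line tagged with this queue ID, or None if it was rotated out."""
    tag = ": %s: " % qid
    for line in log_text.splitlines():
        if tag in line:
            return line
    return None

def how_it_entered(line):
    """Classify the first entry: SASL user, local pickup (uid), or plain SMTP client."""
    if line is None:
        return {"via": "unknown (log rotated?)"}
    m = re.search(r"sasl_username=(\S+)", line)
    if m:
        return {"via": "sasl", "user": m.group(1)}
    m = re.search(r"postfix/pickup\[\d+\]: \w+: uid=(\d+) from=<([^>]*)>", line)
    if m:
        return {"via": "local pickup", "uid": int(m.group(1)), "from": m.group(2)}
    m = re.search(r"client=(\S+)", line)
    if m:
        return {"via": "smtp unauthenticated", "client": m.group(1).rstrip(",")}
    return {"via": "other", "line": line}

def trace_queue(mailq_output, log_text):
    """Map each queued message to how it entered Postfix."""
    return {q: how_it_entered(first_entry(log_text, q)) for q in queue_ids(mailq_output)}
```

On a real box, feed it the output of "mailq" and the concatenation of the current and rotated mail logs, since a message that has sat in the queue for days will have its first entry in an older file.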
[EMAIL PROTECTED]:/var/spool/postfix/hold# postconf -n
2bounce_notice_recipient = [EMAIL PROTECTED]
anvil_rate_time_unit = 60s
bounce_notice_recipient = [EMAIL PROTECTED]
bounce_template_file = /etc/postfix/bounce.cf
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
cyrus_sasl_config_path = /etc/postfix/sasl/
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 30
delay_notice_recipient = [EMAIL PROTECTED]
error_notice_recipient = [EMAIL PROTECTED]
home_mailbox = .maildir/
html_directory = /usr/share/doc/postfix-2.2.10/html
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains = sbl-xbl.spamhaus.org
message_size_limit = 31240000
mynetworks = 127.0.0.0/8, 72.9.230.26
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
rbl_reply_maps = hash:/etc/postfix/rbl_reply
readme_directory = /usr/share/doc/postfix-2.2.10/readme
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_client_connection_count_limit = 30
smtpd_client_connection_rate_limit = 100
smtpd_client_message_rate_limit = 100
smtpd_client_recipient_rate_limit = 100
smtpd_error_sleep_time = 1s
smtpd_hard_error_limit = 20
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_invalid_hostname,
reject_non_fqdn_sender, reject_unknown_sender_domain,
reject_unauth_destination, check_recipient_access
hash:/etc/postfix/spamlovers, check_client_access
cidr:/etc/postfix/postfix-dnswl-permit, reject_rbl_client
zen.spamhaus.org, reject_rbl_client bl.spamcop.net,
reject_rbl_client psbl.surriel.com, reject_rhsbl_client
zen.spamhaus.org, reject_rhsbl_client bl.spamcop.net,
check_policy_service inet:127.0.0.1:10031, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_soft_error_limit = 10
smtpd_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtpd_tls_cert_file = /etc/ssl/certs/imapd.pem
smtpd_tls_key_file = /etc/ssl/private/imapd.pem
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
mysql:/etc/postfix/mysql_virtual_catchall_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_transport = smtp:barracuda.aluminati.org