> -----Original Message-----
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Noel Jones
> Sent: Thursday, February 19, 2009 9:14 AM
> To: Tait Grove; 'Postfix users'
> Subject: Re: Hacking activity
>
> Tait Grove wrote:
> > Somehow, out of the blue, my postfix setup is allowing relaying. I pass
> > all the relay tests, but a hacker has figured out how to send email
> > through my server without authenticating. I have checked my server for
> > being an open relay and all the tests are passing. The only error log
> > entry that is showing up that may be related is:
> >
> > Feb 19 08:40:31 post-app3 postfix/smtpd[31907]: warning: connect #10 to subsystem private/verify: Connection refused
> > --
> > Feb 19 08:40:31 post-app3 postfix/smtpd[32157]: warning: connect #8 to subsystem private/verify: Connection refused
> > Feb 19 08:40:31 post-app3 postfix/smtpd[33028]: fatal: connect #11 to subsystem private/verify: Connection refused
> > Feb 19 08:40:31 post-app3 postfix/pipe[31861]: warning: connect #8 to subsystem private/verify: Connection refused
> > --
> > Feb 19 08:40:32 post-app3 postfix/qmgr[31126]: warning: private/dovecot socket: malformed response
> > Feb 19 08:40:32 post-app3 postfix/qmgr[31126]: warning: transport dovecot failure -- see a previous warning/fatal/panic logfile record for the problem description
> > Feb 19 08:40:32 post-app3 postfix/qmgr[31126]: warning: private/dovecot socket: malformed response
> > Feb 19 08:40:32 post-app3 postfix/qmgr[31126]: warning: transport dovecot failure -- see a previous warning/fatal/panic logfile record for the problem description
> > Feb 19 08:40:32 post-app3 postfix/qmgr[31126]: warning: private/dovecot socket: malformed response
> > Feb 19 08:40:32 post-app3 postfix/qmgr[31126]: warning: transport dovecot failure -- see a previous warning/fatal/panic logfile record for the problem description
> > --
> > Feb 19 08:40:37 post-app3 postfix/pipe[33777]: warning: connect #6 to subsystem private/verify: Connection refused
> > Feb 19 08:40:37 post-app3 postfix/smtpd[32018]: fatal: connect #11 to subsystem private/verify: Connection refused
> >
> > I updated postfix and related software, the issue is still happening. Do
> > these messages mean anything about my specific problem?
> >
> > -- T
>
> The log entries you show are irrelevant to your stated problem.
>
> You need to examine logs of messages that you think should not
> have been accepted or relayed.
>
> Please see http://www.postfix.org/DEBUG_README.html#mail
>
> -- Noel Jones
I did open a few of the messages. The user has taken over the dovecot account. So all the emails are coming from dove...@local.servername.net through postfix. I thought for sure an account had been compromised. Dovecot is a local, unix user, with nologin and the account is locked out as far as the OS is concerned. I looked at my webmail, thinking that could be the case, but they are not getting in through there. Somehow they are piping commands into my mail to get it to send email out - tons of stuff to/from Brazil.

My CONF file:

alias_database = hash:/etc/mail/aliases
alias_maps = hash:/etc/mail/aliases
bounce_queue_lifetime = 2d
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
disable_vrfy_command = yes
enable_original_recipient = no
html_directory = no
inet_interfaces = 127.0.0.1, localhost, $myhostname
invalid_hostname_reject_code = 550
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maps_rbl_reject_code = 554
maximal_backoff_time = 5135s
maximal_queue_lifetime = 2d
message_size_limit = 40960000
minimal_backoff_time = 535s
mydestination = localhost.$mydomain, $mydomain, localhost, $myhostname
myhostname = post-app3.tdpserver.net
mynetworks = 127.0.0.0/8, {EXTERNAL_IP_RANGE}/8, {INTERNAL_IP_RANGE}/25, $myhostname
newaliases_path = /usr/local/bin/newaliases
non_fqdn_reject_code = 504
proxy_interfaces = {INTERNAL_IP_TO_THIS_SERVER}
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
queue_directory = /var/spool/postfix
queue_run_delay = 535s
readme_directory = no
relay_domains =
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_sasl_password_maps = proxy:mysql:$config_directory/mysql_virtual_mailbox_maps.cf
smtp_tls_CAfile = /usr/local/share/certs/ca-root.crt
smtp_tls_cert_file = /usr/local/etc/dovecot/certs/tdpserver.crt
smtp_tls_key_file = /usr/local/etc/dovecot/certs/tdpserver.key
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_client_connection_rate_limit = 400
smtpd_client_event_limit_exceptions = $mynetworks, {INTERNAL_IP_RANGE}/8, 127.0.0.1, {EXTERNAL_IP_RANGE}/25, localhost
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit
smtpd_recipient_limit = 3000
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, check_policy_service inet:127.0.0.1:10031, reject_unauth_destination, warn_if_reject reject_unverified_recipient, reject_unknown_sender_domain, check_recipient_access hash:$config_directory/recipient.list, reject_rbl_client cbl.abuseat.org, reject_rbl_client zen.spamhaus.org, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /usr/local/share/certs/ca-root.crt
smtpd_tls_ask_ccert = no
smtpd_tls_cert_file = /usr/local/etc/dovecot/certs/tdpserver.crt
smtpd_tls_key_file = /usr/local/etc/dovecot/certs/tdpserver.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
soft_bounce = no
transport_maps = hash:/etc/mail/transport
unknown_local_recipient_reject_code = 550
unverified_sender_reject_code = 550
virtual_alias_maps = proxy:mysql:$config_directory/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:125
virtual_mailbox_base = /NFS1MAILDIR/mailSysV2
virtual_mailbox_domains = proxy:mysql:$config_directory/mysql_virtual_domains_maps.cf
virtual_mailbox_limit_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
virtual_mailbox_maps = proxy:mysql:$config_directory/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 142
virtual_transport = dovecot
virtual_uid_maps = static:125

Anywhere else I should dig into? Can I monitor the SMTP command requests coming into postfix somehow?

-- T
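The advice in the thread (DEBUG_README#mail) is to stop reading the verify/dovecot warnings and instead follow the queue ID of a message that should not have been relayed through the log. The script below is an added example, not code from the thread or from the Postfix project: it groups Postfix log lines by queue ID and, for each message delivered to a non-local domain, reports which path admitted it. That answers the question the posts are circling: mail accepted by smtpd with a `client=` line and a `sasl_username` came in authenticated; a `client=` line with no `sasl_username` was admitted by `permit_mynetworks` or by a relay-rule gap; and a `pickup: uid=... from=<...>` line means the message was injected locally through sendmail(1)/postdrop and never saw `smtpd_recipient_restrictions` at all, which is what "piping commands into my mail" would look like. All log lines, hosts, addresses, the local-domain set and the `mynetworks` list are constructed for the example; the `mynetworks` value here is deliberately narrow, whereas the posted main.cf grants `permit_mynetworks` to an entire /8, so with that list any client in the /8 would classify as trusted.

```python
import ipaddress
import re
from collections import defaultdict

# Added example, not the thread's or Postfix's own code. Log lines, queue IDs,
# hosts, addresses and the LOCAL_DOMAINS / MYNETWORKS values are constructed.
SAMPLE_LOG = """\
Feb 19 08:40:31 post-app3 postfix/smtpd[31907]: 7A1B2C3D4E: client=unknown[198.51.100.7]
Feb 19 08:40:31 post-app3 postfix/cleanup[31910]: 7A1B2C3D4E: message-id=<20090219084031.7A1B2C3D4E@post-app3.example.net>
Feb 19 08:40:31 post-app3 postfix/qmgr[31126]: 7A1B2C3D4E: from=<dovecot@local.example.net>, size=2311, nrcpt=2 (queue active)
Feb 19 08:40:32 post-app3 postfix/smtp[31920]: 7A1B2C3D4E: to=<alvo@example.com.br>, relay=mx.example.com.br[203.0.113.5]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 OK)
Feb 19 08:40:32 post-app3 postfix/smtp[31920]: 7A1B2C3D4E: to=<outro@example.com.br>, relay=mx.example.com.br[203.0.113.5]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 OK)
Feb 19 08:40:32 post-app3 postfix/qmgr[31126]: 7A1B2C3D4E: removed
Feb 19 08:41:02 post-app3 postfix/pickup[31100]: 5F6E7D8C9B: uid=125 from=<dovecot@local.example.net>
Feb 19 08:41:02 post-app3 postfix/cleanup[31910]: 5F6E7D8C9B: message-id=<20090219084102.5F6E7D8C9B@post-app3.example.net>
Feb 19 08:41:02 post-app3 postfix/qmgr[31126]: 5F6E7D8C9B: from=<dovecot@local.example.net>, size=1980, nrcpt=1 (queue active)
Feb 19 08:41:03 post-app3 postfix/smtp[31921]: 5F6E7D8C9B: to=<alvo@example.com.br>, relay=mx.example.com.br[203.0.113.5]:25, delay=0.8, delays=0.1/0/0.3/0.4, dsn=2.0.0, status=sent (250 OK)
Feb 19 08:42:10 post-app3 postfix/smtpd[31950]: 1A2B3C4D5E: client=laptop.example.net[192.0.2.9], sasl_method=PLAIN, sasl_username=alice@example.net
Feb 19 08:42:10 post-app3 postfix/qmgr[31126]: 1A2B3C4D5E: from=<alice@example.net>, size=800, nrcpt=1 (queue active)
Feb 19 08:42:11 post-app3 postfix/smtp[31922]: 1A2B3C4D5E: to=<bob@example.org>, relay=mx.example.org[203.0.113.9]:25, delay=0.5, delays=0.1/0/0.2/0.2, dsn=2.0.0, status=sent (250 OK)
Feb 19 08:43:00 post-app3 postfix/smtpd[31960]: 8B7A6F5E4D: client=mail.example.org[203.0.113.20]
Feb 19 08:43:00 post-app3 postfix/qmgr[31126]: 8B7A6F5E4D: from=<carol@example.org>, size=1200, nrcpt=1 (queue active)
Feb 19 08:43:00 post-app3 postfix/pipe[31970]: 8B7A6F5E4D: to=<dave@example.net>, relay=dovecot, delay=0.1, delays=0.1/0/0/0, dsn=2.0.0, status=sent (delivered via dovecot service)
"""

# Assumed local domains and trusted networks for this example (not the poster's values).
LOCAL_DOMAINS = {"example.net", "local.example.net", "post-app3.example.net", "localhost"}
MYNETWORKS = ["127.0.0.0/8", "10.0.0.0/25"]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<prog>[\w-]+)\[\d+\]: (?P<qid>[0-9A-Za-z]{6,}): (?P<rest>.*)$"
)
CLIENT_RE = re.compile(r"client=(?P<name>[^\[\s]+)\[(?P<ip>[^\]]+)\]")
SASL_RE = re.compile(r"sasl_username=(?P<user>[^,\s]+)")
PICKUP_RE = re.compile(r"uid=(?P<uid>\d+) from=<(?P<from>[^>]*)>")
FROM_RE = re.compile(r"from=<(?P<from>[^>]*)>")
TO_RE = re.compile(r"to=<(?P<to>[^>]*)>, (?:orig_to=<[^>]*>, )?relay=(?P<relay>[^,]+),.*status=(?P<status>\w+)")


def new_record():
    return {"entry": None, "client_name": None, "client_ip": None, "sasl_username": None,
            "uid": None, "sender": None, "first_seen": None, "recipients": []}


def parse_postfix_log(lines):
    """Group log lines by queue ID; keep how each message entered and where it went."""
    messages = defaultdict(new_record)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # warnings without a queue ID, non-postfix lines
        rec = messages[m["qid"]]
        rec["first_seen"] = rec["first_seen"] or m["ts"]
        prog, rest = m["prog"], m["rest"]
        if prog == "smtpd" and rest.startswith("client="):   # accepted over SMTP
            c = CLIENT_RE.search(rest)
            rec["entry"], rec["client_name"], rec["client_ip"] = "smtpd", c["name"], c["ip"]
            s = SASL_RE.search(rest)
            rec["sasl_username"] = s["user"] if s else None
        elif prog == "pickup":                                # injected via sendmail(1)/postdrop
            p = PICKUP_RE.search(rest)
            if p:
                rec["entry"], rec["uid"], rec["sender"] = "pickup", int(p["uid"]), p["from"]
        elif prog == "qmgr" and rest.startswith("from="):     # envelope sender
            rec["sender"] = FROM_RE.match(rest)["from"]
        elif "to=<" in rest:                                  # a delivery attempt by any transport
            t = TO_RE.search(rest)
            if t:
                rec["recipients"].append((t["to"], t["relay"], t["status"]))
    return dict(messages)


def classify_entry(rec, nets):
    """Name the access path that admitted the message."""
    if rec["entry"] == "pickup":
        return "pickup"
    if rec["entry"] == "smtpd":
        if rec["sasl_username"]:
            return "smtpd-sasl"
        ip = ipaddress.ip_address(rec["client_ip"])
        return "smtpd-mynetworks" if any(ip in n for n in nets) else "smtpd-unauth"
    return "unknown"


def audit_relays(messages, local_domains, mynetworks):
    """Every message delivered to a non-local domain that did not arrive over an
    authenticated SMTP session, with the path that let it in."""
    nets = [ipaddress.ip_network(n) for n in mynetworks]
    local = {d.lower() for d in local_domains}
    findings = []
    for qid, rec in messages.items():
        external = [to for to, relay, status in rec["recipients"]
                    if status == "sent" and to.rsplit("@", 1)[-1].lower() not in local]
        if not external:
            continue  # delivered locally only: not a relay
        path = classify_entry(rec, nets)
        if path == "smtpd-sasl":
            continue  # authenticated; abuse here is a credential problem, not a relay-rule problem
        reason = {
            "pickup": f"injected locally as uid {rec['uid']} via sendmail(1)/postdrop; smtpd restrictions never ran",
            "smtpd-mynetworks": f"client {rec['client_ip']} matched mynetworks, so permit_mynetworks allowed the relay",
            "smtpd-unauth": f"unauthenticated client {rec['client_ip']} outside mynetworks relayed outbound: open-relay symptom",
            "unknown": "no smtpd/pickup line seen for this queue ID; widen the log window",
        }[path]
        findings.append({"qid": qid, "path": path, "sender": rec["sender"],
                         "recipients": external, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_relays(parse_postfix_log(SAMPLE_LOG.splitlines()), LOCAL_DOMAINS, MYNETWORKS):
        print(f"{f['qid']}  path={f['path']}  from=<{f['sender']}>  to={f['recipients']}\n    {f['reason']}")
```

Run it against a real maillog with `parse_postfix_log(open("/var/log/maillog"))` and the server's own `mydestination`/virtual domains and `mynetworks` values. A hit with `path=pickup` from a uid that is not supposed to submit mail points at the host itself (a local process, web script or cron job calling sendmail), and the `uid` tells you which account to inspect; `smtpd-unauth` is the classic open relay; `smtpd-mynetworks` is the relay rule working as configured, which is only reassuring if the `mynetworks` list is as narrow as you think it is.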