Hello Everybody. I am running Postfix postfix-2.3.3-2.1.el5_2 on a CentOS 5.4 box at a Federal University in Brazil. Our users (students and professors) have suffered several social-engineering attacks, and spammers obtained some valid usernames and passwords.
I know that the spammers are using a forged sender address (i...@freelotto.com) to send spam through our MX, but they are using usernames I have not yet identified. I need some help or thoughts about: - which parameter in master.cf or main.cf can I turn on in order to see the IP address used by a specific user (authenticating against SASL/Dovecot), or to see the IP address used by the sender i...@freelotto.com. Below this email I have included my main.cf and my master.cf to help. Thanks. -- Klaus Engelmann CCNA CCDA - CSCO10971632 LPIC-1 - LPI000138061 [r...@prometeu log]# postconf -n alias_database = hash:/etc/postfix/aliasDB/aliases alias_maps = hash:/etc/postfix/aliasDB/aliases broken_sasl_auth_clients = yes command_directory = /usr/sbin config_directory = /etc/postfix daemon_directory = /usr/libexec/postfix debug_peer_level = 2 default_privs = vmail disable_vrfy_command = yes header_checks = regexp:/etc/postfix/headerChecks/header_checks home_mailbox = Maildir/ html_directory = no inet_interfaces = all local_recipient_maps = unix:passwd.byname $alias_maps mail_owner = postfix mailq_path = /usr/bin/mailq.postfix manpage_directory = /usr/share/man message_size_limit = 20971520 mime_header_checks = regexp:/etc/postfix/headerChecks/mime_header_checks mydestination = $myhostname, localhost.$mydomain, localhost mydomain = ufcspa.edu.br myhostname = prometeu.ufcspa.edu.br mynetworks = 200.18.67.24/32, 127.0.0.0/8, 200.18.67.0/24, 172.16.0.0/16, 10.201.1.0/24, 10.200.1.0/24 myorigin = $myhostname newaliases_path = /usr/bin/newaliases.postfix queue_directory = /var/spool/postfix readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES relay_domains = relayhost = sample_directory = /usr/share/doc/postfix-2.3.3/samples sendmail_path = /usr/sbin/sendmail.postfix setgid_group = postdrop smtpd_banner = $myhostname ESMTP smtpd_client_connection_count_limit = 10 smtpd_client_connection_rate_limit = 15 smtpd_client_message_rate_limit = 25 smtpd_data_restrictions = reject_unauth_pipelining 
smtpd_delay_reject = yes smtpd_error_sleep_time = 20s smtpd_hard_error_limit = 3 smtpd_helo_required = yes smtpd_junk_command_limit = 1 smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/etc/postfix/whitelist/rbl_whitelist, check_sender_access hash:/etc/postfix/whitelist/user_restrictions, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access regexp:/etc/postfix/helo-blacklist/smtp_helo_blacklist, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_unlisted_recipient, reject_unknown_recipient_domain, reject_rbl_client dnsbl.njabl.org, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client combined.rbl.msrbl.net, reject_rbl_client b.barracudacentral.org, check_policy_service unix:private/spfpolicy, check_policy_service inet:127.0.0.1:2501, permit smtpd_reject_unlisted_recipient = yes smtpd_sasl_auth_enable = yes smtpd_sasl_authenticated_header = yes smtpd_sasl_path = private/auth smtpd_sasl_security_options = noanonymous smtpd_sasl_type = dovecot smtpd_soft_error_limit = 1 smtpd_tls_auth_only = no smtpd_tls_cert_file = /etc/postfix/ssl/certPostfix.pem smtpd_tls_key_file = /etc/postfix/ssl/keyPostfix.pem smtpd_use_tls = yes strict_rfc821_envelopes = yes tls_random_source = dev:/dev/urandom virtual_alias_maps = ldap:/etc/postfix/ldap/valias.cf virtual_gid_maps = static:200 virtual_mailbox_base = /var/vmail virtual_mailbox_domains = fffcmpa.edu.br ufcspa.edu.br virtual_mailbox_maps = ldap:/etc/postfix/ldap/vmaps.cf virtual_transport = dovecot virtual_uid_maps = static:200 [r...@prometeu log]# cat /etc/postfix/master.cf | sed '/^#/d' smtp inet n - n - - smtpd pickup fifo n - n 60 1 pickup cleanup unix n - n - 0 cleanup qmgr fifo n - n 300 1 qmgr tlsmgr unix - - n 1000? 
1 tlsmgr rewrite unix - - n - - trivial-rewrite bounce unix - - n - 0 bounce defer unix - - n - 0 bounce trace unix - - n - 0 bounce verify unix - - n - 1 verify flush unix n - n 1000? 0 flush proxymap unix - - n - - proxymap smtp unix - - n - - smtp relay unix - - n - - smtp -o fallback_relay= showq unix n - n - - showq error unix - - n - - error discard unix - - n - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - n - - lmtp anvil unix - - n - 1 anvil scache unix - - n - 1 scache old-cyrus unix - n n - - pipe flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user} cyrus unix - n n - - pipe user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user} uucp unix - n n - - pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) ifmail unix - n n - - pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) bsmtp unix - n n - - pipe flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user} spfpolicy unix - n n - - spawn user=nobody argv=/usr/bin/perl /usr/local/lib/postfix-policyd-spf-perl