I think we are having directory harvest attacks on our OS X Server. I am not familiar with postfix and we use this server primarily to send mail out from our web servers on the same subnet. There are a few accounts that receive mail and are popped, but no mail is really stored on the server. I have OS X set to only allow relay from our local subnet and a few other known hosts. How do I stop these attacks, which look like mail is being relayed even though it is restricted? Any help would be appreciated.
Here is my postfix conf:

biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
enable_server_options = yes
header_checks =
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mail_owner = _postfix
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
message_size_limit = 52428800
mydestination = $myhostname, localhost.$mydomain, localhost, mail2.4nova.net, $mydomain
mydomain = Nova-Mail2.local
mydomain_fallback = localhost
myhostname = Nova-Mail2.local
mynetworks = 74.84.205.0/24,74.95.99.16/28,65.254.210.137,74.84.205.84
newaliases_path = /usr/bin/newaliases
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relayhost =
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtpd_client_restrictions = hash:/etc/postfix/smtpdreject cidr:/etc/postfix/smtpdreject.cidr permit_mynetworks permit_sasl_authenticated reject_rbl_client zen.spamhaus.orgreject_rbl_client sbl-xbl.spamhaus.org permit
smtpd_enforce_tls = no
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_pw_server_security_options = none
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks check_sender_access hash:/etc/postfix/sender_access reject_unauth_destination permit
smtpd_sasl_auth_enable = no
smtpd_tls_CAfile = /etc/certificates/mail2.4nova.net.9F8B16932C4D21BF8CF23A56C69185B969123837.chain.pem
smtpd_tls_cert_file =
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
smtpd_tls_key_file =
smtpd_tls_loglevel = 0
smtpd_use_pw_server = no
smtpd_use_tls = no
soft_bounce = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_domains = $virtual_alias_maps hash:/etc/postfix/virtual_domains
virtual_alias_maps = hash:/etc/postfix/virtual_users

I don't understand why some of these show 127.0.0.1 (localhost) as the relay. How can I stop this if it looks like it is the local machine doing it? Here is an example of what we are seeing in the logs:

May 24 15:59:08 mail2 postfix/smtpd[20542]: AA561359557D: client=localhost[127.0.0.1]
May 24 15:59:08 mail2 postfix/cleanup[21223]: AA561359557D: message-id=< 201105250351138904...@4nova.net>
May 24 15:59:08 mail2 postfix/qmgr[20404]: AA561359557D: from=< hwli...@4nova.net>, size=209772, nrcpt=1 (queue active)
May 24 15:59:08 mail2 postfix/smtp[20897]: 610E03595566: to=<jyfr...@163.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.6, delays=2.4/0/0.01/0.11, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=21180-02, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as AA561359557D)
May 24 15:59:15 mail2 postfix/smtp[21081]: AA561359557D: host 163mx03.mxmail.netease.com[220.181.12.53] said: 451 DT:SPM mx3, NcCowEDJilsNDtxNMSnSAA--.439S2, please try again 1306267153 http://mail.163.com/help/help_spam_16.htm?ip=74.84.205.236&hostid=mx3&time=1306267153(in reply to end of DATA command)
May 24 15:59:23 mail2 postfix/smtp[21081]: AA561359557D: to=<jyfr...@163.com>, relay=163mx01.mxmail.netease.com[220.181.12.63]:25, delay=15, delays=0.01/0/12/3.3, dsn=4.0.0, status=deferred (host 163mx01.mxmail.netease.com[220.181.12.63] said: 451 DT:SPM mx13, P8CowJCLJ_ITDtxN0fYoBg--.1346S2, please try again 1306267163 http://mail.163.com/help/help_spam_16.htm?ip=74.84.205.236&hostid=mx13&time=1306267163(in reply to end of DATA command))
May 24 16:05:21 mail2 postfix/qmgr[20404]: AA561359557D: from=< hwli...@4nova.net>, size=209772, nrcpt=1 (queue active)
May 24 16:05:31 mail2 postfix/smtp[21694]: AA561359557D: to=<jyfr...@163.com>, relay=163mx02.mxmail.netease.com[220.181.12.77]:25, delay=383, delays=373/1.4/5.6/2.8, dsn=2.0.0, status=sent (250 Mail OK queued as mx27,TcCowJC7z_SDD9xNxUbYAQ--.622S2 1306267531)
May 24 16:05:31 mail2 postfix/qmgr[20404]: AA561359557D: removed

Thanks,
Ryan
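
Added example (not part of the original post): the excerpt shows queue ID 610E03595566 being handed to the content filter at 127.0.0.1:10024 and re-injected from 127.0.0.1:10025 as AA561359557D, which is why the second queue ID logs client=localhost. The Python below follows those "queued as" links back to the queue ID that first accepted the message and reports the smtpd client recorded for it. The first sample log line, the 203.0.113.7 address and the example.com names are constructed, and short hexadecimal queue IDs are assumed.

```python
import re

# Constructed sample in Postfix syslog format. The first line (the original
# smtpd client for 610E03595566) is invented for illustration; 203.0.113.7 is
# a documentation address. The other lines are shortened from the post's log.
SAMPLE_LOG = """\
May 24 15:59:05 mail2 postfix/smtpd[20540]: 610E03595566: client=unknown[203.0.113.7]
May 24 15:59:08 mail2 postfix/smtpd[20542]: AA561359557D: client=localhost[127.0.0.1]
May 24 15:59:08 mail2 postfix/smtp[20897]: 610E03595566: to=<rcpt@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.6, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=21180-02, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as AA561359557D)
May 24 16:05:31 mail2 postfix/smtp[21694]: AA561359557D: to=<rcpt@example.com>, relay=mx.example.com[198.51.100.9]:25, delay=383, dsn=2.0.0, status=sent (250 Mail OK)
"""

LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]{6,}): (.*)$")
CLIENT = re.compile(r"client=(\S+)\[([^\]]+)\]")
REQUEUED = re.compile(r"queued as ([0-9A-F]{6,})\)?$")

def index_log(text):
    """Return (clients, parent): queue ID -> client IP, and child ID -> parent ID."""
    clients, parent = {}, {}
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        service, qid, rest = m.groups()
        c = CLIENT.match(rest)
        if service == "smtpd" and c:
            clients[qid] = c.group(2)
        r = REQUEUED.search(rest)
        # Only a hand-off to a loopback relay is the content-filter hop;
        # "queued as" from a remote MX names a queue ID on someone else's server.
        if service == "smtp" and r and "relay=127.0.0.1[" in rest:
            parent[r.group(1)] = qid
    return clients, parent

def original_client(qid, clients, parent):
    """Follow re-injection links back to the queue ID that first accepted the mail."""
    seen = set()
    while qid in parent and qid not in seen:
        seen.add(qid)
        qid = parent[qid]
    return qid, clients.get(qid)

if __name__ == "__main__":
    clients, parent = index_log(SAMPLE_LOG)
    print(original_client("AA561359557D", clients, parent))
```

Run against the full mail log, the client returned for the first queue ID is the address to compare with mynetworks; a result of None means the excerpt does not contain that queue ID's smtpd line.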