On 12/30/2011 10:26 AM, Noel Jones wrote:
On 12/30/2011 11:19 AM, Stephen Atkins wrote:
On 12/30/2011 10:17 AM, Gary Smith wrote:
I've been administering the same postfix server for years so I'm a little
confused as to how this happened.  Granted postfix hasn't been updated in a
year or so.

This morning I came in to a mailq of over 93000 messages all destined to
@yahoo.com.tw

For now I'm just blocking all email destined for this domain but I would
really like to find out what happened.  I haven't changed my main.cf
file for over a year.  I can post it if needed.


Are you an open relay or did one of your user accounts get
hacked?  I'd check the envelope of one of the messages, cross that
with where it originated and go from there.  Just a shot from the
hip guess with little information.

I'm pretty sure.  I'm watching the connections coming in and they
are from external IP addresses.  A whois shows them as being from
South America and Europe.



Show all the postfix logging for one of the suspect transactions.
Show your "postconf -n" output.

http://www.postfix.org/DEBUG_README.html#mail



   -- Noel Jones

Here is the output of my postconf -n

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases hash:/etc/postfix/majordomo/majoraliases
allow_untrusted_routing = no
bounce_queue_lifetime = 2h
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
debug_peer_level = 1
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
home_mailbox = Maildir/
in_flow_delay = 5s
inet_interfaces = all
local_recipient_maps =
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_queue_lifetime = 1d
message_size_limit = 26214400
mydestination = localhost.localdomain, localhost, mta1.rcr.inc mta2.rcr.inc, ridelouise.com, canadiarockiessummer.com, rcr.west rcr.inc
mydomain = skircr.com
myhostname = smtp.skircr.com
mynetworks = 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24, 192.168.5.0/24, 192.168.6.0/24, 192.168.7.0/24, 209.91.64.21, 127.0.0.0/8, 10.0.100.0/24, 10.0.6.0/24, 192.168.10.0/24, 192.168.80.0/23, 192.168.142.0/24, 216.133.52.45, 216.113.43.184, 192.168.143.0/24, 69.70.230.206, 207.96.243.24, 207.96.243.25, 24.37.1.234, 10.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
owner_request_special = no
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix-2.0.11/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_helo_name = skircr.com
smtpd_banner = $myhostname ESMTP $mail_name. We block/report all spam/spammers.
smtpd_client_restrictions = permit_mynetworks
smtpd_delay_reject = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,                      permit
smtpd_recipient_restrictions = hash:/etc/postfix/access, check_client_access hash:/etc/postfix/client_checks, check_recipient_access hash:/etc/postfix/sender_checks, check_sender_access hash:/etc/postfix/sender_checks, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, reject_invalid_hostname, check_client_access cidr:/etc/postfix/dnswl-header, check_client_access cidr:/etc/postfix/dnswl-permit, check_client_access hash:/etc/postfix/rbl_override, reject_rbl_client zen.spamhaus.org, reject_rbl_client combined.njabl.org, reject_rbl_client dbl.spamhaus.org, check_policy_service inet:127.0.0.1:60000, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = hash:/etc/postfix/access, check_client_access hash:/etc/postfix/client_checks, check_sender_access hash:/etc/postfix/sender_checks, permit_sasl_authenticated, permit_mynetworks, reject_unauth_pipelining, permit
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_tls_loglevel = 9
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql/virtual_alias_maps.cf
virtual_gid_maps = static:119
virtual_mailbox_base = /usr/local/virtual
virtual_mailbox_domains = mysql:/etc/postfix/mysql/virtual_domains_maps.cf
virtual_mailbox_limit = 0
virtual_mailbox_maps = mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_uid = 109
virtual_transport = virtual
virtual_uid_maps = static:109


--
Stephen Atkins
Information Systems
Resorts of the Canadian Rockies INC.
http://www.skircr.com
satk...@skircr.com
Voice: (403) 209-3367
Cell: (403) 510-8333
Fax: (403) 244-3774
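The question Gary raised (open relay, or a hacked account?) is answered by the per-transaction logging Noel asked for, not by the queue count. The script below is an added example for this thread, not code from the posters or from Postfix: it groups smtpd/qmgr/smtp/local log lines by queue ID and gives each message a verdict in the same order Postfix decides in (client in mynetworks, then SASL-authenticated, then an outside client relaying to a domain the server does not host). It assumes the stock log formats ("client=host[ip]", "sasl_username=", "to=<...>"); MYNETWORKS and LOCAL_DOMAINS are a subset copied from the postconf -n output above, and the log lines, IP addresses (documentation ranges), queue IDs and the username are constructed.

```python
"""Queue-flood triage for Postfix: per queued message, decide whether it was
accepted from a trusted network, from an authenticated SASL account (a stolen
password), or from an unauthenticated outside client relaying to a domain
this server does not host (the open-relay case).

Added example for the thread, not code from the posters or from Postfix.
"""
import ipaddress
import re
import sys
from collections import Counter, defaultdict

# Subset of the posted mynetworks value.
MYNETWORKS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "192.168.1.0/24", "10.0.0.0/8")]
# Subset of the posted mydestination value. Domains served through
# virtual_mailbox_domains / virtual_alias_maps (MySQL in the posted config)
# must be added here too, or inbound virtual mail is reported as relaying.
LOCAL_DOMAINS = {"localhost", "localhost.localdomain", "ridelouise.com",
                 "canadiarockiessummer.com"}

LINE_RE = re.compile(r"postfix/(?P<prog>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)")
CLIENT_RE = re.compile(r"client=(?P<host>[^\[\s,]+)\[(?P<ip>[^\]]+)\]")
SASL_RE = re.compile(r"sasl_username=(?P<user>[^,\s]+)")
RCPT_RE = re.compile(r"to=<(?P<rcpt>[^>]*)>")

# Constructed sample: documentation IP ranges, invented queue IDs and user.
SAMPLE_LOG = """\
Dec 30 08:01:02 smtp postfix/smtpd[4101]: connect from unknown[203.0.113.7]
Dec 30 08:01:02 smtp postfix/smtpd[4101]: AAAA1111: client=unknown[203.0.113.7]
Dec 30 08:01:02 smtp postfix/qmgr[3000]: AAAA1111: from=<promo@example.net>, size=1024, nrcpt=1 (queue active)
Dec 30 08:01:03 smtp postfix/smtp[4201]: AAAA1111: to=<a@yahoo.com.tw>, relay=none, delay=1, status=deferred (connect to mx.yahoo.com.tw: Connection timed out)
Dec 30 08:01:05 smtp postfix/smtpd[4102]: BBBB2222: client=unknown[198.51.100.9], sasl_method=LOGIN, sasl_username=user1
Dec 30 08:01:05 smtp postfix/qmgr[3000]: BBBB2222: from=<user1@example.com>, size=2048, nrcpt=1 (queue active)
Dec 30 08:01:06 smtp postfix/smtp[4202]: BBBB2222: to=<b@yahoo.com.tw>, relay=none, delay=1, status=deferred (connect to mx.yahoo.com.tw: Connection timed out)
Dec 30 08:01:07 smtp postfix/smtpd[4103]: CCCC3333: client=ws12.example.com[192.168.1.40]
Dec 30 08:01:07 smtp postfix/qmgr[3000]: CCCC3333: from=<staff@example.com>, size=512, nrcpt=1 (queue active)
Dec 30 08:01:08 smtp postfix/smtp[4203]: CCCC3333: to=<c@yahoo.com.tw>, relay=none, delay=1, status=deferred (connect to mx.yahoo.com.tw: Connection timed out)
Dec 30 08:01:09 smtp postfix/smtpd[4104]: DDDD4444: client=unknown[203.0.113.7]
Dec 30 08:01:09 smtp postfix/qmgr[3000]: DDDD4444: from=<promo@example.net>, size=1024, nrcpt=1 (queue active)
Dec 30 08:01:10 smtp postfix/local[4301]: DDDD4444: to=<info@ridelouise.com>, relay=local, delay=1, status=sent (delivered to maildir)
"""


def in_mynetworks(ip):
    """True if the client address falls inside one of the mynetworks blocks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MYNETWORKS)


def parse_log(text):
    """Group log lines by queue ID; keep client IP, SASL user and recipients."""
    records = defaultdict(lambda: {"client_ip": None, "sasl_user": None, "rcpts": []})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # connect/disconnect lines and NOQUEUE rejects carry no queue ID
        rec, rest = records[m["qid"]], m["rest"]
        c = CLIENT_RE.search(rest)
        if c:
            rec["client_ip"] = c["ip"]
        s = SASL_RE.search(rest)
        if s:
            rec["sasl_user"] = s["user"]
        t = RCPT_RE.search(rest)
        if t:
            rec["rcpts"].append(t["rcpt"].lower())
    return dict(records)


def classify(rec):
    """Verdict for one message, in the order the posted restrictions decide:
    permit_mynetworks, then permit_sasl_authenticated, then reject_unauth_destination."""
    ip = rec["client_ip"]
    if ip is None:
        return "no-smtpd-record"  # submitted locally (sendmail/pickup) or log excerpt is incomplete
    if in_mynetworks(ip):
        return "mynetworks"
    if rec["sasl_user"]:
        return "sasl:" + rec["sasl_user"]
    relayed = [r for r in rec["rcpts"] if r.rsplit("@", 1)[-1] not in LOCAL_DOMAINS]
    return "open-relay-suspect" if relayed else "inbound"


def triage(text):
    """Summarise a log excerpt: verdict counts, busiest client IPs, busiest SASL users."""
    records = parse_log(text)
    verdicts, by_client, by_user = Counter(), Counter(), Counter()
    for rec in records.values():
        verdicts[classify(rec).split(":", 1)[0]] += 1
        if rec["client_ip"]:
            by_client[rec["client_ip"]] += 1
        if rec["sasl_user"]:
            by_user[rec["sasl_user"]] += 1
    return {"messages": len(records), "verdicts": verdicts,
            "top_clients": by_client.most_common(5),
            "top_sasl_users": by_user.most_common(5)}


if __name__ == "__main__":
    # Real use: grep the queue IDs of a few suspect messages out of the mail log
    # and pipe the lines in; with no stdin the constructed sample is used.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    result = triage(data)
    print("messages:", result["messages"])
    for verdict, n in result["verdicts"].most_common():
        print(f"  {verdict:20s} {n}")
    print("top clients:", result["top_clients"])
    print("top SASL users:", result["top_sasl_users"])
```

A pile of "sasl:" verdicts for one username points at a stolen password (the posted config accepts SASL over cleartext, smtpd_tls_auth_only = no, so a sniffed or guessed one is plausible); "open-relay-suspect" verdicts mean an unauthenticated outside client got past reject_unauth_destination and the restriction lists need a look; a flood of "mynetworks" verdicts means the sender is inside one of the many trusted blocks and the client IP, not the mail server, is where to dig.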

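On the postconf -n output itself, the thing to check is which entries of smtpd_recipient_restrictions can say "permit" before reject_unauth_destination is reached, since Postfix stops at the first matching restriction and an OK result from an access map, a bare table or a policy service at that point grants relaying. The following is an added example for this thread, not code from the posters or from Postfix: it tokenizes a restriction list the way Postfix does and lists those entries. The first value is copied from the posted output; the second is a constructed reordering used only to show the difference in output, not a recommendation for that site (the maps may intentionally whitelist relaying for particular hosts).

```python
"""List the entries that can grant relaying before reject_unauth_destination
in a Postfix smtpd_recipient_restrictions value.

Added example for the thread, not code from the posters or from Postfix.
"""
import re

# Copied from the postconf -n output posted above.
POSTED = ("hash:/etc/postfix/access, check_client_access hash:/etc/postfix/client_checks, "
          "check_recipient_access hash:/etc/postfix/sender_checks, "
          "check_sender_access hash:/etc/postfix/sender_checks, permit_mynetworks, "
          "permit_sasl_authenticated, reject_non_fqdn_recipient, "
          "reject_unknown_recipient_domain, reject_unauth_destination, "
          "reject_invalid_hostname, check_client_access cidr:/etc/postfix/dnswl-header, "
          "check_client_access cidr:/etc/postfix/dnswl-permit, "
          "check_client_access hash:/etc/postfix/rbl_override, "
          "reject_rbl_client zen.spamhaus.org, reject_rbl_client combined.njabl.org, "
          "reject_rbl_client dbl.spamhaus.org, check_policy_service inet:127.0.0.1:60000, permit")

# Constructed: the same entries with the relay guard moved ahead of the access maps.
REORDERED = ("permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, "
             "hash:/etc/postfix/access, check_client_access hash:/etc/postfix/client_checks, "
             "check_recipient_access hash:/etc/postfix/sender_checks, "
             "check_sender_access hash:/etc/postfix/sender_checks, "
             "reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit")

RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}
PERMITS = {"permit", "permit_mynetworks", "permit_sasl_authenticated",
           "permit_tls_clientcerts", "permit_tls_all_clientcerts"}
# Restriction names that consume the following word as their argument.
TAKES_ARGUMENT = ("check_", "reject_rbl_client", "reject_rhsbl_")


def tokenize(value):
    """Split on commas/whitespace as Postfix does, re-joining each restriction
    with its argument, e.g. 'check_client_access hash:/etc/postfix/client_checks'."""
    words = [w for w in re.split(r"[,\s]+", value) if w]
    tokens, i = [], 0
    while i < len(words):
        if words[i].startswith(TAKES_ARGUMENT) and i + 1 < len(words):
            tokens.append(words[i] + " " + words[i + 1])
            i += 2
        else:
            tokens.append(words[i])
            i += 1
    return tokens


def relay_paths_before_guard(value):
    """Return (entries that can permit relaying before the guard, guard_present)."""
    paths = []
    for token in tokenize(value):
        head = token.split()[0]
        if head in RELAY_GUARDS:
            return paths, True
        if head in PERMITS:
            paths.append(token)  # permits the whole class it names
        elif head.startswith("check_") or ":" in head:
            # access map, policy service, or bare "type:table" (which Postfix
            # treats as check_recipient_access here): an OK result skips the guard
            paths.append(token)
    return paths, False  # no guard at all: any client may relay


def report(value):
    """Human-readable findings for one restriction list."""
    paths, guarded = relay_paths_before_guard(value)
    lines = [] if guarded else ["no reject_unauth_destination present: open relay"]
    for p in paths:
        if p.split()[0] in PERMITS:
            lines.append(f"{p}: check who that covers")
        elif p.startswith("check_policy_service"):
            lines.append(f"{p}: policy daemon may answer OK before the guard")
        else:
            lines.append(f"{p}: confirm no OK/PERMIT entries (postmap -q KEY {p.split()[-1]})")
    return lines


if __name__ == "__main__":
    for name, value in (("posted", POSTED), ("reordered", REORDERED)):
        print(name)
        for line in report(value):
            print("  " + line)
```

For the posted value the four access-map entries (three hash maps, one of them listed twice under different check types) plus permit_mynetworks and permit_sasl_authenticated all come before reject_unauth_destination. Querying each map with postmap -q for the client IP, sender and recipient of one suspect transaction shows whether any of them returned OK; and permit_mynetworks covers every block in the posted mynetworks list, 10.0.0.0/8 included, so a client inside any of those ranges relays without authentication.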