On Friday 30 December 2011 14:46:46 Lorens Kockum wrote:
> On Fri, Dec 30, 2011 at 12:51:27PM -0600, Noel Jones wrote:
> > These are rejected and not useful to our discussion. Please
> > show ALL the postfix logging of a suspect transaction that
> > makes it to your queue. In particular, we want to see if
> > there is a sasl_username= line logged for a suspicious QUEUEID.
>
> Stephen, you say that you have a lot of mail in the queue. I
> suppose you use `mailq` to see that? You need to take the queue
> ID of a suspect mail from there, grep /var/log/maillog for that,
> and send us the output.
Specifically, we would be most interested in how the message first entered the queue. Arrival via smtpd(8) means you (Stephen) have an access maps problem, or, as Noel surmised, exploited SASL user credentials. Arrival via pickup(8) means you have some other kind of exploit, such as a compromised HTTP-PHP script.

I'll also take this opportunity to nitpick in some ways that Noel spared you. :)

> > smtpd_recipient_restrictions = hash:/etc/postfix/access,

"access" is a terrible name for an access lookup, believe it or not! And here you are using it as an implied check_recipient_access lookup, which, as Noel pointed out, should not be done. What is this lookup doing? (Do you know?)

> > check_client_access hash:/etc/postfix/client_checks,

This one is named appropriately, but possibly not *used* in a safe, reasonable manner. What is this one doing?

> > check_recipient_access hash:/etc/postfix/sender_checks,
> > check_sender_access hash:/etc/postfix/sender_checks,

Same file, named "sender_checks", being used for both sender and recipient lookups? That might be reasonable, but "sender_checks" is not a good name in that case.

In general, check_sender_access is not a good tool. Sure, it does exactly what it claims to do, but most spam has forged sender addresses. Therefore check_sender_access is reasonable neither for whitelisting nor for blacklisting. My bet is on this file; you have done something in "sender_checks" that you should not have done.

-- 
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
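The triage the thread asks for (take a queue ID from mailq, pull every line for it out of /var/log/maillog, and see whether it entered the queue through smtpd(8) with a sasl_username= or through pickup(8)) written out as a small shell script. This is an added example, not code from the thread or from Postfix; the maillog lines are constructed samples in Postfix's usual syslog format, and the function names (queue_log, entry_point, sasl_senders) and the queue IDs are my own.

```shell
#!/bin/sh
# Constructed sample of /var/log/maillog lines (not real log data).
# Three messages: one via authenticated smtpd, one via pickup from uid 33
# (a typical web-server uid), one via unauthenticated smtpd.
MAILLOG=$(mktemp)
trap 'rm -f "$MAILLOG"' EXIT
cat > "$MAILLOG" <<'EOF'
Dec 30 14:01:02 mx postfix/smtpd[12345]: connect from unknown[203.0.113.7]
Dec 30 14:01:03 mx postfix/smtpd[12345]: 7A1B2C3D4E: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=alice
Dec 30 14:01:03 mx postfix/cleanup[12350]: 7A1B2C3D4E: message-id=<20111230140103.7A1B2C3D4E@mx.example.net>
Dec 30 14:01:03 mx postfix/qmgr[2201]: 7A1B2C3D4E: from=<bogus@example.org>, size=1234, nrcpt=50 (queue active)
Dec 30 14:02:10 mx postfix/pickup[2200]: 9F8E7D6C5B: uid=33 from=<www-data>
Dec 30 14:02:10 mx postfix/cleanup[12351]: 9F8E7D6C5B: message-id=<20111230140210.9F8E7D6C5B@mx.example.net>
Dec 30 14:02:10 mx postfix/qmgr[2201]: 9F8E7D6C5B: from=<www-data@mx.example.net>, size=987, nrcpt=120 (queue active)
Dec 30 14:03:00 mx postfix/smtpd[12360]: 1A2B3C4D5E: client=mail.example.com[198.51.100.9]
Dec 30 14:03:00 mx postfix/qmgr[2201]: 1A2B3C4D5E: from=<bob@example.com>, size=456, nrcpt=1 (queue active)
EOF

# All logging for one queue ID, in order: this is what the list asked
# Stephen to post. Usage: queue_log LOGFILE QUEUEID
queue_log() {
    grep -F "$2: " "$1"
}

# How a queue ID first entered the queue. Prints one of:
#   smtpd-sasl:<user>      authenticated submission: check that account's credentials
#   smtpd-noauth:<client>  unauthenticated SMTP: check access maps / restrictions
#   pickup:<uid>           local sendmail(1) submission: check scripts running as that uid
#   unknown                no smtpd or pickup line found for that ID
# Usage: entry_point LOGFILE QUEUEID
entry_point() {
    log="$1"; qid="$2"
    line=$(grep -F "$qid: " "$log" | grep -E 'postfix/(smtpd|pickup)\[' | head -n 1)
    case "$line" in
        *postfix/smtpd*sasl_username=*)
            user=$(printf '%s\n' "$line" | sed -n 's/.*sasl_username=\([^,]*\).*/\1/p')
            printf 'smtpd-sasl:%s\n' "$user" ;;
        *postfix/smtpd*)
            client=$(printf '%s\n' "$line" | sed -n 's/.*client=\([^,]*\).*/\1/p')
            printf 'smtpd-noauth:%s\n' "$client" ;;
        *postfix/pickup*)
            uid=$(printf '%s\n' "$line" | sed -n 's/.*uid=\([0-9]*\).*/\1/p')
            printf 'pickup:%s\n' "$uid" ;;
        *)
            printf 'unknown\n' ;;
    esac
}

# Message counts per SASL username across the whole log, highest first:
# a stolen account usually stands out by volume. Usage: sasl_senders LOGFILE
sasl_senders() {
    sed -n 's/.*postfix\/smtpd\[[0-9]*\]: [0-9A-F]*: client=.*sasl_username=\([^,]*\).*/\1/p' "$1" \
        | sort | uniq -c | sort -rn
}

# Stand-alone run over the constructed sample.
for q in 7A1B2C3D4E 9F8E7D6C5B 1A2B3C4D5E; do
    printf '%s -> %s\n' "$q" "$(entry_point "$MAILLOG" "$q")"
done
sasl_senders "$MAILLOG"
```

On a live system replace the heredoc with /var/log/maillog (or wherever syslog puts mail.* on that host) and feed entry_point the IDs from the first column of mailq; a pickup line with a web-server uid points at a script on the box, a smtpd line with sasl_username= points at a stolen password, and a smtpd line without it points at the restrictions and access maps.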