On Thu, June 14, 2012 05:34, Giuseppe Perna wrote:
> Good morning, I noticed that postmaster connects to IMAP4 with webmail
> and I generated spam.
> Can I reset the password for postmaster?
> Can you give me the info?
> thanks
>
> Jun 14 07:48:09 nameserver imapd[16380]: imap service init from
> 127.0.0.1
> Jun 14 07:48:09 nameserver imapd[16380]: Login user=postmaster
> host=localhost [127.0.0.1]
> Jun 14 07:48:09 nameserver imapd[16380]: Logout user=postmaster
> host=localhost [127.0.0.1]

These entries tell you that the postmaster user id logged into their
IMAP account from the localhost and then logged out.  If you are using
Cyrus-imapd then possibly you use the rimap option to saslauth to
authenticate smtp relays?  Or perhaps you just permit relaying from
the local host from your webmail setup without further authentication.

From the log entries it appears that the webmail host is the same host
as your smtp server and imap server.  I infer that your imap and smtp
authentication mechanisms are also on the same host and that these are
probably /etc/passwd.

If the subsequent log entries are spam email sent by postmaster and
postmaster was used to authenticate for smtp relaying via your server,
either via imap or simply by gaining access to the webmail
application, then the postmaster userid credentials have been
compromised.

If you use /etc/passwd for imap authentication then change the
password for postmaster.  That will require that you either have root
access or possess the current (compromised) postmaster credentials
yourself.  If you use ldap or some other centralized authentication
for imap/smtp then the credentials need to be changed there.

In any case, postmaster is a system account.  The likelihood is that
it had a weak password and that a dictionary attack via your webmail
interface was the source of the compromise.  However, if this user id
has had its credentials compromised on one of my systems then I would
suspect the presence of a rootkit. As a matter of prudence you need to
check very carefully for this. If a rootkit is discovered or
reasonably suspected then never again can your system be considered
secure and it will need to be rebuilt.

> Jun 14 07:48:10 nameserver postfix/smtp[16403]: 23094B81BD7:
> to=<Ayaz@ayaz.lezgin>, relay=none, delay=2, status=bounced (Host or
> domain n$
> Jun 14 07:48:10 nameserver postfix/smtp[16402]: 23094B81BD7:
> to=<brian.stew...@avovent.com>, relay=none, delay=2, status=bounced
> (Host or$
> Jun 14 07:48:10 nameserver postfix/smtp[16472]: 23094B81BD7:
> to=<CialisAndV45@gmail.comomar2010ahmed>, relay=none, delay=2,
> status=bounce$
> Jun 14 07:48:10 nameserver postfix/smtp[16451]: warning:
> valid_hostname: empty hostname
> Jun 14 07:48:10 nameserver postfix/smtp[16451]: warning: malformed
> domain name in resource data of MX record for DontEmail.com:
> Jun 14 07:48:10 nameserver postfix/smtp[16451]: 23094B81BD7:
> to=<callorsmsmedirec...@dontemail.com>, relay=none, delay=2,
> status=deferred$
> Jun 14 07:48:10 nameserver postfix/smtp[16438]: warning:
> valid_hostname: empty hostname
> Jun 14 07:48:10 nameserver postfix/smtp[16438]: warning: malformed
> domain name in resource data of MX record for consensus.com:
>
> Thanks
>

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
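The reading of the log excerpt above (a system account logs in over IMAP, and a burst of bounced or deferred deliveries for one queue ID follows a second later) can be turned into a small detection that runs over syslog text. The block below is an added example and is not code from the thread or from either poster; the log lines in it are constructed, modelled on the imapd and postfix/smtp line formats shown in the excerpt, and the watch-list of account names, the 60-second window and the threshold of three failed recipients are assumptions chosen for the example.

```python
"""Correlate IMAP logins by system accounts with bursts of failed outbound
mail.  Added example, not the original poster's code; the SAMPLE_LOG lines
are constructed (modelled on the thread's excerpt), not copied from it."""
import re
from datetime import datetime

# Constructed sample: one postmaster IMAP session followed by four failed
# recipients on a single queue ID, then a benign login with a normal delivery.
SAMPLE_LOG = """\
Jun 14 07:48:09 nameserver imapd[16380]: imap service init from 127.0.0.1
Jun 14 07:48:09 nameserver imapd[16380]: Login user=postmaster host=localhost [127.0.0.1]
Jun 14 07:48:09 nameserver imapd[16380]: Logout user=postmaster host=localhost [127.0.0.1]
Jun 14 07:48:10 nameserver postfix/smtp[16403]: 0123456789A: to=<one@bad.invalid>, relay=none, delay=2, status=bounced (Host or domain name not found)
Jun 14 07:48:10 nameserver postfix/smtp[16402]: 0123456789A: to=<two@bad.invalid>, relay=none, delay=2, status=bounced (Host or domain name not found)
Jun 14 07:48:10 nameserver postfix/smtp[16451]: warning: valid_hostname: empty hostname
Jun 14 07:48:10 nameserver postfix/smtp[16451]: 0123456789A: to=<three@bad.invalid>, relay=none, delay=2, status=deferred (Host or domain name not found)
Jun 14 07:48:11 nameserver postfix/smtp[16472]: 0123456789A: to=<four@bad.invalid>, relay=none, delay=3, status=bounced (Host or domain name not found)
Jun 14 07:55:00 nameserver imapd[16500]: Login user=alice host=localhost [127.0.0.1]
Jun 14 07:55:04 nameserver postfix/smtp[16510]: 0123456789B: to=<friend@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=1, status=sent (250 OK)
"""

# Syslog timestamp: "Mon DD HH:MM:SS" (day may be space-padded, no year).
TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
LOGIN_RE = re.compile(TS + r" \S+ imapd\[\d+\]: Login user=(?P<user>\S+) host=\S+ \[(?P<ip>[^\]]+)\]")
SMTP_RE = re.compile(TS + r" \S+ postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, .*status=(?P<status>\w+)")

# Assumed watch-list: accounts that should never drive interactive mail.
DEFAULT_WATCHED = ("postmaster", "root", "nobody", "daemon")


def parse_ts(ts):
    """Parse a year-less syslog timestamp; all values land in year 1900, which
    is fine for relative comparison except across a 31 Dec / 1 Jan boundary."""
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S")


def find_suspicious_sessions(log_text, watched_users=DEFAULT_WATCHED,
                             window_seconds=60, threshold=3):
    """Return one finding per login by a watched account that is followed,
    within window_seconds, by at least `threshold` bounced/deferred recipients."""
    logins, failures = [], []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            logins.append((parse_ts(m["ts"]), m["user"], m["ip"]))
            continue
        m = SMTP_RE.match(line)
        if m and m["status"] in ("bounced", "deferred"):
            failures.append((parse_ts(m["ts"]), m["qid"], m["rcpt"], m["status"]))

    findings = []
    for login_at, user, ip in logins:
        if user not in watched_users:
            continue
        # Only failures that occur after the login and inside the window count.
        related = [f for f in failures
                   if 0 <= (f[0] - login_at).total_seconds() <= window_seconds]
        if len(related) >= threshold:
            findings.append({
                "user": user,
                "ip": ip,
                "login_at": login_at.strftime("%b %d %H:%M:%S"),
                "failed_recipients": len(related),
                "queue_ids": sorted({f[1] for f in related}),
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_sessions(SAMPLE_LOG):
        print("system account {user} logged in from {ip} at {login_at}; "
              "{failed_recipients} failed recipients followed (queue {queue_ids})"
              .format(**finding))
```

On a real host the same function can be pointed at /var/log/maillog (or whichever file both imapd and postfix log to) instead of SAMPLE_LOG; a hit is a prompt to treat that account's credentials as compromised, disable it for relaying, and then go through the rootkit check the reply above calls for.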
