Thanks James, you're a true friend. I allow relaying only to the hosts declared in the main.cf file, and the users are in the file /etc/passwd. postmaster is a user in this file. Can I safely change the password or disable the user postmaster? Will that damage the Postfix configuration? Thanks
These ports are open:

22/tcp open ssh
25/tcp open smtp
37/tcp open time
80/tcp open http
110/tcp open pop3
113/tcp open auth
125/tcp open locus-map
143/tcp open imap
443/tcp open https

IMAP4 and POP3 are invoked from /usr/sbin/imapd and /usr/sbin/pop3. This is my configuration:

#postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
default_process_limit = 100
defer_transports = uucp
delay_warning_time = 30m
header_checks = regexp:/etc/postfix/header_checks
inet_interfaces = all
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_command = /usr/bin/procmail
mailbox_size_limit = 1004800000
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maximal_backoff_time = 2h
maximal_queue_lifetime = 1d
message_size_limit = 102400000
minimal_backoff_time = 1h
mydestination = $mydomain,esempio.it (local domain)
mydomain = esempio.it
myhostname = mail.esempio.it
mynetworks = 192.168.1.0/24
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
queue_run_delay = 10m
readme_directory = /usr/share/doc/postfix-1.1.11/README_FILES
relay_domains = $mydestination
sample_directory = /usr/share/doc/postfix-1.1.11/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
swap_bangpath = no
virtual_mailbox_limit = 1004800000

2012/6/14 James B. Byrne <byrn...@harte-lyne.ca>:
>
> On Thu, June 14, 2012 05:34, Giuseppe Perna wrote:
>> Good morning, I noticed that postmaster connects to IMAP4 with webmail
>> and it generated spam.
>> Can I reset the password for postmaster?
>> Can you give me the info?
>> thanks
>>
>> Jun 14 07:48:09 nameserver imapd[16380]: imap service init from
>> 127.0.0.1
>> Jun 14 07:48:09 nameserver imapd[16380]: Login user=postmaster
>> host=localhost [127.0.0.1]
>> Jun 14 07:48:09 nameserver imapd[16380]: Logout user=postmaster
>> host=localhost [127.0.0.1]
>
> These entries tell you that the postmaster user id logged into their
> IMAP account from the localhost and then logged out. If you are using
> Cyrus-imapd then possibly you use the rimap option to saslauth to
> authenticate smtp relays? Or perhaps you just permit relaying from
> the local host from your webmail setup without further authentication.
>
> From the log entries it appears that the webmail host is the same host
> as your smtp server and imap server. I infer that your imap and smtp
> authentication mechanisms are also on the same host and that these are
> probably /etc/passwd.
>
> If the subsequent log entries are spam email sent by postmaster and
> postmaster was used to authenticate for smtp relaying via your server,
> either via imap or simply by gaining access to the webmail
> application, then the postmaster userid credentials have been
> compromised.
>
> If you use /etc/passwd for imap authentication then change the
> password for postmaster. That will require that you either have root
> access or possess the current (compromised) postmaster credentials
> yourself. If you use ldap or some other centralized authentication
> for imap/smtp then the credentials need to be changed there.
>
> In any case, postmaster is a system account. The likelihood is that
> it had a weak password and that a dictionary attack via your webmail
> interface was the source of the compromise. However, if this user id
> has had its credentials compromised on one of my systems then I would
> suspect the presence of a rootkit. As a matter of prudence you need to
> check very carefully for this. If a rootkit is discovered or
> reasonably suspected then never again can your system be considered
> secure and it will need to be rebuilt.
>
>> Jun 14 07:48:10 nameserver postfix/smtp[16403]: 23094B81BD7:
>> to=<Ayaz@ayaz.lezgin>, relay=none, delay=2, status=bounced (Host or
>> domain n$
>> Jun 14 07:48:10 nameserver postfix/smtp[16402]: 23094B81BD7:
>> to=<brian.stew...@avovent.com>, relay=none, delay=2, status=bounced
>> (Host or$
>> Jun 14 07:48:10 nameserver postfix/smtp[16472]: 23094B81BD7:
>> to=<CialisAndV45@gmail.comomar2010ahmed>, relay=none, delay=2,
>> status=bounce$
>> Jun 14 07:48:10 nameserver postfix/smtp[16451]: warning:
>> valid_hostname: empty hostname
>> Jun 14 07:48:10 nameserver postfix/smtp[16451]: warning: malformed
>> domain name in resource data of MX record for DontEmail.com:
>> Jun 14 07:48:10 nameserver postfix/smtp[16451]: 23094B81BD7:
>> to=<callorsmsmedirec...@dontemail.com>, relay=none, delay=2,
>> status=deferred$
>> Jun 14 07:48:10 nameserver postfix/smtp[16438]: warning:
>> valid_hostname: empty hostname
>> Jun 14 07:48:10 nameserver postfix/smtp[16438]: warning: malformed
>> domain name in resource data of MX record for consensus.com:
>>
>> Thanks
>>
>
> --
> *** E-Mail is NOT a SECURE channel ***
> James B. Byrne mailto:byrn...@harte-lyne.ca
> Harte & Lyne Limited http://www.harte-lyne.ca
> 9 Brockley Drive vox: +1 905 561 1241
> Hamilton, Ontario fax: +1 905 561 0757
> Canada L8E 3C3
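The correlation James describes (a system account logging into IMAP, followed within seconds by a burst of failed outbound deliveries for one queue id) can be checked mechanically. The script below is an added example, not code from the thread or from Postfix; the log lines are constructed after the ones quoted above, with recipient addresses replaced by placeholders, and the function names, the 60-second window and the system-account list are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample patterned on the thread's log lines; recipient
# addresses are placeholders, the queue id is the one quoted in the thread.
SAMPLE_LOG = """\
Jun 14 07:48:09 nameserver imapd[16380]: imap service init from 127.0.0.1
Jun 14 07:48:09 nameserver imapd[16380]: Login user=postmaster host=localhost [127.0.0.1]
Jun 14 07:48:09 nameserver imapd[16380]: Logout user=postmaster host=localhost [127.0.0.1]
Jun 14 07:48:10 nameserver postfix/smtp[16403]: 23094B81BD7: to=<rcpt1@invalid.example>, relay=none, delay=2, status=bounced (Host or domain name not found)
Jun 14 07:48:10 nameserver postfix/smtp[16402]: 23094B81BD7: to=<rcpt2@invalid.example>, relay=none, delay=2, status=bounced (Host or domain name not found)
Jun 14 07:48:10 nameserver postfix/smtp[16451]: warning: valid_hostname: empty hostname
Jun 14 07:48:10 nameserver postfix/smtp[16451]: 23094B81BD7: to=<rcpt3@invalid.example>, relay=none, delay=2, status=deferred (malformed MX)
Jun 14 09:15:00 nameserver imapd[17021]: Login user=giuseppe host=pc1 [192.168.1.20]
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
IMAP_LOGIN = re.compile(TS + r"imapd\[\d+\]: Login user=(?P<user>\S+) host=\S+ \[(?P<ip>[^\]]+)\]")
SMTP_STATUS = re.compile(TS + r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<[^>]*>.*status=(?P<status>\w+)")


def parse_ts(text):
    # syslog timestamps carry no year; a fixed year is fine for time deltas
    return datetime.strptime(text, "%b %d %H:%M:%S")


def triage(log_text, system_accounts=("postmaster", "root"), window_s=60):
    """Flag IMAP logins by system accounts that are followed, within window_s
    seconds, by outbound delivery failures (bounced/deferred). One finding per
    login, listing the related queue ids and the number of failed recipients."""
    logins, failures = [], defaultdict(list)
    for line in log_text.splitlines():
        m = IMAP_LOGIN.match(line)
        if m:
            logins.append((parse_ts(m["ts"]), m["user"], m["ip"]))
            continue
        m = SMTP_STATUS.match(line)
        if m and m["status"] in ("bounced", "deferred"):
            failures[m["qid"]].append(parse_ts(m["ts"]))
    findings = []
    for ts, user, ip in logins:
        if user not in system_accounts:
            continue
        related = {qid for qid, times in failures.items()
                   if any(0 <= (t - ts).total_seconds() <= window_s for t in times)}
        findings.append({"user": user, "ip": ip, "login_at": ts.strftime("%b %d %H:%M:%S"),
                         "queue_ids": sorted(related),
                         "failed_recipients": sum(len(failures[q]) for q in related)})
    return findings
```

Run it over the real mail log after the password change as well: a postmaster login that still appears, or new queue ids following it, means the credentials or the host are still not clean.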