On Thu, Oct 08, 2015 at 12:34:25AM +1100, Voytek wrote:

> it looks like I have a couple of compromised user accounts on one of the
> domains on this server, I've changed the user password then even deleted
> the user (through postfixadmin) but that didn't help..? I can see in the
> log this:
>
> Oct 8 00:27:57 emu postfix/smtpd[7655]: 87E6B5E791:
> client=unknown[104.200.78.121], sasl_method=LOGIN,
> sasl_username=c...@dom.org.au
> Oct 8 00:27:58 emu postfix/smtpd[7678]: 645845FCCE:
> client=unknown[104.200.78.121], sasl_method=LOGIN,
> sasl_username=b...@dom.org.au
>
> I've also tried adding to main.cf this "check_sasl_access
> hash:/etc/postfix/sasl_access"
>
> # cat /etc/postfix/sasl_access
> cas HOLD
> bank HOLD
> cas...@dom.org.au HOLD
> bankst...@dom.org.au HOLD

Notice that the logs say "c...@dom.org.com", but you're not blocking that exact authentication name.

--
Viktor.
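
A check for the mismatch pointed out above, as an added example that is not part of the original thread: it lists every `sasl_username` seen in the smtpd log that has no identical key in the `check_sasl_access` map source. The addresses, IPs, queue IDs and log lines are constructed, and the comparison is a strict string match.

```python
import re
from collections import defaultdict

# Fields Postfix smtpd logs for a SASL-authenticated client.
SASL_RE = re.compile(
    r"client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\],\s*"
    r"sasl_method=(?P<method>[^,\s]+),\s*"
    r"sasl_username=(?P<user>\S+)"
)

# Constructed sample data (documentation addresses, not from the thread).
SAMPLE_LOG = """\
Oct  8 00:27:57 mx postfix/smtpd[7655]: 1A2B3C4D5E: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=alice@example.org
Oct  8 00:27:58 mx postfix/smtpd[7678]: 2B3C4D5E6F: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=bob@example.org
Oct  8 00:28:03 mx postfix/smtpd[7655]: 3C4D5E6F7A: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=alice@example.org
"""
SAMPLE_MAP = """\
# constructed map source: bare local parts plus one full address
alice HOLD
bob HOLD
bob@example.org HOLD
"""

def parse_access_map(text):
    """Return {lookup_key: action} from access(5)-style 'key action' lines."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        table[parts[0]] = parts[1] if len(parts) > 1 else ""
    return table

def uncovered_logins(log_text, map_text):
    """Map each logged sasl_username lacking an exact map key to its client IPs."""
    keys = parse_access_map(map_text)
    missing = defaultdict(set)
    for m in SASL_RE.finditer(log_text):
        if m["user"] not in keys:  # no partial or local-part matching
            missing[m["user"]].add(m["ip"])
    return {user: sorted(ips) for user, ips in missing.items()}

if __name__ == "__main__":
    for user, ips in uncovered_logins(SAMPLE_LOG, SAMPLE_MAP).items():
        print(f"{user}: no exact key in map, seen from {', '.join(ips)}")
```

Here the bare `alice` key does not cover logins as `alice@example.org`, so that name is reported, while `bob@example.org` has an exact key and is not.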