So what is SASL using in Postfix? Is Postfix calling SASL, which calls PAM, which calls LDAP, to check the password?

You must follow the trail of how they got the password if you say you changed it and it does not help.

-ALF
-Angelo Fazzina
Operating Systems Programmer / Analyst
University of Connecticut, UITS, SSG-Linux/ M&C
860-486-9075

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Paul van der Vlis
Sent: Friday, October 21, 2016 4:16 PM
To: [email protected]
Subject: Open relay

Hello,

I have a big problem, someone is using my mailserver for sending spam. I see it in the logs. I can block the IP but then they use other IPs.

So far I know my server is up-to-date and correctly configured. And when I do some open relay tests, everything is OK. Like these ones:
http://www.mailradar.com/openrelay/
http://mxtoolbox.com/diagnostic.aspx

The name of my mailserver is mail.vandervlis.nl, so far I see the spammers are using port 587. Please feel free to do tests.

What I see in the logs and in the headers of the spam is that they are using authentication. But the username is not correct. On my server I use usernames like "john", and this username looks like an e-mail address, so with an "@" in it. The part before the @ is a correct username on my server, but when I change the password it does not help.

All spam is recognizable by this authenticated username. In the headers I see this as the first "Received" (I've changed the authenticated sender for privacy):
----
Received: from [127.0.0.1] (87-92-55-206.bb.dnainternet.fi [87.92.55.206])
        (Authenticated sender: [email protected])
        by mail.vandervlis.nl (Postfix) with ESMTPSA id 774B23E0285;
        Fri, 21 Oct 2016 18:57:14 +0200 (CEST)
----
As if my server had sent it to my server...

Does somebody have a clue here?

With regards,
Paul van der Vlis.
Some settings and logs:

smtpd_relay_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/whitelist,
    reject_invalid_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    reject_unauth_destination,
    check_policy_service unix:private/shadelist,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client ix.dnsbl.manitu.net,
    permit
smtpd_tls_cert_file = /etc/postfix/tls/*.vandervlis.nl.pem
smtpd_use_tls = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_tls_loglevel = 1
smtpd_tls_auth_only = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes

Oct 21 16:54:31 sigmund postfix/smtpd[2158]: D34743E027B: client=unknown[94.26.41.188], sasl_method=PLAIN, [email protected]

--
Paul van der Vlis Linux systeembeheer Groningen
https://www.vandervlis.nl/
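The first thing a responder wants from the logs above is the trail ALF asks for: which SASL usernames are actually authenticating, from how many client IPs, and which of those names are not accounts on the box. The script below is an added example, not code from the thread or from Postfix; it parses smtpd log lines in Postfix's standard `sasl_method=..., sasl_username=...` format and flags names that are not local accounts, noting separately when the part before the "@" is a real account (the pattern Paul describes). The sample log lines are constructed for the example: the usernames, the `example.com` domain, the documentation-range IPs and the `LOCAL_USERS` set are assumptions, and only the first line mirrors the line in the thread.

```python
import re

# Accepted SASL login as logged by postfix/smtpd:
#   <queue id>: client=<hostname>[<ip>], sasl_method=<mech>, sasl_username=<name>
SASL_LOGIN_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\], "
    r"sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+)"
)

# Constructed sample lines (assumption: example.com and documentation-range
# IPs stand in for real ones; the first line mirrors the thread's log line).
SAMPLE_LOG = """\
Oct 21 16:54:31 sigmund postfix/smtpd[2158]: D34743E027B: client=unknown[94.26.41.188], sasl_method=PLAIN, sasl_username=john@example.com
Oct 21 16:55:02 sigmund postfix/smtpd[2160]: 1A2B3C4D5E6: client=unknown[87.92.55.206], sasl_method=PLAIN, sasl_username=john@example.com
Oct 21 17:01:10 sigmund postfix/smtpd[2171]: 774B23E0285: client=laptop.lan[192.0.2.10], sasl_method=LOGIN, sasl_username=john
Oct 21 17:03:44 sigmund postfix/smtpd[2175]: 0F0E0D0C0B0: client=unknown[203.0.113.9], sasl_method=PLAIN, sasl_username=john@example.com
Oct 21 17:05:00 sigmund postfix/smtpd[2180]: BADC0FFEE00: client=unknown[203.0.113.9], sasl_method=PLAIN, sasl_username=ghost@example.com
Oct 21 17:06:12 sigmund postfix/smtpd[2181]: connect from unknown[198.51.100.7]
"""

# Assumption: the accounts that really exist on the server. As in the thread,
# they carry no "@".
LOCAL_USERS = {"john", "paul"}


def parse_sasl_logins(log_text):
    """Return one dict (qid, host, ip, method, user) per accepted SASL login."""
    logins = []
    for line in log_text.splitlines():
        m = SASL_LOGIN_RE.search(line)
        if m:
            logins.append(m.groupdict())
    return logins


def triage(logins, local_users):
    """Group logins by sasl_username and flag names that are not local accounts.

    For a name containing "@", also record whether the part before the "@" is
    itself a local account: that is the shape of the name in the thread, and it
    points at whatever backend accepts that form of the name.
    """
    report = {}
    for login in logins:
        user = login["user"]
        entry = report.setdefault(user, {
            "count": 0,
            "ips": set(),
            "methods": set(),
            "known_local": user in local_users,
            "local_part_is_account": "@" in user
                                     and user.split("@", 1)[0] in local_users,
        })
        entry["count"] += 1
        entry["ips"].add(login["ip"])
        entry["methods"].add(login["method"])
    return report


def suspicious_usernames(report):
    """Usernames that authenticated successfully but are not local accounts."""
    return sorted(u for u, e in report.items() if not e["known_local"])


def summarize(report):
    """Human-readable lines, busiest username first."""
    lines = []
    for user in sorted(report, key=lambda u: -report[u]["count"]):
        e = report[user]
        flag = "OK " if e["known_local"] else "?? "
        note = " [local part is a real account]" if e["local_part_is_account"] else ""
        lines.append(
            f"{flag}{user}: {e['count']} login(s) from {len(e['ips'])} IP(s) "
            f"via {','.join(sorted(e['methods']))}{note}"
        )
    return lines


if __name__ == "__main__":
    rep = triage(parse_sasl_logins(SAMPLE_LOG), LOCAL_USERS)
    print("\n".join(summarize(rep)))
    print("investigate:", suspicious_usernames(rep))
```

Run it against `/var/log/mail.log` instead of `SAMPLE_LOG` and the `??` entries are the names to chase through the SASL backend; a name whose local part is a real account but which keeps working after a password change is the case to take to whatever `smtpd_sasl_type` points at.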
