On 23-10-16 at 13:32, Ansgar Wiechers wrote:
> On 2016-10-23 Paul van der Vlis wrote:
>> On 22-10-16 at 18:23, /dev/rob0 wrote:
>>> The only actual conclusion is that you have failed to put forth the
>>> necessary information, as Bill [I think] pointed you to the
>>> http://www.postfix.org/DEBUG_README.html#mail link.
>>
>> The problem is that somebody did send spam using port 587 with a not
>> existing username, and I am interested how that is possible.
>>
>> sigmund:/var/log# postconf -Mf
>
> So you finally decided to show the output of "postconf -Mf" and
> "saslfinger -s". Good. Now you just need to provide the rest of the
> information Bill Cole asked of you 2 days ago:
>
> - Full output of "postconf -nf".
> - Full headers of a sample message (you may obfuscate personal
>   information about the recipient).
> - All log lines associated with that particular message. At the very
>   least the output of "grep <QUEUE_ID> /var/log/mail.log".

I am sorry when I did not give the right information. I did read the
link, and did what was asked there.

> In case you don't know how to find the queue ID in a log message, it's
> this part of the log line:
>
>   <date> <host> postfix/smtpd[<pid>]: 2758BBF4062: ...
>                                       ^^^^^^^^^^^
> And did you already investigate why the authentication backend considers
> "p...@puk.nl" a valid user, as Noel Jones asked? What did you find out?

Yes, and I found out that when the username is "p...@puk.nl" SASL
actually checks on "piet":
----------
saslauthd[19855] :do_auth : auth success: [user=piet] [service=smtp] [realm=puk.nl] [mech=pam]
----------

I did some more tests, and it seems to be that the spammer actually did
know the password. After changing the password, the logging changed:
----------
saslauthd[20161] :do_auth : auth failure: [user=piet] [service=smtp] [realm=puk.nl] [mech=pam]
---------

<cut>

With regards,
Paul van der Vlis.

-- 
Paul van der Vlis Linux systeembeheer Groningen
https://www.vandervlis.nl/
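
The two saslauthd lines in the message above show the login split into a user part and a realm, with the PAM result logged for the user part. As an added example (not part of the original thread), this Python script parses such `do_auth` lines and reports both patterns seen here: a PAM success for a login that carried a realm, and a success followed by a failure for the same account. The names `parse_line` and `review`, the finding labels and the third sample line are assumptions made for this example.

```python
import re
from collections import defaultdict

# Tolerant of the spacing variations around "do_auth" seen in saslauthd logs.
LINE_RE = re.compile(
    r"saslauthd\[(?P<pid>\d+)\]\s*:\s*do_auth\s*:\s*"
    r"auth (?P<result>success|failure):\s*(?P<fields>(?:\[[^\]]*\]\s*)+)"
)
FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")

def parse_line(line):
    """Return a dict of the bracketed fields plus result/pid, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["result"] = m.group("result")
    rec["pid"] = int(m.group("pid"))
    return rec

def review(lines):
    """Return findings as (label, user, service, realm) tuples, in log order."""
    history = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            history[(rec.get("user"), rec.get("service"))].append(rec)
    findings = []
    for (user, service), recs in history.items():
        for rec in recs:
            # The realm was part of the login, but the result is for the
            # bare user name only (what the thread calls "checks on piet").
            if rec["result"] == "success" and rec.get("mech") == "pam" and rec.get("realm"):
                findings.append(("realm-split-success", user, service, rec["realm"]))
        results = [r["result"] for r in recs]
        # A success followed by a failure: the credential that used to work
        # is still being tried, as happened here after the password change.
        if any(a == "success" and b == "failure" for a, b in zip(results, results[1:])):
            findings.append(("success-then-failure", user, service, None))
    return findings

SAMPLE = [
    # The first two lines are the ones quoted in the thread.
    "saslauthd[19855] :do_auth : auth success: [user=piet] [service=smtp] [realm=puk.nl] [mech=pam]",
    "saslauthd[20161] :do_auth : auth failure: [user=piet] [service=smtp] [realm=puk.nl] [mech=pam]",
    # Constructed line: a login without a realm, which should not be flagged.
    "saslauthd[20170]: do_auth         : auth success: [user=anna] [service=imap] [realm=] [mech=pam]",
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```
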