Hi Paul, 

I saw you got it fixed, compromised password as I suspected.  ;-) 

I also saw this in your log. 
from [127.0.0.1] (87-92-55-206.bb.dnainternet.fi [87.92.55.206] 

This should never be allowed (from 127.0.0.1 on the external IP).
That's impossible imo.

To fix that you can use something like below. 
Just make sure every known hostname and IP number of the server is listed here. 

Beware of these 3, they can give false positives.
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname, 


(pcre:/etc/postfix/pcre/helo.pcre) 
## Namebase
/^ip6-localhost$/               554 Don't use my own hostname
/^localhost$/                   554 Don't use my own hostname
/^localhost\.localdomain$/      554 Don't use my own hostname
/^localhost\.yourdomain\.tld$/  554 Don't use my own hostname
/^localhost\.subdom\.yourdomain\.tld$/  554 Don't use my own hostname

/^yourdomain\.tld$/             554 Don't use my own domainname
/^hostname\.yourdomain\.tld$/   554 Don't use my own hostname
/^hostname\.subdom\.yourdomain\.tld$/   554 Don't use my own hostname

## IP Based
/^127\.0\.0\.1$/                554 Don't use my own IP address
/^\[127\.0\.0\.1\]$/            554 Don't use my own IP address
/^::1$/                         554 Don't use my own IP address
/^\[::1\]$/                     554 Don't use my own IP address
/^\[IPv6:::1\]$/                554 Don't use my own IP address
# 1.2.3.4 = the server's own public IP. No backslash before the first digit:
# a leading \1 is a backreference to a non-existent group and the rule would not compile.
/^1\.2\.3\.4$/                  554 Don't use my own IP address
/^\[1\.2\.3\.4\]$/              554 Don't use my own IP address
# and add ipv6 ip if you use it.

## Optional, but can give false blocks.
#/^[0-9.]+$/                    554 Your software is not RFC 2821 compliant: EHLO/HELO must be a hostname.domain.tld or an address-literal (IP enclosed in brackets)
#/^[0-9]+(\.[0-9]+){3}$/        554 Your software is not RFC 2821 compliant: EHLO/HELO must be a hostname.domain.tld or an address-literal (IP enclosed in brackets)
#/^[0-9.-]+$/                   550 Your software is not RFC 2821 compliant: EHLO/HELO must be a hostname.domain.tld or an address-literal (IP enclosed in brackets)
#/^[0-9]+(\.[0-9]+){3}$/        REJECT Invalid hostname


# added in main.cf
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    check_helo_access hash:/etc/postfix/overrule/allow_helo_access.map,
    check_helo_access pcre:/etc/postfix/pcre/helo.pcre,
    permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,
    reject_unauth_destination,
    reject_unauth_pipelining


Greetz, 

Louis



> -----Original Message-----
> From: p...@vandervlis.nl [mailto:owner-postfix-us...@postfix.org] On behalf of
> Paul van der Vlis
> Sent: Sunday 23 October 2016 13:51
> To: postfix-users@postfix.org
> Subject: Re: Open relay, found it
> 
> On 23-10-16 at 13:32, Ansgar Wiechers wrote:
> > On 2016-10-23 Paul van der Vlis wrote:
> >> On 22-10-16 at 18:23, /dev/rob0 wrote:
> >>> The only actual conclusion is that you have failed to put forth the
> >>> necessary information, as Bill [I think] pointed you to the
> >>> http://www.postfix.org/DEBUG_README.html#mail link.
> >>
> >> The problem is that somebody sent spam using port 587 with a
> >> non-existing username, and I am interested in how that is possible.
> >>
> >> sigmund:/var/log# postconf -Mf
> >
> > So you finally decided to show the output of "postconf -Mf" and
> > "saslfinger -s". Good. Now you just need to provide the rest of the
> > information Bill Cole asked of you 2 days ago:
> >
> > - Full output of "postconf -nf".
> > - Full headers of a sample message (you may obfuscate personal
> >   information about the recipient).
> > - All log lines associated with that particular message. At the very
> >   least the output of "grep <QUEUE_ID> /var/log/mail.log".
> 
> I am sorry if I did not give the right information. I read the
> link, and did what was asked there.
> 
> >   In case you don't know how to find the queue ID in a log message, it's
> >   this part of the log line:
> >
> >   <date> <host> postfix/smtpd[<pid>]: 2758BBF4062: ...
> >                                       ^^^^^^^^^^^
> > And did you already investigate why the authentication backend considers
> > "p...@puk.nl" a valid user, as Noel Jones asked? What did you find out?
> 
> Yes, and I found out that when the username is "p...@puk.nl", SASL
> actually checks "piet":
> ----------
> saslauthd[19855] :do_auth         : auth success: [user=piet]
> [service=smtp] [realm=puk.nl] [mech=pam]
> ----------
> 
> I did some more tests, and it seems to be that the spammer actually did
> know the password. After changing the password, the logging changed:
> ----------
> saslauthd[20161] :do_auth         : auth failure: [user=piet]
> [service=smtp] [realm=puk.nl] [mech=pam]
> ---------
> 
> <cut>
> 
> With regards,
> Paul van der Vlis.
> 
> 
> 
> --
> Paul van der Vlis Linux system administration Groningen
> https://www.vandervlis.nl/


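Added example, not code from this thread or from Postfix: a small Python checker that reads a constructed copy of the HELO table from Louis's reply above, in the subset of pcre_table(5) syntax that table uses, and runs constructed HELO strings through it with the same first-match, case-insensitive-by-default semantics as `postmap -q`. Assumptions: hostname.yourdomain.tld and 1.2.3.4 are the post's placeholders for the server's own name and address; the `[IPv6:::1]` line is added because RFC 5321 writes IPv6 address literals with that tag; `[127.0.0.1]` as a test input is the HELO behind the `from [127.0.0.1] (...)` line quoted in the post; the parser is a simplified one written for this example and does not implement Postfix's if/endif blocks, `!/pattern/` negation, `$1` substitution or alternative delimiters.

```python
import re
from typing import List, Optional, Tuple

# Constructed copy of the HELO table from the post. hostname.yourdomain.tld
# and 1.2.3.4 are the post's placeholders for the server's own name and IP.
# The [IPv6:::1] form is added: RFC 5321 IPv6 address literals carry that tag.
HELO_PCRE = r"""
## Namebase
/^ip6-localhost$/               554 Don't use my own hostname
/^localhost$/                   554 Don't use my own hostname
/^localhost\.localdomain$/      554 Don't use my own hostname
/^localhost\.yourdomain\.tld$/  554 Don't use my own hostname
/^yourdomain\.tld$/             554 Don't use my own domainname
/^hostname\.yourdomain\.tld$/   554 Don't use my own hostname

## IP Based
/^127\.0\.0\.1$/                554 Don't use my own IP address
/^\[127\.0\.0\.1\]$/            554 Don't use my own IP address
/^::1$/                         554 Don't use my own IP address
/^\[::1\]$/                     554 Don't use my own IP address
/^\[IPv6:::1\]$/                554 Don't use my own IP address
/^1\.2\.3\.4$/                  554 Don't use my own IP address
/^\[1\.2\.3\.4\]$/              554 Don't use my own IP address

## Optional, but can give false blocks (left commented out, as in the post).
#/^[0-9]+(\.[0-9]+){3}$/        554 EHLO/HELO must be a hostname or an address-literal
"""

Rule = Tuple["re.Pattern[str]", str]


def parse_pcre_table(text: str) -> List[Rule]:
    """Parse the pcre_table(5) subset used above: '/pattern/flags action',
    '#' comments and blank lines. As in Postfix, matching is case-insensitive
    by default and the 'i' flag toggles that. Simplified parser for this
    example: no if/endif, no !/pattern/, no $1 substitution, '/' delimiter only."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith("/"):
            raise ValueError(f"line {lineno}: expected /pattern/, got {line!r}")
        end = line.find("/", 1)
        while end != -1 and line[end - 1] == "\\":  # skip escaped slashes
            end = line.find("/", end + 1)
        if end == -1:
            raise ValueError(f"line {lineno}: unterminated pattern")
        pattern, rest = line[1:end], line[end + 1:]
        m = re.fullmatch(r"([A-Za-z]*)\s+(\S.*)", rest)
        if m is None:
            raise ValueError(f"line {lineno}: missing action after pattern")
        flags, action = m.groups()
        re_flags = 0 if "i" in flags else re.IGNORECASE
        # re.compile raises re.error on a pattern the engine cannot compile.
        rules.append((re.compile(pattern, re_flags), action.strip()))
    return rules


def lookup(rules: List[Rule], helo: str) -> Optional[str]:
    """First matching rule wins, like `postmap -q HELO pcre:/etc/postfix/pcre/helo.pcre`.
    Postfix searches the key rather than anchoring it, which is why every
    pattern in the table carries ^ and $."""
    for pattern, action in rules:
        if pattern.search(helo):
            return action
    return None


def check_helo(rules: List[Rule], helo: str) -> str:
    """What check_helo_access does with this HELO: the table's reply on a
    match, otherwise DUNNO (fall through to the next smtpd_helo_restriction)."""
    return lookup(rules, helo) or "DUNNO"


def bad_pattern_is_rejected() -> bool:
    r"""True if the engine refuses /^\1\.2\.3\.4$/: an easy slip when escaping
    a dotted IP, but \1 is a backreference to a group that does not exist, so
    the rule never compiles and the server's own IP stays usable as a HELO.
    PCRE rejects it for the same reason; check a new map with postmap -q."""
    try:
        re.compile(r"^\1\.2\.3\.4$")
    except re.error:
        return True
    return False


RULES = parse_pcre_table(HELO_PCRE)

if __name__ == "__main__":
    # "[127.0.0.1]" is the HELO behind the "from [127.0.0.1] (...)" line in the post.
    for helo in ["[127.0.0.1]", "localhost", "LOCALHOST.localdomain", "1.2.3.4",
                 "hostname.yourdomain.tld", "[IPv6:::1]", "mail.example.net", "[10.0.0.5]"]:
        print(f"{helo:26} -> {check_helo(RULES, helo)}")
    print("bad \\1 pattern rejected by the engine:", bad_pattern_is_rejected())
```

The mixed-case "LOCALHOST.localdomain" input is there because the table itself is all lower-case; it still matches only because Postfix pcre tables are case-insensitive unless a rule is given the `i` flag. "[10.0.0.5]" returns DUNNO because the bare-IP and address-literal catch-all rules stay commented out, exactly as in the post, so only the server's own name and addresses are refused.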