On 13 June 2017 10:28:39 CEST, Homer Wilson Smith <homerwsm...@lightlink.com> wrote:
>
> Running postfix 2.3.3 CentOS 5.x
>
> This is a simple apache 2 web server running postfix for
> incoming mail for shell users on the same server. Very low key,
> almost no traffic, outside is not allowed to connect to the
> postfix on this machine.
>
> This machine only handles shell users on its own domain,
> adore.lightlink.com, and mail addressed or forwarded to it from our other
> real mail servers that talk to the outside world.
>
> Suddenly I am finding adore's mailq queue filled with spam, each having
> a pickup line in the logs, but no indication where it comes from,
> probably the web server as the from username is apache, but so far no
> correlation between web logs and time stamp on pickup line.
>
> This machine is also running an innd news server if it makes
> any difference, innd 2.x
>
> Can someone tell me about possible injection routes into the
> maildrop directory and how to stop it if I can't
> find the web page doing it.

Start with restricting which users are allowed to locally submit mail
authorized_submit_users
http://www.postfix.org/postconf.5.html#authorized_submit_users

> Thanks Homer
>
> Jun 12 05:26:16 adore2 postfix/pickup[14251]: E39582B000C: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: F23D62B000F: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: 099E82B0028: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: 2169C2B0038: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: 260E32B0065: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: 2AB902B007D: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: 325422B0080: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: 3AC572B0095: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: 3D0A32B00B8: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: 417DD2B00BD: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: 4728B2B00CA: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: 4FE062B00D2: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: 89BB02B00DD: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: A53092B00E3: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: BEAB72B00E7: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: CA9F42B00EC: uid=48 from=<apache>
> ... on and on and on thousands etc.

--
Christian Kivalo
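
An added example, not part of the original thread: one way to pin down when a uid started bulk-submitting through pickup and to list web requests logged just before that moment. Assumptions: the year is passed in because syslog timestamps carry none, both logs use the same local time zone, and the access-log lines, the path `/example/contact.php` and uid 501 are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input, modelled on the pickup lines quoted in the thread.
MAILLOG = """\
Jun 12 05:26:16 adore2 postfix/pickup[14251]: E39582B000C: uid=48 from=<apache>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: F23D62B000F: uid=48 from=<apache>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: 099E82B0028: uid=48 from=<apache>
Jun 12 09:02:41 adore2 postfix/pickup[14251]: 5B1C02B0101: uid=501 from=<alice>
"""
# Constructed Apache access-log lines (addresses and paths are placeholders).
ACCESSLOG = """\
192.0.2.10 - - [12/Jun/2017:05:26:15 +0200] "POST /example/contact.php HTTP/1.1" 200 512
198.51.100.7 - - [12/Jun/2017:05:20:03 +0200] "GET /index.html HTTP/1.1" 200 1043
"""
PICKUP = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ postfix/pickup\[\d+\]: \w+: uid=(\d+) ")
ACCESS = re.compile(r'^(\S+) \S+ \S+ \[([^ \]]+) [^\]]*\] "(\S+) (\S+)')

def submit_bursts(log, year, threshold=3, window=timedelta(seconds=60)):
    """Map uid -> start of its first run of >= threshold pickups inside window."""
    times = defaultdict(list)
    for line in log.splitlines():
        m = PICKUP.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            times[int(m.group(2))].append(ts)
    bursts = {}
    for uid, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                bursts.setdefault(uid, ts[start])
    return bursts

def posts_before(access_log, when, slack=timedelta(seconds=30)):
    """(client, path) of POST requests logged at most `slack` before `when`."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS.match(line)
        if not m or m.group(3) != "POST":
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
        if timedelta(0) <= when - ts <= slack:
            hits.append((m.group(1), m.group(4)))
    return hits
```

An empty result from `posts_before` does not clear the web server: the submitting script may have been triggered by a GET request or by something other than an HTTP request.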