Hello, I'm seeing a lot of emails coming from a local IP address trying to send messages to non-existent accounts. The sending accounts are valid and even authenticated. They all try to send messages to the domain matching the sending one. For example:
supp...@example.org -> u...@example.org
supp...@example.net -> u...@example.net

and so on. support@* is valid, user@* is not. In the logs they are coming from the inet_interfaces address set in main.cf. This is the handshake part:

Out: 220 mail.example.com ESMTP Postfix
In: EHLO localhost.localdomain
Out: 250-mail.example.com
Out: 250-PIPELINING
Out: 250-SIZE 24800000
Out: 250-ETRN
Out: 250-STARTTLS
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In: STARTTLS
Out: 220 2.0.0 Ready to start TLS
In: EHLO localhost.localdomain
Out: 250-mail.example.com
Out: 250-PIPELINING
Out: 250-SIZE 24800000
Out: 250-ETRN
Out: 250-AUTH PLAIN LOGIN
Out: 250-AUTH=PLAIN LOGIN
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In: AUTH LOGIN
Out: 334 fjUIrwvlXCkR
In: t3VncG6ydiBwpGZ2v3ducmRjb476ZXJ0ZXIub3Jn
Out: 334 dfjklaeuYFGL
In: dEgzfjklsaliQwMxl
Out: 235 2.7.0 Authentication successful
In: MAIL FROM:<supp...@example.org>
Out: 250 2.1.0 Ok
In: RCPT TO:<u...@example.org>
Out: 451 4.3.0 <u...@example.org>: Temporary lookup failure
Session aborted, reason: lost connection

Jun  3 06:12:04 mail postfix/smtpd[26186]: connect from mail.example.com[DD.DDD.DD.DDD]
Jun  3 06:12:04 mail postfix/smtpd[26186]: setting up TLS connection from mail.example.com[DD.DDD.DD.DDD]
Jun  3 06:12:04 mail postfix/smtpd[26186]: Anonymous TLS connection established from mail.example.com[DD.DDD.DD.DDD]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jun  3 06:12:04 mail postfix/smtpd[26186]: NOQUEUE: reject: RCPT from mail.example.com[DD.DDD.DD.DDD]: 550 5.1.1 <u...@example.org>: Recipient address rejected: User unknown in virtual mailbox table; from=<supp...@example.org> to=<u...@example.org> proto=ESMTP helo=<localhost.localdomain>
Jun  3 06:12:04 mail postfix/smtpd[26186]: lost connection after RCPT from mail.example.com[DD.DDD.DD.DDD]
Jun  3 06:12:04 mail postfix/smtpd[26186]: disconnect from mail.example.com[DD.DDD.DD.DDD]

My postconf -n (Postfix 2.6.6) is in the attachment.
How can I find out where these emails are coming from? If they are really from localhost, what program/script? If from outside, how do I prevent IP spoofing? Seeing that it tries several passwords and succeeds makes me even more worried.
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
delay_warning_time = 4
disable_vrfy_command = yes
html_directory = no
import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C RESOLV_MULTI=on
inet_interfaces = DD.DDD.DD.DDD
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 24800000
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = example.com
myhostname = mail.example.com
mynetworks = $config_directory/mynetworks
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
recipient_delimiter = +
relay_domains = proxy:mysql:/etc/postfix/mysql-relay_domains_maps.cf
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_client_restrictions =
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_recipient_domain
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions =
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_mailbox_ownership = no
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf, regexp:/etc/postfix/virtual_regexp
virtual_gid_maps = static:12
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_maps.cf
virtual_minimum_uid = 101
virtual_transport = dovecot
virtual_uid_maps = static:101
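The pattern the poster describes (rejects coming from the server's own inet_interfaces address, HELO localhost.localdomain, sender domain equal to recipient domain) can be pulled out of the smtpd log with a small parser. The following is an added example, not code from the poster or from Postfix. The log lines in it are constructed to match the format shown above; 192.0.2.10 stands in for the server's own address (the page's DD.DDD.DD.DDD placeholder), and the own_ips set and the threshold of 2 rejects are assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format of the post's smtpd log (not real data).
# 192.0.2.10 is the assumed inet_interfaces address; 198.51.100.7 is an unrelated client.
SAMPLE_LOG = """\
Jun  3 06:12:04 mail postfix/smtpd[26186]: connect from mail.example.com[192.0.2.10]
Jun  3 06:12:04 mail postfix/smtpd[26186]: NOQUEUE: reject: RCPT from mail.example.com[192.0.2.10]: 550 5.1.1 <user@example.org>: Recipient address rejected: User unknown in virtual mailbox table; from=<support@example.org> to=<user@example.org> proto=ESMTP helo=<localhost.localdomain>
Jun  3 06:12:05 mail postfix/smtpd[26186]: NOQUEUE: reject: RCPT from mail.example.com[192.0.2.10]: 550 5.1.1 <user@example.net>: Recipient address rejected: User unknown in virtual mailbox table; from=<support@example.net> to=<user@example.net> proto=ESMTP helo=<localhost.localdomain>
Jun  3 06:13:10 mail postfix/smtpd[26190]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown in virtual mailbox table; from=<bounce@elsewhere.test> to=<nobody@example.org> proto=ESMTP helo=<elsewhere.test>
"""

# Matches the NOQUEUE reject lines and captures the fields we group and compare on.
REJECT_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: NOQUEUE: reject: RCPT from "
    r"(?P<host>\S+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) .*?"
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> proto=\S+ helo=<(?P<helo>[^>]*)>"
)


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def parse_rejects(log_text):
    """Yield one dict per NOQUEUE reject line; every other line is ignored."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            yield m.groupdict()


def summarize(log_text, own_ips, threshold=2):
    """Group rejects by client IP and flag the pattern from the post: the client is
    one of the server's own addresses, it announces itself as localhost.localdomain,
    and the sender domain equals the recipient domain on at least `threshold` rejects."""
    by_ip = defaultdict(list)
    for r in parse_rejects(log_text):
        by_ip[r["ip"]].append(r)

    report = {}
    for ip, rejects in by_ip.items():
        same_domain = sum(1 for r in rejects if domain_of(r["sender"]) == domain_of(r["rcpt"]))
        local_helo = sum(1 for r in rejects if r["helo"] == "localhost.localdomain")
        report[ip] = {
            "rejects": len(rejects),
            "same_domain": same_domain,
            "local_helo": local_helo,
            "pids": sorted({r["pid"] for r in rejects}),  # smtpd PIDs to cross-check with netstat/lsof
            "suspicious": ip in own_ips and same_domain >= threshold and local_helo >= threshold,
        }
    return report


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG, {"192.0.2.10"}).items():
        print(ip, info)
```

The smtpd PIDs in the report are the handle for the poster's "which program?" question: while such a session is open, the local socket peer of that smtpd process identifies the connecting process on the same host, which the log line alone cannot.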