On Sat, Oct 26, 2019 at 10:48:08AM -0700, Patrick Mahan wrote:
On Sat, Oct 26, 2019 at 6:11 AM Atnakus Arzah <atnakus.ar...@gmail.com> wrote:

On Sat, Oct 05, 2019 at 11:09:35PM -0700, Patrick Mahan wrote:
>All,
>
>I am trying to understand how I am being a mail relay for (what I believe)
>are unauthorized users.  I have the following postfix config set -
>
>smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
>
>mynetworks_style = subnet
>
>However, an account seems to be used as a relay.  The user is
>complaining about seeing tons of MAIL REJECT messages.  The logs are
>showing -
>
>Oct  5 00:00:02 ns postfix/smtpd[65859]: BB829A32C24:
>client=unknown[37.114.181.42], sasl_method=LOGIN, sasl_username=tracy
>Oct  5 00:00:03 ns postfix/cleanup[65877]: BB829A32C24: message-id=<2c64d5d9-682c-4fe8-e0d9-7c9f071f6...@mahan.org>
>Oct  5 00:00:03 ns postfix/qmgr[1159]: BB829A32C24: from=<lozroeb...@mahan.org>, size=772, nrcpt=1 (queue active)
>Oct  5 00:00:04 ns postfix/smtpd[65859]: 56778A32C28:
>client=unknown[37.114.181.42], sasl_method=LOGIN, sasl_username=tracy

Hazarding a guess here: potentially the sender/spammer has access to the
sasl credentials of tracy?

You could verify whether your postfix MTA is open relay using the following
tool: https://mxtoolbox.com/diagnostic.aspx


Once I reset tracy's login credentials the relaying stopped.  It turns out
this particular user had used the same password on many websites and had
undoubtedly been compromised.  I have required that this password remain
private to our mail server.

The mxtoolbox reports that the mail server is not an open relay.

Thanks,

Patrick

You could also use a tool like fail2ban to detect multiple failed logins
(during scans) and block the IP address.

- Atnakus
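Added example, not part of the thread: a small script that reads Postfix smtpd log lines of the shape quoted above and flags SASL accounts relaying from an unusual number of distinct client IPs (the pattern that exposed the compromised "tracy" credential), plus a per-IP count of failed SASL logins of the kind fail2ban would act on. The log lines and thresholds are constructed for illustration; real thresholds depend on your user population.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the thread's excerpt (not the real log).
SAMPLE_LOG = """\
Oct  5 00:00:02 ns postfix/smtpd[65859]: BB829A32C24: client=unknown[37.114.181.42], sasl_method=LOGIN, sasl_username=tracy
Oct  5 00:00:04 ns postfix/smtpd[65859]: 56778A32C28: client=unknown[37.114.181.42], sasl_method=LOGIN, sasl_username=tracy
Oct  5 00:00:09 ns postfix/smtpd[65861]: 7A1F0A32C2B: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=tracy
Oct  5 00:00:15 ns postfix/smtpd[65861]: 9C2E1A32C2D: client=unknown[203.0.113.9], sasl_method=PLAIN, sasl_username=tracy
Oct  5 00:01:30 ns postfix/smtpd[65870]: 1D3F2A32C31: client=laptop.example.net[192.0.2.44], sasl_method=PLAIN, sasl_username=bob
Oct  5 00:02:01 ns postfix/smtpd[65870]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
Oct  5 00:02:03 ns postfix/smtpd[65870]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
"""

# Accepted session: "<queue id>: client=<host>[<ip>]" with optional SASL fields.
ACCEPTED_RE = re.compile(
    r"postfix/smtpd\[\d+\]: [0-9A-F]+: client=(\S+?)\[([^\]]+)\]"
    r"(?:, sasl_method=(\S+), sasl_username=(\S+))?"
)
# Failed SASL authentication warning as Postfix logs it.
FAILED_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+?\[([^\]]+)\]: SASL \S+ authentication failed"
)


def sasl_activity(log_text):
    """Per sasl_username: number of accepted messages and the set of client IPs used."""
    activity = defaultdict(lambda: {"messages": 0, "ips": set()})
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m and m.group(4):  # only sessions that authenticated via SASL
            activity[m.group(4)]["messages"] += 1
            activity[m.group(4)]["ips"].add(m.group(2))
    return activity


def suspicious_users(log_text, max_ips=2, max_messages=50):
    """Accounts submitting from more IPs, or more messages, than a normal user would."""
    return sorted(user for user, a in sasl_activity(log_text).items()
                  if len(a["ips"]) > max_ips or a["messages"] > max_messages)


def failed_logins_by_ip(log_text):
    """Count failed SASL logins per client IP (the signal fail2ban blocks on)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


if __name__ == "__main__":
    print("suspicious SASL users:", suspicious_users(SAMPLE_LOG))
    print("failed logins by IP:", failed_logins_by_ip(SAMPLE_LOG))
```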
