Rich Wales:
> This question is kind-of related to my recent open relay problem, which
> at the moment seems most likely caused by a hacker invading my mail
> server (possibly through a web service running on the same box) and
> injecting fraudulent messages into my server directly via the localhost
> interface.
> 
> Postfix "sort-of" recognizes this, because each of the fake messages
> appears to contain a "Received:" header line (created by my Postfix)
> saying the sender sent out a host name or address in its HELO, but my
> Postfix knew that the message was really coming from 127.0.0.1.
> 
> My question is, is there any configuration option for Postfix to reject
> mail in a situation where the sender is clearly spoofing its identity
> like this during the SMTP conversation?
> 
> I suppose it might possibly be good enough in this situation to use an
> option that rejects inbound mail claiming to be from some outside host
> when in fact it's really coming from localhost.  I've looked at the
> various smtpd_helo_restrictions, but it's not obvious to me which (if
> any) of these can do what I want.
> 
> Obviously, this option (if it exists) would need to be used judiciously
> so as not to block legitimate e-mail passing through milters and such.
> But what I want to know is if any such option exists at all.

I would suggest that you fix the exploited script. Look for time
stamps that appear in both web server logging and Postfix logging.

1) Use awk or perl to extract time stamps from web server logs and
normalize them so that they look the same. Produce sorted unique
timestamps with "sort -u" and save the result to file. Ditto for
time stamps from Postfix logs.

2) Look for time stamps that appear in both files.

    comm -12 webserver-timestamps postfix-timestamps

3) Look up the corresponding records in webserver logs and Postfix logs.

        Wietse
