On Fri, Oct 23, 2020 at 12:57:06PM -0700, Rich Wales wrote:

> > But note also "dovecot" showing up here. It looks like the spammer is
> > using some feature of Dovecot to originate a connection to the Postfix
> > SMTP server.
>
> Actually, it's most likely a log entry from a periodic probe of my
> server's functions (including its IMAP service) by Nagios.

Yes, I noted that Dovecot could have been a red herring.

> I captured another incident last night, and there was no mention of
> Dovecot in the log. I'm not attaching the log for this second incident
> right now (I had "smtpd -v" in effect and the log data is really long),
> but I can share it if people really want to see it.

I don't recall whether you have as yet posted the requested (sans any
reformatting of line breaks) outputs of:

    $ postconf -Mf
    $ postconf -nf

More Postfix log data is not going to help. Somehow the attacker is
managing to create an apparent connection from 127.0.0.1. This is
either a bad rule in your iptables, some interesting abuse of your TCP
stack, or an as yet unreported proxy process on your system.

> I've made another change to my Postfix configuration -- I changed the
> value of postscreen_blacklist_action to "drop".

That won't change anything. What would be helpful is a full packet
capture, which may mean recording everything coming in/out of your
machine for some hours, if you have the space to store full network
recordings.

> I'm still waiting to see if I have any more instances of open relay
> attempts from localhost after having made this change. If the earlier
> open relay attempts are in fact somehow (still unsure how?) being
> generated as a consequence of the blacklisted connection, then maybe
> having postscreen drop right away will nip the open relay attempts in
> the bud.

The logic of this escapes me. Dropping the Postscreen connection
slightly more quickly is unlikely to change anything.

Also, instead of rejecting email from 127.0.0.1, it would be more useful
to accept and quarantine it (put it on HOLD).

    smtpd_client_restrictions =
        check_client_access inline:{ { 127.0.0.1 = HOLD } }
    smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination

-- 
Viktor.
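The following script is an added example, not part of the thread and not written by either participant. It turns Viktor's three candidate explanations for an SMTP client that "appears" to come from 127.0.0.1 (a bad iptables rule, a local proxy process, or something that only a packet capture will reveal) into concrete checks. It assumes a Linux host with iptables-style rules, `ss` and `tcpdump`; the capture directory, the ring-buffer sizes and the `run` argument are choices made for this script.

```sh
#!/bin/sh
# Added example (not from the thread): work through the three explanations
# offered for an SMTP client that appears to come from 127.0.0.1.
# Command names are standard Linux tools; the capture directory, file
# sizes and the "run" argument are assumptions made for this script.

# 1. Bad iptables rule.  Feed it the output of `iptables-save` (live or a
#    saved copy) and it prints nat rules that REDIRECT or DNAT traffic to
#    port 25; any such rule makes outside clients look local to Postfix.
smtp_nat_rules() {
    grep -E -e '-j (REDIRECT|DNAT)' |
    grep -E -e '(--dport|--to-ports) 25( |$)|:25( |$)'
}

# 2. Unreported proxy process.  Sockets whose peer is 127.0.0.1:25 belong
#    to whatever is opening the local SMTP connections; -p names the PID.
local_smtp_clients() {
    ss -tnp dst 127.0.0.1:25
}

# 3. Full packet capture, as suggested in the thread, on every interface
#    including lo (the apparent client is loopback, so lo matters), kept
#    in a ring of 20 x 500 MB files so it can run for hours.  Needs root.
start_capture() {
    dir=${1:-/var/tmp/smtpcap}          # assumed location
    mkdir -p "$dir"
    tcpdump -i any -s 0 -C 500 -W 20 -w "$dir/all.pcap"
}

main() {
    echo '== nat rules touching port 25 =='
    iptables-save | smtp_nat_rules || echo '(none)'
    echo '== processes connected to 127.0.0.1:25 =='
    local_smtp_clients
    echo '== starting capture (Ctrl-C to stop) =='
    start_capture "$2"
}

# Only act when invoked as: sh probe_localhost_smtp.sh run [capture-dir]
if [ "${1:-}" = run ]; then
    main "$@"
fi
```

Run the first two checks while an incident is in progress, since a proxy's client socket only exists for the duration of the connection. Hosts that use nftables rather than iptables need `nft list ruleset` instead, and the `smtp_nat_rules` pattern does not apply to that syntax. Once the HOLD rule from the message is in place, held messages appear in `postqueue -p` with a `!` marker and can be read in full with `postcat -q <queue-id>`, which preserves the evidence that a reject would discard.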