Webmin postfix compromised, lots of spam through my mailserver

#1 Tue, 01/05/2016 - 03:45
marceld202

Hi,

Yesterday I discovered thousands of mails being sent through the mailserver of one of my VPS systems. So I did some digging and checked the logs; however, I did not see any authentication in the logs.

Then I did a test in my mailclient (Outlook). What I discovered is that I could send mails over my mailserver without authentication! For receiving I need authentication, but not for sending.

Then I thought, maybe the incoming mail authentication is being carried over to the outgoing mail settings in my mailclient (Outlook); however, when I just check outgoing mail (even when I change my password, etc.), it still succeeds according to the Outlook test.

So I checked my config of postfix and compared it to some on the internet, and found lots of speculation about this setting: smtpd_recipient_restrictions:

My value was: permit_mynetworks permit_sasl_authenticated reject_unauth_destination

Then I changed this to permit_mynetworks permit_sasl_authenticated reject

Now I needed the outgoing mailserver verification; however, I wasn't able to receive mail anymore from certain domains (in this case tested with Office 365).

So I'm a little lost here. I couldn't find any conclusive guide on the correct / safe settings (even just to begin with), so I don't know where my settings are wrong. Hopefully someone can share his postfix configuration so I can check it out.

Thanks!

Tue, 01/05/2016 - 03:48
marceld202

Note: I did an open relay check using http://mxtoolbox.com/diagnostic.aspx, which turned out fine, so no open relay. However, I'm using the IMAP protocol, so maybe that's why the SMTP check is OK but something is wrong in my IMAP auth.

Tue, 01/05/2016 - 04:08
marceld202

One more thing: I read this somewhere:

'The magical file you need to edit is /etc/sysconfig/saslauthd. At the bottom you will see the following:

Additional flags to pass to saslauthd on the command line. See saslauthd(8) for the list of accepted flags. FLAGS=-r'

To enable an email structure like me@domain.

However, the file /etc/sysconfig/saslauthd does not exist on my system. I'm on Linux, Ubuntu 14.

There is a file /usr/sbin/saslauthd (encrypted as it seems, or at least not readable) and there is a file /etc/default/saslauthd, but that doesn't have this line at the bottom?

Tue, 01/05/2016 - 11:10
andreychek

Howdy,

The default settings for "smtpd_recipient_restrictions" are:

permit_mynetworks permit_sasl_authenticated reject_unauth_destination

Is your desktop PC on the same LAN as your server? Or are you just emailing someone on your Virtualmin server? In either case Postfix may accept the messages you're sending with those settings.

-Eric
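Eric's point is that the default list is not an open relay: `reject_unauth_destination` only rejects recipients outside the server's own domains, so an unauthenticated client can still hand in mail addressed to a local mailbox (which is what the Outlook test does), while a trailing `reject` also refuses the legitimate inbound mail other MX servers deliver. The following added example is a toy model of that evaluation, written for this thread and not Postfix source code; the restriction names and their left-to-right, first-verdict-wins semantics follow the Postfix documentation, while the networks, domains and client addresses are constructed sample values.

```python
"""Toy model of Postfix smtpd_recipient_restrictions evaluation.

Added illustration for this thread, not Postfix source code. Restriction
names and semantics follow the Postfix documentation; the network, domain
and client addresses below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass

# Constructed server configuration (hypothetical values, not the poster's).
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]
MYDESTINATION = {"example.com", "mail.example.com"}

# The two restriction lists discussed in the thread.
DEFAULT_RESTRICTIONS = "permit_mynetworks permit_sasl_authenticated reject_unauth_destination"
CHANGED_RESTRICTIONS = "permit_mynetworks permit_sasl_authenticated reject"


@dataclass
class Session:
    """What Postfix knows about the client at RCPT TO time."""
    client_ip: str
    sasl_authenticated: bool
    recipient: str


def permit_mynetworks(s: Session):
    """Permit if the client address is inside $mynetworks; otherwise no opinion."""
    ip = ipaddress.ip_address(s.client_ip)
    return "PERMIT" if any(ip in net for net in MYNETWORKS) else None


def permit_sasl_authenticated(s: Session):
    """Permit if the client completed SMTP AUTH; otherwise no opinion."""
    return "PERMIT" if s.sasl_authenticated else None


def reject_unauth_destination(s: Session):
    """Reject unless this server is final destination for the recipient domain.
    A local recipient yields no opinion, so the list falls through to PERMIT."""
    domain = s.recipient.rpartition("@")[2].lower()
    return None if domain in MYDESTINATION else "REJECT"


def reject(s: Session):
    """Unconditional reject: anything not permitted earlier, inbound mail included."""
    return "REJECT"


RULES = {f.__name__: f for f in (permit_mynetworks, permit_sasl_authenticated,
                                 reject_unauth_destination, reject)}


def evaluate(restrictions: str, session: Session) -> str:
    """Walk the list left to right; the first rule with a verdict wins.
    Reaching the end of smtpd_recipient_restrictions without a verdict means PERMIT."""
    for name in restrictions.split():
        verdict = RULES[name](session)
        if verdict is not None:
            return verdict
    return "PERMIT"


def scenarios() -> dict:
    """Sessions that explain the behaviour described in the thread (constructed addresses)."""
    outlook_no_auth_local = Session("203.0.113.10", False, "me@example.com")
    outlook_no_auth_relay = Session("203.0.113.10", False, "someone@elsewhere.test")
    inbound_mx_peer = Session("198.51.100.25", False, "me@example.com")  # another domain's MX
    authenticated_user = Session("203.0.113.10", True, "someone@elsewhere.test")
    return {
        # Accepted without auth because the recipient is local: not an open relay.
        "default/outlook-to-local": evaluate(DEFAULT_RESTRICTIONS, outlook_no_auth_local),
        # Relay attempt to a foreign domain without auth is rejected.
        "default/outlook-to-remote": evaluate(DEFAULT_RESTRICTIONS, outlook_no_auth_relay),
        # Inbound mail from another MX still arrives under the default list.
        "default/inbound-mx": evaluate(DEFAULT_RESTRICTIONS, inbound_mx_peer),
        # With a trailing 'reject', the same inbound delivery is refused:
        # this is why mail from other domains stopped arriving.
        "changed/inbound-mx": evaluate(CHANGED_RESTRICTIONS, inbound_mx_peer),
        # Authenticated users can relay under either list.
        "changed/authenticated-relay": evaluate(CHANGED_RESTRICTIONS, authenticated_user),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:30} -> {verdict}")
```

The model covers only the recipient restriction list; a real Postfix also applies client, helo and sender restrictions, and Postfix 2.10 and later evaluate `smtpd_relay_restrictions` before this list. The useful check it demonstrates is the distinction between "accepts mail for my own domains without authentication" (expected, and what an open-relay test does not flag) and "relays to third parties without authentication" (an open relay).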
