Postfix is sending spam

Discussion in 'Server Operation' started by svehex, Dec 26, 2009.

  1. svehex

    svehex New Member

    I really need your help. My Postfix server is sending out spam (I know it's real because I received one myself). It seems to have started on December 19, 2009.

    I've followed the howto's to set up a secure postfix server, as far as I could without limiting the options beyond my needs.

    I'm sure I've got SSL, TLS and no relay running, but it still spews out spam.

    I turned it back on for about an hour and got over 1000 lines in my mail.log.

    I'm not an expert, so I could really use some help to stop this and secure my mailserver. I have a web shop, so www-data has to be able to send mail.

    Please let me know what other info you need. The mail logs can be found here (since they're too large to upload): http://heksebua.com/logs/mail/
     
  2. Miguel

    Miguel New Member HowtoForge Supporter

    For one,

    change the permissions on the files so that I can read them. I can see a listing of your logs, but I get an access denied when I try to read them.

    If your server is sending out spam, then you also have to take into account the possibility of being blacklisted when it is reported.

    Do this online check to see if there might be an open relay on your server:

    http://www.abuse.net/relay.html

    Kind regards,

    Miguel
     
  3. svehex

    svehex New Member

    The permissions have been changed. (664)
    I've already run the check. It isn't open for relay (as previously mentioned).
     
  4. Miguel

    Miguel New Member HowtoForge Supporter

    As far as I can tell from the log files, the mails are being sent by the user www-data, and there are errors that your db is older than the source file.

    Send me your main.cf file to miguel.brams'at'wiedewaratje.be to look at.

    From what I see is that postfix is not the culprit, but a script on your server that is sending out these mails.

    Also install and run rkhunter (if you haven't done so) to see if there is a rootkit or something similar that is sending the mails.

    My best bet for the moment is that your webserver (one of the sites) is sending out the mails.

    Kind regards,

    Miguel
     
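    A way to confirm what Miguel reads out of the logs, as an added example that is not part of the thread: Postfix records every message handed to the local sendmail binary as a postfix/pickup line carrying the submitting uid, so counting pickup lines per uid and hour shows whether www-data (uid 33 on Debian, an assumption here) is injecting mail in bursts. The log lines below are constructed, not taken from the poster's mail.log.

```python
"""Flag local users that inject an unusual number of messages per hour,
based on postfix/pickup lines in a Postfix mail.log.  Mail sent by a PHP
script via /usr/sbin/sendmail appears here as uid=33 (www-data on Debian)."""
import re
from collections import Counter

# One pickup line per message submitted through the local sendmail binary.
PICKUP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}):\d{2}:\d{2} \S+ postfix/pickup\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>"
)

def parse_pickup(line):
    """Return (hour, uid, sender, queue id) for a pickup line, else None."""
    m = PICKUP_RE.match(line)
    if not m:
        return None
    return m.group("ts"), int(m.group("uid")), m.group("sender"), m.group("qid")

def submissions_per_hour(lines):
    """Count pickup submissions keyed by (hour, uid, sender)."""
    counts = Counter()
    for line in lines:
        rec = parse_pickup(line)
        if rec:
            hour, uid, sender, _ = rec
            counts[(hour, uid, sender)] += 1
    return counts

def flag_bursts(lines, threshold):
    """Return [(hour, uid, sender, count)] for buckets above threshold."""
    return sorted(k + (n,) for k, n in submissions_per_hour(lines).items() if n > threshold)

# Constructed sample log (not the thread's real mail.log); cleanup/qmgr lines are ignored.
SAMPLE_LOG = """\
Dec 19 03:12:01 mail postfix/pickup[1201]: 5A2B1C3D4E: uid=33 from=<www-data>
Dec 19 03:12:01 mail postfix/cleanup[1202]: 5A2B1C3D4E: message-id=<a1@example.com>
Dec 19 03:12:02 mail postfix/qmgr[1100]: 5A2B1C3D4E: from=<www-data@example.com>, size=1420, nrcpt=1 (queue active)
Dec 19 03:12:03 mail postfix/pickup[1201]: 6B3C2D4E5F: uid=33 from=<www-data>
Dec 19 03:12:05 mail postfix/pickup[1201]: 7C4D3E5F60: uid=33 from=<www-data>
Dec 19 03:40:17 mail postfix/pickup[1201]: 8D5E4F6071: uid=33 from=<www-data>
Dec 19 09:00:00 mail postfix/pickup[1201]: 9E6F507182: uid=0 from=<root>
Dec 20 03:15:09 mail postfix/pickup[1201]: AF70618293: uid=33 from=<www-data>
""".splitlines()

if __name__ == "__main__":
    # Threshold of 3 only suits this tiny sample; pick one from your own baseline.
    for hour, uid, sender, n in flag_bursts(SAMPLE_LOG, threshold=3):
        print(f"{hour}:00  uid={uid} ({sender}) submitted {n} messages")
```

    Once a burst is tied to www-data, the queue ids in those pickup lines can be matched against the web server's access log for the same minute to find the script that was called.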
  5. svehex

    svehex New Member

    My prime suspect is oscommerce, judging by who the mails are sent to.. I've sent you the main.cf. The database error is older than the spam.

    I've run chkrootkit and rkhunter and nothing was found.
     
  6. falko

    falko Super Moderator ISPConfig Developer

    Are you running the latest version of OSCommerce, or is it an older one?
     
  7. svehex

    svehex New Member

    I use v2.2rc2
     
  8. falko

    falko Super Moderator ISPConfig Developer

    I don't know if this helps, but I suggest you update to v2.2rc2a.
     
  9. svehex

    svehex New Member

    I did so yesterday. The only differences are small changes to sessions and compatibility.

    Other things that have been done so far:

    main.cf:

    smtpd_sasl_local_domain = $mydomain
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    # Logs header information
    smtpd_sasl_authenticated_header = yes
    broken_sasl_auth_clients = yes

    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client, reject_unauth_destination

    dovecot.conf:

    auth default {
      mechanisms = plain login
      passdb pam {
      }
      userdb passwd {
      }
      socket listen {
        client {
          path = /var/spool/postfix/private/auth
          mode = 0660
          user = postfix
          group = postfix
        }
      }
    }

    Configured oscommerce to send e-mails from another address.
     
