I really need your help. My Postfix server is sending out spam (I know it's real because I received one myself). It seems to have started on December 19 2009. I've followed the how-tos to set up a secure Postfix server, as far as I could without limiting the options beyond my needs. I'm sure I've got SSL, TLS and no relay running, but it still spews out spam. I turned it back on for about an hour and got over 1000 lines in my mail.log. I'm not an expert, so I could really use some help to stop this and secure my mail server. I have a web shop, so www-data has to be able to send mail. Please let me know what other info you need. The mail logs can be found here (since they're too large to upload): http://heksebua.com/logs/mail/
For one, change the permissions on the files so that I can read them. I can see a listing of your logs, but I get an access denied when I try to read them. If your server is sending out spam, then you also have to take into account the possibility of being blacklisted when it is reported. Do this online check to see if there might be an open relay on your server: http://www.abuse.net/relay.html Kind regards, Miguel
The permissions have been changed (664). I've already run the check. It isn't open for relay (as previously mentioned).
As far as I can tell from the log files, the mails are being sent by the user www-data, and there are errors that your db is older than the source file. Send me your main.cf file to miguel.brams'at'wiedewaratje.be to look at. From what I see, Postfix is not the culprit, but a script on your server that is sending out these mails. Also install and run rkhunter (if you haven't done so) to see if there is some type of rootkit or other that is sending mails. My best bet for the moment is that your web server (one of the sites) is sending out the mails. Kind regards, Miguel
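The diagnosis above rests on one detail of Postfix logging: when a local process injects mail through the sendmail binary, postfix/pickup logs the numeric uid that did it, and the queue ID on that line reappears on the qmgr and smtp lines for the same message. Correlating those lines tells you which local account (or which SASL user, for submissions via smtpd) is responsible for which recipients. The script below is an added example for that triage; it is not part of the thread and was not written by either poster. The log lines in it are constructed to look like a Debian mail.log (uid 33 is www-data on Debian), the host name shop.example.net and the addresses are invented, and the regexes assume the standard Postfix pickup/smtpd/smtp line layout.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of Postfix mail.log lines (NOT the thread's real logs).
# pickup records the uid of the local process that injected the message;
# qmgr/smtp lines carry the same queue ID, which is how we tie them together.
SAMPLE_LOG = """\
Dec 19 03:12:01 shop postfix/pickup[2101]: 7A1B2C3D4E: uid=33 from=<www-data>
Dec 19 03:12:01 shop postfix/cleanup[2102]: 7A1B2C3D4E: message-id=<20091219031201.7A1B2C3D4E@shop.example.net>
Dec 19 03:12:01 shop postfix/qmgr[1990]: 7A1B2C3D4E: from=<www-data@shop.example.net>, size=1812, nrcpt=3 (queue active)
Dec 19 03:12:02 shop postfix/smtp[2105]: 7A1B2C3D4E: to=<alice@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.6/0.5, dsn=2.0.0, status=sent (250 OK)
Dec 19 03:12:02 shop postfix/smtp[2105]: 7A1B2C3D4E: to=<bob@example.org>, relay=mx.example.org[192.0.2.20]:25, delay=1.3, delays=0.1/0/0.7/0.5, dsn=2.0.0, status=sent (250 OK)
Dec 19 03:12:03 shop postfix/smtp[2106]: 7A1B2C3D4E: to=<carol@example.net>, relay=none, delay=1.5, delays=0.1/0/1.4/0, dsn=4.4.1, status=deferred (connect timed out)
Dec 19 03:15:44 shop postfix/pickup[2101]: 8B2C3D4E5F: uid=1000 from=<admin>
Dec 19 03:15:44 shop postfix/qmgr[1990]: 8B2C3D4E5F: from=<admin@shop.example.net>, size=640, nrcpt=1 (queue active)
Dec 19 03:15:45 shop postfix/smtp[2107]: 8B2C3D4E5F: to=<owner@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=0.8, delays=0.1/0/0.3/0.4, dsn=2.0.0, status=sent (250 OK)
Dec 19 03:20:10 shop postfix/smtpd[2110]: 9C3D4E5F60: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=shopuser
Dec 19 03:20:10 shop postfix/qmgr[1990]: 9C3D4E5F60: from=<shopuser@shop.example.net>, size=900, nrcpt=1 (queue active)
Dec 19 03:20:11 shop postfix/smtp[2108]: 9C3D4E5F60: to=<dave@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=2.0.0, status=sent (250 OK)
"""

# Local injection via /usr/sbin/sendmail: the uid is the process that called it.
PICKUP = re.compile(r"postfix/pickup\[\d+\]: (?P<qid>\w+): uid=(?P<uid>\d+) from=<(?P<from>[^>]*)>")
# Network submission: client address plus, for authenticated sessions, the SASL user.
SMTPD = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>\w+): client=(?P<client>[^,\s]+)"
                   r"(?:.*sasl_username=(?P<user>\S+))?")
# Outbound delivery attempt: one line per recipient, with the final status.
SMTP = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>\w+): to=<(?P<to>[^>]*)>,.*status=(?P<status>\w+)")


def attribute(log_text):
    """Return (origin, recipients): who injected each queue ID, and where it went."""
    origin = {}                     # qid -> human-readable injector
    recipients = defaultdict(list)  # qid -> [(address, status), ...]
    for line in log_text.splitlines():
        m = PICKUP.search(line)
        if m:
            origin[m["qid"]] = f"local uid={m['uid']} ({m['from']})"
            continue
        m = SMTPD.search(line)
        if m:
            who = m["user"] or "unauthenticated"
            origin[m["qid"]] = f"smtpd {who} from {m['client']}"
            continue
        m = SMTP.search(line)
        if m:
            recipients[m["qid"]].append((m["to"], m["status"]))
    return origin, recipients


def recipients_per_origin(log_text):
    """Count outbound recipients per injecting origin; a spamming script stands out."""
    origin, recipients = attribute(log_text)
    counts = Counter()
    for qid, rcpts in recipients.items():
        counts[origin.get(qid, "unknown origin")] += len(rcpts)
    return counts


def recipients_for_uid(log_text, uid):
    """Sorted, de-duplicated recipient list for everything injected by one local uid."""
    origin, recipients = attribute(log_text)
    wanted = f"local uid={uid} "
    out = set()
    for qid, rcpts in recipients.items():
        if origin.get(qid, "").startswith(wanted):
            out.update(addr for addr, _ in rcpts)
    return sorted(out)


if __name__ == "__main__":
    # Run against a real file with: python3 triage.py < /var/log/mail.log
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for who, n in recipients_per_origin(text).most_common():
        print(f"{n:6d}  {who}")
    print("www-data recipients:", ", ".join(recipients_for_uid(text, 33)))
```

The counts tell you which account is injecting, but pickup logs only the uid, never the script path, so "uid=33" says the web server did it without saying which site or file. To go one step further on a PHP host, PHP 5.3 and later can log every mail() call with the calling script's path via the `mail.log` ini setting, and `mail.add_x_header` stamps an X-PHP-Originating-Script header into each message; either would point at the offending file directly.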
My prime suspect is osCommerce, judging by who the mails are sent to. I've sent you the main.cf. The database error is older than the spam. I've run chkrootkit and rkhunter and nothing was found.
I did so yesterday. The only differences are small changes to sessions and compatibility. Other things that have been done so far:

main.cf:

smtpd_sasl_local_domain = $mydomain
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_authenticated_header = yes --> logs header information
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client, reject_unauth_destination

dovecot.conf:

auth default {
  mechanisms = plain login
  passdb pam {
  }
  userdb passwd {
  }
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}

Configured osCommerce to send e-mails from another address.