Hello! I tried to solve this problem, spending time in Google and other forums, finding information... I think I did many things... but! The problem is that my e-mail server sends and receives thousands of spam messages and I'm listed in http://www.mxtoolbox.com/blacklists.aspx in 5-7 lists.

What I have:
OpenSuse 10.3
Postfix 2.6.5
Cyrus SASL 2.1.22
Postgrey 1.32
ISPconfig 2.2.33

Here are:

1) /etc/postfix/main.cf:
Code:
####################################################################################
###GENERAL SETTINGS
####################################################################################
mail_owner = postfix
masquerade_exceptions = root
masquerade_classes = envelope_sender, header_sender, header_recipient
myhostname = myhostname.$mydomain
inet_interfaces = all
inet_protocols = all
biff = yes
masquerade_domains =
#mydestination = $myhostname, localhost.$mydomain
defer_transports =
mynetworks_style = subnet
disable_dns_lookups = no
relayhost =
mailbox_command =
mailbox_transport =
strict_8bitmime = no
disable_mime_output_conversion = no
mailbox_size_limit = 0
message_size_limit = 10240000
mydomain = ardit.lv
mynetworks = 127.0.0.0/8
delay_warning_time = 1h
message_strip_characters = \0
setgid_group = maildrop
####################################################################################
###MAPS
####################################################################################
canonical_maps = hash:/etc/postfix/canonical
#virtual_alias_maps = hash:/etc/postfix/virtual
virtual_alias_domains = hash:/etc/postfix/virtual
relocated_maps = hash:/etc/postfix/relocated
transport_maps = hash:/etc/postfix/transport
sender_canonical_maps = hash:/etc/postfix/sender_canonical
virtual_maps = hash:/etc/postfix/virtusertable
alias_maps = hash:/etc/aliases
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
body_checks = regexp:/etc/postfix/body_checks
####################################################################################
###DIRECTORIES
####################################################################################
readme_directory = /usr/share/doc/packages/postfix/README_FILES
mail_spool_directory = /var/mail
program_directory = /usr/lib/postfix
mydestination = /etc/postfix/local-host-names
sample_directory = /usr/share/doc/packages/postfix/samples
manpage_directory = /usr/share/man
html_directory = /usr/share/doc/packages/postfix/html
####################################################################################
###PATHS
####################################################################################
sendmail_path = /usr/sbin/sendmail
mailq_path = /usr/bin/mailq
newaliases_path = /usr/bin/newaliases
daemon_directory = /usr/lib/postfix
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
mydestination = /etc/postfix/local-host-names
####################################################################################
###DEBUG
####################################################################################
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5
####################################################################################
###SASL
####################################################################################
smtp_sasl_auth_enable = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_type = cyrus
#smtpd_sasl_path = private/auth
smtpd_sasl_path = smtpd
smtpd_sasl_mechanism_filter = !gssapi, !external, static:all
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
####################################################################################
###TLS
####################################################################################
smtpd_use_tls = yes
smtp_use_tls = yes
smtpd_tls_auth_only = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
####################################################################################
###RULES AGAINST SPAMS ETC. MALWARES
####################################################################################
smtpd_sender_restrictions =
    warn_if_reject,
    hash:/etc/postfix/access_client,
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client zen.spamhaus.org,
    permit
smtpd_client_restrictions =
    permit_sasl_authenticated,
    check_client_access hash:/etc/postfix/access_client,
    reject_rbl_client relays.mail-abuse.org,
    reject_rbl_client relays.ordlb.org,
    reject_rhsbl_sender dsn.rfc-ignorant.org,
#    reject_unknown_client,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client zen.spamhaus.org,
    permit_mynetworks,
    reject_unauth_pipelining,
    permit
smtpd_helo_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_invalid_hostname,
    reject_unknown_hostname,
    reject_non_fqdn_hostname,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client zen.spamhaus.org,
    regexp:/etc/postfix/helo.regexp,
    permit
bounce_size_limit = 1024
smtpd_helo_required = yes
smtpd_delay_reject = yes
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}
access_map_reject_code = 554
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_sender_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554
notify_classes = resource,software
smtpd_recipient_restrictions =
    warn_if_reject,
    permit_sasl_authenticated,
    permit_mynetworks,
    check_relay_domains,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_unauth_pipelining,
    check_policy_service inet:127.0.0.1:6000,
    check_policy_service inet:127.0.0.1:10023,
#    check_sender_access hash:/etc/postfix/verify_sender_map,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client rblmap.tu-berlin.de,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client dnsbl.sorbs.org,
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client blackholes.easynet.nl,
    reject_rbl_client ix.dnsbl.manitu.net,
    reject_rbl_client dsn.rfc-ignorant.org,
    reject_rbl_client proxies.relays.monkeys.com,
    reject_rbl_client dul.dnsbl.sorbs.net,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client multi.uribl.com,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bogusmx.rfc-ignorant.org,
#    check_client_access hash:/etc/postfix/helo_client_exceptions,
    check_client_access hash:/etc/postfix/rbl_client_exceptions,
    permit

2) Body checks are made after this How To: http://www.malware.com.br/postfix.txt

3) /etc/postfix/rbl_client_exceptions contains my client domain names:
Code:
.domain.com OK
.........
4) helo.regexp contains:
Code:
/^localhost$/ 550 Don't use my own hostname
/^host\.domain\.com$/ 550 Don't use my own hostname
/^127\.0\.0\.1$/ 550 Don't use my own IP address
/^\[180\.169\.9\.91]$/ 550 Don't use my own IP address
/^\[180\.169\.9\.92]$/ 550 Don't use my own IP address
#/^[0-9.]+$/ 550 Your software is not RFC 2821 compliant
#/^[0-9]+(\.[0-9]+){3}$/ 550 Your software is not RFC 2821 compliant

5) /etc/access_client contains:
Code:
####################################################
###Manually found
####################################################
216.52.192.0/24 REJECT
63.251.178.28 REJECT
158.36.80.149 REJECT
82.128.0.0/24 REJECT
65.55.92.0/24 REJECT
206.46.232.0/24 REJECT
65.55.92.88 REJECT
65.55.37.0/24 REJECT
58.36.80.149 REJECT
116.228.146.94 REJECT
195.248.241.211 REJECT
203.34.37.27 REJECT
210.241.225.190 REJECT
167.206.112.6 REJECT
96.57.243.42 REJECT
207.157.105.74 REJECT
41.222.193.35 REJECT
203.39.191.100 REJECT
216.201.209.161 REJECT
80.232.169.191 REJECT
202.22.159.237 REJECT
84.238.0.4 REJECT
####################################################
###Whitelist
####################################################
.myclient1.com OK
.myclient2.com OK
...........
.myclient3.com OK
.gov OK
.gov.lv OK
#####################################################
### ALL Bad IP's from http://www.unixhub.com/block.html###
#####################################################

After updating these files I run postmap /etc/postfix/appropriate_map_file

7) /etc/postfix/master.cf:
Code:
#
# Postfix master process configuration file. For details on the format
# of the file, see the Postfix master(5) manual page.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#submission inet n      -       n       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps    inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes
#  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_sender=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o broken_sasl_auth_clients=yes
#submission inet n      -       n       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
  -o fallback_relay=
#  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
#localhost:10025 inet n -       n       -       -       smtpd -o content_filter=
scache    unix  -       -       n       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/usr/lib/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
procmail  unix  -       n       n       -       -       pipe
  flags=R user=nobody argv=/usr/bin/procmail -t -m /etc/procmailrc ${sender} ${recipient}
retry     unix  -       -       n       -       -       error
tlsmgr    unix  -       -       n       1000?   1       tlsmgr

8) netstat -tap
Code:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address            Foreign Address          State       PID/Program name
tcp        0      0 *:imaps                  *:*                      LISTEN      3302/couriertcpd
tcp        0      0 *:pop3s                  *:*                      LISTEN      3334/couriertcpd
tcp        0      0 *:mysql                  *:*                      LISTEN      2361/mysqld
tcp        0      0 *:corba-iiop-ssl         *:*                      LISTEN      5647/rpc.rquotad
tcp        0      0 *:pop3                   *:*                      LISTEN      3317/couriertcpd
tcp        0      0 localhost.localdoma:783  *:*                      LISTEN      6329/spamd.pid
tcp        0      0 *:sunrpc                 *:*                      LISTEN      3421/portmap
tcp        0      0 *:imap                   *:*                      LISTEN      3280/couriertcpd
tcp        0      0 *:www-http               *:*                      LISTEN      2953/httpd2-prefork
tcp        0      0 *:smtps                  *:*                      LISTEN      5314/master
tcp        0      0 *:hosts2-ns              *:*                      LISTEN      2889/ispconfig_http
tcp        0      0 *:ftp                    *:*                      LISTEN      5756/proftpd: (acce
tcp        0      0 myhost.mydomain.l:domain *:*                      LISTEN      5621/named
tcp        0      0 localhost.locald:domain  *:*                      LISTEN      5621/named
tcp        0      0 *:ssh                    *:*                      LISTEN      3234/sshd
tcp        0      0 localhost.localdoma:953  *:*                      LISTEN      5621/named
tcp        0      0 *:smtp                   *:*                      LISTEN      5314/master
tcp        0      0 *:https                  *:*                      LISTEN      2953/httpd2-prefork
tcp        0      0 localhost.loc:lanserver  *:*                      LISTEN      3429/famd
tcp        0      0 myhost.mydomain.lv:38451 mta-v9.mail.vip.mu:smtp  ESTABLISHED 5266/smtp
tcp        0      0 myhost.mydomain.lv:33570 mfe1.sinos.net:smtp      ESTABLISHED 5332/smtp
tcp        0      0 myhost.mydomain.lv:57976 server4.camintel.c:smtp  ESTABLISHED 3051/smtp
tcp        0      0 myhost.mydomain.lv:ftp   customer-2:compaq-https  ESTABLISHED 5582/proftpd: mole
tcp        0      0 myhost.mydomain.lv:47469 fr-end-01.ipteleco:smtp  ESTABLISHED 5336/smtp
tcp        0      0 myhost.mydomain.lv:54602 mta-v2.mail.vip.sp:smtp  TIME_WAIT   -
tcp        0      0 myhost.mydomain.lv:38921 de.mx.aol.com:smtp       TIME_WAIT   -
tcp        0      0 myhost.mydomain.lv:37318 mx-ha01.web.de:smtp      TIME_WAIT   -
tcp        0      0 myhost.mydomain.lv:41672 mxf2.rambler.ru:smtp     TIME_WAIT   -
tcp        0      1 myhost.mydomain.lv:55333 211.76.133.78:smtp       FIN_WAIT1   -
tcp        0      0 myhost.mydomain.lv:50394 server-0076f.dnspr:smtp  ESTABLISHED 3033/smtp
tcp        0      1 myhost.mydomain.lv:50499 eowyn.portugalmail:smtp  SYN_SENT    5481/smtp

10) created post-rule-setup.sh script as described in
http://www.howtoforge.com/forums/showthread.php?t=6393 and http://www.howtoforge.com/forums/showthread.php?t=36299 and here is the source. Inserted almost ALL bad IPs:
Code:
##############################
##############################
##############################
# For AUTH-SMTP###############
##############################
iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --destination-port 465 -j ACCEPT
######################################################
###Blocking incoming for smtp port 25
######################################################
######################################################
# My own blacklist of IP's
######################################################
iptables -A INPUT -p tcp -s 158.26.80.149 --dport 25 -j REJECT
iptables -A INPUT -p tcp -s 63.251.178.28 --dport 25 -j REJECT
iptables -A INPUT -p tcp -s 216.52.192.104 --dport 25 -j REJECT
iptables -A INPUT -p tcp -s 216.52.192.8 --dport 25 -j REJECT
...............
# outbound: the remote range is the destination of the packet, so -d, not -s
iptables -A OUTPUT -p tcp -d 204.126.12.0/23 --dport 21 -j REJECT
iptables -A OUTPUT -p tcp -d 204.126.140.0/23 --dport 21 -j REJECT

While trying to solve the problem I added almost all INPUT and OUTPUT IP addresses from this black IP list: http://blacklist.linuxadmin.org/ But the problem is that after a system reboot iptables locks and does not start, so I manually have to delete /var/lock/bastille. After that I restart the FW, but all rules are gone... All installed as described in http://www.howtoforge.com/perfect_server_opensuse10.3...

For 1.5 years the mail server lived without big problems, but it all started last week... the deadline was last Thursday ;-(

11) /var/log/messages:
Code:
Sep 28 12:28:28 myhost named[4739]: unexpected RCODE (REFUSED) resolving 'ondasnet.com.br/MX/IN': IP_
Sep 28 12:28:28 myhost named[4739]: unexpected RCODE (SERVFAIL) resolving 'inter.net.co/MX/IN': IP_#53
Sep 28 12:28:29 myhost named[4739]: FORMERR resolving 'hotmail.com.pe/MX/IN': IP_#53
Sep 28 12:28:29 myhost named[4739]: FORMERR resolving 'hotmail.com.pe/MX/IN': IP_#53
Sep 28 12:28:29 myhost named[4739]: unexpected RCODE (SERVFAIL) resolving 'colombianet.net/MX/IN': IP_#53
Sep 28 12:28:29 myhost named[4739]: FORMERR resolving 'hotmail.com.pe/MX/IN': IP_#53
Sep 28 12:28:30 myhost named[4739]: unexpected RCODE (SERVFAIL) resolving 'colombianet.net/MX/IN': IP_#53
Sep 28 12:28:54 myhost named[4739]: lame server resolving 'ahcrucha.hurtad.plaza.cl' (in 'plaza.cl'?): IP_#53
Sep 28 12:28:54 myhost named[4739]: lame server resolving 'ajahuel.paine.plaza.cl' (in 'plaza.cl'?): IP_#53
Sep 28 12:28:54 myhost named[4739]: lame server resolving 'andbello.florid.plaza.cl' (in 'plaza.cl'?): IP_#53
Sep 28 12:28:54 myhost named[4739]: lame server resolving 'anglica.plaza.cl' (in 'plaza.cl'?): IP_#53

12) /var/log/mail.err:
Code:
Sep 28 11:45:19 myhost postfix/bounce[9990]: fatal: lock file defer 42F952F96E8: Resource temporarily unavailable
Sep 28 11:46:05 myhost postfix/bounce[11012]: fatal: lock file defer 41C74EE2F14: Resource temporarily unavailable
Sep 28 11:46:14 myhost postfix/bounce[11003]: fatal: lock file defer E25FD77AA7E: Resource temporarily unavailable
Sep 28 11:46:58 myhost postfix/bounce[9942]: fatal: lock file defer 176FF519632: Resource temporarily unavailable
Sep 28 21:09:21 myhost postfix/master[5313]: fatal: open lock file pid/master.pid: unable to set exclusive lock: Resource temporarily unavailable

13) I have no DNS server on my server; DNS entries are managed by my data center ISP...
14) I have fail2ban installed and configured, and DenyHosts.
15) Also the system is checked using rkhunter-1.3.4 and chkrootkit...

I have approx. 10 clients with approx. 30 e-mails. But my /var/spool/postfix/incoming folder contains >160 000 entries (messages), and the /var/spool/postfix/active folder contains its maximum - 20 000 entries... I can delete all records from these folders, but they are back after a few seconds. There are messages with "Australian National Lotteries", "Nigeria e-mails", spam mails to a big number of aol and yahoo users (existing, non-existing) etc... Today after some searches in Google I made SASL authentication mandatory on the SMTP server, so without authorizing and checking the TLS box e-mails cannot be sent! But this also does not solve the problem! I don't know what else you should know to help me...? Is there any chance to win against the spammers and get back my normal mail server process?
Hi, the changes you did do not hurt, but they will not solve your problem. If your server sends out spam and was configured properly before, there are 3 possible reasons:

1) Your server configuration changed and it is now an open relay. You can easily test this here: http://www.mxtoolbox.com/blacklists.aspx

2) One of your smtp / pop3 accounts is misused for sending spam, e.g. because someone got a password or cracked a password of one of your users. To find this out, you have to read your mail log and check if a user that sends out spam authenticates itself first.

3) The most common reason is not even related to your postfix setup. You might have a vulnerable contact form or cms system in one of the websites on your server that is misused to send spam. To find out which of the webs is causing this, you can use this logging setup: http://www.howtoforge.com/how-to-log-emails-sent-with-phps-mail-function-to-detect-form-spam
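One way to do the check described in 2) over the mail log, added here as an example and not part of the reply above: for every message Postfix logs an smtpd line with the queue ID and the connecting client, and for authenticated submissions that line also carries sasl_method= and sasl_username=; the qmgr "from=" line for the same queue ID carries the recipient count (nrcpt=). Joining the two on the queue ID and summing per (SASL user, client IP) shows through which account a spam run is being submitted, which is exactly what an open-relay test cannot reveal. The log lines below are constructed; the host name, the client address 82.128.19.157 and the user "info" are reused from the queue file dumped later in this thread, everything else (queue IDs, addresses, the second client) is made up.

```python
"""Join Postfix smtpd client lines with qmgr from= lines per queue ID and
total recipients per SASL account and client IP."""
import re
from collections import defaultdict

# Constructed sample of /var/log/mail.log lines (not taken from the thread).
SAMPLE_LOG = """\
Apr  7 15:22:46 ardweb01 postfix/smtpd[20986]: 3F1A2B3C4D: client=ml82.128.19.157.multilinks.com[82.128.19.157], sasl_method=LOGIN, sasl_username=info
Apr  7 15:22:47 ardweb01 postfix/qmgr[15293]: 3F1A2B3C4D: from=<info@example.lv>, size=2972, nrcpt=48 (queue active)
Apr  7 15:22:50 ardweb01 postfix/smtpd[20987]: 4A5B6C7D8E: client=ml82.128.19.157.multilinks.com[82.128.19.157], sasl_method=LOGIN, sasl_username=info
Apr  7 15:22:51 ardweb01 postfix/qmgr[15293]: 4A5B6C7D8E: from=<info@example.lv>, size=3011, nrcpt=63 (queue active)
Apr  7 15:23:05 ardweb01 postfix/smtpd[20990]: 5B6C7D8E9F: client=mailfe02.swip.net[212.247.154.33]
Apr  7 15:23:06 ardweb01 postfix/qmgr[15293]: 5B6C7D8E9F: from=<someone@swip.net>, size=1200, nrcpt=1 (queue active)
Apr  7 15:24:00 ardweb01 postfix/smtpd[20991]: 6C7D8E9FA0: client=pc-office.example.lv[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Apr  7 15:24:01 ardweb01 postfix/qmgr[15293]: 6C7D8E9FA0: from=<alice@example.lv>, size=800, nrcpt=2 (queue active)
"""

# smtpd line: queue id, client host[ip] and, when authenticated, the SASL user
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Fa-f]+): client=(?P<host>[^\[ ]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>[^,]+), sasl_username=(?P<user>\S+))?"
)
# qmgr line: queue id, envelope sender and number of recipients
FROM_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Fa-f]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)"
)


def summarize(log_text):
    """Return {(sasl_user, client_ip): [messages, recipients]}.
    Unauthenticated clients (inbound mail) are keyed with sasl_user None."""
    origin = {}                                   # queue id -> (user, ip)
    totals = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            origin[m["qid"]] = (m["user"], m["ip"])
            continue
        m = FROM_RE.search(line)
        if m and m["qid"] in origin:              # only messages we saw arrive
            entry = totals[origin[m["qid"]]]
            entry[0] += 1
            entry[1] += int(m["nrcpt"])
    return dict(totals)


def suspicious_accounts(log_text, max_rcpts=100):
    """SASL accounts whose recipient total in this log window exceeds max_rcpts."""
    return sorted(user for (user, _ip), (_msgs, rcpts) in summarize(log_text).items()
                  if user is not None and rcpts > max_rcpts)


if __name__ == "__main__":
    for (user, ip), (msgs, rcpts) in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1][1]):
        print("%-8s %-16s %4d messages %5d recipients" % (user or "-", ip, msgs, rcpts))
    print("accounts over threshold:", suspicious_accounts(SAMPLE_LOG))
```

The threshold is a per-window count, so run it over a short slice of the log (an hour is enough during a spam run); on the constructed input the "info" account stands out with 111 recipients from one address in under a minute, while the inbound message from swip.net has no SASL user at all.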
1) No, my server has no open relay... I tested it on many web pages (for example: http://www.abuse.net/relay.html) and with scripts. This is not the cause.
2) In the log file there is no info about users who sent e-mail. The log files look as I posted them in the root post.
3) I used this link and created logging for web forms... Only 1 client has a mail form in his web application and it is secured by a secure code... and I think this is not the cause.
Your first post does not contain the mail log, you just posted errors and warnings. Please take a look at your mail log file and check what I explained in 2). Also check your server with rkhunter to ensure that it did not get hacked. http://www.rootkit.nl/projects/rootkit_hunter.html
OK, I'll check the mail log. As I wrote in the root post: 15) Also the system is checked using rkhunter-1.3.4 and chkrootkit, nothing bad found...
I checked the logs - there is no info that some clientusernam@clientdomain sent spam... Any more ideas? I'm working with Google and other sources to "upgrade" my Bastille firewall...
SPF Record. Do you have an SPF record for that domain in your DNS zone? More than likely it's not originating from your server, but possibly they are able to forge your domain from their own email server. Adding an SPF record will have most receiving email systems deny the email as spam with no penalty to you.
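What a receiving system does with that record, as an added example and not part of the reply above: it takes the IP that connected to it and walks the mechanisms in the domain's v=spf1 TXT record in order; the first one that matches the IP decides the result through its qualifier (+ pass, - fail, ~ softfail, ? neutral), and a trailing -all turns every unlisted sender into a fail. The evaluator below handles the ip4:, ip6: and all mechanisms, which is all a domain whose mail leaves through one server needs; mechanisms that require DNS lookups (a, mx, include, exists, ptr, redirect) are reported as "unsupported" rather than guessed, an assumption of this example. Addresses used are documentation ranges, except 82.128.19.157, which is the client address from the queue file dumped later in this thread.

```python
"""Evaluate a connecting IP against an SPF TXT record (ip4/ip6/all subset)."""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# mechanisms/modifiers that need DNS: out of scope here (assumption of this example)
DNS_MECHANISMS = {"a", "mx", "include", "exists", "ptr", "redirect"}


def check_spf(record, client_ip):
    """Return pass / fail / softfail / neutral / none / unsupported for client_ip."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                            # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                          # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if "=" in name:                          # modifier syntax, e.g. redirect=
            name = name.split("=", 1)[0]
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]         # 'all' matches every IP
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name in DNS_MECHANISMS:
            return "unsupported"
    return "neutral"                             # RFC 7208 4.7: no match, no 'all'


def example_record(server_ips):
    """Record a domain publishes when its mail only leaves via server_ips."""
    mechs = " ".join("ip%d:%s" % (ipaddress.ip_address(i).version, i) for i in server_ips)
    return "v=spf1 %s -all" % mechs


if __name__ == "__main__":
    rec = example_record(["198.51.100.10"])
    print(rec)
    for ip in ("198.51.100.10", "82.128.19.157"):
        print(ip, "->", check_spf(rec, ip))
```

With the record published, a forged message from 82.128.19.157 claiming the domain evaluates to "fail" at any receiver that checks SPF, while mail from the listed server passes; receivers that do not check SPF are unaffected, which is the "no penalty" part of the reply.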
Our guess from the information here is that most likely you have had a client's account compromised by a weak password. The other possibility is some type of web application or similar which generates email for you, which may have been compromised. The first thing we would recommend doing is to take a look into the mail queues and try to look at an individual message to determine where it has come from since you have had no luck with your logs. If you can't do that, then you are going to have to increase logging to see where these messages are coming from. We also would recommend making sure that you have a password policy for your clients such as minimum lengths including non-alpha characters. Depending on how difficult it would be to change your user's passwords you might just try that to start with. Lastly, you will need to delete the mail queues or you will just get listed again. @MxToolBox
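To look into the queue the way the reply suggests, "postqueue -p" (or mailq) lists every queued message with its queue ID, size, arrival time, envelope sender and the recipients still pending, plus the last delivery error in parentheses. The parser below, an added example and not MxToolBox's or the thread's code, groups pending recipients by envelope sender, which is normally enough to single out the address or account filling the queue even when the log is not informative; the postqueue output it runs on is constructed (queue IDs, addresses and hosts are made up).

```python
"""Summarize 'postqueue -p' output by envelope sender."""
import re
from collections import Counter

# Constructed sample of postqueue -p output; '*' after a queue ID marks a
# message in the active queue, a '(...)' line is the last delivery error.
SAMPLE_QUEUE = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5F*    2972 Wed Apr  7 15:22:47  info@example.lv
                                         one@gmail.com
                                         two@gmail.com
                                         three@yahoo.com

B2C3D4E5F60     3011 Wed Apr  7 15:22:51  info@example.lv
(connect to mx.example.net[203.0.113.5]:25: Connection timed out)
                                         four@example.net
                                         five@example.net

C3D4E5F6071      800 Wed Apr  7 15:24:01  alice@example.lv
                                         bob@example.org

-- 7 Kbytes in 3 Requests.
"""

# first line of each entry: id, optional */! flag, size, arrival time, sender
HEAD_RE = re.compile(
    r"^(?P<qid>[0-9A-Fa-f]+)(?P<flag>[*!])?\s+(?P<size>\d+)\s+"
    r"(?P<when>\w{3}\s+\w{3}\s+\d+\s+[\d:]+)\s+(?P<sender>\S+)$"
)


def parse_queue(text):
    """Return one dict per queued message: qid, active, size, sender, rcpts, reason."""
    messages = []
    current = None
    for line in text.splitlines():
        if line.startswith("-Queue ID-") or line.startswith("--"):
            continue                                   # header / footer lines
        m = HEAD_RE.match(line)
        if m:
            current = {"qid": m["qid"], "active": m["flag"] == "*",
                       "size": int(m["size"]), "sender": m["sender"], "rcpts": []}
            messages.append(current)
        elif line.startswith("(") and current is not None:
            current.setdefault("reason", line.strip("()"))   # last delivery error
        elif line.strip() and current is not None:
            current["rcpts"].append(line.strip())            # indented recipient line
    return messages


def recipients_per_sender(text):
    """Counter of pending recipients keyed by envelope sender."""
    counts = Counter()
    for msg in parse_queue(text):
        counts[msg["sender"]] += len(msg["rcpts"])
    return counts


def top_senders(text, n=3):
    return recipients_per_sender(text).most_common(n)


if __name__ == "__main__":
    for sender, pending in top_senders(SAMPLE_QUEUE):
        print("%5d pending recipients  %s" % (pending, sender))
```

On a live system feed it the real output ("postqueue -p | python3 queue_summary.py" with a small stdin wrapper) and then inspect one of the top sender's messages with "postcat -q QUEUEID", which prints the same envelope attributes (client address, SASL user) as the raw queue file; once the source is known, the queue can be cleaned with "postsuper -d" selectively rather than by deleting spool directories.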
Hello again! Thanks for the previous answers and suggestions.... I'm still trying to kill spam on my server... In the last weeks my postfix active directory holds 4000-10000 files... My server is busy, and http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist also gives a bad result (5-6 blacklists) ;-( I reinstalled the server, now I'm using Ubuntu server 9.10 and the latest ispconfig...

/etc/postfix/main.cf:
Code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
readme_directory = no
# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
myhostname = hostname.domain.lv
#alias_maps = hash:/etc/aliases
#alias_database = hash:/etc/aliases
myorigin = /etc/mailname
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
message_size_limit = 20971520
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
########
### MAPS:
########
virtual_maps = hash:/etc/postfix/virtusertable
mydestination = /etc/postfix/local-host-names
relay_recipient_maps = hash:/etc/postfix/relay_recipients
header_checks = pcre:/etc/postfix/header_checks.pcre
body_checks = pcre:/etc/postfix/body_checks.pcre
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
########
### My manual entries
########
disable_vrfy_command = yes
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
smtpd_delay_reject = yes
smtpd_reject_unlisted_recipient = yes
########
#Error codes
########
unknown_address_reject_code = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code = 554
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554
smtpd_restriction_classes = verify_sender, from_freemail_host
from_freemail_host = check_client_access hash:/etc/postfix/freemail_hosts, reject
verify_sender = reject_unverified_sender
smtpd_client_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    check_client_access hash:/etc/postfix/client_checks,
    reject_unknown_reverse_client_hostname
smtpd_helo_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_invalid_hostname,
    reject_unknown_helo_hostname,
    check_helo_access hash:/etc/postfix/helo_checks,
    regexp:/etc/postfix/helo.regexp
smtpd_sender_restrictions =
    reject_unknown_sender_domain,
    reject_non_fqdn_sender,
    permit_sasl_authenticated,
    permit_mynetworks,
    check_sender_access hash:/etc/postfix/sender_access,
    check_sender_access hash:/etc/postfix/freemail_access,
    reject_unauth_destination
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_unauth_pipelining,
    reject_unknown_recipient_domain,
    reject_non_fqdn_recipient,
    check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
    check_policy_service inet:127.0.0.1:6000,
    check_sender_access hash:/etc/postfix/verify_sender.map,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    reject_unverified_recipient,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client pbl.spamhaus.org,
    reject_rbl_client multi.uribl.com,
    reject_rbl_client dsn.rfc-ignorant.org,
    reject_rbl_client bogusmx.rfc-ignorant.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client dnsbl-1.uceprotect.net,
    permit

I informed customers to change their passwords to "Strong_passwords"... Testing with http://verify.abuse.net/cgi-bin/relaytest for open relay - my server is not an open relay... I do not manage DNS records on my server; DNS records, if the customer likes, are managed outside my server. The server is checked with: lynis, chkrootkit, rkhunter. The server is also configured with SpamAssassin, Postgrey, Clamavis, MailScanner (for graphical reports), munin, monit and cacti. It seems that someone is sending spam "from" my server despite the fact that the server is not an open relay, and "non-existing" receivers send back e-mails that the e-mail could not be delivered... Any more ideas what else could be the problem?

EDITED: Such "mails" are in my postfix active directory:
Code:
C 3600 4946 48 0 2972
T 1270261376
S [email protected]
A create_time=1270261377
A rewrite_context=remote
A sasl_method=LOGIN
A sasl_username=info
A log_client_name=ml82.128.19.157.multilinks.com
A log_client_address=82.128.19.157
A log_client_port=4624
A log_message_origin=ml82.128.19.157.multilinks.com[82.128.19.157]
A log_helo_name=User
A log_protocol_name=ESMTP
A client_name=ml82.128.19.157.multilinks.com
A reverse_client_name=ml82.128.19.157.multilinks.com
A client_address=82.128.19.157
A client_port=4624
A helo_name=User
A protocol_name=ESMTP
A client_address_type=2
A dsn_orig_rcpt=rfc822;[email protected]
O [email protected]
R [email protected]
(the same dsn_orig_rcpt / O / R triple repeats for the remaining recipients; every address in the dump was replaced by "[email protected]" by the page's e-mail obfuscation)

Interesting that this "client" IP is blocked with iptables:
Code:
iptables -A INPUT -s 82.128.18.0/23 -j DROP
iptables -A OUTPUT -d 82.128.18.0/23 -j DROP
iptables -A INPUT -s 82.128.83.46 -j DROP
iptables -A OUTPUT -d 82.128.83.46 -j DROP
iptables -A INPUT -s 82.128.83.49 -j DROP
iptables -A OUTPUT -d 82.128.83.49 -j DROP
iptables -A INPUT -s 82.128.20.59 -j DROP
iptables -A OUTPUT -d 82.128.20.59 -j DROP

Also this IP is blocked using /etc/postfix/client_access:
Code:
#Always allow my host
MY-IP OK
#Whitelist
GOOD-IP OK
# Using a domain name
#Block concrete IP addresses
196.46.245.21 DROP
41.28.220.193 DROP
41.211.228.122 DROP
41.211.228.232 DROP
41.211.238.145 DROP
82.128.83.46 DROP
82.128.83.49 DROP
82.128.18.0/23 DROP
82.128.20.59 DROP

Here is the mail.warn log:
Code:
Apr 7 15:22:46 ardweb01 postfix/smtp[15468]: warning: numeric domain name in resource data of MX record for hostelturf.com: 67.102.46.122
Apr 7 15:23:01 ardweb01 postfix/qmgr[15293]: warning: mail for gmail.com is using up 4146 of 5229 active queue entries
Apr 7 15:23:01 ardweb01 postfix/qmgr[15293]: warning: this may slow down other mail deliveries
Apr 7 15:23:01 ardweb01 postfix/qmgr[15293]: warning: you may need to increase the main.cf smtp_destination_concurrency_limit from 20
Apr 7 15:23:01 ardweb01 postfix/qmgr[15293]: warning: please avoid flushing the whole queue when you have
Apr 7 15:23:01 ardweb01 postfix/qmgr[15293]: warning: lots of deferred mail, that is bad for performance
Apr 7 15:23:01 ardweb01 postfix/qmgr[15293]: warning: to turn off these warnings specify: qmgr_clog_warn_time = 0
Apr 7 15:23:19 ardweb01 postfix/smtp[18721]: warning: no MX host for gmaul.com has a valid address record
Apr 7 15:24:31 ardweb01 postfix/smtp[19229]: warning: no MX host for rigbyco.com has a valid address record
Apr 7 15:27:37 ardweb01 postfix/smtp[18709]: warning: no MX host for jpost.co.il has a valid address record
Apr 7 15:28:01 ardweb01 postfix/qmgr[15293]: warning: mail for gmail.com is using up 4059 of 4656 active queue entries
Apr 7 15:28:01 ardweb01 postfix/qmgr[15293]: warning: this may slow down other mail deliveries
Apr 7 15:28:01 ardweb01 postfix/qmgr[15293]: warning: you may need to increase the main.cf smtp_destination_concurrency_limit from 20
Apr 7 15:28:01 ardweb01 postfix/qmgr[15293]: warning: please avoid flushing the whole queue when you have
Apr 7 15:28:01 ardweb01 postfix/qmgr[15293]: warning: lots of deferred mail, that is bad for performance
Apr 7 15:28:01 ardweb01 postfix/qmgr[15293]: warning: to turn off these warnings specify: qmgr_clog_warn_time = 0
Apr 7 15:29:14 ardweb01 postfix/smtp[20368]: warning: numeric domain name in resource data of MX record for mail.intellect.com.tw: 211.75.226.154
Apr 7 15:30:21 ardweb01 postfix/smtp[20397]: warning: numeric domain name in resource data of MX record for chinawangtai.com: 203.88.192.62
Apr 7 15:30:42 ardweb01 postfix/smtp[15526]: warning: numeric domain name in resource data of MX record for aurora.il.us: 64.195.1.137
Apr 7 15:32:46 ardweb01 postfix/smtp[20285]: warning: tls_text_name: mail.loversline.de[194.187.140.2]:25: peer certificate has no issuer Organization
Apr 7 15:32:46 ardweb01 postfix/smtp[20285]: warning: tls_text_name: mail.loversline.de[194.187.140.2]:25: peer certificate has no subject CN
Apr 7 15:34:16 ardweb01 postfix/smtp[19160]: warning: no MX host for gmaii.com has a valid address record
Apr 7 15:35:46 ardweb01 postfix/smtpd[20986]: warning: 83.150.207.253: hostname 253-207-150-83.customers.iber-x.net verification failed: Name or service not known
Apr 7 15:48:19 ardweb01 postfix/smtp[22044]: warning: numeric domain name in resource data of MX record for sur-design.com: 66.92.134.116
Apr 7 15:48:44 ardweb01 postfix/smtp[22105]: warning: no MX host for aol.cm has a valid address record
Apr 7 15:49:22 ardweb01 postfix/smtp[22045]: warning: no MX host for dma.mil has a valid address record
Apr 7 15:49:25 ardweb01 postfix/smtpd[22138]: warning: 78.155.47.46: hostname adsl-new47-l47.crnagora.net verification failed: Name or service not known
Apr 7 15:49:35 ardweb01 postfix/smtp[22029]: warning: numeric domain name in resource data of MX record for greenmatrix.net: 204.247.178.85
Apr 7 15:49:58 ardweb01 postfix/smtp[22064]: warning: no MX host for dma.mil has a valid address record
Apr 7 15:53:03 ardweb01 postfix/smtp[22498]: warning: numeric domain name in resource data of MX record for kflc.ac.kr: 218.149.189.119
Apr 7 15:53:10 ardweb01 postfix/smtp[22496]: warning: numeric domain name in resource data of MX record for audiointercomservices.com: 69.22.252.49
Apr 7 15:53:19 ardweb01 postfix/smtp[22046]: warning: no MX host for futurephoto.com has a valid address record
Apr 7 15:54:38 ardweb01 postfix/smtp[22506]: warning: numeric domain name in resource data of MX record for kflc.ac.kr: 218.149.189.119
Apr 7 15:54:54 ardweb01 postfix/smtp[22020]: warning: numeric domain name in resource data of MX record for pyramidcoach.com: 68.74.53.33
Apr 7 15:55:10 ardweb01 postgrey[3073]: whitelisted: mailfe02.swip.net[212.247.154.33]
Apr 7 15:55:21 ardweb01 postfix/smtp[22469]: warning: tls_text_name: starburstcom.com[62.241.60.2]:25: peer certificate has no issuer Organization
Apr 7 15:55:21 ardweb01 postfix/smtp[22469]: warning: tls_text_name: starburstcom.com[62.241.60.2]:25: peer certificate has no subject CN
Apr 7 15:55:21 ardweb01 postfix/smtp[22518]: warning: no MX host for uoguelph.ca has a valid address record
Apr 7 15:55:41 ardweb01 postfix/smtp[22517]: warning: no MX host for cirpack.fr has a valid address record
Apr 7 15:55:57 ardweb01 postfix/smtp[22498]: warning: no MX host for uoguelph.ca has a valid address record
Apr 7 15:56:54 ardweb01 postgrey[3073]: whitelisted: mailfe06.swip.net[212.247.154.161]
Apr 7 15:58:02 ardweb01 postfix/smtp[22505]: warning: numeric domain name in resource data of MX record for mail.ctin.ac.cn: 218.70.66.117
Apr 7 15:58:08 ardweb01 postfix/smtp[22529]: warning: no MX host for futurephoto.com has a valid address record
Apr 7 16:00:12 ardweb01 postfix/smtp[22064]: warning: numeric domain name in resource data of MX record for sgrow.com: 64.22.126.33
Apr 7 16:00:23 ardweb01 postfix/smtp[22468]: warning: no MX host for uoguelph.ca has a valid address record
Apr 7 16:03:11 ardweb01 postfix/smtp[22445]: warning: no MX host for ragingbull.com has a valid address record
Apr 7 16:05:28 ardweb01 postfix/smtp[22532]: warning: numeric domain name in resource data of MX record for unidocsys.com: 131.210.4.32
Apr 7 16:05:28 ardweb01 postfix/smtp[22494]: warning: numeric domain name in resource data of MX record for xteamlinux.com.cn: 211.153.184.18
Apr 7 16:05:30 ardweb01 postfix/smtp[22064]: warning: no MX host for aol.cm has a valid address record
Apr 7 16:08:04 ardweb01 postfix/smtp[22445]: warning: no MX host for uoguelph.ca has a valid address record
Apr 7 16:08:34 ardweb01 postfix/smtp[22531]: warning: numeric domain name in resource data of MX record for 168market.com: 209.164.15.45
Apr 7 16:08:35 ardweb01 postfix/smtp[22505]: warning: numeric domain name in resource data of MX record for cubexs.net.pk: 202.63.215.14
Apr 7 16:09:52 ardweb01 postfix/smtp[21664]: warning: no MX host for dma.mil has a valid address record
Apr 7 16:10:18 ardweb01 postfix/smtp[22053]: warning: no MX host for uoguelph.ca has a valid address record
Apr 7 16:10:56 ardweb01 postfix/smtp[22019]: warning: numeric domain name in resource data of MX record for laitai.com: 211.157.1.130
Apr 7 16:11:08 ardweb01 postfix/smtp[22525]: warning: numeric domain name in resource
data of MX record for mm459.com: 207.111.216.142 Apr 7 16:11:08 ardweb01 postfix/smtp[22525]: warning: numeric domain name in resource data of MX record for mm459.com: 207.111.216.142 Apr 7 16:11:52 ardweb01 postfix/smtp[22498]: warning: no MX host for futurephoto.com has a valid address record Apr 7 16:12:05 ardweb01 postfix/smtp[22060]: warning: no MX host for dma.mil has a valid address record Apr 7 16:12:17 ardweb01 postfix/smtpd[25558]: warning: 78.155.37.159: hostname adsl-new37-l160.crnagora.net verification failed: Name or service not known mail.log: Code: Apr 7 16:34:19 mydomain postfix/error[27490]: E68C346EDF: to=<[email protected]>, relay=none, delay=383814, delays=383296/517/0/0.66, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.east.cox.net[68.1.17.3] refused to talk to me: 554 eastrmimpi05.cox.net IMP [MY_IP] blocked. Error Code: IPBL0100 - Refer to Error Codes section at http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more information.) Apr 7 16:34:19 mydomain postfix/error[27384]: 0BDC744F6D: to=<[email protected]>, relay=none, delay=126914, delays=126389/523/0/1.8, dsn=4.7.0, status=deferred (delivery temporarily suspended: host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from [MY_IP] temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html) Apr 7 16:34:19 mydomain postfix/smtp[25996]: AA3A942DEF: host idcmail-mx2no.cg.shawcable.net[64.59.134.8] refused to talk to me: 554-idcmail.shaw.ca 554 Your connection from [MY_IP] has been rejected due to poor reputation. 
Apr 7 16:34:19 mydomain postfix/error[27440]: 0C2E045D93: to=<[email protected]>, relay=none, delay=385201, delays=384676/524/0/0.38, dsn=4.7.0, status=deferred (delivery temporarily suspended: host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from [MY_IP] temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html) Apr 7 16:34:19 mydomain postfix/smtp[26048]: A995646DFD: host smtp.secureserver.net[216.69.186.201] refused to talk to me: 554-m1pismtp01-022.prod.mesa1.secureserver.net 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means. Apr 7 16:34:19 mydomain postfix/smtp[26081]: connect to maninet.com[82.98.86.167]:25: Connection timed out Apr 7 16:34:19 mydomain postfix/smtp[26058]: A995646DFD: host hrndva-smtpin01.mail.rr.com[71.74.56.243] refused to talk to me: 554 5.7.1 - ERROR: Mail refused - <[MY_IP]> - See http://security.rr.com/cgi-bin/block-lookup?[MY_IP] Apr 7 16:34:19 mydomain postfix/error[27493]: 6324F44DB6: to=<[email protected]>, relay=none, delay=383710, delays=383461/248/0/0.52, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.east.cox.net[68.1.17.3] refused to talk to me: 554 eastrmimpi05.cox.net IMP [MY_IP] blocked. Error Code: IPBL0100 - Refer to Error Codes section at http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more information.) Apr 7 16:34:19 mydomain postfix/error[27449]: 139F043032: to=<[email protected]>, relay=none, delay=131452, delays=130934/517/0/0.93, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.east.cox.net[68.1.17.3] refused to talk to me: 554 eastrmimpi05.cox.net IMP [MY_IP] blocked. Error Code: IPBL0100 - Refer to Error Codes section at http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more information.) 
Apr 7 16:34:19 mydomain postfix/error[27424]: A3CEF41BD3: to=<[email protected]>, relay=none, delay=384481, delays=384233/247/0/0.48, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.east.cox.net[68.1.17.3] refused to talk to me: 554 eastrmimpi05.cox.net IMP [MY_IP] blocked. Error Code: IPBL0100 - Refer to Error Codes section at http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more information.) Apr 7 16:34:19 mydomain postfix/error[27421]: 087C5468EB: to=<[email protected]>, relay=none, delay=425667, delays=425142/524/0/0.74, dsn=4.7.0, status=deferred (delivery temporarily suspended: host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from [MY_IP] temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html) Apr 7 16:34:19 mydomain postfix/error[27459]: AB1D646B4B: to=<[email protected]>, relay=none, delay=423642, delays=423395/247/0/0.46, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.east.cox.net[68.1.17.3] refused to talk to me: 554 eastrmimpi05.cox.net IMP [MY_IP] blocked. Error Code: IPBL0100 - Refer to Error Codes section at http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more information.) 
Apr 7 16:34:19 mydomain postfix/error[27381]: 3D5C642037: to=<[email protected]>, relay=none, delay=131137, delays=130606/528/0/3.4, dsn=4.7.0, status=deferred (delivery temporarily suspended: host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from [MY_IP] temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html) Apr 7 16:34:19 mydomain postfix/error[27489]: 91A1A456FA: to=<[email protected]>, relay=none, delay=385572, delays=385049/523/0/0.42, dsn=4.7.0, status=deferred (delivery temporarily suspended: host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from [MY_IP] temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
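One way to triage a mail.log like the one above, as an added example that is not part of the thread: it groups Postfix "refused to talk to me" responses by remote MX and SMTP code, counts how many cite the sending IP's reputation (the cox.net block, the Yahoo TS01 deferral, the Shaw rejection), counts connection timeouts, and extracts the qmgr active-queue hog warning. The sample lines are constructed to match the shape of the posted ones, with recipient addresses replaced.

```python
import re
from collections import Counter

# Constructed sample shaped like the mail.log / mail.warn lines posted above;
# recipient addresses replaced with user@example.com, [MY_IP] kept as posted.
SAMPLE_LOG = "\n".join([
    "Apr  7 15:23:01 ardweb01 postfix/qmgr[15293]: warning: mail for gmail.com is using up 4146 of 5229 active queue entries",
    "Apr  7 16:34:19 mydomain postfix/error[27490]: E68C346EDF: to=<user@example.com>, relay=none, dsn=4.0.0, "
    "status=deferred (delivery temporarily suspended: host mx.east.cox.net[68.1.17.3] refused to talk to me: "
    "554 eastrmimpi05.cox.net IMP [MY_IP] blocked. Error Code: IPBL0100)",
    "Apr  7 16:34:19 mydomain postfix/error[27384]: 0BDC744F6D: to=<user@example.com>, relay=none, dsn=4.7.0, "
    "status=deferred (delivery temporarily suspended: host d.mx.mail.yahoo.com[209.191.88.254] refused to talk "
    "to me: 421 4.7.0 [TS01] Messages from [MY_IP] temporarily deferred due to user complaints)",
    "Apr  7 16:34:19 mydomain postfix/smtp[25996]: AA3A942DEF: host idcmail-mx2no.cg.shawcable.net[64.59.134.8] "
    "refused to talk to me: 554-idcmail.shaw.ca 554 Your connection from [MY_IP] has been rejected due to poor reputation.",
    "Apr  7 16:34:19 mydomain postfix/smtp[26081]: connect to maninet.com[82.98.86.167]:25: Connection timed out",
    "Apr  7 16:34:19 mydomain postfix/error[27493]: 6324F44DB6: to=<user@example.com>, relay=none, dsn=4.0.0, "
    "status=deferred (delivery temporarily suspended: host mx.east.cox.net[68.1.17.3] refused to talk to me: "
    "554 eastrmimpi05.cox.net IMP [MY_IP] blocked. Error Code: IPBL0100)",
])

# Syslog prefix, then the Postfix daemon name and the message it logged.
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ postfix/\w+\[\d+\]: (?P<msg>.*)$")
REFUSED_RE = re.compile(r"host (?P<mx>\S+)\[[\d.]+\] refused to talk to me: (?P<code>\d{3})")
QUEUE_RE = re.compile(r"mail for (?P<dest>\S+) is using up (?P<used>\d+) of (?P<total>\d+) active queue")
# Phrases the remote MTAs in this thread use when they reject on sender reputation.
REPUTATION_MARKERS = ("blocked", "poor reputation", "user complaints", "Mail refused")


def triage(log_text):
    """Summarise why outbound mail is stuck, from raw Postfix log text."""
    refusals, reputation_hits, timeouts, queue_hogs = Counter(), 0, 0, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Postfix line (e.g. postgrey), skip it
        msg = m.group("msg")
        r = REFUSED_RE.search(msg)
        if r:
            refusals[(r["mx"], r["code"])] += 1
            if any(marker in msg for marker in REPUTATION_MARKERS):
                reputation_hits += 1
        elif "Connection timed out" in msg:
            timeouts += 1
        q = QUEUE_RE.search(msg)
        if q:  # share of the active queue one destination is occupying
            queue_hogs[q["dest"]] = round(int(q["used"]) / int(q["total"]), 2)
    return {"refusals": dict(refusals), "reputation_hits": reputation_hits,
            "timeouts": timeouts, "queue_hogs": queue_hogs}
```

A high reputation_hits count alongside one destination holding most of the active queue is the signature of a relay that has been abused to send bulk spam, which points the investigation at the sending side rather than at the blocked inbound clients.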
Maybe the spammer uses a hole in one of your web applications to send out spam. http://www.howtoforge.com/how-to-log-emails-sent-with-phps-mail-function-to-detect-form-spam
Thanks Falko, but now - I already have this "hole" for logging (I also added a feature so that IP addresses are logged too) and there are no "spammers" from here... ;-( It is somewhere else, but I really do not have any ideas - where? ;-OOO
I am having a similar problem. All of the email seems to be coming from [email protected]. Does this mean someone has found a hole in ispconfig?
This doesn't mean there's a hole in ISPConfig as you can set any email address you like when you send a mail, even something like [email protected]... Of course, spammers can do the same.