Blocking unauthorized senders from sending mail.

Discussion in 'ISPConfig 3 Priority Support' started by pawan, Mar 19, 2016.

  1. pawan

    pawan Member

    I have set mailjet as relay server. That is working fine.
    But I am getting notification mail from them like
    Code:
    We have received an email from a new sender address using your account :
    
    Detected on: 2016-03-19 11:35:46
    From: [email protected]
    
    Emails sent from this sender will not be sent until you validate this address in your account. Messages will remain in our processing queue for a few days and will be sent as soon as the sender becomes valid.
    If you have any question about this email, please take a look at our dedicated FAQ: I received an alert for a new sender address: what should I do?.
    
    See you soon,
    The Mailjet Team 
    This domain and user don't exist on my server; how it can send mail is worrying me.
    The contents of my /etc/postfix/main.cf is like this
    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    readme_directory = /usr/share/doc/postfix
    
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    myhostname = server1.mywebsolutions.co.in
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    myorigin = /etc/mailname
    mydestination = server1.mywebsolutions.co.in, localhost, localhost.localdomain
    # Every message this server sends out goes through this relay, whatever
    # put it in the queue: SASL-authenticated submissions, mail generated by
    # hosted web sites, and mail re-sent by forwarding rules.
    # NOTE(review): a mail forward (the log excerpt later in this thread shows
    # "sieve: ... forwarded to" followed by a fresh queue entry) re-queues a
    # received message with its original, external envelope sender, which then
    # leaves via this relay. That would explain "new sender" alerts for
    # addresses that are not local accounts without any account being
    # compromised -- confirm by matching the alerted address against those
    # forwarding lines in mail.log.
    relayhost = in-v3.mailjet.com
    # Left commented out, so mynetworks keeps the Postfix default for this
    # install (check the effective value with `postconf mynetworks`).
    #mynetworks = 127.0.0.0/8 [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter =
    inet_interfaces = all
    html_directory = /usr/share/doc/postfix/html
    virtual_alias_domains =
    virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    # NOTE(review): nothing in this file ties an authenticated SASL login to
    # the sender addresses it is allowed to use (no smtpd_sender_login_maps,
    # no reject_sender_login_mismatch), so any valid mailbox login can submit
    # mail with whatever MAIL FROM the sender-access table below does not
    # reject. Binding logins to their own addresses is the usual fix when the
    # unknown sender turns out to be an authenticated submission.
    #smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, #reject_unauth_destination
    
    
    
    # Order matters: local networks and SASL-authenticated clients are
    # permitted before the relay check and the RBL lookup, so the RBL only
    # applies to unauthenticated clients delivering to local domains.
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_rbl_client zen.spamhaus.org
       
    smtpd_tls_security_level = may
    
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
    # The only sender check: a MySQL access lookup on the MAIL FROM address.
    # Addresses with no entry in that table fall through and are accepted;
    # only explicit REJECT entries block a sender.
    smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
    # Same pattern for the connecting client: explicit table entries only.
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
    
    # /etc/postfix/main.cf
    # HELO restrictions:
    #smtpd_delay_reject = yes
    smtpd_helo_required = yes
    # HELO must be a syntactically valid FQDN unless the client is in mynetworks.
    smtpd_helo_restrictions =
        permit_mynetworks,
        reject_non_fqdn_helo_hostname,
        reject_invalid_helo_hostname,
        permit
                   
    smtpd_client_message_rate_limit = 100
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    # Local delivery goes through Dovecot (LDA/sieve), which is where
    # per-mailbox forwarding rules run.
    virtual_transport = dovecot
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    owner_request_special = no
    dovecot_destination_recipient_limit = 1
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    content_filter = amavis:[127.0.0.1]:10024
    receive_override_options = no_address_mappings
    message_size_limit = 20971520
    inet_protocols = all
    
    # Opportunistic TLS towards the relay: used if offered, plaintext otherwise.
    smtp_tls_security_level = may
    # Relay policy: the recipient access table is consulted first. An OK
    # result from it permits the request before reject_unauth_destination
    # runs, so that table should only ever list local recipients.
    smtpd_relay_restrictions = check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    # Only SSLv2/SSLv3 are excluded; TLS 1.0 and 1.1 remain enabled.
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_protocols = !SSLv2,!SSLv3
    smtp_tls_protocols = !SSLv2,!SSLv3
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    # NOTE(review): an empty value clears the Postfix default of
    # "noplaintext, noanonymous", so PLAIN/LOGIN may be used towards the relay.
    # With smtp_tls_security_level = may above, the relay password could be
    # sent in clear if that session does not negotiate TLS; requiring TLS for
    # the relay (smtp_tls_security_level = encrypt, or a smtp_tls_policy_maps
    # entry for the relayhost) closes that gap.
    smtp_sasl_security_options = 
    Where and what do I need to update to block users that I did not create?
     
  2. pawan

    pawan Member

    Till,
    This is making me scratch my head; how can this happen?
    Code:
    We have received an email from a new sender address using your account :
    
    Detected on: 2016-03-19 15:03:34
    From: [email protected]
    
    Emails sent from this sender will not be sent until you validate this address in your account. Messages will remain in our processing queue for a few days and will be sent as soon as the sender becomes valid.
    If you have any question about this email, please take a look at our dedicated FAQ: I received an alert for a new sender address: what should I do?.
    
    See you soon,
    The Mailjet Team 
    There is nothing like [email protected] in my mail.log, mail.err or syslog.
    How is this user able to send mail using my IP?
    Thanks.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Search for [email protected] in the mail.log. Emails can be sent through a website as well, so if you host websites and one of them gets hacked, it is possible that the email was sent directly through that website.
     
  4. pawan

    pawan Member

    Hi Till
    I have checked the mail.log and checked all the logs using command
    Code:
    grep -rlv "peter.dickson@" /var/log
    but couldn't find a trace of it. (Note that `-v` inverts the match, so that command lists files containing lines that do *not* match the address; `grep -rl "peter.dickson@" /var/log` is the search for files that contain it.)
    Now how can I find out where these mails are being sent from? I have around 60-70 websites; how can I identify which one is being exploited?
     
  5. pawan

    pawan Member

    I was able to find one more user in mail.log that is not in my domain/user list. The logs are like this; I just cannot make out where to put a plug to stop this:
    user - [email protected]
    Code:
    Mar 20 18:37:36 server1 postfix/qmgr[3743]: D121D601882: from=<[email protected]>, size=3606, nrcpt=1 (queue active)
    Mar 20 18:37:37 server1 postfix/smtpd[15274]: disconnect from co1gmehub02.msn.com[65.55.52.230]
    Mar 20 18:37:44 server1 postfix/smtpd[15287]: connect from localhost.localdomain[127.0.0.1]
    Mar 20 18:37:44 server1 postfix/smtpd[15287]: CF7DD601CB8: client=localhost.localdomain[127.0.0.1]
    Mar 20 18:37:44 server1 postfix/cleanup[15281]: CF7DD601CB8: message-id=<[email protected]>
    Mar 20 18:37:44 server1 postfix/smtpd[15287]: disconnect from localhost.localdomain[127.0.0.1]
    Mar 20 18:37:44 server1 postfix/qmgr[3743]: CF7DD601CB8: from=<[email protected]>, size=4556, nrcpt=1 (queue active)
    Mar 20 18:37:44 server1 amavis[6293]: (06293-04) Passed CLEAN, [65.55.52.230] [65.55.52.230] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: Nsb3mNP03fix, Hits: 2.231, size: 3606, queued_as: CF7DD601CB8, [email protected], 8124 ms
    Mar 20 18:37:44 server1 postfix/smtp[15283]: D121D601882: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=10, delays=2/0.01/0/8.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as CF7DD601CB8)
    Mar 20 18:37:44 server1 postfix/qmgr[3743]: D121D601882: removed
    Mar 20 18:37:45 server1 postfix/pickup[13305]: 3A69C601CE5: uid=5000 from=<[email protected]>
    Mar 20 18:37:45 server1 dovecot: lda([email protected]): sieve: msgid=<[email protected]>: forwarded to <[email protected]>
    Mar 20 18:37:45 server1 postfix/cleanup[15281]: 3A69C601CE5: message-id=<[email protected]>
    Mar 20 18:37:45 server1 postfix/qmgr[3743]: 3A69C601CE5: from=<[email protected]>, size=4809, nrcpt=1 (queue active)
    Mar 20 18:37:45 server1 dovecot: lda([email protected]): sieve: msgid=<[email protected]>: stored mail into mailbox 'INBOX'
    Mar 20 18:37:45 server1 postfix/pipe[15288]: CF7DD601CB8: to=<[email protected]>, relay=dovecot, delay=0.54, delays=0.06/0.01/0/0.48, dsn=2.0.0, status=sent (delivered via dovecot service)
    Mar 20 18:37:45 server1 postfix/qmgr[3743]: CF7DD601CB8: removed
    Mar 20 18:37:45 server1 postfix/smtpd[15287]: connect from localhost.localdomain[127.0.0.1]
    Mar 20 18:37:45 server1 postfix/smtpd[15287]: 737A2601882: client=localhost.localdomain[127.0.0.1]
    Mar 20 18:37:45 server1 postfix/cleanup[15281]: 737A2601882: message-id=<[email protected]>
    Mar 20 18:37:45 server1 postfix/smtpd[15287]: disconnect from localhost.localdomain[127.0.0.1]
    Mar 20 18:37:45 server1 postfix/qmgr[3743]: 737A2601882: from=<[email protected]>, size=4883, nrcpt=1 (queue active)
    Mar 20 18:37:45 server1 amavis[7178]: (07178-04) Passed CLEAN, [127.0.0.1] [65.55.52.230] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: CvI6V1Vtrn5T, Hits: 2.231, size: 4809, queued_as: 737A2601882, [email protected], 195 ms
     
