We followed the install instructions without any issues. Now we have people sending emails as our users without providing passwords. So my questions are: 1. How did they get a list of the users on the server? 2. How are they able to send emails as the users? All of the passwords have been changed, so we know they don't have the passwords to send email.
Which installation instructions for which software and why did you change passwords instead of trying to migrate them?
The instructions for ISPConfig that are part of the manual which are the same that I followed posted online here. Migrate to where?
OK, as you did not mention ISPConfig anywhere in your first post and did not post in the ISPConfig forum, this was not clear. 1) You can see a list of email accounts that you created in ISPConfig, and if you created client logins for your clients, then they can create email accounts by themselves and they can also see all email accounts they created in ISPConfig. 2) If you want to allow sending without a password from a specific IP address on a Postfix server, then you can add the IP address of the email sender to the 'mynetworks' line in the Postfix main.cf file and restart Postfix. In general, you should try to avoid that and use authenticated SMTP with username (mail address) and password instead.
I think you misunderstood what I was asking. I'm in the US. There are people from Africa, China, Brazil, Russia, etc. sending email from my server, as users of my server, to other people. The people from the other countries do not belong on my server. How do they know the account names of my users? This is a new install on a fresh system.
It is very unlikely that these emails are sent from your server; at least when you followed the perfect server guide, it is not possible to send email without proper authentication. The more likely reason is that you think these emails are sent from your system just because someone abused the From address of some of your email users in emails, while the emails are not sent from your system. You can see in the mail headers and in the system mail.log whether these are sent by your server, but it is very unlikely. You can also verify this by using an open relay test. To your original questions: 1) How do spammers know which emails exist: there are huge databases of email addresses available in the dark spheres of the internet, addresses are spidered from websites, sold by shady companies etc. So you can expect that almost all email addresses are known sooner or later, and which server is responsible for a given email address can be looked up easily in DNS. 2) They are not able to send emails as these users; they just use an email address in the From field of an email. That's something different. Email works similarly to normal postal mail. You can write a letter, put someone else's address as the sender on that letter and send it with your country's postal service. And the same with email. But with email, there are mechanisms to make it easier for the receiving servers to find out if an email was sent by the right system: search for DKIM and SPF. You can set up both in ISPConfig for the email accounts of your customers. This will help other email systems to verify whether the emails were sent by an authorized server or not.
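The reply above says the headers and mail.log decide whether a message really left this server and, if so, how it was accepted. The following script is an added example (not from the thread or from ISPConfig) that correlates Postfix mail.log lines by queue ID and separates deliveries submitted with SASL authentication from those accepted purely because the client IP was trusted; the log lines are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample of Postfix mail.log lines (not from the thread): one
# authenticated submission and one accepted from a LAN address without SASL.
SAMPLE_LOG = """\
Jan 10 12:00:01 mx postfix/smtpd[2101]: AAA111: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.com
Jan 10 12:00:01 mx postfix/qmgr[1900]: AAA111: from=<alice@example.com>, size=1234, nrcpt=1 (queue active)
Jan 10 12:00:02 mx postfix/smtp[2105]: AAA111: to=<bob@other.example>, relay=mail.other.example[198.51.100.7]:25, delay=0.5, status=sent (250 OK)
Jan 10 12:03:10 mx postfix/smtpd[2110]: BBB222: client=unknown[192.168.1.1]
Jan 10 12:03:10 mx postfix/qmgr[1900]: BBB222: from=<carol@example.com>, size=4321, nrcpt=1 (queue active)
Jan 10 12:03:11 mx postfix/smtp[2112]: BBB222: to=<dave@other.example>, relay=mail.other.example[198.51.100.7]:25, delay=0.7, status=sent (250 OK)
"""

# "postfix/<daemon>[pid]: <QUEUEID>: ..." ("NOQUEUE: reject" lines never get
# a delivery record, so they are filtered out at the end).
QUEUE_RE = re.compile(r" postfix/(\w+)\[\d+\]: ([0-9A-Za-z]+): (.*)$")
CLIENT_RE = re.compile(r"client=\S+?\[([0-9a-fA-F.:]+)\]")
SASL_RE = re.compile(r"sasl_username=([^\s,]+)")
FROM_RE = re.compile(r"from=<([^>]*)>")
TO_RE = re.compile(r"to=<([^>]*)>.*status=sent")

def submissions(log_text):
    """Correlate lines by queue ID. For every message that was delivered,
    record the submitting client IP, the SASL user (None = accepted without
    authentication, i.e. trusted by mynetworks), envelope sender and recipients."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = QUEUE_RE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        rec = msgs[qid]
        if daemon == "smtpd" and (c := CLIENT_RE.search(rest)):
            rec["client_ip"] = c.group(1)
            s = SASL_RE.search(rest)
            rec["sasl_user"] = s.group(1) if s else None
        elif daemon == "qmgr" and (f := FROM_RE.search(rest)):
            rec["envelope_from"] = f.group(1)
        elif daemon == "smtp" and (t := TO_RE.search(rest)):
            rec.setdefault("delivered_to", []).append(t.group(1))
    return {q: r for q, r in msgs.items() if r.get("delivered_to")}

def unauthenticated_relays(log_text):
    """Queue IDs of delivered mail that a client handed in without SASL:
    these are the ones to explain before blaming stolen passwords."""
    return sorted(q for q, r in submissions(log_text).items()
                  if "client_ip" in r and r["sasl_user"] is None)
```

If a queue ID shows a sasl_user, that account's credentials were used; if it shows a client IP and no sasl_user, the server trusted the IP, which points at the mynetworks setting rather than at the users' passwords.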
This part is not difficult: these emails' true sources can be determined, and they may come from servers other than yours.
OK, let me try again. I know for a fact they are sending emails from my server as accounts that I have set up. So the questions are: 1. How did they get a list of the users that I created on the server? 2. How are they able to send emails as the users if we have changed the passwords? 3. How do I stop them? This is a new install of ISPConfig following the instructions.
As I mentioned earlier, this is unlikely, and the fact that changing their passwords did not stop it confirms that your fact is probably not a fact. And if your system was set up according to the perfect server guide, then sending without a password is not even possible. So, to get one step further, forget what you think is a fact, take one step back and post the complete mail headers of such an email plus the log lines from mail.log for one of these emails, so we can see how they were sent.
Never mind, I'll go to a different board and find someone else who isn't full of himself. I've been doing this mess for 30+ years on Windows. I'm still learning the Linux side, but I know what the hell I'm talking about. I guess watching the router connections and logs isn't a fact. Thanks for nothing.
No need to be mad, we are trying to help you out. Maybe people are sending from a different server, and the SPF record for the domain is non-existent or not strict enough? Why won't you share the email headers?
I just asked you to share the mail headers and logs. If you have been working with Windows systems for 30 years, then you should know that an admin needs details to diagnose a problem, and you refuse to provide these details, so how shall we be able to help you? That's as if you go into a garage and say 'my car does not work anymore, what's the problem?' without being willing to give any hint on the symptoms that let you assume it's not working anymore and without letting the mechanics have a look at it. If you have seen the traffic in your router and logs, why have you not said that, and why did you not post the logs? You did not mention that you use a router at all; maybe you just manually allowed sending without a password in the mynetworks setting of Postfix main.cf and forgot that the connections that come from the router have an internal IP as well if it's a NAT router, so you might have allowed sending to everyone by such a manual change in the config. We have users here all day who say everything is a fact while it's not a fact in many cases, not because they make their wrong claims intentionally, just simply because they do not have enough Linux knowledge to interpret the symptoms correctly. To come back to your original problem, please post the mail headers and the Linux mail.log that shows these emails being sent. And I'm quite sure that people on other boards also request logs and mail headers if you ask them the same question.
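The NAT router point in the reply above is worth checking mechanically: a connection the router forwards from the internet can reach Postfix with the router's LAN address as the client, and if mynetworks covers that LAN, Postfix relays it without any password. This added example (not from the thread or from ISPConfig) parses a mynetworks value the way Postfix writes it and reports which entries would trust a given client address; the two mynetworks strings are constructed samples.

```python
import ipaddress

# Constructed mynetworks values (not from the thread): loopback-only on the
# left, and a hand-edited one that trusts the whole private LAN on the right.
SAFE_MYNETWORKS = "127.0.0.0/8 [::1]/128"
BROAD_MYNETWORKS = "127.0.0.0/8 [::1]/128 192.168.0.0/16"

def parse_mynetworks(value):
    """Parse a Postfix mynetworks string into ip_network objects.
    Entries are separated by spaces or commas, IPv6 networks are written
    as [addr]/len, and a bare address means a single host."""
    nets = []
    for entry in value.replace(",", " ").split():
        entry = entry.replace("[", "").replace("]", "")
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def trusted_by(value, client_ip):
    """Entries that let client_ip relay without SASL authentication.
    An empty list means that client has to authenticate."""
    ip = ipaddress.ip_address(client_ip)
    return [str(n) for n in parse_mynetworks(value) if ip in n]

def non_loopback_entries(value):
    """Entries beyond loopback. Every one of them is a source that can send
    as any local user without a password, so each must be a deliberate choice;
    a NAT router's LAN address inside one of them trusts the whole internet."""
    return [str(n) for n in parse_mynetworks(value) if not n.is_loopback]
```

Run trusted_by against the router's LAN address as seen in the smtpd "client=" log lines; a non-empty result explains unauthenticated relays without anyone knowing a password.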