Is my postfix hacked?

Hi guys! I really need help with my problem! Yesterday I analyzed the mail logs and noticed something really strange. I think my Postfix is hacked. We do not use our mail server much, but maillog is full of unrecognized records. Here is part of it: Many .es domain names, but our mail server is in the .lv zone! And we do not have so many users to send SO MANY emails!!! What steps should I take now? Is it a trojan horse on my server or something??? P.S. I am using CentOS 5.2 (Perfect Server install)
Have you checked that your relay is not open? Please post main.cf so that we can help you. Cheers, maik
Thanks for your answer! Sorry, I am new to mail servers. How do I check this? P.S. I can post configs only in the evening, I am at work now.
You must have something inside main.cf like this:

mynetworks = 192.168.1.0/24 <-- your local net
fallback_relay =
mydestination = test.gr
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

The above are for authenticating users to enable them to relay mail through your server.

Try this to check your mail server:

telnet ip 25

You will get an SMTP banner like:

220 Esmtp service

Then type:

ehlo localhost.localdomain

You should get something like:

250-PIPELINING
250-SIZE 15000000
250-ETRN
250-AUTH PLAIN LOGIN <-- this means that your server can authenticate clients to allow them to relay
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

If there is not the above line, it means that your server allows relay based on IP address origin only. Check main.cf... (mynetworks setting..)

Have a nice day,
michael

PS: if you want to enable auth to work you MUST start the saslauthd service as well..
maikcat, I really appreciate your help. I will look in the evening and will post what I found there. I did not even think that something like this is possible (a real newbie I am in mail servers)... P.S. Btw, when I was analyzing the logs, I noticed that this started on April 25th. Till that time, everything was fine.
Here are the main.cf options: And more from telnet: So as I understand I have relay open. Should I simply change smtpd_sasl_auth_enable = yes to no? And what will I lose after that? I am not so good at all this... I hope you will help me to understand. Thank you! P.S. I made all settings to Postfix using this article: http://www.howtoforge.com/perfect-server-centos-5.2-p5 P.P.S. I have tested my server for open relay here http://www.myiptest.com/staticpages/index.php/open-relay-test and got the answer:

> Unable to relay: Invalid response code received from server
> This server is NOT Open Relay
That's a good thing. But it is still possible that spammers abuse web applications on your server (like contact forms, guestbooks, etc.).
Ok! But what I think is that I am a victim of backscatter mails. Can you advise me something regarding it? How do I check this?
That's difficult to check. You can have a look at Apache's access logs to see if there's a contact form/guestbook/whatever that is accessed again and again from the same IP.
I do not think that it is from guestbooks/forms. What I have done: I stopped Postfix for about 3 hours. Then I started it again and looked into the logs. Immediately after start I got tons of mails in the queue (I am not posting all of them): And then activity started again: These .es domains, can I simply somehow ban them? What am I suffering from?
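A way to turn the "tons of mails" into numbers, added here as an example and not anything posted in the thread: it tallies bounced/deferred recipient domains from Postfix smtp(8) log lines (a constructed sample below, with placeholder addresses and IPs), so a flood towards one TLD like .es shows up at once.

```shell
#!/bin/sh
# Tally recipient domains of bounced/deferred deliveries in a Postfix maillog,
# so a flood towards one TLD (the .es addresses above) stands out immediately.

# Print "count domain" for every recipient domain with a bounced or deferred
# delivery, most frequent first.  $1 = maillog path.
top_failed_domains() {
    awk '
        /status=(bounced|deferred)/ && match($0, /to=<[^>]*>/) {
            rcpt = substr($0, RSTART + 4, RLENGTH - 5)   # drop "to=<" and ">"
            sub(/^[^@]*@/, "", rcpt)                      # keep the domain only
            n[rcpt]++
        }
        END { for (d in n) print n[d], d }
    ' "$1" | sort -rn
}

# Number of failed deliveries whose recipient domain ends in ".$2".
failed_count_for_tld() {  # $1 = maillog path, $2 = TLD without the dot
    top_failed_domains "$1" | awk -v t=".$2" '
        substr($2, length($2) - length(t) + 1) == t { s += $1 }
        END { print s + 0 }
    '
}

# Constructed sample log in Postfix smtp(8) format; addresses and IPs are
# placeholders, not the poster's data.  $1 = output path.
write_sample_log() {
    cat > "$1" <<'EOF'
Apr 25 09:12:01 mail postfix/smtp[2345]: 1AB2C3D4E5: to=<ana@example.es>, relay=none, delay=12, status=deferred (connect to example.es[192.0.2.10]:25: Connection timed out)
Apr 25 09:12:03 mail postfix/smtp[2346]: 1AB2C3D4E6: to=<luis@example.es>, relay=none, delay=12, status=deferred (connect to example.es[192.0.2.10]:25: Connection timed out)
Apr 25 09:12:05 mail postfix/smtp[2347]: 1AB2C3D4E7: to=<info@mail.es>, relay=mail.es[192.0.2.20]:25, delay=1, status=bounced (host said: 550 User unknown)
Apr 25 09:12:07 mail postfix/smtp[2348]: 1AB2C3D4E8: to=<janis@example.lv>, relay=example.lv[192.0.2.30]:25, delay=1, status=sent (250 Ok: queued)
Apr 25 09:12:09 mail postfix/smtp[2349]: 1AB2C3D4E9: to=<bob@example.com>, relay=example.com[192.0.2.40]:25, delay=1, status=bounced (host said: 550 User unknown)
EOF
}

LOG=$(mktemp); write_sample_log "$LOG"
echo "failed deliveries per recipient domain:"; top_failed_domains "$LOG"
echo ".es share: $(failed_count_for_tld "$LOG" es)"
rm -f "$LOG"
```

On a real server point both functions at /var/log/maillog instead of the sample; the status=sent line in the sample is there to show that successful deliveries are left out of the count.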
The local_recipient_maps option: in your main.cf set

local_recipient_maps =

This will accept mail for whatever user (existing or not). Combine it with

luser_relay = [email protected]

This will stop bounced-back messages... The side effect is that if someone mistypes a valid mail account he will never get a notification back from you with his error.... :s cheers,
maikcat, sorry, I have not provided the whole main.cf file. I have it like this at the moment: Do you really think I need to set local_recipient_maps to an empty value? This will turn off local recipient checking.
Yes, it will turn off the local recipient check. The reason I believe you need this is to avoid spammers querying your mail server for valid users (they also use the VRFY and EXPN commands as well). The use of luser_relay is for creating a bucket, so that your system will never try to send back mail telling that the x mailbox doesn't exist. The drawback of this approach is that if a valid user sends mail to one of your accounts but mistyped the address, he will never know that his mail never reached the intended recipient. The advantage is that your queue will never be full of Postfix trying to send back notifications to spammers (who have probably provided an erroneous From: address..). cheers,
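A small audit of the two main.cf points raised in this thread, the relay restrictions maikcat listed earlier and the local_recipient_maps / luser_relay pairing explained in this post, added here as an example and not code from the thread. It reads single-line parameters only and runs on a constructed sample main.cf; the parameter names are Postfix's, the values are placeholders.

```shell
#!/bin/sh
# Audit a Postfix main.cf for the two points raised in the thread: relaying must
# end in reject_unauth_destination (Postfix 2.3 on CentOS 5 has only
# smtpd_recipient_restrictions), and an empty local_recipient_maps (accept any
# recipient) needs a luser_relay bucket or every unknown user becomes a bounce.

# Print the value of a single-line main.cf parameter; exit 1 if it is absent.
pf_get() {  # $1 = main.cf path, $2 = parameter name
    awk -v k="$2" '
        $0 ~ ("^[ \t]*" k "[ \t]*=") { sub("^[^=]*=[ \t]*", ""); print; found = 1; exit }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Return 0 when relaying is limited to mynetworks / SASL-authenticated users.
check_relay() {
    case "$(pf_get "$1" smtpd_recipient_restrictions)" in
        *reject_unauth_destination*) return 0 ;;
        *) echo "smtpd_recipient_restrictions lacks reject_unauth_destination"; return 1 ;;
    esac
}

# Return 0 unless recipient checking is disabled without a luser_relay bucket.
check_backscatter() {
    if lrm=$(pf_get "$1" local_recipient_maps) && [ -z "$lrm" ]; then
        if lr=$(pf_get "$1" luser_relay) && [ -n "$lr" ]; then
            return 0
        fi
        echo "local_recipient_maps is empty but luser_relay is unset: unknown users will bounce"
        return 1
    fi
    return 0
}

# Constructed sample main.cf with placeholder values (not the poster's file).
write_sample_cf() {  # $1 = output path
    cat > "$1" <<'EOF'
mynetworks = 127.0.0.0/8 192.168.1.0/24
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
local_recipient_maps =
EOF
}

CF=$(mktemp); write_sample_cf "$CF"
check_relay "$CF" && echo "relay: restricted"
check_backscatter "$CF" || echo "backscatter: add luser_relay or restore local_recipient_maps"
rm -f "$CF"
```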
bzzik, was your problem solved? Hi bzzik: Could you solve the bounce problem? I'm having apparently the same problem, and it is killing my server. Hi maikcat: Look at this: Would this be the solution?

local_recipient_maps =
luser_relay = [email protected]

Thanks
Are you trying to relay through another server? Take a look here: http://www.howtoforge.com/postfix_relaying_through_another_mailserver
Hi Falko: No. I'm sending directly from my server, I'm not using a relay. Why do you ask? I think the attack is backscatter, because of the messages I have in the deferred queue, look at this: I've made the changes mentioned by maikcat, and also erased the deferred queue with the postsuper -d ALL deferred command. Apparently now the queue is empty, but I have to continue to monitor the operation of the server.
Sorry for the delay... Yes, I have A, MX, and TXT SPF records for the domain. The only unusual thing in the configuration is that I have 2 extra MX records that do not respond ("the concept of nolisting"):

site.com. 86400 IN MX 5 dummy1.site.com.
site.com. 86400 IN MX 10 mail.site.com.
site.com. 86400 IN MX 20 dummy2.site.com.
dummy1.site.com. 86400 IN A 190.xx.yy.z1
mail.site.com. 86400 IN A 190.xx.yy.z2
dummy2.site.com. 86400 IN A 190.xx.yy.z3
site.com. 86400 IN TXT "v=spf1 ip4:190.xx.yy.z2 a mx ptr ~all"

Obviously on dummy1 and dummy2 I don't have a mail server.
Please delete these MX records:

site.com. 86400 IN MX 5 dummy1.site.com.
site.com. 86400 IN MX 20 dummy2.site.com.