Hello everyone, I can see my server is being used for sending spam, but I really can't figure out how to close their way into my server, I can se they use multiple ip's to send spam with. Until now they have only used 1 single customer mail addresse let's just call it [email protected] To prevent them to send more spam I have from ispconfig panel blocked the email in postfix blacklist as sender. I have tried check for open relay with http://www.mailradar.com/openrelay/ and the result was All tested completed! No relays accepted by remote host! I have tried disable the customers website and make sure its wasn't mail() by going through /var/log/phpmail.log and result is: spam is not from the website. I have tried change password on the mail user, but spam was still going into mail queue (the customer don't even know the password atm.). This is my postfix main.cf have following content: Code: # See /usr/share/postfix/main.cf.dist for a commented, more complete version # Debian specific: Specifying a file name will cause the first # line of that file to be used as the name. The Debian default # is /etc/mailname. #myorigin = /etc/mailname smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) biff = no # appending .domain is the MUA's job. append_dot_mydomain = no # Uncomment the next line to generate "delayed mail" warnings #delay_warning_time = 4h readme_directory = /usr/share/doc/postfix #SPF tjek (http://www.howtoforge.com/hardening-postfix-for-ispconfig-3) policy-spf_time_limit = 3600s # TLS parameters smtpd_tls_cert_file = /etc/postfix/smtpd.cert smtpd_tls_key_file = /etc/postfix/smtpd.key smtpd_use_tls = yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for # information on enabling SSL in the smtp client. myhostname = myserver.domain.tld alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases myorigin = /etc/mailname mydestination = myserver.domain.tld, localhost, localhost.localdomain relayhost = mynetworks = 127.0.0.0/8 [::1]/128 mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all html_directory = /usr/share/doc/postfix/html virtual_alias_domains = virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf, hash:/var/lib/mailman/data/virtual-mailman virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf virtual_mailbox_base = /var/vmail virtual_uid_maps = static:5000 virtual_gid_maps = static:5000 smtpd_sasl_auth_enable = yes broken_sasl_auth_clients = yes smtpd_sasl_authenticated_header = yes #smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination, reject_rbl_client list.dsbl.org, reject_rbl_client sbl.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net, smtpd_tls_security_level = may transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf #smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf smtpd_client_message_rate_limit = 100 maildrop_destination_concurrency_limit = 1 maildrop_destination_recipient_limit = 1 virtual_transport = maildrop header_checks = regexp:/etc/postfix/header_checks mime_header_checks = regexp:/etc/postfix/mime_header_checks nested_header_checks = regexp:/etc/postfix/nested_header_checks body_checks = regexp:/etc/postfix/body_checks owner_request_special = no content_filter = amavis:[127.0.0.1]:10024 receive_override_options = no_address_mappings #helo restrictions fra http://www.howtoforge.com/hardening-postfix-for-ispconfig-3 smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname #strift rfc fra http://www.howtoforge.com/hardening-postfix-for-ispconfig-3 strict_rfc821_envelopes = yes #data restrictions fra http://www.howtoforge.com/hardening-postfix-for-ispconfig-3 smtpd_data_restrictions = reject_unauth_pipelining #smtpd delay smtpd_delay_reject = yes message_size_limit = 0 inet_protocols = all #anti spam fra http://www.cyberciti.biz/tips/postfix-spam-filtering-with-blacklists-howto.html disable_vrfy_command = yes #Mailman virtual_maps = hash:/var/lib/mailman/data/virtual-mailman owner_request_special = no inet_protocols = all authorized_submit_users = !root, static:anyone this is my master.cf Code: # # Postfix master process configuration file. For details on the format # of the file, see the master(5) manual page (command: "man 5 master"). # # Do not forget to execute "postfix reload" after editing this file. # # ========================================================================== # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # ========================================================================== smtp inet n - - - - smtpd 2525 inet n - - - - smtpd submission inet n - - - - smtpd -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING smtps inet n - - - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING #628 inet n - - - - qmqpd pickup fifo n - - 60 1 pickup cleanup unix n - - - 0 cleanup qmgr fifo n - n 300 1 qmgr #qmgr fifo n - - 300 1 oqmgr tlsmgr unix - - - 1000? 1 tlsmgr rewrite unix - - - - - trivial-rewrite bounce unix - - - - 0 bounce defer unix - - - - 0 bounce trace unix - - - - 0 bounce verify unix - - - - 1 verify flush unix n - - 1000? 0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap smtp unix - - - - - smtp # When relaying mail as backup MX, disable fallback_relay to avoid MX loops relay unix - - - - - smtp -o smtp_fallback_relay= # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 showq unix n - - - - showq error unix - - - - - error retry unix - - - - - error discard unix - - - - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - - - - lmtp anvil unix - - - - 1 anvil scache unix - - - - 1 scache # # ==================================================================== # Interfaces to non-Postfix software. Be sure to examine the manual # pages of the non-Postfix software to find out what options it wants. # # Many of the following services use the Postfix pipe(8) delivery # agent. See the pipe(8) man page for information about ${recipient} # and other message envelope options. # ==================================================================== # # maildrop. See the Postfix MAILDROP_README file for details. # Also specify in main.cf: maildrop_destination_recipient_limit=1 # maildrop unix - n n - - pipe flags=DRhu user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender} # # ==================================================================== # # Recent Cyrus versions can use the existing "lmtp" master.cf entry. # # Specify in cyrus.conf: # lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 # # Specify in main.cf one or more of the following: # mailbox_transport = lmtp:inet:localhost # virtual_transport = lmtp:inet:localhost # # ==================================================================== # # Cyrus 2.1.5 (Amos Gouaux) # Also specify in main.cf: cyrus_destination_recipient_limit=1 # #cyrus unix - n n - - pipe # user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} # # ==================================================================== # Old example of delivery via Cyrus. # #old-cyrus unix - n n - - pipe # flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} # # ==================================================================== # # See the Postfix UUCP_README file for configuration details. # uucp unix - n n - - pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) # # Other external delivery methods. # ifmail unix - n n - - pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) bsmtp unix - n n - - pipe flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient scalemail-backend unix - n n - 2 pipe flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} mailman unix - n n - - pipe flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user} amavis unix - - - - 2 smtp -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes 127.0.0.1:10025 inet n - - - - smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_client_restrictions= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 -o strict_rfc821_envelopes=yes -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks -o smtpd_bind_address=127.0.0.1 policy-spf unix - n n - - spawn user=nobody argv=/usr/bin/policyd-spf after i have blocked the mail user in ispconfig I still see following in syslog Code: May 6 13:53:19 web2 postfix/smtpd[25077]: connect from unknown[***.***.128.138] May 6 13:53:21 web2 postfix/smtpd[25319]: warning: ***.210.111.33: address not listed for hostname 81-210-111-33.ip.netia.com.pl May 6 13:53:21 web2 postfix/smtpd[25319]: connect from unknown[***.210.111.33] May 6 13:53:21 web2 postfix/smtpd[25077]: NOQUEUE: reject: RCPT from unknown[***.***..128.138]: 554 5.7.1 <[email protected]>: Sender address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<companymail.tld> May 6 13:53:21 web2 postfix/smtpd[25077]: NOQUEUE: reject: RCPT from unknown[***.***..128.138]: 554 5.7.1 <[email protected]>: Sender address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<companymail.tld> May 6 13:53:21 web2 postfix/smtpd[25077]: NOQUEUE: reject: RCPT from unknown[***.***..128.138]: 554 5.7.1 <[email protected]>: Sender address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<companymail.tld> May 6 13:53:21 web2 postfix/smtpd[25077]: NOQUEUE: reject: RCPT from unknown[***.***..128.138]: 554 5.7.1 <[email protected]>: Sender address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<companymail.tld> May 6 13:53:21 web2 postfix/smtpd[25077]: NOQUEUE: reject: RCPT from unknown[***.***..128.138]: 554 5.7.1 <[email protected]>: Sender address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<companymail.tld> May 6 13:53:21 web2 postfix/smtpd[25077]: NOQUEUE: reject: RCPT from unknown[***.***..128.138]: 554 5.7.1 <[email protected]>: Sender address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<companymail.tld> May 6 13:53:22 web2 postfix/smtpd[25077]: NOQUEUE: reject: RCPT from unknown[***.***..128.138]: 554 5.7.1 <[email protected]>: Sender address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<companymail.tld> May 6 13:53:22 web2 postfix/smtpd[25077]: NOQUEUE: reject: RCPT from unknown[***.***..128.138]: 554 5.7.1 <[email protected]>: Sender address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<companymail.tld> May 6 13:53:22 web2 postfix/smtpd[25077]: NOQUEUE: reject: RCPT from unknown[***.***..128.138]: 554 5.7.1 <[email protected]>: Sender address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<companymail.tld> May 6 13:53:22 web2 postfix/smtpd[25319]: NOQUEUE: reject: RCPT from unknown[***.210.111.33]: 554 5.7.1 <[email protected]>: Sender address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<companymail.tld> May 6 13:53:22 web2 postfix/smtpd[25319]: NOQUEUE: reject: RCPT from unknown[***.210.111.33]: 554 5.7.1 <[email protected]>: Sender address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<companymail.tld> May 6 13:53:22 web2 postfix/smtpd[25326]: connect from tx2outboundsmtppool1.messaging.microsoft.com[***.55.83.131] May 6 13:53:22 web2 postfix/smtpd[25319]: NOQUEUE: reject: RCPT from unknown[***.210.111.33]: 554 5.7.1 <[email protected]>: Sender address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<companymail.tld> May 6 13:53:23 web2 postfix/smtpd[25319]: NOQUEUE: reject: RCPT from unknown[***.210.111.33]: 554 5.7.1 <[email protected]>: Sender address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<companymail.tld> May 6 13:53:23 web2 postfix/smtpd[25319]: NOQUEUE: reject: RCPT from unknown[***.210.111.33]: 554 5.7.1 <[email protected]>: Sender address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<companymail.tld> May 6 13:53:23 web2 postfix/smtpd[25268]: lost connection after DATA from unknown[***.71.125.14] May 6 13:53:23 web2 postfix/smtpd[25319]: NOQUEUE: reject: RCPT from unknown[***.210.111.33]: 554 5.7.1 <[email protected]>: Sender address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<companymail.tld> May 6 13:53:23 web2 postfix/smtpd[25319]: NOQUEUE: reject: RCPT from unknown[***.210.111.33]: 554 5.7.1 <[email protected]>: Sender address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<companymail.tld> May 6 13:53:23 web2 postfix/smtpd[25319]: NOQUEUE: reject: RCPT from unknown[***.210.111.33]: 554 5.7.1 <[email protected]>: Sender address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<companymail.tld> May 6 13:53:23 web2 postfix/smtpd[25319]: NOQUEUE: reject: RCPT from unknown[***.210.111.33]: 554 5.7.1 <[email protected]>: Sender address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<companymail.tld> May 6 13:53:23 web2 postfix/smtpd[25319]: NOQUEUE: reject: RCPT from unknown[***.210.111.33]: 554 5.7.1 <[email protected]>: Sender address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<companymail.tld> May 6 13:53:23 web2 postfix/smtpd[25319]: NOQUEUE: reject: RCPT from unknown[***.210.111.33]: 554 5.7.1 <[email protected]>: Sender address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<companymail.tld> May 6 13:53:23 web2 postfix/smtpd[25326]: NOQUEUE: reject: RCPT from tx2outboundsmtppool1.messaging.microsoft.com[***.55.83.131]: 450 4.7.1 <TX2EHSNDR002.bigfish.com>: Helo command rejected: Host not found; from=<> to=<[email protected]> proto=ESMTP helo=<TX2EHSNDR002.bigfish.com> May 6 13:53:24 web2 postfix/smtpd[25326]: disconnect from tx2outboundsmtppool1.messaging.microsoft.com[***.55.83.131] If you need more info or logs please tell me. How can I prevent these spammers from sending mails through my server?
Take a look into the spam emails in your queue, you should be able to see the delivery way in the header. Mails in the queue can be viewed with postcat command. run postqueue -p identify one spam email and write down the ID of the mail. The ID looks similra to this "2979E2188345" postcat /var/spool/postfix/deferred/2/2979E2188345 were the "/2/" directory in the path is the first number or char of the ID.
Hello again, I found this, in one of the email's Code: Received: from myserver.mycompany.tld ([127.0.0.1]) by localhost (myserver.mycompany.tld [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9I4pc0fK4JSs; Sun, 5 May 2013 07:16:00 +0200 (CEST) Received: from companymail.tld (unknown [***.96.200.183]) (Authenticated sender: [email protected]) by myserver.mycompany.tld (Postfix) with ESMTPA id 9BE1E14AFE7; Sun, 5 May 2013 07:15:32 +0200 (CEST) When the user is Authenticated sender, does this mean they are logged in to the server with username and password from my client?
Yes. The header is added by postfix when a user is authenticated successfully with email address and password of this mailbox.
