Hi All, It appears somehow, someone created a postfix user account that gave them access to relay spam through a client's server. I have the exact username and password, however, this user is not showing up in the virtualuser.db or anywhere that I know to look (i.e. shadow). What are the normal locations for the postfix users and does anyone have a suggestion on removing this account? Thanks, Ken
I assume you did a relay test on the server to ensure that it is not a open relay? Please post the content of the main.cf file, comments stripped.
Hi Till, Thanks for the response. Here's the main.cf:

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
myhostname = debian.krausorders.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
relayhost = [smtp.nuvox.net]
mynetworks = 127.0.0.0/8
mailbox_command =
mailbox_size_limit = 100000000
recipient_delimiter = +
inet_interfaces = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,check_policy_service inet:127.0.0.1:60000
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
home_mailbox = Maildir/
virtual_maps = hash:/etc/postfix/virtusertable
mydestination = /etc/postfix/local-host-names
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
message_size_limit = 20000000
smtp_helo_required = yes
invalid_hostname_reject_code = 554
multi_hostname_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_sender_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554
smtpd_recipient_restrictions = reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client bl.spamcop.net, permit
Hi Falko, No, they actually have a username and password. I know what both are through packet sniffing and have verified that I can login and send email with this info. So now the question is how do I kill this user pass. I have applied an ip ban to a range of IP addresses that this person is connecting from, but this is obviously a temporary measure. Thanks, Ken
Hi Till, No, they're not listed in the /etc/passwd file. The username seems to have been created by a random generator and the password is the same as the username with the addition of a couple of extra characters on the end. Thanks, Ken
Hi Till, I can't use any random characters, however, if I use the ones I sniffed out then yes they work fine. Thanks, Ken
I see that you have some options twice in your main.cf. Can you remove the redundant lines and post the main.cf again (please wrap it in code tags). Are there any errors/warnings in your mail log?
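Added example, not part of this thread: since the config enables smtpd_sasl_auth_enable with no smtpd_sasl_type/path set, Postfix on Debian is using Cyrus SASL, whose backend is chosen in /etc/postfix/sasl/smtpd.conf (pwcheck_method: saslauthd checks PAM/shadow, pwcheck_method: auxprop keeps users in /etc/sasldb2, listed with sasldblistusers2 and removed with saslpasswd2 -d). The script below answers Till's mail-log question from the defender's side: it parses Postfix smtpd log lines for sasl_username and flags any authenticated account that is not in a known list; the log lines and the KNOWN_USERS list are constructed for the example.

```shell
# Constructed sample lines in Postfix smtpd log format (not taken from the thread).
SAMPLE_LOG='Mar  3 10:01:12 debian postfix/smtpd[1234]: 5A1B2C3D4E: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=ken
Mar  3 10:02:40 debian postfix/smtpd[1240]: 6B2C3D4E5F: client=unknown[198.51.100.77], sasl_method=PLAIN, sasl_username=qx7kd2
Mar  3 10:02:41 debian postfix/smtpd[1240]: 7C3D4E5F60: client=unknown[198.51.100.77], sasl_method=PLAIN, sasl_username=qx7kd2
Mar  3 10:05:02 debian postfix/smtpd[1251]: 8D4E5F6071: client=mail.example.net[192.0.2.9], sasl_method=LOGIN, sasl_username=ken'

# Accounts that are supposed to relay (constructed allowlist). On a real box build it
# from the SASL backend in use, e.g. `sasldblistusers2` for /etc/sasldb2.
KNOWN_USERS='ken'

# Print "count username client" for every authenticated session, busiest first.
sasl_login_summary() {
    printf '%s\n' "$SAMPLE_LOG" \
      | sed -n 's/.*client=\([^,]*\), sasl_method=[^,]*, sasl_username=\(.*\)$/\2 \1/p' \
      | sort | uniq -c | sort -rn
}

# Print usernames that authenticated but are not in KNOWN_USERS: these are the
# accounts to look for in the SASL backend and remove.
unknown_sasl_users() {
    sasl_login_summary | awk '{print $2}' | sort -u | while read -r u; do
        case " $KNOWN_USERS " in
            *" $u "*) ;;           # known account, nothing to report
            *) echo "$u" ;;        # unexpected account
        esac
    done
}
```

Against a live server, replace SAMPLE_LOG with `grep sasl_username /var/log/mail.log` and the rest stays the same.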