Hi. I own a mail server that hosts around 15 clients and 20 domains. I know all of my clients in person. The server is running ISPConfig 3 under Debian stretch OS up to date. One of our clients complained about 2000 bounced mail that he never sent in his inbox. I checked the server and top command showed me around 20 smtpd postfix processes running. I stopped postfix service and the issue stopped. I checked for open relay issues via postfix configuration file and online tools but that wasn't the case. In postfix queue was waiting around 10000 emails all coming from that email account. I asked the client about his password and it was something like that: Email address: [email protected] Password: hisdomain2016 Which was active, well since 2016. I asked him to change his password to something more secure, restarted postfix and everything seems OK after that. Everything except 4 blacklist entries for a 8 years old IP(always clean) and two very stressful hours for me. Question 1. Is it easy for someone to hack a weak email password and send emails using my server. Question 2. Is it possible (if question 1 is yes) for him to sent 6k emails and another 10k waiting in queue in just a couple of hours via a single server? Question 3. How can I set ISPConfig to only accept strong or very strong passwords? Question 4. What command to run to find the first successful login/send attempt regarding that email account. Kind Regards. Happy new year
As far as I can see, I'd say 1 – yes indeed, happened to me some years ago, too (although I didn't have fail2ban back then); 2 – yes, definitely, the incident that hit me was similar and brought the lowly machine I was using to its knees; 3 – System, Interface/Main Config, Misc – the second last option. Cheers, Etc
