Postfix SPAM without auth

Discussion in 'Installation/Configuration' started by Qlimax, Sep 10, 2015.

  1. Qlimax

    Qlimax New Member

    Hello dears,
    I followed this guide to install my server 3 years ago.
    Since now all has gone without issues. Now I'm facing a spam problem

    For a reason I couldn't understand, external users(foreign ips and servers) are able to spam my internal mailboxes without authentication.

    Here is a PoC using telnet from another server:

    $telnet 25
    Connected to
    Escape character is '^]'.
    220 ESMTP Postfix (Ubuntu)
    helo localhost
    mail from:[email protected]
    250 2.1.0 Ok
    rcpt to:[email protected]
    250 2.1.5 Ok
    354 End data with <CR><LF>.<CR><LF>
    250 2.0.0 Ok: queued as 06F4223420D6
    221 2.0.0 Bye
    Connection closed by foreign host.

    Here is the /etc/postfix/ file

    # See /usr/share/postfix/ for a commented, more complete version
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    readme_directory = /usr/share/doc/postfix
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    myhostname =
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    myorigin = /etc/mailname
    mydestination =, localhost, localhost.localdomain
    relayhost =
    mynetworks = [::1]/128
    #mynetworks =
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    html_directory = /usr/share/doc/postfix/html
    virtual_alias_domains =
    virtual_alias_maps = proxy:mysql:/etc/postfix/, proxy:mysql:/etc/postfix/, hash:/var/lib/mailman/data/virtual-mailman
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/, reject_unknown_recipient_domain
    smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/, reject_unknown_sender_domain
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/
    smtpd_tls_security_level = may
    transport_maps = proxy:mysql:/etc/postfix/
    relay_domains = mysql:/etc/postfix/
    relay_recipient_maps = mysql:/etc/postfix/
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
    smtpd_client_message_rate_limit = 100
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = dovecot
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    owner_request_special = no
    dovecot_destination_recipient_limit = 1
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    content_filter = amavis:[]:10024
    receive_override_options = no_address_mappings
    message_size_limit = 0
    smtpd_tls_CAfile = /usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt

    Any suggestions?
    I would like that anyone who want to use my server as smtp have to authenticate

    Thank you very much!
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You did made a mistake in your test, to test if a server is a open relay you have to use an external address like a gmail address as to address and not a local address as your server ahs to accept all emails to a local address, otherwise you won't receive any mail at all.

    To test your server, use e.g. mxtoolbox.
  3. Qlimax

    Qlimax New Member

    Hi Till,
    thank you for the reply.

    No my server is not an open relay, but anyone without authentication can use it to spam adresses hosted in the server....
    The big problem is that some of the spammed addresses have set "Automatic send copy" to gmail and hotmail, and they are not so happy...
    It's there a way to prevent this, I mean using postfix only with authentication?

    Thank you, I'm glad you have the time to answer :)
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    What you demand makes no sense as it would disable receiving completely for all email addresses on your server and I guess that's not what you want. Please rethink what you are asking for, if a password would be required to send an email to one of the addresses on your server, then you would have to send a letter with a username and password by (post) mail to anyone up front before he could send you an email.
  5. Qlimax

    Qlimax New Member

    Hm... ok, I see what you are saying!

    Like saying that when a johndoe@gmail dot com uses gmail's smtp to mail me, then this smtp doesn't have to authenticate to my postfix to send a mail to one of my mailbox (on my server).

    Hm... so it sounds like regular spam?

    Do you think, then, that my postfix ( configuration has some issues?
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes. What we call spam is just mail that we don't want, such an email is technically not different from any other email that you like to receive. To filter out spam we can e.g. say that we don't want to accept emails from some servers (aka MX blacklists), that we test if the sending server is allowed to send for this domain (spf/dkim) or we try to find out if an email is spam by inspecting its content with keyword lists, bayes filters etc. lile amavis/spamassassin are doing it on your server.

    Your postfix looks generally fine. To improve spam filtering you could add some rbl's to
  7. Qlimax

    Qlimax New Member

    Thank you till for your precious help and advices!:)
    Really appreciated!

    I will try to implement some blacklisting and spf verification!


Share This Page