Recently I received a spam report from my VPS provider and Trend Micro. I think my VPS got suspended because one or more unknown "blank senders" are using my mail server as a "jump point". I know this is not a good description, but it is almost like that.

So I googled it and tried the reject null sender config, smtpd_sender_restrictions and smtpd_reject_unlisted_sender, and none of these restrictions are working; the blank sender is still using my mail server, probably to send spam email.

And I'm curious: why can't I send emails with a blank sender username and password on my iPhone? He seems to be able to?

Here's the postfix log.

Aug 13 13:21:55 mail-srv postfix/qmgr[28609]: 80FE844028: from=<>, size=5295, nrcpt=1 (queue active)
Aug 13 13:21:55 mail-srv postfix/qmgr[28609]: 8AFCE6672B: from=<>, size=5519, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8EC7D4F0B9: from=<>, size=5909, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/error[29363]: 80914808C8: to=<yy@huaku.com.tw>, relay=none, delay=50028, delays=50028/0.01/0/0.02, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with smtp.huaku.com.tw[60.251.166.38] while performing the HELO handshake)
Aug 13 13:21:56 mail-srv postfix/error[29379]: 80FE844028: to=<yy@huaku.com.tw>, relay=none, delay=52167, delays=52167/0.01/0/0.01, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with smtp.huaku.com.tw[60.251.166.38] while performing the HELO handshake)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 893BC809E4: from=<>, size=5527, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8AB027F6F8: from=<>, size=5183, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/error[29367]: 8AFCE6672B: to=<yy@huaku.com.tw>, relay=none, delay=52306, delays=52306/0.02/0/0.01, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with smtp.huaku.com.tw[60.251.166.38] while performing the HELO handshake)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8C8A55B7C0: from=<>, size=5545, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/error[29360]: 8EC7D4F0B9: to=<yy@huaku.com.tw>, relay=none, delay=52263, delays=52263/0.02/0/0.01, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with smtp.huaku.com.tw[60.251.166.38] while performing the HELO handshake)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 864266EAD7: from=<>, size=5586, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8B1894C1FF: from=<>, size=5540, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8525D44E65: from=<>, size=5532, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 89C656CE39: from=<>, size=5531, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 804E35CEC2: from=<>, size=5577, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8FF27451C4: from=<>, size=5516, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8730B5B32C: from=<>, size=5531, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8125063A9E: from=<>, size=5525, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 87BC557CD2: from=<>, size=5576, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8F3B957F44: from=<>, size=5526, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 89D8D6EC93: from=<>, size=5531, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 86A845AA04: from=<>, size=5546, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8F5AB52661: from=<>, size=5543, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8C1CC5D9E5: from=<>, size=5540, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 80D597FBBF: from=<>, size=5557, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8146E57F4F: from=<>, size=5568, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8660B4F9D4: from=<>, size=5255, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 89BD35A33C: from=<>, size=5540, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 87CC8599C5: from=<>, size=5610, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8E3A6584A0: from=<>, size=5116, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 847636A0B8: from=<>, size=5541, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 86AD480D58: from=<>, size=5542, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 817485AC90: from=<>, size=5556, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 841276EA0D: from=<>, size=5525, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8296F80B25: from=<>, size=5561, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8421063162: from=<>, size=5401, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8384E4B30E: from=<>, size=5161, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 82688821B0: from=<>, size=5566, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8CF625E8BB: from=<>, size=5368, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8EE4A518E1: from=<>, size=5531, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 89AB64FF8B: from=<>, size=5226, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8AF1E5F0DA: from=<>, size=5674, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 877BA5EB02: from=<>, size=5547, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 866416EB06: from=<>, size=5551, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8B7FD6EE25: from=<>, size=5511, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8796465671: from=<>, size=5542, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 89D9954689: from=<>, size=5536, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 883335CABD: from=<>, size=5539, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8FCBF67FAD: from=<>, size=5519, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8254B5DE8D: from=<>, size=5530, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8A27C5F0C2: from=<>, size=5398, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8522E50E32: from=<>, size=5428, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 84A5F80DD3: from=<>, size=5241, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 897F46EC86: from=<>, size=5545, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 89E504C571: from=<>, size=5929, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8A2946ECA8: from=<>, size=5566, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 88EC766A58: from=<>, size=5715, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8C51D4B594: from=<>, size=5577, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 812354E8B0: from=<>, size=5550, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 86C048267C: from=<>, size=5515, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8E3976CAFE: from=<>, size=5556, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 81A327FC62: from=<>, size=5572, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 85DDD660CB: from=<>, size=5550, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 847E150E1E: from=<>, size=5160, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8E5236F654: from=<>, size=5531, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8947E4E8EB: from=<>, size=5560, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8929F577DE: from=<>, size=5540, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 83A1B44F24: from=<>, size=5572, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8260D7FDB5: from=<>, size=5531, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8981C80C34: from=<>, size=5537, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 894AE808C9: from=<>, size=5566, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8CA3C4C831: from=<>, size=5490, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 866C548714: from=<>, size=5522, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 886658262D: from=<>, size=5556, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 822B95A9A8: from=<>, size=5525, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8BADC69D5E: from=<>, size=5525, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 852266B8C4: from=<>, size=5540, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 83712504BA: from=<>, size=5525, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8096D64F2C: from=<>, size=5311, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 842845DCEE: from=<>, size=5323, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8E3A159D01: from=<>, size=5545, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 85D255046D: from=<>, size=5540, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 806735809F: from=<>, size=5519, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8D4D56C900: from=<>, size=5539, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 869B057748: from=<>, size=5214, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8B9D682689: from=<>, size=5546, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 81D185E332: from=<>, size=5555, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 85D7C6318F: from=<>, size=5511, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 8F2915D8A7: from=<>, size=5565, nrcpt=1 (queue active)
Aug 13 13:21:56 mail-srv postfix/qmgr[28609]: 894F35C4A7: from=<>, size=5546, nrcpt=1 (queue active)
Aug 13 13:21:58 mail-srv postfix/local[29444]: fatal: main.cf configuration error: mailbox_size_limit is smaller than message_size_limit
Aug 13 13:21:59 mail-srv postfix/master[28607]: warning: process /usr/libexec/postfix/local pid 29444 exit status 1
Aug 13 13:21:59 mail-srv postfix/master[28607]: warning: /usr/libexec/postfix/local: bad command startup -- throttling
Aug 13 13:22:59 mail-srv postfix/local[29554]: fatal: main.cf configuration error: mailbox_size_limit is smaller than message_size_limit
Aug 13 13:23:00 mail-srv postfix/master[28607]: warning: process /usr/libexec/postfix/local pid 29554 exit status 1
Aug 13 13:23:00 mail-srv postfix/master[28607]: warning: /usr/libexec/postfix/local: bad command startup -- throttling
Aug 13 13:24:00 mail-srv postfix/local[29623]: fatal: main.cf configuration error: mailbox_size_limit is smaller than message_size_limit
Aug 13 13:24:01 mail-srv postfix/master[28607]: warning: process /usr/libexec/postfix/local pid 29623 exit status 1
Aug 13 13:24:01 mail-srv postfix/master[28607]: warning: /usr/libexec/postfix/local: bad command startup -- throttling
Aug 13 13:25:01 mail-srv postfix/local[29680]: fatal: main.cf configuration error: mailbox_size_limit is smaller than message_size_limit
Aug 13 13:25:02 mail-srv postfix/master[28607]: warning: process /usr/libexec/postfix/local pid 29680 exit status 1
Aug 13 13:25:02 mail-srv postfix/master[28607]: warning: /usr/libexec/postfix/local: bad command startup -- throttling

Here's postconf -n.

postconf: warning: /etc/postfix/master.cf: undefined parameter: submission_sender_checks
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 102400000
meta_directory = /etc/postfix
milter_default_action = accept
milter_protocol = 2
mydestination =
myhostname = mail-srv.novalocal
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = inet:127.0.0.1:8891
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix3-3.4.7/README_FILES
sample_directory = /usr/share/doc/postfix3-3.4.7/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtp_tls_security_level = may
smtpd_milters = inet:127.0.0.1:8891
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_auth_destination, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_auth_destination, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_sender_login_mismatch
smtpd_tls_chain_files = /etc/pki/dovecot/private/dovecot.pem,/etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_security_level = may
smtpd_use_tls = yes
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
unknown_local_recipient_reject_code = 550
virtual_alias_maps = sqlite:/etc/postfix/sqlite_virtual_alias_maps.cf, sqlite:/etc/postfix/sqlite_virtual_alias_domain_maps.cf, sqlite:/etc/postfix/sqlite_virtual_alias_domain_catchall_maps.cf
virtual_mailbox_domains = sqlite:/etc/postfix/sqlite_virtual_domains_maps.cf
virtual_mailbox_maps = sqlite:/etc/postfix/sqlite_virtual_mailbox_maps.cf, sqlite:/etc/postfix/sqlite_virtual_alias_domain_mailbox_maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp

Word count exceeded. postconf -d is here: https://paste.ubuntu.com/p/Nhqf7hbdg9/

  • I don't see an obvious configuration problem here, which makes me suspect these messages originated _locally_. This may mean your server or web application has been compromised. Check your mail logs carefully to see if you can find the origin of these messages. – Michael Hampton Aug 13 '21 at 19:20
  • There is nothing in the RFCs about email that blocks empty senders, however most clients and servers do. I would say that the big issue is that you have an SMTP server that anyone can use as a jump point. Close it down, close the SMTP port, or at least use firewalls until you have figured out and verified authentication. – NiKiZe Aug 17 '21 at 14:00

1 Answer

The <> sender is the correct way to indicate that if a message cannot be delivered, no error report should be generated.

Error reports are generated with an empty sender precisely so error reports cannot trigger new error reports, so those are valid messages.

The From: field and the SMTP sender are unrelated, except that mail is usually generated with both being the same so error reports are delivered to the correct mailbox.

Your server can be used for spam because you are missing a few restrictions:

smtpd_recipient_restrictions = reject_unauth_destination
smtpd_relay_restrictions = reject_unauth_destination

You will need other settings in these lines to allow legitimate mail through, but which settings depends on how you recognize legitimate mail (permit_mynetworks, permit_sasl_authenticated, or permit_tls_clientcerts are typical, read the documentation on these to see if you need them).

Simon Richter
  • In fact, I did not send any emails to these mailboxes, and I have no idea how these reports were generated. – nightisovered Aug 13 '21 at 17:43
  • The first line already exists, so I added the second line to the postfix server config, and it turns out the same result... If my server was not being abused by someone else... Why does my server IP show up in some abusedb? And Google blocked me too. – nightisovered Aug 13 '21 at 17:45
  • Here's the log after adding the requirements to the postfix server config. https://paste.ubuntu.com/p/BrMJhjWhFX/ – nightisovered Aug 13 '21 at 17:47
  • @nightisovered, there are a few mails that are already in your outgoing queue, these will be unaffected by the changed security settings. The size limit configuration is still wrong. – Simon Richter Aug 14 '21 at 11:31
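
Added example (not part of the original question, answer or comments): one way to follow the advice above and find where each from=<> message entered the queue, by correlating Postfix queue IDs across smtpd, pickup, bounce and qmgr log lines. The function name and the sample log are constructed for illustration; the line formats assumed are the usual Postfix "client=", "uid=" and "sender non-delivery notification" entries.

```python
import re

# Constructed sample log (not from the post); documentation-reserved addresses.
SAMPLE_LOG = """\
Aug 13 10:00:01 mail-srv postfix/smtpd[101]: AAA111: client=unknown[203.0.113.9]
Aug 13 10:00:01 mail-srv postfix/qmgr[100]: AAA111: from=<forged@example.net>, size=5200, nrcpt=1 (queue active)
Aug 13 10:00:02 mail-srv postfix/bounce[102]: AAA111: sender non-delivery notification: BBB222
Aug 13 10:00:02 mail-srv postfix/qmgr[100]: BBB222: from=<>, size=5500, nrcpt=1 (queue active)
Aug 13 10:00:03 mail-srv postfix/smtpd[103]: CCC333: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=info@example.org
Aug 13 10:00:03 mail-srv postfix/qmgr[100]: CCC333: from=<>, size=5300, nrcpt=1 (queue active)
Aug 13 10:00:04 mail-srv postfix/pickup[104]: DDD444: uid=48 from=<>
Aug 13 10:00:04 mail-srv postfix/qmgr[100]: DDD444: from=<>, size=5100, nrcpt=1 (queue active)
Aug 13 10:00:05 mail-srv postfix/qmgr[100]: EEE555: from=<>, size=5000, nrcpt=1 (queue active)
"""

LINE = re.compile(r"postfix/(?:[\w-]+/)?(\w+)\[\d+\]: ([0-9A-Za-z]+): (.*)")
BOUNCE = re.compile(r"sender non-delivery notification: ([0-9A-Za-z]+)")

def trace_null_senders(log_text):
    """Map each queue ID qmgr logged with from=<> to how it entered (added helper)."""
    origin, parent, null_ids = {}, {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        if daemon == "smtpd" and rest.startswith("client="):
            user = re.search(r"sasl_username=(\S+)", rest)
            client = rest.split(",")[0][len("client="):]
            origin[qid] = (f"smtp-auth:{user.group(1)}" if user
                           else f"smtp:{client}")
        elif daemon == "pickup" and rest.startswith("uid="):
            origin[qid] = "local-" + rest.split()[0]   # e.g. local-uid=48
        elif daemon == "bounce" and (b := BOUNCE.search(rest)):
            parent[b.group(1)] = qid                    # new DSN id -> original id
        elif daemon == "qmgr" and rest.startswith("from=<>,"):
            null_ids.append(qid)                        # repeats on every retry
    result = {}
    for qid in dict.fromkeys(null_ids):                 # de-duplicate, keep order
        if qid in parent:
            src = origin.get(parent[qid], "unknown")
            result[qid] = f"bounce-of:{parent[qid]} ({src})"
        else:
            result[qid] = origin.get(qid, "unknown (entry predates this log)")
    return result

if __name__ == "__main__":
    for qid, how in trace_null_senders(SAMPLE_LOG).items():
        print(qid, how)
```

Entries reported as "bounce-of" are error reports this server generated for mail it had accepted, "smtp-auth" points at an account whose credentials are in use, and "local-uid" points at a process on the host itself. Entries reported as unknown were queued before the log window and need older rotated logs.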