
I'm running a Postfix installation on Ubuntu 10.04 LTS with multiple domains. The relay access requires authentication with STARTTLS. This morning one of the user accounts logged in and sent hundreds of spam mails, as I can see from the log. The actual owner of this account informed me of receiving multiple DSN mails. The logs do not show any signs of a brute-force attack on the password, so I'm guessing there are only 2 options left:

a) The user's password has been stolen (I've already changed it and since then no further incidents have occurred).

b) There's something wrong with the authentication mechanism.

Does anybody have further suggestions on how to investigate such a topic?

Here is a snippet of the log from when the authentication happened:

Apr 28 09:17:44 vs1909 postfix/smtpd[13325]: connect from unknown[217.76.201.194]
Apr 28 09:17:45 vs1909 postfix/smtpd[13325]: 1458F1409A: client=unknown[217.76.201.194], sasl_method=PLAIN, sasl_username=mail@xxxxxx.tld
Markus

1 Answer

It's clear to me that the password for mail@xxxxxx.tld has been stolen and someone authenticated on your Postfix using this account and password.

You could limit the number of messages sent by a user using the anvil process from Postfix, for example:

smtpd_client_message_rate_limit=100

With this option in main.cf you can limit each client to 100 messages in a given time window. Check the anvil Postfix docs for detailed info about the procedure.

Another thing to consider, though it's not relevant to the problem itself, is that the authentication appears to have been done without any cryptographic mechanism such as TLS or SSL.

Vinícius Ferrão
  • Thanks for your answer. I look at it the same way, since there are no other abnormalities or suspicious log entries. However, just to make sure: would it help to renew the SSL certificates on that box? – Markus Apr 28 '14 at 23:44
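The anvil limit above counts per client IP, while spotting a stolen account means counting per sasl_username. The following script is an added example, not code from the question or answer: it parses postfix/smtpd lines in the format of the log snippet above and reports accounts that exceed a message count inside a sliding time window, together with the client hosts that used them. The year (2014), the limit, the window and the sample log lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Successful SASL submission line, in the format of the question's log snippet.
SASL_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=(?P<client>\S+), sasl_method=\S+, "
    r"sasl_username=(?P<user>\S+)$"
)

def parse_sasl_logins(lines, year=2014):
    """Yield (timestamp, user, client) per authenticated message; syslog has no year, so one is assumed."""
    for line in lines:
        m = SASL_LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["client"]

def find_bursting_accounts(lines, limit=100, window_seconds=3600, year=2014):
    """{user: (peak_count, clients)} for accounts exceeding `limit` messages in
    any sliding window; anvil limits per client IP, this keys by account."""
    recent = defaultdict(deque)   # user -> timestamps still inside the window
    clients = defaultdict(set)    # user -> client hosts that used the account
    peaks = defaultdict(int)
    for ts, user, client in parse_sasl_logins(lines, year):
        q = recent[user]
        q.append(ts)
        clients[user].add(client)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peaks[user] = max(peaks[user], len(q))
    return {u: (n, sorted(clients[u])) for u, n in peaks.items() if n > limit}

def constructed_sample():
    """Constructed log lines (not from the question): one account sends 150
    messages in ten minutes from one host, another sends 3 over an hour."""
    base = datetime(2014, 4, 28, 9, 17, 44)
    lines = []
    for i in range(150):
        t = base + timedelta(seconds=4 * i)
        lines.append(f"{t:%b %d %H:%M:%S} vs1909 postfix/smtpd[13325]: "
                     f"{0xA0000 + i:X}: client=unknown[203.0.113.7], "
                     f"sasl_method=PLAIN, sasl_username=mail@example.tld")
    for i in range(3):
        t = base + timedelta(minutes=30 * i)
        lines.append(f"{t:%b %d %H:%M:%S} vs1909 postfix/smtpd[13401]: "
                     f"{0xB0000 + i:X}: client=home.example.net[198.51.100.9], "
                     f"sasl_method=PLAIN, sasl_username=alice@example.tld")
    return lines
```

Run it against the real mail.log by passing the file's lines instead of constructed_sample(); an account reported with a client host its owner does not use is the one whose password to reset.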