
Something weird is going on on my mail server. I was mailing a friend and my mail bounced because the IP of my server had been blacklisted.

It appears that my server is being used for relaying spam mails (see excerpt from log below).

I've checked my settings and they shouldn't allow relaying (see below). I've also checked with several test services online (which all cleared / say that relaying isn't allowed).

Is there something I'm missing??

EDIT: Why are non-existing users allowed to relay e-mails (and how do I stop it?)

EDIT 2: I've tried to stop all mails, but it just keeps going (also emptied the queue):

smtpd_sender_restrictions = reject
smtpd_helo_restrictions = reject
smtpd_client_restrictions = reject
smtpd_recipient_restrictions = reject

I can't send mails, I can't receive mails, but the spam just keeps going!!

(I've installed all available updates)

OS: Debian 7

Software: Postfix 2.9.6-2 / 2.7.1-1+squeeze1

main.cf:

myhostname = hus42.se
myorigin = /etc/mailname
mydestination = localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

smtpd_tls_cert_file=/etc/ssl/certs/mailcert.pem
smtpd_tls_key_file=/etc/ssl/private/mail.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_security_level=may
smtpd_tls_protocols = !SSLv2, !SSLv3

local_recipient_maps = proxy:unix:passwd.byname $alias_maps

home_mailbox = Maildir/
virtual_mailbox_domains = /etc/postfix/vhosts
virtual_mailbox_base = /var/email
virtual_mailbox_maps = hash:/etc/postfix/vmaps

virtual_minimum_uid = 1000
virtual_uid_maps = hash:/etc/postfix/vuids
virtual_gid_maps = hash:/etc/postfix/vuids

master.cf: http://pastebin.com/navLmxw3

log:

Apr 22 21:11:20 u0903576-01 postfix/qmgr[11974]: 28940B84981: from=<angela_joseph@chris.hindefjord.se>, size=1105, nrcpt=1 (queue active)
Apr 22 21:11:20 u0903576-01 postfix/pickup[11973]: 4C6D3B84970: uid=33 from=<rita_robertson@chris.hindefjord.se>
Apr 22 21:11:20 u0903576-01 postfix/qmgr[11974]: 1C241C388D2: from=<audrey_wallace@chris.hindefjord.se>, size=1045, nrcpt=1 (queue active)
Apr 22 21:11:20 u0903576-01 postfix/cleanup[11975]: 4C6D3B84970: message-id=<718f45a9d35b948e57f3c522547b3124@chris.hindefjord.se>
Apr 22 21:11:20 u0903576-01 postfix/qmgr[11974]: 1AC87C3924C: from=<lena_sutton@chris.hindefjord.se>, size=1092, nrcpt=1 (queue active)
Apr 22 21:11:20 u0903576-01 postfix/qmgr[11974]: 1326EC3945C: from=<marianne_warren@chris.hindefjord.se>, size=1107, nrcpt=1 (queue active)
Apr 22 21:11:20 u0903576-01 postfix/smtp[12089]: 1E1ADB848F8: host mailin-04.mx.aol.com[64.12.88.131] refused to talk to me: 421 4.7.1 : (DNS:NR) http://postmaster.info.aol.com/errors/421dnsnr.html
Apr 22 21:11:20 u0903576-01 postfix/smtp[12003]: 1A7EAB845C8: host mailin-04.mx.aol.com[64.12.88.131] refused to talk to me: 421 4.7.1 : (DNS:NR) http://postmaster.info.aol.com/errors/421dnsnr.html
Apr 22 21:11:20 u0903576-01 postfix/qmgr[11974]: 1952EC38CA3: from=<maryann_vega@chris.hindefjord.se>, size=1161, nrcpt=1 (queue active)
Apr 22 21:11:20 u0903576-01 postfix/smtp[12109]: 15FA3C381AC: to=<empire1012@netzero.com>, relay=mx.dca.untd.com[64.136.44.37]:25, delay=86030, delays=86029/0.18/0.68/0, dsn=4.0.0, status=deferred (host mx.dca.untd.com[64.136.44.37] refused to talk to me: 550 Access denied...1fd94df0f070717104fd505175246524d094fd5411b50525c19d09b5c121c445d4eddddd40217d5dc41930...)
Apr 22 21:11:20 u0903576-01 postfix/qmgr[11974]: 1229FC38479: from=<claire_mendoza@chris.hindefjord.se>, size=1078, nrcpt=1 (queue active)
Apr 22 21:11:20 u0903576-01 postfix/smtp[12102]: 1AB62C380D1: host mx-ha02.web.de[212.227.17.8] refused to talk to me: 554-web.de (mxweb104) Nemesis ESMTP Service not available 554-No SMTP service 554 invalid DNS PTR resource record, IP=89.221.255.50
Apr 22 21:11:20 u0903576-01 postfix/smtp[12030]: 13DDDC38032: host mx-ha02.web.de[212.227.17.8] refused to talk to me: 554-web.de (mxweb108) Nemesis ESMTP Service not available 554-No SMTP service 554 invalid DNS PTR resource record, IP=89.221.255.50
Apr 22 21:11:20 u0903576-01 postfix/qmgr[11974]: 10717C38AA0: from=<erika_jordan@chris.hindefjord.se>, size=1105, nrcpt=1 (queue active)
Apr 22 21:11:20 u0903576-01 postfix/smtp[12005]: 106F8C38229: host mailin-02.mx.aol.com[64.12.88.164] refused to talk to me: 421 4.7.1 : (DNS:NR) http://postmaster.info.aol.com/errors/421dnsnr.html
Apr 22 21:11:20 u0903576-01 postfix/qmgr[11974]: 17F2FC39469: from=<marlene_roberson@chris.hindefjord.se>, size=1136, nrcpt=1 (queue active)
Apr 22 21:11:20 u0903576-01 postfix/qmgr[11974]: 1E71DB8462E: from=<rochelle_allen@chris.hindefjord.se>, size=1100, nrcpt=1 (queue active)
Apr 22 21:11:20 u0903576-01 postfix/smtp[12002]: 008B1B84986: to=<harriet_crawford@chris.hindefjord.se>, relay=none, delay=0.33, delays=0.17/0.14/0.01/0, dsn=5.4.6, status=bounced (mail for chris.hindefjord.se loops back to myself)
Apr 22 21:11:20 u0903576-01 postfix/error[12111]: 28940B84981: to=<kuale84@yahoo.com>, relay=none, delay=422, delays=422/0.02/0/0.15, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.138.112.33] while sending RCPT TO)
Apr 22 21:11:20 u0903576-01 postfix/error[12138]: 1C241C388D2: to=<fredrahdar@yahoo.com>, relay=none, delay=60498, delays=60498/0.02/0/0.15, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.138.112.33] while sending RCPT TO)
Apr 22 21:11:20 u0903576-01 postfix/qmgr[11974]: 10D90C38F0C: from=<piotr_nowak@chris.hindefjord.se>, size=2892, nrcpt=1 (queue active)
Apr 22 21:11:20 u0903576-01 postfix/smtp[12104]: 841E6B84976: to=<keith.corona@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.71.27]:25, delay=1985, delays=1984/0.07/0.16/0.71, dsn=2.0.0, status=sent (250 2.0.0 OK 1429737080 l3si4550344lbc.147 - gsmtp)
Apr 22 21:11:20 u0903576-01 postfix/pickup[11973]: 77A24B84960: uid=33 from=<rita_robertson@chris.hindefjord.se>
Apr 22 21:11:20 u0903576-01 postfix/cleanup[12216]: 77A24B84960: message-id=<8c2ad1168a2562aaf04f0eff7cda77c4@chris.hindefjord.se>
Apr 22 21:11:20 u0903576-01 postfix/qmgr[11974]: 4C6D3B84970: from=<rita_robertson@chris.hindefjord.se>, size=1129, nrcpt=1 (queue active)
Apr 22 21:11:20 u0903576-01 postfix/smtp[12078]: 1F84FC391C6: to=<karanbatta@rediffmail.com>, relay=mx.rediffmail.rediff.akadns.net[119.252.147.10]:25, delay=18938, delays=18937/0.02/1.1/0, dsn=4.0.0, status=deferred (host mx.rediffmail.rediff.akadns.net[119.252.147.10] refused to talk to me: 553 delivery from 89.221.255.50 is rejected. The connecting IP is blocked by REDIFF, if any concerns kindly contact the system administrator at ipreputation@rediff.co.in )
Apr 22 21:11:20 u0903576-01 postfix/error[12141]: 10717C38AA0: to=<titi_boss78@yahoo.com>, relay=none, delay=56161, delays=56160/0.02/0/0.05, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.138.112.33] while sending RCPT TO)
ChrisH

2 Answers


You're confusing open relaying and authenticated relaying. All email servers support authenticated relaying, which is when a user authenticates to the server for the purpose of sending email to external recipients. The server says "OK, you're allowed to use me to send that email for you because you've been authenticated." (otherwise nobody would ever be able to send email). The online tests you've run test for open relaying, which is when a user who doesn't have an email account/mailbox on the server and isn't authenticated by the server attempts to send an email to a recipient that the server isn't authoritative for. Your log seems to be showing emails being sent from YOUR users to external recipients, which is authenticated relaying, which is how it's supposed to work.

joeqwerty
  • 1. Is there a test service for auth relaying!? 2. The users aren't valid users on the system, and the domain (chris.hindefjord.se) isn't supposed to be used for e-mail (hindefjord.se is, though). – ChrisH Apr 22 '15 at 21:44
  • Why would you need an authenticated relay test? What use case would there be? What would that type of test help you prove or disprove? I'm not following your logic. – joeqwerty Apr 22 '15 at 21:49
  • Well, there are ways to test it manually (i.e. https://rtcamp.com/tutorials/mail/server/testing/smtp/). Here's my thinking: auth should only allow authenticated/existing users, but apparently it lets through non-existing users. As a developer this is something that you would test (otherwise the authentication is useless). – ChrisH Apr 22 '15 at 22:00
  • I can stop myself from sending/receiving emails, but the spam just keeps going!?!? – ChrisH Apr 23 '15 at 01:18

> Something weird is going on on my mail server. I was mailing a friend and my mail bounced because the IP of my server had been blacklisted.

> It appears that my server is being used for relaying spam mails (see excerpt from log below).

Yes, it is.

> I've checked my settings and they shouldn't allow relaying (see below). I've also checked with several test services online (which all cleared / say that relaying isn't allowed).

Your Postfix configuration, especially the Postfix SMTP relay and access control section, is at its default values. Fortunately, the default Postfix configuration is safe enough that you don't have to worry about open relay.

As joeqwerty said in his answer, your server hasn't become an open relay server. Your online tests confirmed this.

> Is there something I'm missing??

When your server is sending spam, it's likely you will be overwhelmed by the huge mail.log, because spammers tend to send email to thousands of recipients in a short time. At first, you will be confused because there is so much data and you don't know where the source of the spam is.

One of the tricks to isolate the Postfix spam problem is grep-ing the log to narrow it down to a single queue ID. For example, on your mail.log I'd run this command:

$ grep 4C6D3B84970 mail.log
Apr 22 21:11:20 u0903576-01 postfix/pickup[11973]: 4C6D3B84970: uid=33 from=<rita_robertson@chris.hindefjord.se>
Apr 22 21:11:20 u0903576-01 postfix/cleanup[11975]: 4C6D3B84970: message-id=<718f45a9d35b948e57f3c522547b3124@chris.hindefjord.se>
Apr 22 21:11:20 u0903576-01 postfix/qmgr[11974]: 4C6D3B84970: from=<rita_robertson@chris.hindefjord.se>, size=1129, nrcpt=1 (queue active)

There, you can see where the source of the spam is. Apparently a user with uid 33 is the culprit. On many systems, uid=33 is the www-data user. This user sends email via sendmail, not smtpd, so your smtpd_*_restrictions have no effect at all. And by default Postfix will trust (allow relaying) email submitted via sendmail.

But why does my www-data send the spam?

In many cases, it's your web application that caused the spam outbreak. It tells a script to send email to thousands of recipients.

To completely stop the spam you must hunt down the script and remove it. But that isn't the complete solution. The right and complete solution is to rebuild the system and restore from a known good backup. See our canonical question How do I deal with a compromised server?

masegaloeh
  • Thank you! Completely missed the uid.. Too frustrated I guess.. There has probably been some kind of breach in the site at chris.hindefjord.se (I've had problems with spam comments etc). I found two files in the root with "wrong owner" that I didn't recognize. My solution so far has been to turn off sendmail and use auth SMTP (to an external server) on the sites that need to be able to send mail. – ChrisH Apr 23 '15 at 17:55
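As an added example (not code from this thread, from Postfix, or from either answerer), the shell script below applies masegaloeh's grep-by-queue-ID trick across a whole mail.log and separates the two submission paths the two answers talk about: pickup(8) entries carry the local uid of whoever ran sendmail(1), and smtpd_*_restrictions never see that traffic, while smtpd entries record whether the remote client authenticated, which is the only path the online open-relay tests can exercise. The log lines are constructed: the three 4C6D3B84970 lines are copied from the question, the rest are invented to give the script something to contrast. `authorized_submit_users` is a real Postfix main.cf parameter; excluding www-data from it is an assumption for a Debian setup like the one in the question.

```shell
#!/bin/sh
# Added example: triage a Postfix mail.log by submission path.
# Sample log: three lines copied from the question, the rest constructed
# (203.0.113.x / 198.51.100.x are documentation address ranges).
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Apr 22 21:11:20 u0903576-01 postfix/pickup[11973]: 4C6D3B84970: uid=33 from=<rita_robertson@chris.hindefjord.se>
Apr 22 21:11:20 u0903576-01 postfix/cleanup[11975]: 4C6D3B84970: message-id=<718f45a9d35b948e57f3c522547b3124@chris.hindefjord.se>
Apr 22 21:11:20 u0903576-01 postfix/qmgr[11974]: 4C6D3B84970: from=<rita_robertson@chris.hindefjord.se>, size=1129, nrcpt=1 (queue active)
Apr 22 21:11:20 u0903576-01 postfix/pickup[11973]: 77A24B84960: uid=33 from=<rita_robertson@chris.hindefjord.se>
Apr 22 21:11:21 u0903576-01 postfix/pickup[11973]: 0000AB84AAA: uid=1000 from=<chris@example.invalid>
Apr 22 21:11:21 u0903576-01 postfix/smtpd[12300]: 0000BB84BBB: client=unknown[203.0.113.7]
Apr 22 21:11:21 u0903576-01 postfix/smtpd[12300]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <someone@example.invalid>: Relay access denied; from=<x@example.invalid> to=<someone@example.invalid> proto=ESMTP helo=<relaytest>
Apr 22 21:11:22 u0903576-01 postfix/smtpd[12301]: 0000CB84CCC: client=laptop.example.invalid[198.51.100.4], sasl_method=PLAIN, sasl_username=chris
EOF

# 1. The answer's trick: every log line that belongs to one queue ID.
trace_queue_id() {
    grep -F "$1: " "$2"
}

# 2. Locally submitted mail. pickup(8) logs the uid of the process that ran
#    sendmail(1); smtpd_*_restrictions are never consulted for this path.
#    Output: "<uid> <count>", busiest uid first.
pickup_by_uid() {
    awk '/ postfix\/pickup\[/ {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^uid=/) { sub(/^uid=/, "", $i); count[$i]++ }
         }
         END { for (u in count) print u, count[u] }' "$1" | sort -k2,2nr -k1,1n
}

# 3. Mail that arrived over SMTP. smtpd logs one "client=" line per accepted
#    message; sasl_username is present only when the client authenticated.
smtpd_by_auth() {
    awk '/ postfix\/smtpd\[[0-9]+\]: [0-9A-F]+: client=/ {
             if ($0 ~ /sasl_username=/) auth++; else unauth++
         }
         END { print "authenticated", auth + 0; print "unauthenticated", unauth + 0 }' "$1"
}

# 4. Relay refusals issued by smtpd: the only evidence an external open-relay
#    test can produce. It says nothing about the pickup path above.
relay_denied_count() {
    grep -c 'Relay access denied' "$1"
}

# 5. Map a uid to a login name on this host (the thread notes uid 33 is
#    www-data on Debian). Not used by the checks below.
uid_to_name() {
    getent passwd "$1" 2>/dev/null | cut -d: -f1
}

# 6. Stopgap for the situation in the thread, to be run as root on the mail
#    host (not executed here): keep the web server's uid from submitting mail
#    via sendmail(1) while the script is hunted down. authorized_submit_users
#    is a real Postfix parameter; "!www-data" is an assumed value for Debian.
#    The answer's real fix, rebuilding from a known good backup, still applies.
restrict_local_submission() {
    postconf -e 'authorized_submit_users = !www-data, static:anyone'
    postfix reload
}

echo "--- lines for queue ID 4C6D3B84970 (the answer's grep)"
trace_queue_id 4C6D3B84970 "$LOG"
echo "--- pickup submissions per uid"
pickup_by_uid "$LOG"
echo "--- smtpd connections by authentication"
smtpd_by_auth "$LOG"
echo "--- relay refusals seen by smtpd: $(relay_denied_count "$LOG")"
```

To use it on a real host, point `LOG` at /var/log/mail.log instead of the heredoc. The pickup table answers the question's EDIT 2 directly: setting every smtpd_*_restrictions to reject cannot touch mail whose first log entry is a pickup line, because that mail never passed through smtpd.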