
I am using postfix with dovecot and virtual users on a centos 6 system.

I had a rush of spam recently, with tons of packs of 50 recipients delivered from an unknown account.

The current logging (maillog) does not display anything about the SMTP authorization process (the restriction on SMTP is authorized users only).

All I have is the "entry point":

Oct 30 05:00:53 xxxxxxx postfix/qmgr[29457]: 7157E115443B: from=aaa@bbb.com, size=1463, nrcpt=50 (queue active)

then 50 of the following:

Oct 30 05:12:50 xxxxxxx postfix/qmgr[29457]: 7157E115443B: to=specialist@dddd.gov, relay=none, delay=19695

I tried adding -v to the master.cf line:

smtp      inet  n       -       n       -       -       smtpd -v

and it works - but it displays too much debugging info

How can I have only one entry in the maillog such as this:

Oct 30 06:20:21 server postfix/smtpd[27864]: xsasl_dovecot_handle_reply: auth reply: OK?2?user=user@domain.com

for every SMTP auth attempt? (and nothing else, no elevated logging level)

Liviu
  • I am confused: a) Are you receiving spam or is your system being used to spam others? I am not sure I can make sense of your question unless it's the latter. b) If you want to get more info on somebody who is being authorised to send (spam) - and you're using dovecot/sasl to authorise - why not look into the dovecot logs? – brokkr Oct 30 '15 at 12:30
  • Potential duplicate of http://serverfault.com/q/404883/37681 ? – HBruijn Oct 30 '15 at 12:33
  • My system was used to send spam, using an authenticated user. I am wondering how to see the user which was used to send messages, because the logs are missing this info - both sendmail and dovecot. – Liviu Oct 30 '15 at 13:21

2 Answers


The authentication log entry should come from postfix/smtpd before the postfix/qmgr (queue active) message. It looks like we aren't seeing all the logs for that particular message ID 7157E115443B in the example, so maybe you had an issue with your logging facility.

If this question was still recent I would request that you run 'grep 7157E115443B mail.log' and provide the results so we could make sure that's not the case.

Dovecot logging settings are in /etc/dovecot/conf.d/10-logging.conf, where you can switch auth_verbose to yes which will show all failed logins, but the successful logins should already appear at the standard logging level.

When I send an email via postfix, the order of operations should appear somewhat as follows in the mail log, as per the postfix operation flow:

auth by smtpd:

Jan 27 09:09:55 mail postfix/smtpd[17400]: 2452C20028A: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=user@domain.com

cleanup:

Jan 27 09:09:55 mail postfix/cleanup[17633]: 2452C20028A: message-id=<xxxxxxxxxxxxxxxxxxxxx@domain.com>

qmgr queuing:

Jan 27 09:09:55 mail postfix/qmgr[5728]: 2452C20028A: from=<user@domain.com>, size=2704, nrcpt=1 (queue active)

smtp sends outbound:

Jan 27 09:09:55 mail postfix/smtp[17634]: 2452C20028A: to=<destination@domain2.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.3, delays=0.03/0/0/0.27, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 6B86C20028C)

qmgr removes from queue:

Jan 27 09:09:55 mail postfix/qmgr[5728]: 2452C20028A: removed

  • Thank you! Logs revealed: `Username character disallowed by auth_username_chars: 0x0a`. It appears the Base64-encoded username included a `new line` char at the end; however, the rest was correct. – Faither Dec 24 '21 at 06:40

In the logs, the SASL logging information is on the smtpd line (without the -v option):

Oct 30 13:19:26 mailgw-out1 postfix/smtps/smtpd[27530]: EB4B2C19E2: client=xxx[1.2.3.4], sasl_method=PLAIN, sasl_username=user@domain

In qmgr, there is no auth, as it is the queue manager!

Check your queues (with the mailq command) to see if there are a lot of mails. Check your logs on smtpd to find the user, if it was authenticated...

Dom
  • This is exactly what I am missing! I don't have any **sasl_username** in my logs; what can I do to enable it? – Liviu Oct 30 '15 at 12:47
  • Then, the user was not authenticated before sending mails! Check if your server is not an open relay... Look at the *postfix/smtp* lines to find the information – Dom Oct 30 '15 at 13:26
  • postfix/smtp lines show only details about outgoing connections, not about incoming – Liviu Oct 30 '15 at 13:40
  • Right, I made a typo. Check *postfix/smtpd* lines. You will have **postfix/smtpd[28185]: connect from host.tld[x.x.x.x]** – Dom Oct 30 '15 at 13:45
  • All I have is stuff like **connect from unknown[111.222.123.321]** - this way I tracked down the IP and blocked it; but I have nothing like **sasl_username=user@domain.com** to match against the legitimate users; this is the main question: **what switch/configuration to change in order to make it show in the logs?** – Liviu Oct 30 '15 at 13:49
  • There is no switch to do that. I suspect that the users don't need to be authenticated on your server. Did you check if your server is an open relay? – Dom Oct 30 '15 at 13:50
  • absolutely: **554 5.7.1 : Relay access denied [703 ms]** – Liviu Oct 30 '15 at 14:28
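Both answers make the same point: the SASL user is on the postfix/smtpd line, not the qmgr line, and the two are joined by the queue ID. The script below does that join over maillog text and flags high-recipient messages, reporting which authenticated user submitted each one (or that no smtpd SASL line exists, which is the open-relay or missing-log case the comments discuss). It is an added example, not code from the thread; the log lines, hostnames, queue IDs and addresses are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample maillog lines (placeholders, not the original poster's logs).
SAMPLE_LOG = """\
Oct 30 05:00:50 mail postfix/smtpd[27864]: 7157E115443B: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=compromised@example.com
Oct 30 05:00:53 mail postfix/qmgr[29457]: 7157E115443B: from=<compromised@example.com>, size=1463, nrcpt=50 (queue active)
Oct 30 05:01:10 mail postfix/smtpd[27865]: 8A2C1115443C: client=laptop.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.com
Oct 30 05:01:12 mail postfix/qmgr[29457]: 8A2C1115443C: from=<alice@example.com>, size=2704, nrcpt=1 (queue active)
Oct 30 05:02:00 mail postfix/qmgr[29457]: 9B3D2115443D: from=<nobody@example.org>, size=900, nrcpt=60 (queue active)
"""

# smtpd line carrying SASL details (matches postfix/smtpd and postfix/smtps/smtpd).
SMTPD_RE = re.compile(
    r"postfix/(?:smtps/)?smtpd\[\d+\]: ([0-9A-F]+): client=(\S+), "
    r"sasl_method=\S+, sasl_username=(\S+)")
# qmgr "queue active" line with the envelope sender and recipient count.
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: ([0-9A-F]+): from=<?([^>,]*)>?, size=\d+, "
    r"nrcpt=(\d+) \(queue active\)")

def correlate(log_text):
    """Join smtpd SASL lines to qmgr lines by Postfix queue ID."""
    records = defaultdict(dict)
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            qid, client, user = m.groups()
            records[qid].update(client=client, user=user)
            continue
        m = QMGR_RE.search(line)
        if m:
            qid, sender, nrcpt = m.groups()
            records[qid].update(sender=sender, nrcpt=int(nrcpt))
    return dict(records)

def flag_bursts(records, threshold=20):
    """Queue IDs whose recipient count meets the threshold, with the SASL user
    (None when no smtpd SASL line was seen: unauthenticated or missing log)."""
    return sorted(
        (qid, r.get("user"), r["nrcpt"])
        for qid, r in records.items()
        if r.get("nrcpt", 0) >= threshold)

if __name__ == "__main__":
    for qid, user, n in flag_bursts(correlate(SAMPLE_LOG)):
        print(f"{qid}: nrcpt={n} sasl_username={user or 'NONE (no smtpd SASL line)'}")
```

Run it against a real maillog by passing the file contents to correlate(); a burst with no sasl_username is the case to investigate first.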