0

I'm getting a huge amount of spamming attempts to random usernames. I know that it happens to all mail servers to some degree, but during the last two weeks there was so much that my VPS's disk allotment filled up just because of the size of the maillog files! One week's log was almost 7GB, and others were smaller but not normal. I'm a novice at reading logs, but here is a small randomly selected snippet:

Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 05DEA31470BF: from=<glenda_fitzgerald@l4jp.com>, size=1165, nrcpt=1 (queue active)
Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 05DEA31470BF: to=<smith88@yahoo.com>, relay=none, delay=358802, delays=358802/0.07/0/0, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[66.196.118.34] while sending RCPT TO)
Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 00B053186BAE: from=<minnie_duncan@l4jp.com>, size=1123, nrcpt=1 (queue active)
Sep 11 03:53:16 vps-1011517-5697 postfix/local[27246]: 00DAD31454C1: to=<ginger_walton@l4jp.com>, relay=local, delay=391867, delays=391867/0.13/0/0.02, dsn=4.1.1, status=SOFTBOUNCE (unknown user: "ginger_walton")
Sep 11 03:53:16 vps-1011517-5697 postfix/smtp[26812]: 0099B3136B26: to=<aziz.toska@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.204.27]:25, delay=107076, delays=107075/0/0.39/0.68, dsn=4.7.1, status=SOFTBOUNCE (host gmail-smtp-in.l.google.com[74.125.204.27] said: 550-5.7.1 [27.112.107.68       1] Our system has detected an unusual rate of 550-5.7.1 unsolicited mail originating from your IP address. To protect our 550-5.7.1 users from spam, mail sent from your IP address has been blocked. 550-5.7.1 Please visit 550-5.7.1  https://support.google.com/mail/?p=UnsolicitedIPError to review our 550 5.7.1 Bulk Email Senders Guidelines. q189si11097060pfq.189 - gsmtp (in reply to end of DATA command))
Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 00ECD3169334: from=<lauren_christensen@l4jp.com>, size=1106, nrcpt=1 (queue active)
Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 00ECD3169334: to=<judelaws67@yahoo.com>, relay=none, delay=246340, delays=246340/0.02/0/0, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[66.196.118.34] while sending RCPT TO)
Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 0231E3138414: from=<david_moon@l4jp.com>, size=1560, nrcpt=1 (queue active)
Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 0231E3138414: to=<colbypeoples44@yahoo.com>, relay=none, delay=14482, delays=14482/0/0/0, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[66.196.118.34] while sending RCPT TO)
Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 062593144D72: from=<>, size=3463, nrcpt=1 (queue active)
Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 08A1D31498F3: from=<>, size=3045, nrcpt=1 (queue active)
Sep 11 03:53:16 vps-1011517-5697 postfix/local[27247]: 062593144D72: to=<isabel_miles@l4jp.com>, relay=local, delay=396966, delays=396966/0.01/0/0, dsn=4.1.1, status=SOFTBOUNCE (unknown user: "isabel_miles")
Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 0D692313F1DA: from=<>, size=3078, nrcpt=1 (queue active)
Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 00EA0313F88E: from=<>, size=3464, nrcpt=1 (queue active)
Sep 11 03:53:16 vps-1011517-5697 postfix/local[27248]: 08A1D31498F3: to=<bridget_harrison@l4jp.com>, relay=local, delay=321787, delays=321787/0.02/0/0, dsn=4.1.1, status=SOFTBOUNCE (unknown user: "bridget_harrison")
Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 0F2A33147B48: from=<>, size=3657, nrcpt=1 (queue active)
Sep 11 03:53:16 vps-1011517-5697 postfix/local[27246]: 0D692313F1DA: to=<freda_gordon@l4jp.com>, relay=local, delay=430240, delays=430240/0.02/0/0, dsn=4.1.1, status=SOFTBOUNCE (unknown user: "freda_gordon")
Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 046C83133878: from=<shelley_garcia@l4jp.com>, size=1180, nrcpt=1 (queue active)
Sep 11 03:53:16 vps-1011517-5697 postfix/local[27247]: 00EA0313F88E: to=<amelia_hanson@l4jp.com>, relay=local, delay=425180, delays=425180/0.02/0/0, dsn=4.1.1, status=SOFTBOUNCE (unknown user: "amelia_hanson")
Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 035633144D87: from=<>, size=3087, nrcpt=1 (queue active)
Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 019673137E30: from=<marguerite_lee@l4jp.com>, size=1161, nrcpt=1 (queue active)
Sep 11 03:53:16 vps-1011517-5697 postfix/local[27248]: 0F2A33147B48: to=<della_wright@l4jp.com>, relay=local, delay=347073, delays=347073/0.02/0/0, dsn=4.1.1, status=SOFTBOUNCE (unknown user: "della_wright")
Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 01F593146A8D: from=<>, size=3579, nrcpt=1 (queue active)
Sep 11 03:53:16 vps-1011517-5697 postfix/local[27246]: 035633144D87: to=<kelley_strickland@l4jp.com>, relay=local, delay=396952, delays=396952/0.02/0/0, dsn=4.1.1, status=SOFTBOUNCE (unknown user: "kelley_strickland")
Sep 11 03:53:16 vps-1011517-5697 postfix/smtp[27074]: 0423D31361AE: to=<ka-abdel@hotmail.fr>, relay=mx3.hotmail.com[65.55.37.72]:25, delay=33557, delays=33557/0.01/0.38/0.12, dsn=4.0.0, status=SOFTBOUNCE (host mx3.hotmail.com[65.55.37.72] said: 550 SC-002 (COL004-MC1F20) Unfortunately, messages from 27.112.107.68 weren't sent. Please contact your Internet service provider since part of their network is on our block list. You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors. (in reply to MAIL FROM command))
Sep 11 03:53:16 vps-1011517-5697 postfix/smtp[27074]: 0423D31361AE: lost connection with mx3.hotmail.com[65.55.37.72] while sending RCPT TO
Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 078CF312D56D: from=<>, size=3751, nrcpt=1 (queue active)
Sep 11 03:53:16 vps-1011517-5697 postfix/local[27247]: 01F593146A8D: to=<eva_morrison@l4jp.com>, relay=local, delay=371261, delays=371261/0.02/0/0, dsn=4.1.1, status=SOFTBOUNCE (unknown user: "eva_morrison")
Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 0CB143130F4A: from=<>, size=3022, nrcpt=1 (queue active)
Sep 11 03:53:16 vps-1011517-5697 postfix/local[27248]: 078CF312D56D: to=<gwen_mendoza@l4jp.com>, relay=local, delay=321700, delays=321700/0.01/0/0, dsn=4.1.1, status=SOFTBOUNCE (unknown user: "gwen_mendoza")
Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 02A0C31284D7: from=<>, size=3032, nrcpt=1 (queue active)
Sep 11 03:53:16 vps-1011517-5697 postfix/local[27246]: 0CB143130F4A: to=<marcia_harvey@l4jp.com>, relay=local, delay=242903, delays=242903/0.01/0/0, dsn=4.1.1, status=SOFTBOUNCE (unknown user: "marcia_harvey")

Three musings:

  • My understanding of "SOFTBOUNCE" doesn't fit the situation - an invalid username should be a hard bounce, right? Anyway, I would rather not have any bounce at all, as it's a waste of resources as well as giving the spammer too much info.
  • I don't understand the text of the complaint from Google's server - the number "500-5.7.1" seems to be randomly inserted in the sentence. But I assume that all those outgoing bounces could be construed as spam in of themselves if there are enough of them, right?
  • The complaint from French Hotmail about a blocklist could be caused by my server or someone else's; a check of 107 blacklists reported my IP on just two of them, so I don't think I have real spam generators on my website or anything like that.

Anyway, I only have one valid username on the domain, so is it possible to configure postfix to simply drop any attempts at mail to any other username? I would be happy if no bounces were sent and nothing was even entered in the log file, because as I said, the log files themselves are filling up. Or if there is a better way of handling this sort of attack, I'm all ears.

EDIT #1: In response to the comment asking about connect/disconnect entries, I searched for the first occurrence of " connect " (with spaces around it - otherwise I get all the "lost connection" entries), and then grepped subsequent references to the same mailserver. Here is the first sequence of those, which occur within a two-second span so are probably related to the same email attempt:

Sep 11 03:53:25 vps-1011517-5697 postfix/smtpd[20505]: connect from simcoe209srvr.owm.bell.net[184.150.200.209]
Sep 11 03:53:25 vps-1011517-5697 postfix/smtpd[20505]: setting up TLS connection from simcoe209srvr.owm.bell.net[184.150.200.209]
Sep 11 03:53:26 vps-1011517-5697 postfix/smtpd[20505]: TLS connection established from simcoe209srvr.owm.bell.net[184.150.200.209]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bi
ts)
Sep 11 03:53:26 vps-1011517-5697 postfix/smtpd[20505]: NOQUEUE: reject: RCPT from simcoe209srvr.owm.bell.net[184.150.200.209]: 450 4.1.1 <louise_bryant@l4jp.com>: Recipient address
 rejected: User unknown in local recipient table; from=<> to=<louise_bryant@l4jp.com> proto=ESMTP helo=<torfep04.bell.net>
Sep 11 03:53:27 vps-1011517-5697 postfix/smtpd[20505]: disconnect from simcoe209srvr.owm.bell.net[184.150.200.209]

These were not sequential entries in the log; there were volumes of unrelated entries during the same two seconds. But if you want me to search for something related in the midst, just tell me what to look for.

EDIT #2: In response to JennyD, here is my /etc/postfix/main.cf (with comments removed, of course):

soft_bounce = yes
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
myhostname = l4jp.com
mydomain = l4jp.com
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.3.3/samples
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
# THE FOLLOWING IS FROM: http://www.anchor.com.au/hosting/dedicated/Postfix-SASL-setup
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/ssl/smtpd.key
smtpd_tls_cert_file = /etc/ssl/smtpd.crt
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
#My settings for virtual mailbox domains (which I don't think I actually use for anything)
virtual_mailbox_domains = /etc/postfix/vhosts.txt
virtual_mailbox_base = /var/spool/vmail
virtual_mailbox_maps = hash:/etc/postfix/vmaps.txt
virtual_minimum_uid = 100
virtual_uid_maps = static:101
virtual_gid_maps = static:101
message_size_limit = 30720000

EDIT #3: Dom recommended softbounce=no. I sent a test email before and after making that change - here are the relevant log entries (from-address sanitized):

Sep 12 20:38:39 vps-1011517-5697 postfix/smtpd[5343]: connect from gateway21.websitewelcome.com[192.185.45.43]
Sep 12 20:38:39 vps-1011517-5697 postfix/smtpd[5343]: setting up TLS connection from gateway21.websitewelcome.com[192.185.45.43]
Sep 12 20:38:39 vps-1011517-5697 postfix/smtpd[5343]: TLS connection established from gateway21.websitewelcome.com[192.185.45.43]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Sep 12 20:38:40 vps-1011517-5697 postfix/smtpd[5343]: NOQUEUE: reject: RCPT from gateway21.websitewelcome.com[192.185.45.43]: 450 4.1.1 <testing@l4jp.com>: Recipient address rejected: User unknown in local recipient table; from=<myotheremail@otherdomain.com> to=<testing@l4jp.com> proto=ESMTP helo=<gateway21.websitewelcome.com>
Sep 12 20:38:40 vps-1011517-5697 postfix/smtpd[5343]: disconnect from gateway21.websitewelcome.com[192.185.45.43]

Sep 12 20:43:06 vps-1011517-5697 postfix/smtpd[6400]: connect from gateway23.websitewelcome.com[192.185.50.119]
Sep 12 20:43:06 vps-1011517-5697 postfix/smtpd[6400]: setting up TLS connection from gateway23.websitewelcome.com[192.185.50.119]
Sep 12 20:43:07 vps-1011517-5697 postfix/smtpd[6400]: TLS connection established from gateway23.websitewelcome.com[192.185.50.119]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Sep 12 20:43:07 vps-1011517-5697 postfix/smtpd[6400]: NOQUEUE: reject: RCPT from gateway23.websitewelcome.com[192.185.50.119]: 550 5.1.1 <testing@l4jp.com>: Recipient address rejected: User unknown in local recipient table; from=<myotheremail@otherdomain.com> to=<testing@l4jp.com> proto=ESMTP helo=<gateway23.websitewelcome.com>
Sep 12 20:43:07 vps-1011517-5697 postfix/smtpd[6400]: disconnect from gateway23.websitewelcome.com[192.185.50.119]

There were five entries in both cases - the only difference in the log was the error code (as expected). But after the change I got an actual bounce message to the address from which I sent the test. Isn't that a bad thing to send to spammers?

EDIT #4: In response to masegaloeh's comment asking for all entries related to the same message queue ID. The ID he gave as an example was from the original files before I turned off soft_bounce, but I suspect one without soft_bounce is more useful, so here is a very recent random example:

[root](10:27:06)[~]$ grep E6CBF312663B /var/log/maillog
Sep 15 10:26:11 vps-1011517-5697 postfix/cleanup[10347]: E6CBF312663B: message-id=<20160915012611.E6CBF312663B@l4jp.com>
Sep 15 10:26:11 vps-1011517-5697 postfix/bounce[10292]: 47A8E3126F85: sender non-delivery notification: E6CBF312663B
Sep 15 10:26:11 vps-1011517-5697 postfix/qmgr[8701]: E6CBF312663B: from=<>, size=3801, nrcpt=1 (queue active)
Sep 15 10:26:11 vps-1011517-5697 postfix/local[10477]: E6CBF312663B: to=<eula_mcdonald@l4jp.com>, relay=local, delay=0, delays=0/0/0/0, dsn=5.1.1, status=bounced (unknown user: "eula_mcdonald")
Sep 15 10:26:11 vps-1011517-5697 postfix/qmgr[8701]: E6CBF312663B: removed

The current log file has grown to 1.2GB in only about 2.5 days. I cannot sustain this pace...

EDIT #5: Next, masegaloeh asked for this:

[root](09:03:50)[/var/log]$ grep 47A8E3126F85 maillog
Sep 15 10:26:10 vps-1011517-5697 postfix/pickup[10444]: 47A8E3126F85: uid=500 from=<eula_mcdonald@l4jp.com>
Sep 15 10:26:10 vps-1011517-5697 postfix/cleanup[10347]: 47A8E3126F85: message-id=<7adc4f0bc266b560e0ec0521654f81b8@l4jp.com>
Sep 15 10:26:10 vps-1011517-5697 postfix/qmgr[8701]: 47A8E3126F85: from=<eula_mcdonald@l4jp.com>, size=1153, nrcpt=1 (queue active)
Sep 15 10:26:11 vps-1011517-5697 postfix/smtp[9981]: 47A8E3126F85: to=<nashvilleguy717@gmail.com>, relay=gmail-smtp-in.l.google.com[64.233.189.27]:25, delay=1.7, delays=0.02/0.39/0.51/0.75, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[64.233.189.27] said: 550-5.7.1 [27.112.107.68       1] Our system has detected an unusual rate of 550-5.7.1 unsolicited mail originating from your IP address. To protect our 550-5.7.1 users from spam, mail sent from your IP address has been blocked. 550-5.7.1 Please visit 550-5.7.1  https://support.google.com/mail/?p=UnsolicitedIPError to review our 550 5.7.1 Bulk Email Senders Guidelines. n130si231260oig.169 - gsmtp (in reply to end of DATA command))
Sep 15 10:26:11 vps-1011517-5697 postfix/bounce[10292]: 47A8E3126F85: sender non-delivery notification: E6CBF312663B
Sep 15 10:26:11 vps-1011517-5697 postfix/qmgr[8701]: 47A8E3126F85: removed

EDIT #6: After taking Michael Hampton's suggested actions, I looked at a tail of the log again. The words "accepted for delivery" caught my eye, because I'm not sending or receiving any real mail - here is the series related to the one I noticed:

[root](15:01:16)[/var/log]$ grep 638BD3122039 maillog
Sep 17 14:59:34 vps-1011517-5697 postfix/pickup[8959]: 638BD3122039: uid=500 from=<juanita_ellis@l4jp.com>
Sep 17 14:59:34 vps-1011517-5697 postfix/cleanup[9099]: 638BD3122039: message-id=<106604bcf476c97586ba8590c7db683e@l4jp.com>
Sep 17 14:59:34 vps-1011517-5697 postfix/qmgr[7492]: 638BD3122039: from=<juanita_ellis@l4jp.com>, size=1185, nrcpt=1 (queue active)
Sep 17 14:59:38 vps-1011517-5697 postfix/smtp[9109]: 638BD3122039: to=<john.timmermans@philips.com>, relay=gw-eur1.smtp.philips.com[212.159.218.9]:25, delay=3.6, delays=0.07/0.01/1.6/2, dsn=2.0.0, status=sent (250 2.0.0 kVzb1t0041UaJoz01VzcmY mail accepted for delivery)
Sep 17 14:59:38 vps-1011517-5697 postfix/qmgr[7492]: 638BD3122039: removed

Of course there is no juanita_ellis here. What could cause that message to get sent? Am I really sending spam???

OsakaWebbie
  • 183
  • 1
  • 11
  • I don't see any connections or disconnections in that log snippet. Are there any logged at all? Also, what version of Postfix is this, and on what Linux distribution? – Michael Hampton Sep 12 '16 at 05:26
  • Postfix version 2.3.3, on CentOS 5. What is some example text I could grep for to look for connections and disconnections in the log? Sorry I'm such a noob at this. – OsakaWebbie Sep 12 '16 at 06:06
  • I edited my question with something about connect/disconnect - I hope it's what you wanted to see. – OsakaWebbie Sep 12 '16 at 07:17
  • 1
    Possible duplicate of [Fighting Spam - What can I do as an: Email Administrator, Domain Owner, or User?](http://serverfault.com/questions/419407/fighting-spam-what-can-i-do-as-an-email-administrator-domain-owner-or-user) – Jenny D Sep 12 '16 at 07:23
  • @JennyD: That gives a lot of general advise, but nothing about HOW to do any of the things they suggest in a Postfix configuration. I don't think I'm doing anything especially stupid - I don't use port 25, I'm not running an open relay (I don't think), and I even set up SPF a while ago (although that would not help with my current problem). What I'm asking is how to actual implement things like the "Reject anything that looks too suspicious" section of that tutorial, or even stricter - as I said, I'm happy to reject anything to any username except the one I use. – OsakaWebbie Sep 12 '16 at 09:22
  • As your question is currently written, it's broad. If you want to have configuration help, you need to post your current configuration and not just the log entries. As for the link to the Fighting Spam question, you should consider it a starting point of the research you need to do. In your case, I'd start with looking at incoming blacklists and greylists. – Jenny D Sep 12 '16 at 09:28
  • Okay, I added my current configuration. I don't remember how much of it is exactly like the default that comes with Postfix - I set up my server a long time ago, and most of my attention was on the web stuff, not email. – OsakaWebbie Sep 12 '16 at 10:01
  • Why using "soft_bounce = yes" ? The default is "no" to reject the errors like these ! See http://www.postfix.org/postconf.5.html#soft_bounce – Dom Sep 12 '16 at 10:24
  • I don't know why - I assume I got such advice from somewhere when I originally set up the server. I'm happy to try changing it to no. – OsakaWebbie Sep 12 '16 at 11:07
  • You should see in your logs "NOQUEUE: reject: RCPT from xxxx: 5xx" – Dom Sep 12 '16 at 11:13
  • Hmm, I have another problem: I just noticed that nothing is currently writing to the log file - it stopped in mid-entry 6.5 hours ago (perhaps I messed it up by looking at it with the less command). I tried doing a logrotate to jar it loose (I had already deleted the numbered files to free up server space) but just got "Segmentation fault". Not finding anything via google that seems applicable. Why is my file stuck? – OsakaWebbie Sep 12 '16 at 11:14
  • Okay, got file unstuck (restarted syslog). Will edit question with test results. – OsakaWebbie Sep 12 '16 at 11:48
  • Even with soft_bounce=no, in about 26 hours my maillog has grown by 600MB! At this pace I will run out of server space again in less than two weeks just from the log files. – OsakaWebbie Sep 13 '16 at 14:12
  • Can you grab all lines in one queue id? For example in your log above, issuing command `grep 05DEA31470BF maillog` will print all the relevant maillog of one email... – masegaloeh Sep 14 '16 at 07:36
  • @masegaloeh: Okay, I did that - see "Edit #4". – OsakaWebbie Sep 15 '16 at 01:37
  • try to `grep 47A8E3126F85 maillog`. We need to define where the source of the spam come from. Queue id E6CBF312663B only contains bounce message. – masegaloeh Sep 16 '16 at 14:24
  • Okay, see edit #5. I don't know what to look for, but hopefully this tells you what you're after. – OsakaWebbie Sep 17 '16 at 00:08
  • Possible duplicate of [How do I deal with a compromised server?](http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – HopelessN00b Sep 18 '16 at 17:31
  • Why was my question's only up vote negated, and again accused of being a duplicate? I work very hard to search for answers/similar questions before posting, but my questions always get low/no votes, accusations of duplicates, etc., and rarely even get "answers" (only comments). I try to obey the Stack Exchange culture - what am I doing wrong? In this case, I didn't know my server was compromised until the very end, so it's nothing like a post about what to do AFTER one knows it's compromised. I DO know what to do now (and have done it); my question was the journey to get to this point. – OsakaWebbie Sep 19 '16 at 02:03

1 Answers1

3

I don't see mynetworks = specified in your Postfix configuration main.cf.

If this is not specified, then anyone on the same local network as you can relay mail through your server without authentication, making your mail server at least a somewhat open relay. If your system has a global IP address, for instance because you're hosted at a VPS provider of some sort (like Digital Ocean), then that makes it open to attack from machines nearby, hosted at that same provider.

This should be fixed immediately.

To lock it down so that only the local host can send unauthenticated mail through the server:

mynetworks = 127.0.0.0/8 [::1]/128

Also, consider deleting any queued mail (spam!) on the server, so that Postfix doesn't attempt to resend it.

View the queue with mailq and if you don't see anything legitimate, delete everything with postsuper -d ALL.


Your last edit makes it clear that a local process on your system is generating the mail. The process is running as uid 500, which is most likely your account. So it looks like you've been compromised. Nuke it from orbit; it's the only way to be sure.

Michael Hampton
  • 237,123
  • 42
  • 477
  • 940
  • Thanks. I added your suggested `mynetworks` setting, and after seeing that `mailq` contained way more than I could look through for real mail (I only get a couple messages a month or so, so I don't expect anything), I also ran `postsuper -d ALL`, which deleted 48,893 messages! With less volume in the log (although still growing faster than I'd think) I'm more able to spot oddities - I will put one of them in the question as edit #6. – OsakaWebbie Sep 17 '16 at 06:05
  • @OsakaWebbie Your last edit makes it clear that a local process on your system is generating the mail. The process is running as uid 500, which is most likely _your_ account. So it looks like you've been compromised. Nuke it from orbit; it's the only way to be sure. – Michael Hampton Sep 17 '16 at 06:31
  • Okay. (Well, not really okay, but you know what I mean.) Thanks for the clarity. I'm pretty sure I know where the breach is (an old Joomla website), which I have intended to replace for a long time but hadn't gotten that elusive Round TUIT. I've stopped postfix (I can do without it for a bit) and will now nuke the site and replace with something built from scratch. – OsakaWebbie Sep 17 '16 at 13:20