Securing SMTP with login

I have an ISPConfig server, and it seems that someone is using it to send spam. I got about 130 "Mail Delivery System" emails about sent emails that were declined.

This spammer uses my email address as the sender (from) address, so I get all these emails in my mailbox. I am using Postfix and Courier. I installed my server a few months ago according to this guide: http://www.howtoforge.com/perfect-server-debian-lenny-ispconfig3-p3

My question: Can I secure my server to require login to be able to send email, and if so... how?

Thanks!

EDIT Some data from mail.log; these kinds of errors show up constantly:

Jun 15 17:58:16 bolt postfix/qmgr[10712]: CC7DA1242AE: from=<paul@*****.se>, size=3782, nrcpt=1 (queue active)
Jun 15 17:58:16 bolt postfix/smtp[11337]: CC7DA1242AE: to=<luissantos@cmlisboa.pt>, relay=none, delay=4641, delays=4640/0.01/0.32/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=cmlisboa.pt type=MX: Host not found, try again)
Jun 15 17:58:19 bolt postfix/smtpd[10836]: connect from static-200-105-220-154.acelerate.net[200.105.220.154]
Jun 15 17:58:20 bolt postfix/smtpd[10836]: NOQUEUE: reject: RCPT from static-200-105-220-154.acelerate.net[200.105.220.154]: 550 5.1.1 <advertising@*****.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<anteroomtw91@radarsync.com> to=<advertising@*****.com> proto=ESMTP helo=<static-200-105-220-154.acelerate.net>
Jun 15 17:58:20 bolt postfix/smtpd[10836]: lost connection after DATA (0 bytes) from static-200-105-220-154.acelerate.net[200.105.220.154]
Jun 15 17:58:20 bolt postfix/smtpd[10836]: disconnect from static-200-105-220-154.acelerate.net[200.105.220.154]
Jun 15 17:58:29 bolt postfix/smtpd[10834]: connect from unknown[62.176.172.226]
Jun 15 17:58:32 bolt postfix/smtpd[10834]: 386791241F9: client=unknown[62.176.172.226]
Jun 15 17:58:34 bolt postfix/cleanup[10975]: 386791241F9: message-id=<000701cc2b75$143a39f0$adc130a2@jsp.fi>
Jun 15 17:58:34 bolt postfix/qmgr[10712]: 386791241F9: from=<inezreilly_wp@jsp.fi>, size=867, nrcpt=1 (queue active)
Jun 15 17:58:35 bolt postfix/smtpd[10834]: disconnect from unknown[62.176.172.226]
Jun 15 17:58:35 bolt amavis[11084]: (11084-17) Blocked SPAM, [62.176.172.226] [62.176.172.226] <inezreilly_wp@jsp.fi> -> <*****@*****>, Message-ID: <000701cc2b75$143a39f0$adc130a2@jsp.fi>, mail_id: XczovKoMBYNr, Hits: 18.471, size: 867, 833 ms
Jun 15 17:58:35 bolt postfix/smtp[10732]: 386791241F9: to=<*****@*****>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.5, delays=2.7/0/0/0.83, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=11084-17 - SPAM)
Jun 15 17:58:35 bolt postfix/qmgr[10712]: 386791241F9: removed
Jun 15 17:58:43 bolt postfix/smtpd[10836]: warning: 178.121.154.194: address not listed for hostname mm-194-154-121-178.dynamic.pppoe.mgts.by
Jun 15 17:58:43 bolt postfix/smtpd[10836]: connect from unknown[178.121.154.194]
Jun 15 17:58:45 bolt postfix/smtpd[10727]: connect from unknown[180.134.223.86]

EDIT #2 Got some more info from the logs; this is a send request:

mail.info.1:Jun 15 16:41:57 bolt amavis[5399]: (05399-06) Passed CLEAN, [110.139.48.64] [110.139.48.64] <paul@*****.se> -> <jteixeira@bcp.pt>, Message-ID: <CHILKAT-MID-7c54ebcf-5501-de9b-f0b1-4f0234290d8d@HP-IRISH>, mail_id: 35l56Ramx6Nc, Hits: -2.941, size: 3329, queued_as: 2485770086, 136 ms
mail.info.1:Jun 15 16:41:57 bolt postfix/smtp[4743]: 375C570082: to=<jteixeira@bcp.pt>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.8, delays=4.7/0/0/0.14, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=05399-06, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 2485770086)

Which apparently got through. Any ideas how to restrict this?

Paul Peelen

Posted 2011-06-15T14:58:17.690

Reputation: 189

Answers

An SMTP server has to accept mail without authentication, otherwise no one would be able to send you an e-mail, because every SMTP server out there would have to know a user/password for your server.

But (!) your server must not accept any mail without authentication when the intended recipient does not belong to your domain(s) (the hosts for which your smtpd should handle/receive mail) (see 'open relay'). When handling mail to recipients outside your domain(s), the sender should be authenticated.

see (/etc/postfix/)main.cf:

smtpd_recipient_restrictions =
        [...]
    permit_sasl_authenticated,
        [...]
    reject_unauth_destination,

This means you permit delivery when the user is authenticated (here using SASL, that's the easiest way); otherwise, every other mail with a RCPT TO: not belonging to the destinations specified through mydestinations= will be rejected.

Additionally, you should disable clear-text login. AUTH should only be available when the connection is secure:

smtpd_tls_auth_only = yes

I doubt your Postfix is an open relay, because one has to deliberately mess with the configuration to achieve this (nowadays), but you should check!

When a spammer is using your e-mail address as a From: address, there's not much you can do :(

Hope this helps.

trurl

Posted 2011-06-15T14:58:17.690

Reputation: 2 102
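A way to check those settings mechanically, as an added example that is not part of trurl's answer nor of ISPConfig: the script below reads main.cf text (here two constructed variants, one matching the values Paul reports in the comments and one deliberately weakened) and reports the relay-relevant problems the answer describes: a mynetworks that trusts every address, a missing reject_unauth_destination, a bare permit or a permit_sasl_authenticated on the wrong side of it, and AUTH offered without TLS. The function names and the sample configuration text are the example's own, and it only inspects the parameters the answer mentions.

```shell
#!/bin/sh
# Added example (not from the original post or ISPConfig): audit the Postfix
# relay-related settings discussed in the answer, using only awk, so it runs
# without Postfix installed. On a real server, pass it `postconf -n` output.

# Constructed sample 1: what Paul reports in the comments (with a
# continuation line, which Postfix joins to the previous parameter).
MAINCF_OK='mynetworks = 127.0.0.0/8 [::1]/128
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
    reject_unauth_destination'

# Constructed sample 2: deliberately weakened (trusts everyone, wrong order,
# no smtpd_tls_auth_only).
MAINCF_BAD='mynetworks = 0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, permit_sasl_authenticated'

# cf_get PARAM MAINCF_TEXT: value of PARAM; joins continuation lines
# (lines starting with whitespace) like Postfix does; last definition wins.
cf_get() {
  printf '%s\n' "$2" | awk -v key="$1" '
    /^[ \t]*$/ || /^#/ { next }
    /^[ \t]/ { cur = cur " " $0; next }
    {
      if (name == key) val = cur
      eq = index($0, "=")
      name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
      cur = substr($0, eq + 1)
    }
    END {
      if (name == key) val = cur
      gsub(/^[ \t]+|[ \t]+$/, "", val); gsub(/[ \t]+/, " ", val)
      print val
    }'
}

# audit_relay MAINCF_TEXT: prints one finding per line, returns 1 if any.
# Covers only the Postfix 2.x parameters the answer discusses.
audit_relay() {
  cf=$1; n=0
  nets=$(cf_get mynetworks "$cf")
  case " $nets " in
    *"/0 "*) echo "mynetworks trusts every address ($nets): permit_mynetworks makes this an open relay"; n=$((n + 1)) ;;
  esac
  seen_reject=0 sasl_after=0 bare_permit=0
  for tok in $(cf_get smtpd_recipient_restrictions "$cf" | tr ',' ' '); do
    case $tok in
      reject_unauth_destination|defer_unauth_destination) seen_reject=1 ;;
      permit) if [ "$seen_reject" -eq 0 ]; then bare_permit=1; fi ;;
      permit_sasl_authenticated) if [ "$seen_reject" -eq 1 ]; then sasl_after=1; fi ;;
    esac
  done
  if [ "$seen_reject" -eq 0 ]; then echo "smtpd_recipient_restrictions has no reject_unauth_destination: open relay"; n=$((n + 1)); fi
  if [ "$bare_permit" -eq 1 ]; then echo "'permit' before reject_unauth_destination: open relay"; n=$((n + 1)); fi
  if [ "$sasl_after" -eq 1 ]; then echo "permit_sasl_authenticated after reject_unauth_destination: authenticated users cannot relay"; n=$((n + 1)); fi
  if [ "$(cf_get smtpd_tls_auth_only "$cf")" != yes ]; then echo "smtpd_tls_auth_only is not yes: AUTH (passwords) offered over clear text"; n=$((n + 1)); fi
  [ "$n" -eq 0 ]
}

echo "== reported configuration =="
audit_relay "$MAINCF_OK" && echo "no findings"
echo "== weakened variant =="
audit_relay "$MAINCF_BAD" || echo "(fix before leaving port 25 exposed)"
```

On a live server run `audit_relay "$(postconf -n)"`; `postconf -n` prints each non-default parameter on one line, so the continuation handling only matters when reading main.cf directly. The ordering check is the point trurl makes in the comments: reject_unauth_destination must come after the permit_* entries you actually want, and any permit_* entry placed after it never gets a chance to run.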

Thank you for your answer. I checked my prefs in main.cf and found out that restrictions are set to: smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination. As for "smtpd_tls_auth_only", it didn't exist in my conf so I added it. Just got another 45 mails. I still don't really understand how it can be possible though; it's my server telling me (MAILER-DAEMON) that the email address does not exist, therefore it must be sent through my server, right? – Paul Peelen – 2011-06-15T15:41:07.747

The sequence of those statements in smtpd_r_r= is crucial. First: check if your server is sending any undesired mails (/var/log/mail.log). If so, stop your server. Second: Check mynetworks= and mysql-virtual_recipient.cf. What are those maps permitting? – trurl – 2011-06-15T15:45:37.163

This is mynetworks: mynetworks = 127.0.0.0/8 [::1]/128. mysql-virtual_recipient.cf points to a database table that is empty. A lot of stuff happens in mail.log, but from what I can see it's blocking of incoming spam messages, mainly to one certain client. Can't really distinguish sending from receiving though. – Paul Peelen – 2011-06-15T15:58:06.150
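Following up on trurl's "check if your server is sending any undesired mails" and Paul's "can't really distinguish sending from receiving": the script below is an added example, not from the page or from ISPConfig, that reads mail.log lines and prints only the deliveries that went to an external MTA. It traces each one back through the amavis re-injection (the "queued as …" at the end of the postfix/smtp line, as in the second log excerpt) to the smtpd session that accepted the message, and reports that session's client address and SASL user, if any. The log lines are constructed for the example, modelled on the ones in the question with documentation addresses and example domains; the "mynetworks" label assumes the 127.0.0.0/8 [::1]/128 value Paul reports, and the function name is the example's own.

```shell
#!/bin/sh
# Added example (not from the original post or ISPConfig): find mail that
# this Postfix actually relayed to the outside and who submitted it.
# Needs only awk. Real use: relay_audit < /var/log/mail.log

# Constructed sample log, modelled on the lines in the question:
#  - 375C570082: outside client, SASL login as paul@example.se, passes amavis,
#    re-injected as 2485770086 and delivered to mx.example.net
#  - AA11BB22CC: outside client, no SASL, re-injected as DD33EE44FF and
#    delivered outside (the open-relay case)
#  - 1234ABCD56: inbound spam discarded by amavis (never leaves the host)
#  - CC7DA1242AE: deferred, relay=none (nothing delivered)
SAMPLE_LOG=$(cat <<'EOF'
Jun 15 16:41:52 mx1 postfix/smtpd[4001]: 375C570082: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=paul@example.se
Jun 15 16:41:52 mx1 postfix/qmgr[4000]: 375C570082: from=<paul@example.se>, size=3329, nrcpt=1 (queue active)
Jun 15 16:41:57 mx1 postfix/smtpd[4002]: 2485770086: client=localhost[127.0.0.1]
Jun 15 16:41:57 mx1 postfix/qmgr[4000]: 2485770086: from=<paul@example.se>, size=3800, nrcpt=1 (queue active)
Jun 15 16:41:57 mx1 postfix/smtp[4743]: 375C570082: to=<jteixeira@example.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.8, delays=4.7/0/0/0.14, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=05399-06, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 2485770086)
Jun 15 16:41:59 mx1 postfix/smtp[4750]: 2485770086: to=<jteixeira@example.net>, relay=mx.example.net[198.51.100.25]:25, delay=2.1, delays=0.1/0/1.2/0.8, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jun 15 16:42:10 mx1 postfix/smtpd[4001]: AA11BB22CC: client=unknown[203.0.113.5]
Jun 15 16:42:10 mx1 postfix/qmgr[4000]: AA11BB22CC: from=<nobody@example.org>, size=900, nrcpt=1 (queue active)
Jun 15 16:42:11 mx1 postfix/smtpd[4002]: DD33EE44FF: client=localhost[127.0.0.1]
Jun 15 16:42:11 mx1 postfix/qmgr[4000]: DD33EE44FF: from=<nobody@example.org>, size=1100, nrcpt=1 (queue active)
Jun 15 16:42:11 mx1 postfix/smtp[4743]: AA11BB22CC: to=<victim@example.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.0, delays=0.9/0/0/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=05399-07, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as DD33EE44FF)
Jun 15 16:42:12 mx1 postfix/smtp[4750]: DD33EE44FF: to=<victim@example.net>, relay=mx.example.net[198.51.100.25]:25, delay=1.0, delays=0.1/0/0.5/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jun 15 16:42:20 mx1 postfix/smtpd[4003]: 1234ABCD56: client=unknown[198.51.100.7]
Jun 15 16:42:20 mx1 postfix/qmgr[4000]: 1234ABCD56: from=<spam@example.org>, size=867, nrcpt=1 (queue active)
Jun 15 16:42:21 mx1 postfix/smtp[4743]: 1234ABCD56: to=<user@example.se>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.0, delays=0.9/0/0/0.1, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=05399-08 - SPAM)
Jun 15 16:42:30 mx1 postfix/qmgr[4000]: CC7DA1242AE: from=<paul@example.se>, size=3782, nrcpt=1 (queue active)
Jun 15 16:42:30 mx1 postfix/smtp[4751]: CC7DA1242AE: to=<someone@nxdomain.example>, relay=none, delay=4641, delays=4640/0.01/0.32/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=nxdomain.example type=MX: Host not found, try again)
EOF
)

# relay_audit: mail.log on stdin; one line per delivery to a non-loopback relay,
# attributed to the smtpd session that originally accepted the message.
relay_audit() {
  awk '
    function qid(s) { sub(/.*postfix\/[a-z]+\[[0-9]+\]: /, "", s); sub(/:.*/, "", s); return s }
    function fld(s, k,   v) {
      if (!match(s, k "=[^,]*")) return ""
      v = substr(s, RSTART + length(k) + 1, RLENGTH - length(k) - 1)
      gsub(/[<>]/, "", v); return v
    }
    # smtpd accepted a message: remember the client and the SASL user, if any
    /postfix\/smtpd\[[0-9]+\]: [0-9A-F]+: client=/ {
      q = qid($0); client[q] = fld($0, "client")
      if ($0 ~ /sasl_username=/) user[q] = fld($0, "sasl_username")
      next
    }
    # queue manager line: envelope sender
    /postfix\/qmgr\[[0-9]+\]: [0-9A-F]+: from=</ { q = qid($0); sender[q] = fld($0, "from"); next }
    # smtp client line: a delivery attempt
    /postfix\/smtp\[[0-9]+\]: [0-9A-F]+: to=</ {
      q = qid($0)
      # handed to the content filter and re-injected under a new queue id
      if (match($0, /queued as [0-9A-F]+/)) { parent[substr($0, RSTART + 10, RLENGTH - 10)] = q; next }
      r = fld($0, "relay")
      if (r == "none" || r ~ /^(127\.0\.0\.1|localhost)\[/) next
      n++; dq[n] = q; dto[n] = fld($0, "to"); drelay[n] = r
    }
    END {
      for (i = 1; i <= n; i++) {
        q = dq[i]; o = q
        while (o in parent) o = parent[o]   # follow re-injection back to the origin
        c = (o in client) ? client[o] : "?"
        if (o in user) how = "sasl:" user[o]
        else if (c ~ /\[(127\.0\.0\.1|::1)\]$/) how = "mynetworks"
        else if (c == "?") how = "no smtpd client line (local submission or bounce)"
        else how = "UNAUTHENTICATED-RELAY"
        printf "%s origin=%s client=%s from=<%s> to=<%s> relay=%s => %s\n", q, o, c, sender[o], dto[i], drelay[i], how
      }
    }'
}

printf '%s\n' "$SAMPLE_LOG" | relay_audit
```

Reading the result: a line ending in sasl:<user> with an outside client means that account's password is what the spammer is using, which the restrictions in the answer will not stop (change the password); a line ending in UNAUTHENTICATED-RELAY means the server accepted mail for an outside recipient from an outside client without authentication, which is the open-relay case and points at the restriction order or mynetworks. Inbound mail, deferred mail and anything discarded by amavis never appears, which is what makes sending distinguishable from receiving in a busy log.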