3
1
I have a ispconfig server, and it seems that someone is using it to send spam. I got about 130 "Mail Delivery System" emails about declined send email.
This spammer uses my email address as sent from address, so I get all these email addresses to my mail. I am using Postfix and Courier. I installed my server according to this guide: http://www.howtoforge.com/perfect-server-debian-lenny-ispconfig3-p3 I did this a few months ago.
My question: Can I secure my server to require login to be able to send email, and if so... how?
Thanks!
EDIT Some data from mail.log, these kind of error show up constantly:
Jun 15 17:58:16 bolt postfix/qmgr[10712]: CC7DA1242AE: from=<paul@*****.se>, size=3782, nrcpt=1 (queue active)
Jun 15 17:58:16 bolt postfix/smtp[11337]: CC7DA1242AE: to=<luissantos@cmlisboa.pt>, relay=none, delay=4641, delays=4640/0.01/0.32/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=cmlisboa.pt type=MX: Host not found, try again)
Jun 15 17:58:19 bolt postfix/smtpd[10836]: connect from static-200-105-220-154.acelerate.net[200.105.220.154]
Jun 15 17:58:20 bolt postfix/smtpd[10836]: NOQUEUE: reject: RCPT from static-200-105-220-154.acelerate.net[200.105.220.154]: 550 5.1.1 <advertising@*****.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<anteroomtw91@radarsync.com> to=<advertising@*****.com> proto=ESMTP helo=<static-200-105-220-154.acelerate.net>
Jun 15 17:58:20 bolt postfix/smtpd[10836]: lost connection after DATA (0 bytes) from static-200-105-220-154.acelerate.net[200.105.220.154]
Jun 15 17:58:20 bolt postfix/smtpd[10836]: disconnect from static-200-105-220-154.acelerate.net[200.105.220.154]
Jun 15 17:58:29 bolt postfix/smtpd[10834]: connect from unknown[62.176.172.226]
Jun 15 17:58:32 bolt postfix/smtpd[10834]: 386791241F9: client=unknown[62.176.172.226]
Jun 15 17:58:34 bolt postfix/cleanup[10975]: 386791241F9: message-id=<000701cc2b75$143a39f0$adc130a2@jsp.fi>
Jun 15 17:58:34 bolt postfix/qmgr[10712]: 386791241F9: from=<inezreilly_wp@jsp.fi>, size=867, nrcpt=1 (queue active)
Jun 15 17:58:35 bolt postfix/smtpd[10834]: disconnect from unknown[62.176.172.226]
Jun 15 17:58:35 bolt amavis[11084]: (11084-17) Blocked SPAM, [62.176.172.226] [62.176.172.226] <inezreilly_wp@jsp.fi> -> <*****@*****>, Message-ID: <000701cc2b75$143a39f0$adc130a2@jsp.fi>, mail_id: XczovKoMBYNr, Hits: 18.471, size: 867, 833 ms
Jun 15 17:58:35 bolt postfix/smtp[10732]: 386791241F9: to=<*****@*****>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.5, delays=2.7/0/0/0.83, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=11084-17 - SPAM)
Jun 15 17:58:35 bolt postfix/qmgr[10712]: 386791241F9: removed
Jun 15 17:58:43 bolt postfix/smtpd[10836]: warning: 178.121.154.194: address not listed for hostname mm-194-154-121-178.dynamic.pppoe.mgts.by
Jun 15 17:58:43 bolt postfix/smtpd[10836]: connect from unknown[178.121.154.194]
Jun 15 17:58:45 bolt postfix/smtpd[10727]: connect from unknown[180.134.223.86]
EDIT #2 Got some more info from the logs, this is a send request:
mail.info.1:Jun 15 16:41:57 bolt amavis[5399]: (05399-06) Passed CLEAN, [110.139.48.64] [110.139.48.64] <paul@*****.se> -> <jteixeira@bcp.pt>, Message-ID: <CHILKAT-MID-7c54ebcf-5501-de9b-f0b1-4f0234290d8d@HP-IRISH>, mail_id: 35l56Ramx6Nc, Hits: -2.941, size: 3329, queued_as: 2485770086, 136 ms
mail.info.1:Jun 15 16:41:57 bolt postfix/smtp[4743]: 375C570082: to=<jteixeira@bcp.pt>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.8, delays=4.7/0/0/0.14, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=05399-06, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 2485770086)
Which apparently got through. Any ideas how to restrict this?
Thank you for your answer. I checked my prefs in main.cf, and found out that restrictions are set to: smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination As for "smtpd_tls_auth_only" it didn't exists in my conf so I added it. Just got another 45 mails. I still don't really understand how it can be possible though, its my server telling me (MAILER-DEAMON) that the email address does not exist, therefore it must be send thru my server. right? – Paul Peelen – 2011-06-15T15:41:07.747
The sequence of those statements in smtpd_r_r= is crucial. First: check if your server is sending any undesired mails (/var/log/mail.log). If so, stop your server. Second: Check mynetworks= and mysql-virtual_recipient.cf. What are those maps permitting? – trurl – 2011-06-15T15:45:37.163
This is mynetworks:
mynetworks = 127.0.0.0/8 [::1]/128
.mysql-virtual_recipient.cf
points to a database table that is empty. There happens alot of stuff in mail.log, but from what I can see its blocking of incomming spam messages, mainly to one certain client. Can't really distinguish sending from receiving though. – Paul Peelen – 2011-06-15T15:58:06.150