How do I block Postfix from sending spam?

0

My postfix is sending spam from a random-name@mydomain.com address. How is this possible and how do I allow only www-data@localhost to send and postfix to only deliver from myname@mydomain.com to myname@gmail.com (as in my aliases list)?

Here's my main.cf:

    # See /usr/share/postfix/main.cf.dist for a commented, more complete version


    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = *** My main domain ***

    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no

    # appending .domain is the MUA's job.
    append_dot_mydomain = no

    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h

    readme_directory = no

    # TLS parameters
    smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
    smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
    smtpd_use_tls=yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.

    myhostname = *** My hostname ***
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = $mydomain
    mydestination = $myhostname, localhost.$mydomain, $mydomain, localhost
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous noplaintext
    smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination permit_inet_interfaces
    smtpd_tls_security_level = may

    virtual_alias_domains = *** My aliases ***
    virtual_alias_maps = hash:/etc/postfix/virtual
    smtpd_tls_auth_only = yes


    smtpd_client_restrictions = permit_mynetworks, reject
    smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit
    smtpd_data_restrictions = reject_unauth_pipelining
    smtpd_end_of_data_restrictions = check_policy_service unix:private/policy
    smtp_sasl_auth_enable = no
    smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, hash:/etc/postfix/sender_access, permit
    smtpd_delay_reject = yes
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/etc/postfix/sender_access, reject_non_fqdn_hostname, reject_invalid_hostname, permit
    smtpd_recipient_restrictions = reject_unauth_pipelining, reject_unauth_destination, reject_non_fqdn_recipient, permit_mynetworks, permit_sasl_authenticated, check_sender_access hash:/etc/postfix/sender_access, reject_rbl_client relays.ordb.org, reject_rbl_client list.dsbl.org, reject_rbl_client sbl-xbl.spamhaus.org, check_policy_service unix:private/spfpolicy, check_policy_service inet:127.0.0.1:10023, permit
    transport_maps = hash:/etc/postfix/transport

lohis

Posted 2015-04-16T13:36:57.527

Reputation: 41

2

Are you sure it is your postfix that is actually sending the spam? Could it be someone spoofing your address? – Julian Knight – 2015-04-16T13:57:23.100

I see the spam messages in postfix mail queue. My service provider is blocking port 25 now, because of the spam. That's why the spams stay in queue. – lohis – 2015-04-17T01:27:00.757

Sorry, my postfix skills are rather too rusty! I had nightmares trying to get my server right and I tend not to touch it if I can help!! Though I know I need to rebuild the email part. Have you done the usual checks of logs, logins, IPTABLES, etc. to ensure you don't have an unwanted visitor? Also have you checked all clients that connect to make sure they aren't compromised? – Julian Knight – 2015-04-17T09:31:57.990

Did you check if is one user that is sending spams or there are more than one ? Did you check also if you have open relay ? – Ylli Frroku – 2017-06-02T12:51:16.733

try to remove permit from smtpd_client_restrictions – Ylli Frroku – 2017-06-02T13:00:41.880

Answers

0

See if setting relay_recipient_maps properly fixes it.

I think this is the problem...

You are right to set reject_unauth_destination, but the server basically doesn't have explicit instructions on what an "unauth destination" actually is. If it's not an account or forward on your machine, it should not be authorized to relay unless it is a SASL authentication or a permitted network machine.

Spammers are sending forged messages to your machine, which is unable to deliver them to non-existent accounts. Since it can't tell whether they are "unauth" destinations, it attempts to treat them as legit SMTP errors but not as unauthorized and, therefore, sends the error back to the "originating" MTA (which is either forged or misconfigured).

On a properly configured mail server, deferrals should be pretty unusual. If you feel safe doing it, and are sure that you won't delete anything legitimate, run postsuper -d ALL deferred to delete all deferred mail in queue. If I'm right, the queue shouldn't fill up like that again.

Bolwerk

Posted 2015-04-16T13:36:57.527

Reputation: 381

I don't see any spams for now, but now the virtual mapping doesn't work. I.e. I try to send mail to virtualdomain@mydomain.com and it should map it to mymailbox@gmail.com. But I think postfix is now rejecting everyone except the ones in reject_unauth_destination list? – lohis – 2015-04-19T06:33:53.233

Sorry, the spamming did now start again. – lohis – 2015-04-19T06:39:55.980

The from address in all spams are randomname@mydomain.com, and I don't send any mail from my own domain. So how do I block all other from addresses than localhost? – lohis – 2015-04-19T07:14:03.437

Hmm, have you inspected the messages in the queue to see where they are coming from? Run a command on a message in the queue like postcat -q EDKJGJ443 where the gibberish part is a queue id. – Bolwerk – 2015-04-19T10:53:35.667

Can you also post some log information that results when you attempt to send to your virtual alias? – Bolwerk – 2015-04-19T11:30:55.310

Here's a spam:

    Apr 19 17:11:28 **** postfix/qmgr[16273]: E7B1C93A: from=<annmarie_prince@****.com>, size=839, nrcpt=1 (queue active)
    Apr 19 17:11:28 **** postfix/discard[22745]: E7B1C93A: to=***spamreciever***@gmail.com, relay=none, delay=0.05, delays=0.05/0/0/0, dsn=2.0.0, status=sent (gmail.com)
    Apr 19 17:11:28 **** postfix/qmgr[16273]: E7B1C93A: removed

– lohis – 2015-04-19T14:23:05.410

And here's my own email:

    Apr 19 16:12:46 **** postfix/smtpd[16610]: NOQUEUE: reject: RCPT from mail-qc0-f176.google.com[209.85.216.176]: 554 5.7.1 <mail-qc0-f176.google.com[209.85.216.176]>: Client host rejected: Access denied; from=mygmail@gmail.com to=me@mydomain.com proto=ESMTP helo=<mail-qc0-f176.google.com>

– lohis – 2015-04-19T14:25:09.530

What version of postfix are you using? – Bolwerk – 2015-04-19T14:48:55.560

Is the line virtual_alias_domains configured like so: virtual_alias_domains = mydomain.com? That obfuscation is a bit ambiguous. – Bolwerk – 2015-04-19T15:00:09.147
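As an added example that is not part of the original question or the answer above: a main.cf fragment plus a sender access map that applies the recipient-validation point from the answer and the sender restrictions the question asks for (only the web user may submit locally, only one address in the domain may appear as envelope sender). The domain example.com, the sender me@example.com, the www-data user and the map path are assumptions chosen for illustration.

```conf
# Added example, not from the original post. Assumed values: domain
# example.com, legitimate sender me@example.com, web user www-data,
# maps under /etc/postfix/. Run "postmap /etc/postfix/sender_access"
# after editing the map and "postfix reload" after editing main.cf.

# --- main.cf ---------------------------------------------------------

# Local submission via /usr/sbin/sendmail: only these Unix accounts may
# hand mail to postdrop; any other local user (a compromised account,
# a stray cron job) is refused at submission time. Mail submitted this
# way never passes through smtpd, so smtpd_* restrictions do not see it.
authorized_submit_users = root, www-data

# Envelope-sender policy for SMTP submissions. The access map is
# consulted BEFORE permit_mynetworks, so even a client on 127.0.0.1
# that claims a random-name@example.com sender is rejected.
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/sender_access,
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain

# Recipient validation: example.com is listed in mydestination on this
# host, so unknown recipients in it are governed by local_recipient_maps
# (relay_recipient_maps, as the answer suggests, applies to
# relay_domains). The Debian default below rejects recipients that are
# neither Unix accounts nor aliases at RCPT TO time instead of
# accepting them and bouncing later.
local_recipient_maps = proc:unix:passwd.byname $alias_maps

# The posted "smtpd_client_restrictions = permit_mynetworks, reject"
# refuses every outside client, which produces the "Client host
# rejected: Access denied" line seen for the gmail.com message. Drop
# the trailing reject; reject_unauth_destination in the relay
# restrictions still prevents open relaying.
smtpd_client_restrictions = permit_mynetworks

# --- /etc/postfix/sender_access ---------------------------------------
# check_sender_access looks up the full address first, then the domain:
# the DUNNO line lets the real sender fall through to the remaining
# checks, while the domain line rejects every other @example.com sender.
#
# me@example.com    DUNNO
# example.com       REJECT Sender address not permitted from this domain
```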