I am running a Postfix mailserver on Ubuntu 19.10 and have mynetworks set to localhost so any attempts to relay email are blocked - i.e.:

telnet emailserver.com 25
helo testing.com
mail from:<test@testing.com>
rcpt to:<someone@gmail.com>
554 5.7.1 <someone@gmail.com>: Relay access denied

However, the email server has just been added to a blacklist, and looking through the mail log around that time I see lines like this:

postfix/qmgr[1887]: 9B5D41BAA34: from=<yuze88@21cn.com>, size=2536, nrcpt=20 (queue active)
postfix/smtp[6764]: 53FA21B94EE: to=<original@fortunecook.de>, relay=mx00.kundenserver.de[212.227.15.41]:25, delay=41155, delays=41154/0.96/0.1/0, dsn=4.0.0, status=deferred (host mx00.kundenserver.de[212.227.15.41] refused to talk to me: 554-kundenserver.de (mxeue011) Nemesis ESMTP Service not available 554-No SMTP service 554-Bad DNS PTR resource record. 554
postfix/error[6700]: 9B5D41BAA34: to=<jorg.stuttgart@web.de>, relay=none, delay=30007, delays=30007/0.02/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx-ha02.web.de[212.227.17.8] refused to talk to me: 554-web.de (mxweb113) Nemesis ESMTP Service not available 554-No SMTP service 554-Bad DNS PTR resource record. 554

The from addresses are all different and are not users that exist on the server, so I can't work out what could be wrong. The mail log has been filling up with messages like the ones above since 10:29 on the 23rd December and looks normal prior to this.

So it would appear my server is sending spam, but according to the tests I have done relaying is denied, and as the from email doesn't match any user I don't know whose login may have been compromised, if this is the issue.

Here are the relevant sections from my configuration:

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

# Restrictions
smtpd_helo_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_unlisted_recipient,
        reject_unauth_destination
smtpd_sender_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain
smtpd_relay_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        defer_unauth_destination

mydestination = localhost

Looking at the mail log some more, it looks like the emails may be getting relayed through my server:

Dec 23 10:56:06 rwshosting1810 postfix/qmgr[1887]: E99061B9FB8: from=<yuze88@21cn.com>, size=1911, nrcpt=20 (queue active)
Dec 23 10:56:07 rwshosting1810 postfix/qmgr[1887]: BDF221B9FC3: from=<yuze88@21cn.com>, size=2754, nrcpt=20 (queue active)
Dec 23 10:56:07 rwshosting1810 amavis[14683]: (14683-12) Passed CLEAN {RelayedInbound}, [188.162.43.235]:38411 [188.162.43.235] <yuze88@21cn.com> -> <eleichtfuss@freenet.de>,<singlemail1@freenet.de>,<chris.seil@gmx.at>,<simon-aufischer@gmx.at>,<drwaltersiefert@gmx.de>,<m.mahamied@gmx.de>,<macpaper66@gmx.de>,<peter.gidai@gmx.de>,<rene-herpich@gmx.de>,<w.herauf@gmx.de>,<zarkaban@gmx.de>,<reinhardt-kunze@kabelbw.de>,<siegfried.osterkorn@tele2.at>,<uranas@uranas.de>,<klaus.renner@volksstimme.de>,<andreas.br@web.de>,<capdesign@web.de>,<cyberjoerg@web.de>,<markus.84034@web.de>,<wi_felix@web.de>, Queue-ID: E99061B9FB8, Message-ID: <2df69ac9c2e93c30172294c733f5dfd3f6af2385@21cn.com>, mail_id: LkGzeR7_Yuv4, Hits: 1.885, size: 1911, queued_as: BDF221B9FC3, 1112 ms
Dec 23 10:57:40 rwshosting1810 postfix/smtp[12908]: C1F771B9FC6: to=<yuze88@21cn.com>, relay=mta.21cn.com[183.61.185.83]:25, delay=1.8, delays=0.01/0.01/1.6/0.22, dsn=5.0.0, status=bounced (host mta.21cn.com[183.61.185.83] said: 501 Syntax: MAIL FROM: <address> zm-as1 (in reply to MAIL FROM command))

Looking at more of the logs, it would seem that yuze88@21cn.com uses a range of different IP addresses in different subnets. If I then search for the IP address in the logs I see entries like this:

Dec 23 12:52:58 rwshosting1810 postfix/submission/smtpd[16065]: connect from unknown[188.162.199.142]
Dec 23 12:52:58 rwshosting1810 postfix/submission/smtpd[16065]: lost connection after CONNECT from unknown[188.162.199.142]
Dec 23 12:52:58 rwshosting1810 postfix/submission/smtpd[16065]: disconnect from unknown[188.162.199.142] commands=0/0
Dec 23 12:52:59 rwshosting1810 amavis[21295]: (21295-07) Passed CLEAN {RelayedInbound}, [188.162.199.142]:11962 [188.162.199.142] <a1596410@correo.uia.mx> -> <bernd.j.h@arcor.de>,<andre.zeiger@azmedien.ch>,<mandisstyromull@bluewin.ch>,<stojanovic1982@gmx.at>,<hp-erhard@gmx.de>,<konrad.adelhard@gmx.de>,<mark.weinhardt@gmx.de>,<maxi.dwenger@gmx.de>,<white-colly@gmx.de>,<bernardo_1955@hotmail.de>,<boztepe061@hotmail.de>,<cafe-ollo@hotmail.de>,<s.eisenblaetter64@hotmail.de>,<salvatore.manduca@sbsport.ch>,<raoul.biernat@t-online.de>,<baedmaen70@web.de>,<comun@web.de>,<dom58@web.de>,<kallmeyerfrank@web.de>,<keller-volkmarsen@web.de>, Queue-ID: D80F51BA7EC, Message-ID: <ac4c6b1a113aef1c3fc147141fcbf3ffdc2007cc57@correo.uia.mx>, mail_id: w5hrPYA4CZZC, Hits: 5.681, size: 1964, queued_as: 58BA61BA7ED, 1377 ms      
Dec 23 12:53:00 rwshosting1810 postfix/submission/smtpd[14803]: warning: hostname client.yota.ru does not resolve to address 188.162.199.142: Name or service not known

Thanks Robin
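Added example, not code from the question or the answer: a Python script that parses amavis "Passed" lines of the format shown above and flags every message the server accepted from a client outside the question's mynetworks (127.0.0.0/8, ::1) and addressed to a domain outside its mydestination (localhost), which is exactly the relayed mail the log excerpts show. The embedded log lines are constructed from the question's format with placeholder IPs and addresses.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines modelled on the amavis entries in the question
# (recipient lists abbreviated, addresses and IPs replaced by placeholders).
SAMPLE_LOG = """\
Dec 23 10:56:07 mx amavis[14683]: (14683-12) Passed CLEAN {RelayedInbound}, [203.0.113.5]:38411 [203.0.113.5] <yuze88@example.test> -> <a@gmx.de>,<b@web.de>,<c@gmx.at>, Queue-ID: E99061B9FB8, Message-ID: <x@example.test>, mail_id: LkGzeR7_Yuv4, Hits: 1.885, size: 1911, queued_as: BDF221B9FC3, 1112 ms
Dec 23 12:52:59 mx amavis[21295]: (21295-07) Passed CLEAN {RelayedInbound}, [198.51.100.7]:11962 [198.51.100.7] <a1596410@example.org> -> <d@arcor.de>,<e@gmx.de>, Queue-ID: D80F51BA7EC, Message-ID: <y@example.org>, mail_id: w5hrPYA4CZZC, Hits: 5.681, size: 1964, queued_as: 58BA61BA7ED, 1377 ms
Dec 23 13:00:01 mx amavis[21296]: (21296-08) Passed CLEAN {RelayedInbound}, [127.0.0.1]:5555 [127.0.0.1] <robin@example.com> -> <friend@example.net>, Queue-ID: 1111111111, Message-ID: <z@example.com>, mail_id: q1, Hits: 0.100, size: 800, queued_as: 2222222222, 90 ms
Dec 23 13:05:01 mx amavis[21297]: (21297-09) Passed CLEAN {RelayedInbound}, [203.0.113.5]:40000 [203.0.113.5] <other@example.test> -> <postmaster@localhost>,<g@web.de>, Queue-ID: 3333333333, Message-ID: <w@example.test>, mail_id: q2, Hits: 0.500, size: 700, queued_as: 4444444444, 80 ms
"""

# Taken from the question's main.cf: only loopback may relay, only 'localhost' is a local domain.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]
MYDESTINATION = {"localhost"}

AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) Passed \S+ \{\w+\}, \[(?P<ip>[0-9a-fA-F.:]+)\]:\d+ "
    r"\[[0-9a-fA-F.:]+\] <(?P<sender>[^>]*)> -> (?P<rcpts>(?:<[^>]*>,?)+), Queue-ID: (?P<qid>[^,]+),"
)

def is_local_client(ip):
    """True when the connecting IP falls inside mynetworks (it would get permit_mynetworks)."""
    return any(ipaddress.ip_address(ip) in net for net in MYNETWORKS)

def find_relayed(log_text):
    """Messages from a client outside mynetworks with a recipient domain outside mydestination."""
    hits = []
    for line in log_text.splitlines():
        m = AMAVIS_RE.search(line)
        if not m:
            continue
        rcpts = re.findall(r"<([^>]*)>", m["rcpts"])
        external = [r for r in rcpts if r.rsplit("@", 1)[-1].lower() not in MYDESTINATION]
        if external and not is_local_client(m["ip"]):
            hits.append({"qid": m["qid"], "ip": m["ip"], "sender": m["sender"], "ext": len(external)})
    return hits

def summarise_by_client(hits):
    """Per source IP: (relayed messages, external recipients), to see which clients abuse the host."""
    totals = defaultdict(lambda: [0, 0])
    for h in hits:
        totals[h["ip"]][0] += 1
        totals[h["ip"]][1] += h["ext"]
    return {ip: (n, r) for ip, (n, r) in totals.items()}

if __name__ == "__main__":
    for ip, (n, r) in summarise_by_client(find_relayed(SAMPLE_LOG)).items():
        print(f"{ip}: {n} relayed message(s), {r} external recipient(s)")
```

Run it against /var/log/mail.log instead of SAMPLE_LOG to get the list of outside client IPs the server relayed for; the message from 127.0.0.1 and the recipient at localhost are correctly left out.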

  • [Edit] your question to include your configuration. Especially mynetworks, smtpd_recipient_restrictions and smtpd_relay_restrictions are of interest. – vidarlo Dec 26 '19 at 13:18
  • Thanks @vidarlo, I should have thought of this. I have edited my question to add these lines. – Robin Wilson Dec 26 '19 at 15:01
  • What appears in mail.log? Is it possible that the user is in fact authenticated? Try to track the session of the message with grep "yuze88@21cn.com" /var/mail.log, which should give you the IP. Then grep "ip address here" /var/mail.log. Update your question with the new information :) Additionally, the mydestination directive is also worth checking. – vidarlo Dec 26 '19 at 15:24
  • Thank you @vidarlo, I have amended my question with the details you mentioned. Looking at the log I'm not entirely sure what is going on. – Robin Wilson Jan 02 '20 at 19:59
  • The server is now blacklisted on Sender Score Reputation Network, Spamhaus ZEN, TRUNCATE and UCEPROTECTL1, so it is definitely spamming even though according to the hardening guide I believe I am following everything. Any ideas would be greatly appreciated. – Robin Wilson Feb 06 '20 at 00:33
  • Ok, I think I have fixed it now. I had to add some additional configuration values. I had authentication required on the incoming server (SMTPD) but not on the outgoing server (SMTP), so sending an email with telnet failed but the outgoing server wasn't sufficiently locked down. These were the settings I added: smtp_sasl_auth_enable = yes, smtp_sasl_security_options = noanonymous, smtp_sasl_password_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf. I think this has hopefully done the trick. – Robin Wilson Feb 06 '20 at 01:04

1 Answer

I have had the same output. Although I use SASL with saslauthd -a shadow, my host was used as a spam relay. I noticed that the realm of SASL did not comply with my real realm; that's because I had used a different hostname for my server before I took it into production. After syncing the SASL realm with the real hostname of the server, the authorization is working now.