Hi,

XFORWARD access is opened by smtpd_authorized_xforward_hosts. The default is empty, which means nobody can use XFORWARD. That's been the case since Postfix 2.1. (http://www.postfix.org/postconf.5.html#smtpd_authorized_xforward_hosts)

Possibly smtpd_authorized_xclient_hosts could help an attacker to fool you.

If you don't have any smtpd_authorized_xforward_hosts (and maybe smtpd_authorized_xclient_hosts), I assume you aren't drilling the right hole.

If the mail comes in from a host you are relaying for, I'd suggest blocking him in your firewall and getting his admin out of his bed.

If the mail comes in from a webmail service you are providing, you should get the account(s) that are hacked and disable their login.

Willi

On 11.01.2016 at 04:12, Steven Kiehl wrote:
> Thanks for the tip, Robert. However, I have all that configured currently,
> plus additional measures.
> My setup is on Postfix 2.7.0, so I'm wondering if there are some XFORWARD
> bugs in there. I'm in the process of upgrading that because I don't have
> too many other options at the moment.
>
> If anyone has more advice on disabling XFORWARD support on 2.7.0 or 2.9+,
> please let me know. I see no point in having it for a basic mail server
> host setup. As far as I can tell, the moment I start up postfix, junk
> starts flying in with these XFORWARD commands, and moments later the queue
> fills up with deferred messages refused from remote hosts.
>
>
> On Sun, Jan 10, 2016 at 8:37 PM, Wolfe, Robert <robert.wo...@robertwolfe.org> wrote:
>
>> Ooops. Didn't reply to the list.
>>
>> Hope this will help you a bit:
>>
>> http://www.linuxquestions.org/questions/linux-security-4/how-to-postfix-disable-relay-forwarding-mail-security-redhat-5-1-a-643331/
>>
>> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Steven Kiehl
>> Sent: Sunday, January 10, 2016 7:21 PM
>> To: postfix-users@postfix.org
>> Subject: Problem with XFORWARD relay hack
>>
>> Good evening,
>>
>> I've had no trouble solving my issues with my postfix/dovecot setup with
>> manpages and the like before, but this new issue has me subscribing to the
>> mailing list because this is urgent. I've been the victim of an XFORWARD
>> relay hack of sorts on my postfix server. I'm not sure how many messages
>> got through, but they all sent from a domain that I web service but don't
>> mail service.
>>
>> Essentially, someone found a way to connect to my server, sent an XFORWARD
>> SOURCE=LOCAL command, and attempted to send thousands of messages via relay
>> one after another with a reset command after each message was completed, so
>> they could maintain the connection. My problem is that I don't have any
>> XFORWARD settings defined in my config and I can't find anything that would
>> normally authorize or deauthorize these commands.
>>
>> I deleted over 47000 messages stuck in queue after I'm pretty sure I've
>> been blocked by all major mailing services.
>>
>> How do I disable XFORWARD in a postfix/dovecot setup?
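As an added example (not part of the thread, and not Postfix's own tooling), the following POSIX shell script audits a main.cf for the two parameters Willi names, smtpd_authorized_xforward_hosts and smtpd_authorized_xclient_hosts. It reads a constructed sample main.cf embedded in the script (an assumption, not anyone's real configuration) and reports each parameter as either empty (the Postfix default, so no client may issue XFORWARD or XCLIENT) or listing hosts that deserve review, since those hosts may override the client identity Postfix records and checks. On a live server the same check is simply `postconf smtpd_authorized_xforward_hosts smtpd_authorized_xclient_hosts`; the script is useful when you only have a copy of the file.

```shell
#!/bin/sh
# Added example: audit a Postfix main.cf for the XFORWARD/XCLIENT host lists.
# An empty value is the Postfix default and means no client may use the
# command; any non-empty value is worth reviewing.

# Constructed sample main.cf (assumption: not a real server's config).
SAMPLE_CF=$(mktemp)
cat > "$SAMPLE_CF" <<'EOF'
# main.cf excerpt (constructed for this example)
myhostname = mail.example.com
smtpd_authorized_xclient_hosts = 127.0.0.1, 192.0.2.10
smtpd_authorized_xforward_hosts =
EOF

# Print the value of a parameter from main.cf ("" if unset or empty).
# Postfix uses the last definition if a parameter appears more than once,
# so the awk script keeps overwriting val and prints it at the end.
cf_value() {
    # $1 = path to main.cf, $2 = parameter name
    awk -v key="$2" '
        $0 ~ "^[ \t]*" key "[ \t]*=" {
            sub("^[ \t]*" key "[ \t]*=[ \t]*", "")
            val = $0
        }
        END { print val }
    ' "$1"
}

# Succeed (exit 0) when the parameter is empty or unset, fail when it lists hosts.
is_empty() {
    [ -z "$(cf_value "$1" "$2")" ]
}

# Report both parameters; return 1 if either one authorizes any host.
audit_cf() {
    rc=0
    for p in smtpd_authorized_xforward_hosts smtpd_authorized_xclient_hosts; do
        v=$(cf_value "$1" "$p")
        if [ -z "$v" ]; then
            echo "$p: empty (default: no client may use it)"
        else
            echo "$p: $v  <- review: these hosts may override client identity"
            rc=1
        fi
    done
    return $rc
}

audit_cf "$SAMPLE_CF" || echo "audit: at least one parameter is non-empty"
rm -f "$SAMPLE_CF"
```

With the sample file the script flags smtpd_authorized_xclient_hosts and reports smtpd_authorized_xforward_hosts as empty, which matches the point made in the reply: an empty list is the default, so if both lists are empty the XFORWARD commands seen in the logs are not being honoured by that setting and the cause lies elsewhere (a relaying host or a compromised account).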