Thanks for the tips. I can confirm that there were no xforward hosts allowed, but I was getting daemon error emails showing xforward mail conversations, which I couldn't explain. May have hammered at the wrong hole. Either way, the server's toast now. Time for a new server...
On Sun, Jan 10, 2016 at 11:03 PM, wilfried.es...@essignetz.de <wilfried.es...@essignetz.de> wrote:

> Hi,
>
> XFORWARD access is opened by smtpd_authorized_xforward_hosts. The default
> is empty, which means nobody can use XFORWARD. That's since Postfix 2.1.
> (http://www.postfix.org/postconf.5.html#smtpd_authorized_xforward_hosts)
>
> Possibly smtpd_authorized_xclient_hosts could help an attacker to fool you.
>
> If you don't have any smtpd_authorized_xforward_hosts (and maybe
> smtpd_authorized_xclient_hosts), I assume you aren't drilling the right hole.
>
> If the mail comes in from a host you are relaying for, I'd suggest you
> block him in your firewall and get his admin out of his bed.
>
> If the mail comes in from a webmail service you are providing, you
> should get the account(s) that are hacked and disable their login.
>
> Willi
>
> On 11.01.2016 at 04:12, Steven Kiehl wrote:
>
>> Thanks for the tip, Robert. However, I have all that configured currently,
>> plus additional measures.
>>
>> My setup is on Postfix 2.7.0, so I'm wondering if there are some XFORWARD
>> bugs in there. I'm in the process of upgrading that because I don't have
>> too many other options at the moment.
>>
>> If anyone has more advice on disabling XFORWARD support on 2.7.0 or 2.9+,
>> please let me know. I see no point in having it for a basic mail server
>> host setup. As far as I can tell, the moment I start up postfix, junk
>> starts flying in with these XFORWARD commands, and moments later the queue
>> fills up with deferred messages refused from remote hosts.
>>
>> On Sun, Jan 10, 2016 at 8:37 PM, Wolfe, Robert <robert.wo...@robertwolfe.org> wrote:
>>
>>> Ooops. Didn't reply to the list.
>>>
>>> Hope this will help you a bit:
>>>
>>> http://www.linuxquestions.org/questions/linux-security-4/how-to-postfix-disable-relay-forwarding-mail-security-redhat-5-1-a-643331/
>>>
>>> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Steven Kiehl
>>> Sent: Sunday, January 10, 2016 7:21 PM
>>> To: postfix-users@postfix.org
>>> Subject: Problem with XFORWARD relay hack
>>>
>>> Good evening,
>>>
>>> I've had no trouble solving my issues with my postfix/dovecot setup with
>>> manpages and the like before, but this new issue has me subscribing to the
>>> mailing list because this is urgent. I've been the victim of an XFORWARD
>>> relay hack of sorts on my postfix server. I'm not sure how many messages
>>> got through, but they were all sent from a domain that I web service but don't
>>> mail service.
>>>
>>> Essentially, someone found a way to connect to my server, sent an XFORWARD
>>> SOURCE=LOCAL command, and attempted to send thousands of messages via relay
>>> one after another with a reset command after each message was completed, so
>>> they could maintain the connection. My problem is that I don't have any
>>> XFORWARD settings defined in my config and I can't find anything that would
>>> normally authorize or deauthorize these commands.
>>>
>>> I deleted over 47000 messages stuck in queue after I'm pretty sure I've
>>> been blocked by all major mailing services.
>>>
>>> How do I disable XFORWARD in a postfix/dovecot setup?
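Willi's point in the thread, that XFORWARD and XCLIENT access is governed only by smtpd_authorized_xforward_hosts and smtpd_authorized_xclient_hosts, is easy to audit from main.cf. The following is an added example, not code from the thread or from Postfix: it parses a constructed main.cf fragment (the `mynetworks` reference and the addresses in it are assumptions, not the poster's setup), resolves `$name` references the way Postfix does, and reports the effective host lists, where an empty list is the default and means nobody may use the command.

```python
"""Report which hosts a Postfix main.cf lets issue XFORWARD and XCLIENT.
Added example (not from the thread); handles continuation lines and
$name references, which is how these parameters are usually set."""
import re

# Constructed sample main.cf, not the poster's configuration.
SAMPLE_MAIN_CF = """\
mynetworks = 127.0.0.0/8,
    192.0.2.0/24
# the webmail host may pass on the real client address
smtpd_authorized_xclient_hosts = 192.0.2.10
smtpd_authorized_xforward_hosts = $mynetworks
"""

VAR_REF = re.compile(r"\$\{?(\w+)\}?")

def parse_main_cf(text):
    """{parameter: raw value}; a line starting with whitespace continues the previous one."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current:
            params[current] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params

def expand(params, name, depth=0):
    """Resolve nested $other references; an unset parameter expands to empty."""
    if depth > 10:
        raise ValueError("parameter reference loop at " + name)
    return VAR_REF.sub(lambda m: expand(params, m.group(1), depth + 1),
                       params.get(name, ""))

def hosts_for(params, name):
    """Hosts/networks allowed to use the command; [] means nobody (the default)."""
    return [h for h in re.split(r"[,\s]+", expand(params, name)) if h]

def audit(text):
    params = parse_main_cf(text)
    return {p: hosts_for(params, p) for p in
            ("smtpd_authorized_xforward_hosts", "smtpd_authorized_xclient_hosts")}

if __name__ == "__main__":
    for param, hosts in audit(SAMPLE_MAIN_CF).items():
        print(f"{param}: {', '.join(hosts) or 'nobody (Postfix default)'}")
```

On a live system, feed it the output of `postconf -n` instead of the embedded sample; a non-empty list for either parameter names the hosts whose compromise would let the commands be abused.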