On Fri, 21 Oct 2016 22:56:45 +0200 Paul van der Vlis <p...@vandervlis.nl> wrote:
> Hello Angelo and others,
>
> On 21-10-16 at 22:24, Fazzina, Angelo wrote:
> > So what is SASL using in Postfix?
> > Is Postfix calling SASL, which calls PAM, which calls LDAP, to
> > check the Password?
>
> Postfix is calling saslauthd, which calls PAM, which calls unix
> passwords.
>
> > You must follow the trail of how they got the password if you say
> > you changed it and it does not help.
>
> I don't think they have a correct username/password combination,
> because the username is wrong.
>
> Maybe it's possible to log the username/password Postfix gets?
>
> Maybe they are using some kind of trick to let Postfix think the mail
> comes from localhost.
>
> With regards,
> Paul van der Vlis.
>
> > -ALF
> >
> > -Angelo Fazzina
> > Operating Systems Programmer / Analyst
> > University of Connecticut, UITS, SSG-Linux/ M&C
> > 860-486-9075
> >
> > -----Original Message-----
> > From: owner-postfix-us...@postfix.org
> > [mailto:owner-postfix-us...@postfix.org] On Behalf Of Paul van der Vlis
> > Sent: Friday, October 21, 2016 4:16 PM
> > To: postfix-users@postfix.org
> > Subject: Open relay
> >
> > Hello,
> >
> > I have a big problem: someone is using my mailserver for sending
> > spam. I see it in the logs. I can block the IP, but then they use
> > other IPs.
> >
> > As far as I know my server is up-to-date and correctly configured. And
> > when I do some open relay tests, everything is OK. Like these ones:
> > http://www.mailradar.com/openrelay/
> > http://mxtoolbox.com/diagnostic.aspx
> >
> > The name of my mailserver is mail.vandervlis.nl; so far I see the
> > spammers are using port 587. Please feel free to do tests.
> >
> > What I see in the logs and in the headers of the spam is that they
> > are using authentication. But the username is not correct. On my
> > server I use usernames like "john", and this username looks like an
> > e-mail address, so with an "@" in it. The part before the @ is a
> > correct username on my server, but when I change the password it
> > does not help. All spam is recognizable by this authenticated
> > username.
> >
> > In the headers I see this as the first "Received" (I've changed the
> > authenticated sender for privacy):
> > ----
> > Received: from [127.0.0.1] (87-92-55-206.bb.dnainternet.fi
> > [87.92.55.206]) (Authenticated sender: p...@puk.nl)
> > by mail.vandervlis.nl (Postfix) with ESMTPSA id 774B23E0285;
> > Fri, 21 Oct 2016 18:57:14 +0200 (CEST)
> > ----
> > As if my server sent it to my server...
> >
> > Does somebody have a clue here?
> >
> > With regards,
> > Paul van der Vlis.
> >
> >
> > Some settings and logs:
> >
> > smtpd_relay_restrictions =
> >     permit_mynetworks,
> >     permit_sasl_authenticated,
> >     check_sender_access hash:/etc/postfix/whitelist,
> >     reject_invalid_hostname,
> >     reject_non_fqdn_sender,
> >     reject_non_fqdn_recipient,
> >     reject_unknown_sender_domain,
> >     reject_unknown_recipient_domain,
> >     reject_unauth_pipelining,
> >     reject_unauth_destination,
> >     check_policy_service unix:private/shadelist,
> >     reject_rbl_client bl.spamcop.net,
> >     reject_rbl_client zen.spamhaus.org,
> >     reject_rbl_client ix.dnsbl.manitu.net,
> >     permit
> >
> > smtpd_tls_cert_file = /etc/postfix/tls/*.vandervlis.nl.pem
> > smtpd_use_tls = yes
> > smtpd_sasl_auth_enable = yes
> > smtpd_sasl_exceptions_networks = $mynetworks
> > smtpd_tls_loglevel = 1
> > smtpd_tls_auth_only = yes
> > smtpd_sasl_security_options = noanonymous
> > smtpd_sasl_tls_security_options = noanonymous
> > broken_sasl_auth_clients = yes
> > smtpd_sasl_authenticated_header = yes
> >
> > Oct 21 16:54:31 sigmund postfix/smtpd[2158]: D34743E027B:
> > client=unknown[94.26.41.188], sasl_method=PLAIN,
> > sasl_username=p...@puk.nl
> >

Perhaps I'm being a bit anal here, and given my skill level (or lack
thereof) I should stay out of this, but is this actually an open relay
in the strict sense?

Maybe that is a red herring. If they are using 587, that would be the
master.cf file, not main.cf.

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
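One way to pick out the pattern Paul reports from the postfix/smtpd log lines quoted above: successful SASL logins whose sasl_username contains an "@" although local accounts are plain unix names, and one username arriving from many client IPs. This is an added example, not code from the thread or from Postfix; the sample log lines, IPs and usernames are constructed, and the set of local accounts is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in the postfix/smtpd format quoted in the thread;
# client IPs are RFC 5737 documentation addresses and usernames are made up.
SAMPLE_LOG = """\
Oct 21 16:54:31 sigmund postfix/smtpd[2158]: D34743E027B: client=unknown[198.51.100.41], sasl_method=PLAIN, sasl_username=paul@example.invalid
Oct 21 16:55:02 sigmund postfix/smtpd[2160]: 1A2B3C4D5E6F: client=unknown[203.0.113.206], sasl_method=PLAIN, sasl_username=paul@example.invalid
Oct 21 16:58:40 sigmund postfix/smtpd[2163]: 0F1E2D3C4B5A: client=laptop.example.invalid[192.0.2.10], sasl_method=PLAIN, sasl_username=john
Oct 21 17:01:12 sigmund postfix/smtpd[2170]: 99AA88BB77CC: client=unknown[203.0.113.77], sasl_method=LOGIN, sasl_username=paul@example.invalid
Oct 21 17:02:05 sigmund postfix/smtpd[2171]: connect from unknown[203.0.113.77]
"""

# Assumed: the unix accounts that the saslauthd -> PAM -> unix path should accept.
LOCAL_USERS = {"john", "paul"}

SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<queue>\w+): "
    r"client=(?P<host>[^\[]*)\[(?P<ip>[^\]]+)\], "
    r"sasl_method=(?P<method>\w+), sasl_username=(?P<user>\S+)"
)

def parse_sasl_logins(log_text):
    """Return one dict (queue, host, ip, method, user) per SASL-authenticated client line."""
    return [m.groupdict() for m in map(SASL_RE.search, log_text.splitlines()) if m]

def suspicious_logins(log_text, local_users):
    """Flag logins whose sasl_username is not a plain local account name."""
    # A name containing '@' is not a unix account name, so a successful login
    # with one means the credential was checked by some path other than the one expected.
    flagged = []
    for ev in parse_sasl_logins(log_text):
        if "@" in ev["user"]:
            flagged.append({**ev, "reason": "username contains '@'"})
        elif ev["user"] not in local_users:
            flagged.append({**ev, "reason": "not a local account"})
    return flagged

def ips_per_user(log_text):
    """Map each sasl_username to the set of client IPs it authenticated from."""
    seen = defaultdict(set)
    for ev in parse_sasl_logins(log_text):
        seen[ev["user"]].add(ev["ip"])
    return dict(seen)

if __name__ == "__main__":
    for ev in suspicious_logins(SAMPLE_LOG, LOCAL_USERS):
        print(ev["ip"], ev["method"], ev["user"], ev["reason"], sep="  ")
```

On a real host, feed it `grep 'sasl_username=' /var/log/mail.log` instead of SAMPLE_LOG and compare the flagged usernames against the output of `getent passwd`.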