Op 22-10-16 om 18:23 schreef /dev/rob0:
> On Sat, Oct 22, 2016 at 04:15:41PM +0200, Paul van der Vlis wrote:

> The only actual conclusion is that you have failed to put forth the 
> necessary information, as Bill [I think] pointed you to the 
> http://www.postfix.org/DEBUG_README.html#mail link.

The problem is that somebody sent spam through port 587 using a username that
does not exist, and I want to understand how that is possible.

sigmund:/var/log# postconf -Mf
smtp       inet  n       -       -       -       -       smtpd -v
26         inet  n       -       -       -       -       smtpd
465        inet  n       -       -       -       -       smtpd
submission inet  n       -       -       -       -       smtpd
pickup     fifo  n       -       -       60      1       pickup
cleanup    unix  n       -       -       -       0       cleanup
qmgr       fifo  n       -       -       300     1       qmgr
rewrite    unix  -       -       -       -       -       trivial-rewrite
bounce     unix  -       -       -       -       0       bounce
defer      unix  -       -       -       -       0       bounce
trace      unix  -       -       -       -       0       bounce
verify     unix  -       -       -       -       1       verify
flush      unix  n       -       -       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
smtp       unix  -       -       -       -       -       smtp
relay      unix  -       -       -       -       -       smtp
showq      unix  n       -       -       -       -       showq
error      unix  -       -       -       -       -       error
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
maildrop   unix  -       n       n       -       -       pipe flags=DRhu
    user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
uucp       unix  -       n       n       -       -       pipe flags=Fqhu
    user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail     unix  -       n       n       -       -       pipe flags=F
user=ftn
    argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp      unix  -       n       n       -       -       pipe flags=Fq.
    user=bsmtp argv=/usr/lib/bsmtp/bsmtp -d -t$nexthop -f$sender $recipient
scalemail-backend unix - n       n       -       2       pipe flags=R
    user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop}
    ${user} ${extension}
amavis     unix  -       -       n       -       2       smtp
    -o smtp_data_done_timeout=1200
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet n   -       n       -       -       smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
shadelist  unix  -       n       n       -       -       spawn user=nobody
    argv=/usr/bin/perl /usr/local/bin/shadelist.pl -w
nlwhitelist.dnsbl.bit.nl
tlsmgr     unix  -       -       -       1000?   1       tlsmgr
scache     unix  -       -       -       -       1       scache
discard    unix  -       -       -       -       -       discard
retry      unix  -       -       -       -       -       error

-------------------------------------------------------------------------------------

sigmund:/var/log# saslfinger -s
saslfinger - postfix Cyrus sasl configuration zo okt 23 00:09:27 CEST 2016
version: 1.0.4
mode: server-side SMTP AUTH

-- basics --
postconf: warning: /etc/postfix/main.cf: unused parameter:
mailman_destination_recipient_limit=1
postconf: warning: /etc/postfix/main.cf: unused parameter:
tls_daemon_random_source=dev:/dev/urandom
Postfix: 2.11.3
System: Debian GNU/Linux 8 \n \l

-- smtpd is linked to --
postconf: warning: /etc/postfix/main.cf: unused parameter:
mailman_destination_recipient_limit=1
postconf: warning: /etc/postfix/main.cf: unused parameter:
tls_daemon_random_source=dev:/dev/urandom
postconf: warning: /etc/postfix/main.cf: unused parameter:
mailman_destination_recipient_limit=1
postconf: warning: /etc/postfix/main.cf: unused parameter:
tls_daemon_random_source=dev:/dev/urandom
        libsasl2.so.2 => /usr/lib/i386-linux-gnu/libsasl2.so.2 (0xb73d1000)

-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/tls/*.vandervlis.nl.pem
smtpd_tls_loglevel = 1
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_use_tls = yes
postconf: warning: /etc/postfix/main.cf: unused parameter:
mailman_destination_recipient_limit=1
postconf: warning: /etc/postfix/main.cf: unused parameter:
tls_daemon_random_source=dev:/dev/urandom


-- listing of /usr/lib/sasl2 --
totaal 52
drwxr-xr-x  2 root root  4096 okt 20 02:47 .
drwxr-xr-x 88 root root 40960 okt 20 06:40 ..
-rw-r--r--  1 root root     4 okt 20 03:13 berkeley_db.active
-rw-r--r--  1 root root     4 sep 25  2015 berkeley_db.txt

-- listing of /etc/postfix/sasl --
totaal 12
drwxr-xr-x 2 root root 4096 jul 22  2009 .
drwxr-xr-x 4 root root 4096 okt 22 14:49 ..
-rw-r--r-- 1 root root   49 jul 22  2009 smtpd.conf


postconf: warning: /etc/postfix/main.cf: unused parameter:
mailman_destination_recipient_limit=1
postconf: warning: /etc/postfix/main.cf: unused parameter:
tls_daemon_random_source=dev:/dev/urandom


-- content of /etc/postfix/sasl/smtpd.conf --
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

-- content of /etc/postfix/sasl/smtpd.conf --
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN


postconf: warning: /etc/postfix/main.cf: unused parameter:
mailman_destination_recipient_limit=1
postconf: warning: /etc/postfix/main.cf: unused parameter:
tls_daemon_random_source=dev:/dev/urandom
-- active services in /etc/postfix/master.cf --
postconf: warning: /etc/postfix/main.cf: unused parameter:
mailman_destination_recipient_limit=1
postconf: warning: /etc/postfix/main.cf: unused parameter:
tls_daemon_random_source=dev:/dev/urandom
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
postconf: warning: /etc/postfix/main.cf: unused parameter:
mailman_destination_recipient_limit=1
postconf: warning: /etc/postfix/main.cf: unused parameter:
tls_daemon_random_source=dev:/dev/urandom
smtp      inet  n       -       -       -       -       smtpd -v
26        inet  n       -       -       -       -       smtpd
465       inet  n       -       -       -       -       smtpd
submission inet n      -       -       -       -       smtpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       -       300     1       qmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -d -t$nexthop -f$sender
$recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
${nexthop} ${user} ${extension}


amavis unix - - n - 2 smtp
        -o smtp_data_done_timeout=1200
        -o disable_dns_lookups=yes
127.0.0.1:10025 inet n - n - - smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o strict_rfc821_envelopes=yes


shadelist  unix  -       n       n       -       -       spawn
  user=nobody argv=/usr/bin/perl /usr/local/bin/shadelist.pl -w
nlwhitelist.dnsbl.bit.nl

tlsmgr    unix  -       -       -       1000?   1       tlsmgr
scache    unix  -       -       -       -       1       scache
discard   unix  -       -       -       -       -       discard
retry     unix  -       -       -       -       -       error

-- mechanisms on localhost --

-- end of saslfinger output --

-----------------------------------------------------------------------

In the headers I see this as the first "Received:" line (I have changed the
authenticated sender for privacy):
----
Received: from [127.0.0.1] (87-92-55-206.bb.dnainternet.fi [87.92.55.206])
        (Authenticated sender: p...@puk.nl)
        by mail.vandervlis.nl (Postfix) with ESMTPSA id 774B23E0285;
        Fri, 21 Oct 2016 18:57:14 +0200 (CEST)
----

-----------------------------------------------------------------------

One of the spammer IPs in action, as seen in the firewall log:

Oct 21 20:03:37 sigmund kernel: [143870.420796] FW:IN=eth0 OUT=
MAC=52:54:00:0e:95:f1:08:81:f4:8d:d8:89:08:00 SRC=185.81.81.172
DST=91.198.178.50 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=37620 DF PROTO=TCP SPT=44816 DPT=587
WINDOW=5816 RES=0x00 ACK URGP=0

------------------------------------------------------------------------

With regards,
Paul van der Vlis.


-- 
Paul van der Vlis Linux systeembeheer Groningen
https://www.vandervlis.nl/
