0

It seems that our mail server is being used to send spam.

  • The sender of the email is a spoofed real account on our server.
  • There is no email in the sent history for that account.

I would like to know if there is any way to prevent this. Any advice is welcome.

Postfix log:

May  9 22:12:21 mx postfix/submission/smtpd[1885206]: warning: hostname 201-91-101-26.customer.tdatabrasil.net.br does not resolve to address 201.91.101.26: Name or service not known
May  9 22:12:21 mx postfix/submission/smtpd[1885206]: connect from unknown[201.91.101.26]
May  9 22:12:27 mx postfix/submission/smtpd[1885206]: Anonymous TLS connection established from unknown[201.91.101.26]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
May  9 22:12:29 mx postfix/submission/smtpd[1885206]: 984BB13B35D: client=unknown[201.91.101.26], sasl_method=PLAIN, [email protected]
May  9 22:12:31 mx postfix/sender-cleanup/cleanup[1892316]: 984BB13B35D: replace: header MIME-Version: 1.0 from unknown[201.91.101.26]; from=<[email protected]> to=<****@yahoo.com.br> proto=ESMTP helo=<EHZDDZCUEY0FN7B75U0HKZOH1JP2P2UI>: Mime-Version: 1.0
May  9 22:12:32 mx postfix/qmgr[944]: 984BB13B35D: from=<[email protected]>, size=18836, nrcpt=1 (queue active)
May  9 22:12:32 mx postfix/smtp[1892491]: 984BB13B35D: to=<****@yahoo.com.br>, relay=smtp.****.****.com[192.***.***.***]:587, delay=3.9, delays=3.6/0.01/0.13/0.13, dsn=2.0.0, status=sent (250 Ok)
May  9 22:12:32 mx postfix/qmgr[944]: 984BB13B35D: removed
May  9 22:12:35 mx postfix/submission/smtpd[1885206]: E344C13B35D: client=unknown[201.91.101.26], sasl_method=PLAIN, [email protected]
# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_min_user = yes
anvil_rate_time_unit = 60s
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 7200s
compatibility_level = 2
default_process_limit = 5000
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/maps/header_checks.pcre
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 20000000000
maximal_backoff_time = 7200s
maximal_queue_lifetime = 7200s
message_size_limit = 52428800
milter_default_action = accept
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_protocol = 6
minimal_backoff_time = 1600s
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = my-domain.net
myhostname = mx.my-domain.net
mynetworks = 127.0.0.0/8 [::1]/128 [fe80::]/64 192.168.18.0/24 10.102.0.0/16 172.18.0.0/16 10.102.0.0/16
non_smtpd_milters = inet:127.0.0.1:11332
policyd-spf_time_limit = 3600
postscreen_bare_newline_action = enforce
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*3 bl.mailspike.net b.barracudacentral.org*2 bl.spameatingmonkey.net dnsbl.sorbs.net psbl.surriel.com list.dnswl.org=127.0.[0..255].0*-2 list.dnswl.org=127.0.[0..255].1*-3 list.dnswl.org=127.0.[0..255].[2..3]*-4
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = enforce
queue_run_delay = 200s
readme_directory = no
recipient_delimiter = +
relayhost = [smtp.****.****.com]:587
sender_dependent_relayhost_maps = texthash:/etc/postfix/relayhost_map
smtp_destination_concurrency_limit = 10
smtp_discard_ehlo_keywords = size
smtp_header_checks = pcre:/etc/postfix/maps/sender_header_filter.pcre
smtp_initial_destination_concurrency = 2
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = texthash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sender_dependent_authentication = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP
smtpd_client_message_rate_limit = 100
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/etc/postfix/client_access.map, reject_unknown_reverse_client_hostname
smtpd_delay_reject = yes
smtpd_error_sleep_time = 1s
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_helo_restrictions = check_helo_access pcre:/etc/postfix/helo_access.map permit_mynetworks permit_sasl_authenticated reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_milters = inet:127.0.0.1:11332
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, check_policy_service inet:localhost:65265, reject_rbl_client zen.spamhaus.org
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf mysql:/etc/postfix/mysql-virtual-alias-maps.cf mysql:/etc/postfix/mysql-virtual-sender-maps.cf
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch, check_sender_access hash:/etc/postfix/sender_access.map, reject_non_fqdn_sender, reject_sender_login_mismatch
smtpd_soft_error_limit = 10
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_auth_only = yes
smtpd_tls_chain_files = /etc/postfix/ssl/key /etc/postfix/ssl/cert
smtpd_tls_dh1024_param_file = /etc/postfix/dhparams.pem
smtpd_tls_exclude_ciphers = aNULL, SEED, CAMELLIA, RSA+AES
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_security_level = may
smtputf8_enable = no
strict_mailbox_ownership = no
tls_high_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_preempt_cipherlist = yes
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
tls_ssl_options = NO_COMPRESSION, NO_RENEGOTIATION
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_limit = 20000000000
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = lmtp:inet:localhost:24
# postconf -M
smtp       inet  n       -       n       -       1       postscreen
smtpd      pass  -       -       n       -       -       smtpd
tlsproxy   unix  -       -       n       -       0       tlsproxy
dnsblog    unix  -       -       n       -       0       dnsblog
submission inet  n       -       -       -       -       smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth -o smtpd_reject_unlisted_recipient=no -o smtpd_sasl_authenticated_header=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unknown_reverse_client_hostname,reject -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING -o cleanup_service_name=sender-cleanup
smtps      inet  n       -       n       -       -       smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth -o smtpd_reject_unlisted_recipient=no -o smtpd_sasl_authenticated_header=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unknown_reverse_client_hostname,reject -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING -o cleanup_service_name=sender-cleanup
pickup     fifo  n       -       y       60      1       pickup -o content_filter= -o receive_override_options=no_header_body_checks
cleanup    unix  n       -       y       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       y       1000?   1       tlsmgr
rewrite    unix  -       -       y       -       -       trivial-rewrite
bounce     unix  -       -       y       -       0       bounce
defer      unix  -       -       y       -       0       bounce
trace      unix  -       -       y       -       0       bounce
verify     unix  -       -       y       -       1       verify
flush      unix  n       -       y       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       y       -       -       smtp
relay      unix  -       -       y       -       -       smtp
showq      unix  n       -       y       -       -       showq
error      unix  -       -       y       -       -       error
retry      unix  -       -       y       -       -       error
discard    unix  -       -       y       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       y       -       1       anvil
scache     unix  -       -       y       -       1       scache
maildrop   unix  -       n       n       -       -       pipe flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp       unix  -       n       n       -       -       pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail     unix  -       n       n       -       -       pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp      unix  -       n       n       -       -       pipe flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n       n       -       2       pipe flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman    unix  -       n       n       -       -       pipe flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
sender-cleanup unix n    -       -       -       0       cleanup -o syslog_name=postfix/sender-cleanup -o header_checks=pcre:/etc/postfix/maps/sender_header_filter.pcre
policyd-spf unix -       n       n       -       0       spawn user=policyd-spf argv=/usr/bin/policyd-spf
smtp-amavis unix -       -       n       -       2       smtp -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes -o disable_dns_lookups=yes -o max_use=20 -o smtp_tls_security_level=none
127.0.0.1:10025 inet n   -       n       -       -       smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_delay_reject=no -o smtpd_client_restrictions=permit_mynetworks,reject -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o smtpd_data_restrictions=reject_unauth_pipelining -o smtpd_end_of_data_restrictions= -o mynetworks=127.0.0.0/8 -o smtpd_error_sleep_time=0 -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000 -o smtpd_client_connection_count_limit=0 -o smtpd_client_connection_rate_limit=0 -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters -o smtp_tls_security_level=none
slowrelay  unix  -       -       n       -       2       smtp -o smtp_mx_session_limit=5
gmail-smtp unix  -       -       n       -       1       smtp -o syslog_name=postfix/gmail -o smtp_destination_concurrency_limit=1 -o smtp_destination_recipient_limit=1 -o anvil_rate_time_unit=60s -o smtpd_client_message_rate_limit=100
docomo-smtp unix -       -       n       -       1       smtp -o smtp_destination_concurrency_limit=1 -o smtp_destination_recipient_limit=1 -o anvil_rate_time_unit=60s -o smtpd_client_message_rate_limit=100
au-smtp    unix  -       -       n       -       1       smtp -o smtp_destination_concurrency_limit=1 -o smtp_destination_recipient_limit=1 -o anvil_rate_time_unit=60s -o smtpd_client_message_rate_limit=100
softbank-smtp unix -     -       n       -       1       smtp -o smtp_destination_concurrency_limit=1 -o smtp_destination_recipient_limit=1 -o anvil_rate_time_unit=60s -o smtpd_client_message_rate_limit=100
ymobile-smtp unix -      -       n       -       1       smtp -o smtp_destination_concurrency_limit=1 -o smtp_destination_recipient_limit=1 -o anvil_rate_time_unit=60s -o smtpd_client_message_rate_limit=100
icloud-smtp unix -       -       n       -       1       smtp -o smtp_destination_concurrency_limit=1 -o smtp_destination_recipient_limit=1 -o anvil_rate_time_unit=30s -o smtpd_client_message_rate_limit=5
ms-smtp    unix  -       -       n       -       1       smtp -o smtp_destination_concurrency_limit=1 -o smtp_destination_recipient_limit=1 -o anvil_rate_time_unit=30s -o smtpd_client_message_rate_limit=5
1
  • [RESOLVED] Following the advice, I changed the mynetworks setting to 127.0.0.1 only, and the incorrect relay no longer occurs. Prior to this setting, IPTABLES prohibited access from some realms, and as soon as this was relaxed, sporadic unauthorized relays were occurring on multiple accounts. Now, relays no longer occur even when IPTABLES restrictions are removed.
    – adm
    Commented May 26, 2022 at 2:02

2 Answers 2

2

As the other answer already correctly concluded, malicious party obtained the password of some account on your server. Probably, it was too weak. Or user of that account catched the malware who stole saved password from their email client storage.

I strongly suggest you to do the following things to counteract:

  1. Use fail2ban to monitor Postfix logs to stop brute forcers. This way you'll reduce chances to crack even dictionary-like passwords.

  2. Use postfwd2 or any other capable Postfix policy daemon to limit the amount of mail each user can send. E.g. if normally user doesn't send more than 200 mails per day and more than 50 per hour, set this as the limit, and the possibility to abuse your service will be limited. Even if the account is hacked, they won't be able to go past those limits. As a bonus, you'll get notified about problems early, either because user will complain that they suddenly hit the limit or because you'll be able to monitor the log file of the policy daemon.

And the additional suggestion.

mynetworks = 127.0.0.0/8 [::1]/128 [fe80::]/64 192.168.18.0/24 10.102.0.0/16 172.18.0.0/16 10.102.0.0/16

This is bad. Best mynetworks is only localhost, and even that is disputable. Better remove everything, leave only 127.0.0.1 and [::1] and force everybody else to authenticate. This will make things much more controllable.

1
  • I have this mail server running as a director, so I mistakenly thought I needed to put a series of hosts into mynetworks. I followed your advice and put mynetworks on localhost only and it worked fine. Fail2ban was already activated. I will be setting up postfwd2.
    – adm
    Commented May 13, 2022 at 1:34
1

Given the parameters of your smtpd_*_restrictions in your configuration, only mynetworks and sasl_authenticated can send e-mail through your server which is OK.

The sender of the email is a spoofed real account on our server.

According to the log, the user managed to successfully authenticate. This was not a spoofed account.

There is no email in the sent history for that account.

Conclusion: This account has been hacked

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .