Posted 29th September 2009, 00:23 by Mole (Member, Latvia)

E-mail server receives and sends spam

Hello!
I tried to solve this problem, spending time on Google and other forums, finding information...
I think I did many things... but!

The problem is that my e-mail server sends and receives thousands of spam messages and I'm listed on http://www.mxtoolbox.com/blacklists.aspx in 5-7 lists.

What I have:
OpenSuse10.3
Postfix 2.6.5
Cyrus SASL 2.1.22
Postgrey 1.32
ISPconfig 2.2.33

Here are:
1) /etc/postfix/main.cf:
Code:
####################################################################################
###GENERAL SETTINGS
####################################################################################
mail_owner = postfix
masquerade_exceptions = root
masquerade_classes = envelope_sender, header_sender, header_recipient
myhostname = myhostname.$mydomain
inet_interfaces = all
inet_protocols = all
biff = yes
masquerade_domains = 
#mydestination = $myhostname, localhost.$mydomain
defer_transports = 
mynetworks_style = subnet
disable_dns_lookups = no
relayhost = 
mailbox_command = 
mailbox_transport = 
strict_8bitmime = no
disable_mime_output_conversion = no
mailbox_size_limit = 0
message_size_limit = 10240000
mydomain = ardit.lv
mynetworks = 127.0.0.0/8
delay_warning_time = 1h
message_strip_characters = \0
setgid_group = maildrop

####################################################################################
###MAPS
####################################################################################
canonical_maps = hash:/etc/postfix/canonical
#virtual_alias_maps = hash:/etc/postfix/virtual
virtual_alias_domains = hash:/etc/postfix/virtual
relocated_maps = hash:/etc/postfix/relocated
transport_maps = hash:/etc/postfix/transport
sender_canonical_maps = hash:/etc/postfix/sender_canonical
virtual_maps = hash:/etc/postfix/virtusertable
alias_maps = hash:/etc/aliases
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
body_checks = regexp:/etc/postfix/body_checks

####################################################################################
###DIRECTORIES
####################################################################################
readme_directory = /usr/share/doc/packages/postfix/README_FILES
mail_spool_directory = /var/mail
program_directory = /usr/lib/postfix
mydestination = /etc/postfix/local-host-names
sample_directory = /usr/share/doc/packages/postfix/samples
manpage_directory = /usr/share/man
html_directory = /usr/share/doc/packages/postfix/html

####################################################################################
###PATHS
####################################################################################
sendmail_path = /usr/sbin/sendmail
mailq_path = /usr/bin/mailq
newaliases_path = /usr/bin/newaliases
daemon_directory = /usr/lib/postfix
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
mydestination = /etc/postfix/local-host-names

####################################################################################
###DEBUG
####################################################################################
debug_peer_level = 2
debugger_command =
	 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
	 xxgdb $daemon_directory/$process_name $process_id & sleep 5

####################################################################################
###SASL
####################################################################################
smtp_sasl_auth_enable = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_type = cyrus
#smtpd_sasl_path = private/auth
smtpd_sasl_path = smtpd
smtpd_sasl_mechanism_filter = !gssapi, !external, static:all
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

####################################################################################
###TLS
####################################################################################
smtpd_use_tls = yes
smtp_use_tls = yes
smtpd_tls_auth_only = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

####################################################################################
###RULES AGAINST SPAMS ETC. MALWARES
####################################################################################
smtpd_sender_restrictions = 
	    warn_if_reject,
	    hash:/etc/postfix/access_client,
	    permit_sasl_authenticated,
	    permit_mynetworks,
	    reject_non_fqdn_sender,
	    reject_unknown_sender_domain,
	    reject_rbl_client list.dsbl.org,
	    reject_rbl_client zen.spamhaus.org,
	    permit

smtpd_client_restrictions =
	    permit_sasl_authenticated,
	    check_client_access hash:/etc/postfix/access_client,
	    reject_rbl_client relays.mail-abuse.org,
	    reject_rbl_client relays.ordlb.org,
	    reject_rhsbl_sender dsn.rfc-ignorant.org,
#	    reject_unknown_client,
	    reject_rbl_client list.dsbl.org,
	    reject_rbl_client zen.spamhaus.org,
	    permit_mynetworks,
	    reject_unauth_pipelining,
	    permit 

smtpd_helo_restrictions = 
	    permit_sasl_authenticated,
	    permit_mynetworks, 
	    reject_invalid_hostname, 
	    reject_unknown_hostname,
	    reject_non_fqdn_hostname,
	    reject_rbl_client list.dsbl.org,
	    reject_rbl_client zen.spamhaus.org,
	    regexp:/etc/postfix/helo.regexp, 
	    permit

bounce_size_limit = 1024
smtpd_helo_required = yes
smtpd_delay_reject = yes
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}

access_map_reject_code = 554
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_sender_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554

notify_classes = resource,software

smtpd_recipient_restrictions = 
	    warn_if_reject,
	    permit_sasl_authenticated,
	    permit_mynetworks,
	    check_relay_domains,
	    reject_non_fqdn_sender,
	    reject_non_fqdn_recipient,
	    reject_unknown_sender_domain,
	    reject_unknown_recipient_domain,
	    reject_unauth_destination,
	    reject_unauth_pipelining,
	    check_policy_service inet:127.0.0.1:6000,
	    check_policy_service inet:127.0.0.1:10023,
	    #check_sender_access hash:/etc/postfix/verify_sender_map,
	    reject_rbl_client cbl.abuseat.org,
	    reject_rbl_client sbl-xbl.spamhaus.org,
	    reject_rbl_client bl.spamcop.net, 
	    reject_rbl_client rblmap.tu-berlin.de,
	    reject_rbl_client relays.ordb.org,
	    reject_rbl_client dnsbl.sorbs.org,
	    reject_rbl_client opm.blitzed.org,
	    reject_rbl_client blackholes.easynet.nl,
	    reject_rbl_client ix.dnsbl.manitu.net,
	    reject_rbl_client dsn.rfc-ignorant.org,
	    reject_rbl_client proxies.relays.monkeys.com,
	    reject_rbl_client dul.dnsbl.sorbs.net,
	    reject_rbl_client list.dsbl.org,
	    reject_rbl_client multi.uribl.com,
	    reject_rbl_client zen.spamhaus.org,
	    reject_rbl_client bogusmx.rfc-ignorant.org,
#	    check_client_access hash:/etc/postfix/helo_client_exceptions,
	    check_client_access hash:/etc/postfix/rbl_client_exceptions,
	    permit
2) Body checks are made after this How To: http://www.malware.com.br/postfix.txt

3) /etc/postfix/rbl_client_exceptions contains my clients' domain names:
Code:
.domain.com OK
.........
4) helo.regexp contains:
Code:
/^localhost$/ 550 Don't use my own hostname
/^host\.domain\.com$/ 550 Don't use my own hostname
/^127\.0\.0\.1$/ 550 Don't use my own IP address
/^\[180\.169\.9\.91]$/ 550 Don't use my own IP address
/^\[180\.169\.9\.92]$/ 550 Don't use my own IP address
#/^[0-9.]+$/ 550 Your software is not RFC 2821 compliant
#/^[0-9]+(\.[0-9]+){3}$/ 550 Your software is not RFC 2821 compliant
5) /etc/access_client contains:
Code:
####################################################
###Manually found
####################################################
216.52.192.0/24 REJECT
63.251.178.28 REJECT
158.36.80.149 REJECT
82.128.0.0/24 REJECT
65.55.92.0/24 REJECT
206.46.232.0/24 REJECT
65.55.92.88 REJECT
65.55.37.0/24 REJECT
58.36.80.149 REJECT
116.228.146.94 REJECT
195.248.241.211 REJECT
203.34.37.27 REJECT
210.241.225.190 REJECT
167.206.112.6 REJECT
96.57.243.42 REJECT
207.157.105.74 REJECT
41.222.193.35 REJECT
203.39.191.100 REJECT
216.201.209.161 REJECT
80.232.169.191 REJECT
202.22.159.237 REJECT
84.238.0.4 REJECT

####################################################
###Whitelist
####################################################
.myclient1.com OK
.myclient2.com OK
...........
.myclient3.com OK
.gov OK
.gov.lv OK

#####################################################
### ALL bad IPs from http://www.unixhub.com/block.html ###
#####################################################
After updating these files I run postmap /etc/postfix/appropriate_map_file.

7) /etc/postfix/master.cf:
Code:
#
# Postfix master process configuration file.  For details on the format
# of the file, see the Postfix master(5) manual page.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#submission inet n      -       n       -       -       smtpd
#	-o smtpd_etrn_restrictions=reject
#	-o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps    inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes
#  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
smtps   inet n   -   n   - - smtpd
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_reject_unlisted_sender=yes
      -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
      -o broken_sasl_auth_clients=yes
#submission   inet    n       -       n       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
	-o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
#localhost:10025 inet	n	-	n	-	-	smtpd -o content_filter=
scache	  unix	-	-	n	-	1	scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
cyrus	  unix	-	n	n	-	-	pipe
  user=cyrus argv=/usr/lib/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp	  unix	-	n	n	-	-	pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
procmail  unix  -       n       n       -       -       pipe
  flags=R user=nobody argv=/usr/bin/procmail -t -m /etc/procmailrc ${sender} ${recipient}
retry     unix  -       -       n       -       -       error
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
8) netstat -tap
Code:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 *:imaps                 *:*                     LISTEN      3302/couriertcpd    
tcp        0      0 *:pop3s                 *:*                     LISTEN      3334/couriertcpd    
tcp        0      0 *:mysql                 *:*                     LISTEN      2361/mysqld         
tcp        0      0 *:corba-iiop-ssl        *:*                     LISTEN      5647/rpc.rquotad    
tcp        0      0 *:pop3                  *:*                     LISTEN      3317/couriertcpd    
tcp        0      0 localhost.localdoma:783 *:*                     LISTEN      6329/spamd.pid      
tcp        0      0 *:sunrpc                *:*                     LISTEN      3421/portmap        
tcp        0      0 *:imap                  *:*                     LISTEN      3280/couriertcpd    
tcp        0      0 *:www-http              *:*                     LISTEN      2953/httpd2-prefork 
tcp        0      0 *:smtps                 *:*                     LISTEN      5314/master         
tcp        0      0 *:hosts2-ns             *:*                     LISTEN      2889/ispconfig_http 
tcp        0      0 *:ftp                   *:*                     LISTEN      5756/proftpd: (acce 
tcp        0      0 myhost.mydomain.l:domain *:*                     LISTEN      5621/named          
tcp        0      0 localhost.locald:domain *:*                     LISTEN      5621/named          
tcp        0      0 *:ssh                   *:*                     LISTEN      3234/sshd           
tcp        0      0 localhost.localdoma:953 *:*                     LISTEN      5621/named          
tcp        0      0 *:smtp                  *:*                     LISTEN      5314/master         
tcp        0      0 *:https                 *:*                     LISTEN      2953/httpd2-prefork 
tcp        0      0 localhost.loc:lanserver *:*                     LISTEN      3429/famd           
tcp        0      0 myhost.mydomain.lv:38451 mta-v9.mail.vip.mu:smtp ESTABLISHED 5266/smtp           
tcp        0      0 myhost.mydomain.lv:33570 mfe1.sinos.net:smtp     ESTABLISHED 5332/smtp           
tcp        0      0 myhost.mydomain.lv:57976 server4.camintel.c:smtp ESTABLISHED 3051/smtp           
tcp        0      0 myhost.mydomain.lv:ftp   customer-2:compaq-https ESTABLISHED 5582/proftpd: mole  
tcp        0      0 myhost.mydomain.lv:47469 fr-end-01.ipteleco:smtp ESTABLISHED 5336/smtp           
tcp        0      0 myhost.mydomain.lv:54602 mta-v2.mail.vip.sp:smtp TIME_WAIT   -                   
tcp        0      0 myhost.mydomain.lv:38921 de.mx.aol.com:smtp      TIME_WAIT   -                   
tcp        0      0 myhost.mydomain.lv:37318 mx-ha01.web.de:smtp     TIME_WAIT   -                   
tcp        0      0 myhost.mydomain.lv:41672 mxf2.rambler.ru:smtp    TIME_WAIT   -                   
tcp        0      1 myhost.mydomain.lv:55333 211.76.133.78:smtp      FIN_WAIT1   -                   
tcp        0      0 myhost.mydomain.lv:50394 server-0076f.dnspr:smtp ESTABLISHED 3033/smtp           
tcp        0      1 myhost.mydomain.lv:50499 eowyn.portugalmail:smtp SYN_SENT    5481/smtp
10) I created a post-rule-setup.sh script as described in http://www.howtoforge.com/forums/showthread.php?t=6393 and http://www.howtoforge.com/forums/showthread.php?t=36299, and here is the source.
I inserted almost ALL bad IPs:
Code:
##############################
##############################
##############################
# For AUTH-SMTP###############
##############################
iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --destination-port 465 -j ACCEPT

######################################################
###Blocking incoming for smtp port 25
######################################################
######################################################
# My own blacklist of IPs
######################################################
iptables -A INPUT -p tcp -s 158.26.80.149 --dport 25 -j REJECT
iptables -A INPUT -p tcp -s 63.251.178.28 --dport 25 -j REJECT
iptables -A INPUT -p tcp -s 216.52.192.104 --dport 25 -j REJECT
iptables -A INPUT -p tcp -s 216.52.192.8 --dport 25 -j REJECT
...............
iptables -A OUTPUT -p tcp -s 204.126.12.0/23 --dport 21 -j REJECT
iptables -A OUTPUT -p tcp -s 204.126.140.0/23 --dport 21 -j REJECT

In the process of solving the problem I added almost all INPUT and OUTPUT IP addresses from this black IP list: http://blacklist.linuxadmin.org/

But the problem is that after a system reboot iptables locks and does not start, so I manually have to delete /var/lock/bastille. After that I restart the FW, but all rules are gone...

Everything was installed as described in http://www.howtoforge.com/perfect_server_opensuse10.3... For 1.5 years the mail server lived without big problems, but it all started last week... the deadline was last Thursday ;-(

11) /var/log/messages:
Code:
Sep 28 12:28:28 myhost named[4739]: unexpected RCODE (REFUSED) resolving 'ondasnet.com.br/MX/IN': IP_
Sep 28 12:28:28 myhost named[4739]: unexpected RCODE (SERVFAIL) resolving 'inter.net.co/MX/IN': IP_#53
Sep 28 12:28:29 myhost named[4739]: FORMERR resolving 'hotmail.com.pe/MX/IN': IP_#53
Sep 28 12:28:29 myhost named[4739]: FORMERR resolving 'hotmail.com.pe/MX/IN': IP_#53
Sep 28 12:28:29 myhost named[4739]: unexpected RCODE (SERVFAIL) resolving 'colombianet.net/MX/IN': IP_#53
Sep 28 12:28:29 myhost named[4739]: FORMERR resolving 'hotmail.com.pe/MX/IN': IP_#53
Sep 28 12:28:30 myhost named[4739]: unexpected RCODE (SERVFAIL) resolving 'colombianet.net/MX/IN': IP_#53
Sep 28 12:28:54 myhost named[4739]: lame server resolving 'ahcrucha.hurtad.plaza.cl' (in 'plaza.cl'?): IP_#53
Sep 28 12:28:54 myhost named[4739]: lame server resolving 'ajahuel.paine.plaza.cl' (in 'plaza.cl'?): IP_#53
Sep 28 12:28:54 myhost named[4739]: lame server resolving 'andbello.florid.plaza.cl' (in 'plaza.cl'?): IP_#53
Sep 28 12:28:54 myhost named[4739]: lame server resolving 'anglica.plaza.cl' (in 'plaza.cl'?): IP_#53
12) /var/log/mail.err:
Code:
Sep 28 11:45:19 myhost postfix/bounce[9990]: fatal: lock file defer 42F952F96E8: Resource temporarily unavailable
Sep 28 11:46:05 myhost postfix/bounce[11012]: fatal: lock file defer 41C74EE2F14: Resource temporarily unavailable
Sep 28 11:46:14 myhost postfix/bounce[11003]: fatal: lock file defer E25FD77AA7E: Resource temporarily unavailable
Sep 28 11:46:58 myhost postfix/bounce[9942]: fatal: lock file defer 176FF519632: Resource temporarily unavailable
Sep 28 21:09:21 myhost postfix/master[5313]: fatal: open lock file pid/master.pid: unable to set exclusive lock: Resource temporarily unavailable
13) I have no DNS server on my server; the DNS entries are managed by my data center ISP...

14) I have fail2ban installed and configured, and DenyHosts.

15) The system is also checked using rkhunter-1.3.4 and chkrootkit...

I have approx. 10 clients with approx. 30 e-mail addresses. But my /var/spool/postfix/incoming folder contains >160 000 entries (messages), and the /var/spool/postfix/active folder is at its max size (20 000 entries)...

I can delete all records from these folders, but they are back after a few seconds.
There are messages with "Australian National Lotteries", "Nigeria e-mails", spam mails to a big amount of aol and yahoo users (existing, non-existing) etc...

Today, after some searches on Google, I set up SASL authentication on the SMTP server, so without authorizing and checking the TLS box e-mails cannot be sent! But this also does not solve the problem!

I don't know what else you should know to help me...?

Is there any chance to beat the spammers and get my normal mail server process back?

Last edited by Mole; 29th September 2009 at 03:26.
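One way to find where such a flood is being injected, as an added example that is not part of the original post: a Python script that attributes each queue id in a Postfix mail.log to its entry path (SASL-authenticated SMTP, unauthenticated SMTP client, or local pickup) and sums messages and recipients per source. The log lines, hostnames, IPs and the account name are constructed samples in the standard Postfix syslog format.

```python
"""Triage Postfix mail.log lines for the source of an outbound spam flood.

Added example, not from the original post. Each queue id is attributed to how
it entered Postfix (SASL-authenticated SMTP, unauthenticated SMTP client, or
local pickup, i.e. sendmail(1) run by a script or user) and messages plus
recipients are summed per source. The log lines are constructed samples.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Sep 28 12:00:01 myhost postfix/smtpd[1001]: A1B2C3D4E5: client=unknown[203.0.113.10], sasl_method=LOGIN, sasl_username=office@example.lv
Sep 28 12:00:01 myhost postfix/qmgr[900]: A1B2C3D4E5: from=<office@example.lv>, size=2310, nrcpt=48 (queue active)
Sep 28 12:00:02 myhost postfix/smtpd[1002]: F6E5D4C3B2: client=unknown[203.0.113.10], sasl_method=LOGIN, sasl_username=office@example.lv
Sep 28 12:00:02 myhost postfix/qmgr[900]: F6E5D4C3B2: from=<office@example.lv>, size=2290, nrcpt=50 (queue active)
Sep 28 12:00:03 myhost postfix/pickup[800]: 0A0B0C0D0E: uid=30 from=<wwwrun>
Sep 28 12:00:03 myhost postfix/qmgr[900]: 0A0B0C0D0E: from=<wwwrun@myhost.example.lv>, size=1800, nrcpt=1 (queue active)
Sep 28 12:00:04 myhost postfix/smtpd[1003]: 1122334455: client=mail.partner.example[198.51.100.7]
Sep 28 12:00:04 myhost postfix/qmgr[900]: 1122334455: from=<someone@partner.example>, size=5120, nrcpt=1 (queue active)
"""

# smtpd logs the client and, for authenticated sessions, the sasl_username.
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S+?\[(?P<ip>[^\]]+)\]"
    r"(?:,.*?sasl_username=(?P<user>[^\s,]+))?")
# pickup logs mail injected locally through sendmail(1), with the caller's uid.
PICKUP_RE = re.compile(
    r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<from>[^>]*)>")
# qmgr logs the recipient count when the message enters the active queue.
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<[^>]*>, size=\d+, nrcpt=(?P<nrcpt>\d+)")

def triage(log_text):
    """Return (messages, recipients): Counters keyed by (kind, source)."""
    origin = {}        # queue id -> (kind, source)
    nrcpt = Counter()  # queue id -> recipients handed to the active queue
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            kind, src = ("sasl", m.group("user")) if m.group("user") else ("client", m.group("ip"))
            origin[m.group("qid")] = (kind, src)
            continue
        m = PICKUP_RE.search(line)
        if m:
            origin[m.group("qid")] = ("pickup", "uid=%s from=<%s>" % (m.group("uid"), m.group("from")))
            continue
        m = QMGR_RE.search(line)
        if m:
            nrcpt[m.group("qid")] += int(m.group("nrcpt"))
    messages, recipients = Counter(), Counter()
    for qid, source in origin.items():
        messages[source] += 1
        recipients[source] += nrcpt.get(qid, 0)
    return messages, recipients

def top_sources(log_text, n=5):
    """Sources ordered by recipients addressed, most suspicious first."""
    messages, recipients = triage(log_text)
    return [(src, messages[src], recipients[src])
            for src in sorted(recipients, key=recipients.get, reverse=True)[:n]]

if __name__ == "__main__":
    for (kind, src), msgs, rcpts in top_sources(SAMPLE_LOG):
        print("%-7s %-40s %4d msgs %5d rcpts" % (kind, src, msgs, rcpts))
```

Run it over the real log (for example `triage(open("/var/log/mail").read())`): a single sasl_username or a pickup uid belonging to the web server dominating the recipient count points at a leaked account password or a mail-sending script on the host, which client IP blacklists cannot stop.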