#1
8th May 2009, 06:50
bzzik
Member

Join Date: Aug 2008
Posts: 67
Thanks: 1
Thanked 2 Times in 2 Posts
Is my postfix hacked?

Hi guys! I really need help in my matter!

Yesterday I analyzed the mail logs and noticed something really strange. I think my postfix is hacked. We do not use our mail server too much, but the maillog is full of unrecognized records. Here is part of it:

Quote:
May 8 07:32:55 s2 postfix/qmgr[10256]: 7FDF11049C6: to=<hemingway@ctv.es>, relay=none, delay=75981, delays=75981/0/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host inw.wanadoo.es[62.36.20.20] refused to talk to me: 550 Reverse DNS lookup failed for host 87.226.13.245.)
May 8 07:32:55 s2 postfix/qmgr[10256]: 71C79104A43: from=<info@banesnet.es>, size=2453, nrcpt=50 (queue active)
May 8 07:32:55 s2 postfix/qmgr[10256]: 71C79104A43: to=<davidmorg@mixmail.com>, relay=none, delay=73514, delays=73514/0/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host ing.wanadoo.es[62.36.20.73] refused to talk to me: 550 Reverse DNS lookup failed for host 87.226.13.245.)
May 8 07:32:55 s2 postfix/qmgr[10256]: 71C79104A43: to=<davidsuescunm@wanadoo.es>, relay=none, delay=73514, delays=73514/0/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host inw.wanadoo.es[62.36.20.20] refused to talk to me: 550 Reverse DNS lookup failed for host 87.226.13.245.)
May 8 07:32:55 s2 postfix/qmgr[10256]: 7C1C210479C: from=<info@bancaja.es>, size=2421, nrcpt=50 (queue active)
May 8 07:32:55 s2 postfix/qmgr[10256]: 72A04104B17: from=<>, size=5258, nrcpt=1 (queue active)
May 8 07:32:55 s2 postfix/qmgr[10256]: 980FF10483E: from=<info@bancaja.es>, size=2395, nrcpt=50 (queue active)
May 8 07:32:55 s2 postfix/qmgr[10256]: 93DE41049B6: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 8 07:32:55 s2 postfix/qmgr[10256]: 93DE41049B6: to=<asoto4@bellsouth.net>, relay=none, delay=76076, delays=76076/0/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 550-87.226.13.245 blocked by ldapu=rblmx,dc=att,dc=net 550 Error - Blocked for abuse. See http://att.net/blocks)
May 8 07:32:55 s2 postfix/qmgr[10256]: 9CEC21049E1: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 8 07:32:55 s2 postfix/qmgr[10256]: 9CEC21049E1: to=<reyamartinez@bellsouth.net>, relay=none, delay=75833, delays=75833/0.01/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 550-87.226.13.245 blocked by ldapu=rblmx,dc=att,dc=net 550 Error - Blocked for abuse. See http://att.net/blocks)
May 8 07:32:55 s2 postfix/qmgr[10256]: 9CEC21049E1: to=<reyangel117@comcast.net>, relay=none, delay=75833, delays=75833/0.01/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx1b.comcast.net[76.96.62.116] refused to talk to me: 554 IMTA22.westchester.pa.mail.comcast.net comcast 87.226.13.245 Comcast requires that all mail servers must have a PTR record with a valid Reverse DNS entry. Currently your mail server does not fill that requirement. For more information, refer to: http://help.comcast.net/content/faq/PTR)
May 8 07:32:55 s2 postfix/qmgr[10256]: 9CEC21049E1: to=<reyalice@juno.com>, relay=none, delay=75833, delays=75833/0.02/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.dca.untd.com[64.136.44.37] refused to talk to me: 550 Access denied...4f513585c185a9a9616014d901bdb901804d3d59f 0658d50a9b4f050e990904495cdad1090ad6420e100...)
May 8 07:32:55 s2 postfix/qmgr[10256]: 95BDD1049BC: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 8 07:32:55 s2 postfix/qmgr[10256]: 9750E1047F7: from=<info@bancaja.es>, size=2395, nrcpt=50 (queue active)
May 8 07:32:55 s2 postfix/qmgr[10256]: 6F4F8104704: from=<oficina@banestnet.es>, size=2466, nrcpt=50 (queue active)
May 8 07:32:55 s2 postfix/qmgr[10256]: 6AA8C1047BD: from=<info@bancaja.es>, size=2421, nrcpt=50 (queue active)
May 8 07:32:55 s2 postfix/qmgr[10256]: 6A0111046F2: from=<oficina@banestnet.es>, size=2466, nrcpt=50 (queue active)
May 8 07:32:55 s2 postfix/qmgr[10256]: 6C3D210492F: from=<info@bancaja.es>, size=2395, nrcpt=50 (queue active)
May 8 07:32:55 s2 postfix/qmgr[10256]: 6C3D210492F: to=<jesussv@wanadoo.es>, relay=none, delay=213500, delays=213500/0.01/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host inw.wanadoo.es[62.36.20.20] refused to talk to me: 550 Reverse DNS lookup failed for host 87.226.13.245.)
May 8 07:32:55 s2 postfix/qmgr[10256]: 634571047A1: from=<info@bancaja.es>, size=2421, nrcpt=50 (queue active)
May 8 07:32:55 s2 postfix/qmgr[10256]: 634571047A1: to=<keliichang@comcast.net>, relay=none, delay=327123, delays=327123/0/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx1b.comcast.net[76.96.62.116] refused to talk to me: 554 IMTA22.westchester.pa.mail.comcast.net comcast 87.226.13.245 Comcast requires that all mail servers must have a PTR record with a valid Reverse DNS entry. Currently your mail server does not fill that requirement. For more information, refer to: http://help.comcast.net/content/faq/PTR)
May 8 07:32:55 s2 postfix/qmgr[10256]: 634571047A1: to=<keithevan@cox.net>, relay=none, delay=327123, delays=327123/0/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.west.cox
May 8 07:32:56 s2 postfix/qmgr[10256]: 303C410494A: to=<mha@eresmas.com>, relay=none, delay=213333, delays=213332/0.82/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host ine.wanadoo.es[62.36.20.20] refused to talk to me: 550 Reverse DNS lookup failed for host 87.226.13.245.)
May 8 07:32:56 s2 postfix/qmgr[10256]: E3BD71048A3: to=<harppo_nene@eresmas.com>, relay=none, delay=248015, delays=248014/0.69/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host ine.wanadoo.es[62.36.20.20] refused to talk to me: 550 Reverse DNS lookup failed for host 87.226.13.245.)
May 8 07:32:56 s2 postfix/qmgr[10256]: E1B1310480D: to=<ishtarkmm@eresmas.com>, relay=none, delay=214804, delays=214804/0.67/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host ine.wanadoo.es[62.36.20.20] refused to talk to me: 550 Reverse DNS lookup failed for host 87.226.13.245.)
May 8 07:32:56 s2 postfix/qmgr[10256]: 08B9E10479B: to=<agfg@eresmas.com>, relay=none, delay=326939, delays=326939/0.64/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host ine.wanadoo.es[62.36.20.20] refused to talk to me: 550 Reverse DNS lookup failed for host 87.226.13.245.)
May 8 07:32:56 s2 postfix/qmgr[10256]: 08B9E10479B: to=<agnogales@eresmas.com>, relay=none, delay=326939, delays=326939/0.64/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host ine.wanadoo.es[62.36.20.20] refused to talk to me: 550 Reverse DNS lookup failed for host 87.226.13.245.)
May 8 07:32:56 s2 postfix/smtp[21724]: certificate verification failed for mx.terra.es: num=19:self signed certificate in certificate chain
May 8 07:32:56 s2 postfix/smtp[21724]: certificate verification failed for mx.terra.es: num=24:invalid CA certificate
May 8 07:32:56 s2 postfix/smtp[21724]: certificate verification failed for mx.terra.es: num=26:unsupported certificate purpose
May 8 07:32:56 s2 postfix/smtp[21724]: certificate verification failed for mx.terra.es: num=10:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21724]: certificate verification failed for mx.terra.es:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21724]: certificate verification failed for mx.terra.es:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21724]: certificate verification failed for mx.terra.es: num=10:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21724]: certificate verification failed for mx.terra.es:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21724]: certificate verification failed for mx.terra.es:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21725]: certificate verification failed for mx.terra.es: num=19:self signed certificate in certificate chain
May 8 07:32:56 s2 postfix/smtp[21725]: certificate verification failed for mx.terra.es: num=24:invalid CA certificate
May 8 07:32:56 s2 postfix/smtp[21725]: certificate verification failed for mx.terra.es: num=26:unsupported certificate purpose
May 8 07:32:56 s2 postfix/smtp[21725]: certificate verification failed for mx.terra.es: num=10:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21725]: certificate verification failed for mx.terra.es:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21725]: certificate verification failed for mx.terra.es:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21725]: certificate verification failed for mx.terra.es: num=10:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21725]: certificate verification failed for mx.terra.es:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21725]: certificate verification failed for mx.terra.es:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21709]: certificate verification failed for mail.aselegal.com: num=18:self signed certificate
May 8 07:32:56 s2 postfix/smtp[21659]: 1B3CD1048F0: to=<jrsamada@ramonsamada.es>, relay=none, delay=245073, delays=245072/0.12/1/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=ramonsamada.es type=MX: Host not found, try again)
May 8 07:32:56 s2 postfix/smtp[21740]: certificate verification failed for tnetmx.telefonica.net: num=19:self signed certificate in certificate chain
May 8 07:32:56 s2 postfix/smtp[21740]: certificate verification failed for tnetmx.telefonica.net: num=24:invalid CA certificate
May 8 07:32:56 s2 postfix/smtp[21740]: certificate verification failed for tnetmx.telefonica.net: num=26:unsupported certificate purpose
May 8 07:32:56 s2 postfix/smtp[21740]: certificate verification failed for tnetmx.telefonica.net: num=10:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21740]: certificate verification failed for tnetmx.telefonica.net:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21740]: certificate verification failed for tnetmx.telefonica.net:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21740]: certificate verification failed for tnetmx.telefonica.net: num=10:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21740]: certificate verification failed for tnetmx.telefonica.net:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21740]: certificate verification failed for tnetmx.telefonica.net:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21696]: certificate verification failed for mail.envalladolid.com: num=18:self signed certificate
May 8 07:32:56 s2 postfix/smtp[21696]: certificate verification failed for mail.envalladolid.com: num=10:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21696]: certificate verification failed for mail.envalladolid.com:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21696]: certificate verification failed for mail.envalladolid.com:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21691]: 738FC1049C2: host mailin-02.mx.aol.com[205.188.249.91] said: 421 SERVICE NOT AVAILABLE, TEMPORARY DNS FAILURE (in reply to MAIL FROM command)
May 8 07:32:56 s2 postfix/smtp[21741]: certificate verification failed for mx.terra.es: num=19:self signed certificate in certificate chain
May 8 07:32:56 s2 postfix/smtp[21741]: certificate verification failed for mx.terra.es: num=24:invalid CA certificate
May 8 07:32:56 s2 postfix/smtp[21741]: certificate verification failed for mx.terra.es: num=26:unsupported certificate purpose
May 8 07:32:56 s2 postfix/smtp[21741]: certificate verification failed for mx.terra.es: num=10:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21741]: certificate verification failed for mx.terra.es:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21741]: certificate verification failed for mx.terra.es:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21741]: certificate verification failed for mx.terra.es: num=10:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21741]: certificate verification failed for mx.terra.es:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21741]: certificate verification failed for mx.terra.es:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21747]: 980FF10483E: to=<m.marsan@tiscali.it>, relay=imp-1.mail.tiscali.it[213.205.33.248]:25, delay=214747, delays=214746/0.74/0.42/0, dsn=4.0.0, status=deferred (host imp-1.mail.tiscali.it[213.205.33.248] refused to talk to me: 554 imp-1.mail.tiscali.it ESMTP server not available if you do not have a reverse dns mapping)
May 8 07:32:56 s2 postfix/smtp[21673]: 1FFFF104B60: to=<maite@todoyoga.es>, relay=none, delay=58192, delays=58190/0.24/0.99/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=todoyoga.es type=MX: Host not found, try again)
May 8 07:32:56 s2 postfix/smtp[21731]: connect to mail.q8online.com[195.39.142.2]: Connection refused (port 25)
May 8 07:32:56 s2 postfix/smtp[21731]: 7FDF11049C6: to=<helpdesk@q8online.com>, relay=none, delay=75982, delays=75981/0.68/0.5/0, dsn=4.4.1, status=deferred (connect to mail.q8online.com[195.39.142.2]: Connection refused)
May 8 07:32:56 s2 postfix/smtp[21708]: 754B810452E: to=<pilarm.hoces.sspa@deandalucia.es>, relay=none, delay=246705, delays=246704/0.55/0.65/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=deandalucia.es type=MX: Host not found, try again)
May 8 07:32:56 s2 postfix/smtp[21726]: certificate verification failed for relay.unizar.es: num=19:self signed certificate in certificate chain
May 8 07:32:56 s2 postfix/smtp[21707]: 771BB1047A8: host mailin-02.mx.aol.com[205.188.249.91] said: 421 SERVICE NOT AVAILABLE, TEMPORARY DNS FAILURE (in reply to MAIL FROM command)
Many .es domain names, but our mail server is in the .lv zone! And we do not have so many users to send SO MANY emails!!!

What steps should I take now? Is it a trojan horse on my server or something???

P.S.
I am using CentOS 5.2 (Perfect Server install)

Last edited by bzzik; 8th May 2009 at 12:51.
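The qmgr "from=" lines in the excerpt above only show the envelope sender and the recipient count (nrcpt=50); they do not say how the message got into the queue. For each queue ID, the smtpd "client=" line (or the pickup line for locally submitted mail) is what distinguishes a SASL login with a working password from an unauthenticated relay or a script on the box. The script below is an added example, not code from the thread: it correlates maillog lines by queue ID and reports every message whose sender domain is not one of ours together with its submission path. SAMPLE_LOG is constructed in the shape of the posted lines (the smtpd and pickup lines are invented for illustration), and LOCAL_DOMAINS is an assumed placeholder for the server's own domains.

```python
"""Correlate Postfix maillog lines by queue ID to see who is injecting mail.

Added example for this thread, not code from the original post. The qmgr
"from=" lines bzzik posted only show the envelope sender and recipient count;
the smtpd "client=" line (or the pickup line) for the same queue ID is what
tells you how the message got in. SAMPLE_LOG is constructed in that shape and
LOCAL_DOMAINS is an assumed placeholder for the server's own domains.
"""
import re
from collections import defaultdict

LOCAL_DOMAINS = {"example.lv"}  # assumption: domains this server legitimately sends for

# Constructed sample excerpt: two foreign-sender bulk messages that came in over
# SASL-authenticated SMTP, one local root message via pickup, one deferral line.
SAMPLE_LOG = """\
May  8 07:30:01 s2 postfix/smtpd[21601]: 71C79104A43: client=unknown[203.0.113.77], sasl_method=PLAIN, sasl_username=info@example.lv
May  8 07:30:01 s2 postfix/qmgr[10256]: 71C79104A43: from=<info@banesnet.es>, size=2453, nrcpt=50 (queue active)
May  8 07:30:02 s2 postfix/smtpd[21602]: 7C1C210479C: client=unknown[203.0.113.77], sasl_method=PLAIN, sasl_username=info@example.lv
May  8 07:30:02 s2 postfix/qmgr[10256]: 7C1C210479C: from=<info@bancaja.es>, size=2421, nrcpt=50 (queue active)
May  8 07:31:10 s2 postfix/pickup[10255]: 72A04104B17: uid=0 from=<root>
May  8 07:31:10 s2 postfix/qmgr[10256]: 72A04104B17: from=<root@example.lv>, size=512, nrcpt=1 (queue active)
May  8 07:32:55 s2 postfix/qmgr[10256]: 71C79104A43: to=<davidmorg@mixmail.com>, relay=none, delay=73514, delays=73514/0/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host ing.wanadoo.es[62.36.20.73] refused to talk to me: 550 Reverse DNS lookup failed for host 87.226.13.245.)
"""

QID = r"(?P<qid>[0-9A-F]+)"
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: " + QID + r": from=<(?P<sender>[^>]*)>, size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)")
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: " + QID + r": client=(?P<client>\S+?)(?:, sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+))?$")
PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: " + QID + r": uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
TO_RE = re.compile(r"\]: " + QID + r": to=<(?P<rcpt>[^>]*)>.*?status=(?P<status>\w+) \((?P<reason>.*)\)$")


def analyse(log_text):
    """Group log lines by queue ID into dicts of what is known about each message."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        if (m := FROM_RE.search(line)):
            msgs[m["qid"]].update(sender=m["sender"], size=int(m["size"]), nrcpt=int(m["nrcpt"]))
        elif (m := CLIENT_RE.search(line)):
            # sasl_user stays None when the client did not authenticate
            msgs[m["qid"]].update(entry="smtpd", client=m["client"], sasl_user=m["user"])
        elif (m := PICKUP_RE.search(line)):
            msgs[m["qid"]].update(entry="pickup", uid=int(m["uid"]))
        elif (m := TO_RE.search(line)):
            msgs[m["qid"]].setdefault("deliveries", []).append((m["rcpt"], m["status"], m["reason"]))
    return msgs


def submission_path(rec):
    """Explain how a message entered the queue; this is the hacked-or-not question."""
    if rec.get("entry") == "pickup":
        return f"local submission by uid {rec['uid']} (a script, cron job or web app on this host)"
    if rec.get("sasl_user"):
        return f"SASL login as {rec['sasl_user']} from {rec['client']} (a password is in use; check that account)"
    if rec.get("entry") == "smtpd":
        return f"unauthenticated SMTP from {rec['client']} (check mynetworks and recipient restrictions)"
    return "unknown: no smtpd/pickup line for this queue ID in the excerpt"


def foreign_senders(msgs, local_domains=LOCAL_DOMAINS):
    """Per non-local envelope-sender domain: [message count, total recipients]."""
    totals = defaultdict(lambda: [0, 0])
    for rec in msgs.values():
        domain = rec.get("sender", "").rpartition("@")[2]
        if domain and domain not in local_domains:
            totals[domain][0] += 1
            totals[domain][1] += rec.get("nrcpt", 0)
    return dict(totals)


def report(log_text, local_domains=LOCAL_DOMAINS):
    """One line per message whose sender domain is not ours, with its submission path."""
    msgs = analyse(log_text)
    lines = []
    for qid, rec in sorted(msgs.items()):
        domain = rec.get("sender", "").rpartition("@")[2]
        if domain and domain not in local_domains:
            lines.append(f"{qid}: from=<{rec['sender']}> nrcpt={rec.get('nrcpt')} via {submission_path(rec)}")
    return lines


if __name__ == "__main__":
    for domain, (n, rcpts) in foreign_senders(analyse(SAMPLE_LOG)).items():
        print(f"{domain}: {n} message(s), {rcpts} recipients")
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against the real maillog (for example `python3 relaycheck.py < /var/log/maillog` after swapping SAMPLE_LOG for stdin) and the "via ..." column answers the question in the post: messages arriving as "SASL login as <user>" point at a password that is being used by someone else, "unauthenticated SMTP" points at the relay rules, and "local submission" points at a process on the host itself.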
#2
8th May 2009, 10:36
maikcat
Junior Member

Join Date: May 2009
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts

have you checked that your relay is not open?

please post main.cf so that we can help you.


cheers,

maik
#3
8th May 2009, 10:59
bzzik
Member

Join Date: Aug 2008
Posts: 67
Thanks: 1
Thanked 2 Times in 2 Posts

Thanks for your answer!

Sorry, I am new to mail servers. How do I check this?

P.S.
I can post configs only in the evening - I am at work now.
#4
8th May 2009, 11:26
maikcat
Junior Member

Join Date: May 2009
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts

you must have something inside main.cf like this:

mynetworks = 192.168.1.0/24 <-- your local net
fallback_relay =
mydestination = test.gr
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination

the above are for authenticating users to enable them to relay mail through
your server.

try this to check your mail server
telnet ip 25

you will get smtp banner like

220 Esmtp service

then type

ehlo localhost.localdomain

you should get something like

250-PIPELINING
250-SIZE 15000000
250-ETRN
250-AUTH PLAIN LOGIN <-- this means that your server can authenticate clients to allow them to relay
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

if there is not the above line, it means that your server allows relay based
on IP address origin only.
check main.cf... (mynetworks setting..)

have a nice day

michael

ps: if you want to enable auth to work you MUST start saslauthd service as well..
#5
8th May 2009, 12:48
bzzik
Member

Join Date: Aug 2008
Posts: 67
Thanks: 1
Thanked 2 Times in 2 Posts

maikcat I really appreciate your help.

I will look in the evening and will post what I find there. I did not even think that something like this is possible (a real newbie I am in mail servers)...

P.S.
Btw, when I was analyzing the logs, I noticed that this started on April 25th. Until that time, everything was fine.
#6
8th May 2009, 21:52
bzzik
Member

Join Date: Aug 2008
Posts: 67
Thanks: 1
Thanked 2 Times in 2 Posts

Here are the main.cf options:

Quote:
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
mynetworks = 127.0.0.0/8
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
And more from telnet:

Quote:
250-PIPELINING
250-SIZE 40960000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
So as I understand, I have the relay opened. Should I simply change smtpd_sasl_auth_enable = yes to NO? And what will I lose after that? I am not so good in all this... I hope you will help me to understand.

Thank you!

P.S.
I made all the postfix settings using this article:
http://www.howtoforge.com/perfect-server-centos-5.2-p5

P.P.S.
I have tested my server for OPEN Relay here http://www.myiptest.com/staticpages/...pen-relay-test and got the answer:
>Unable to relay: Invalid response code received from server
> This server is NOT Open Relay

Last edited by bzzik; 8th May 2009 at 23:07.
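The restriction list posted above (permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination with mynetworks = 127.0.0.0/8) is not an open relay, which agrees with the external test result quoted in the post: an anonymous client from outside 127.0.0.0/8 that asks for a foreign recipient hits reject_unauth_destination. What the configuration does allow is relaying for anyone who can log in, and with smtpd_tls_auth_only = no the AUTH PLAIN/LOGIN exchange is offered before STARTTLS. The checker below is an added example, not code from the thread or from Postfix itself: it parses a main.cf fragment and an EHLO reply and reports the relay-relevant findings in that order. MAIN_CF and EHLO are constructed from the posted settings and banner; the severities and wording are a reviewer's reading, not Postfix output.

```python
"""Review the relay-related part of a Postfix main.cf together with the EHLO reply.

Added example for this thread; not code from the original posts or from Postfix.
MAIN_CF and EHLO are constructed from the settings and banner bzzik posted; the
findings encode a reviewer's reading of those settings and are assumptions,
not Postfix's own validation.
"""
import re

# Constructed from the posted main.cf (only the relay-relevant keys).
MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
mynetworks = 127.0.0.0/8
smtpd_tls_auth_only = no
smtpd_use_tls = yes
"""

# Constructed from the posted EHLO response.
EHLO = """\
250-PIPELINING
250-SIZE 40960000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

UNAUTH_REJECT = ("reject_unauth_destination", "defer_unauth_destination")


def parse_main_cf(text):
    """'key = value' lines; lines starting with whitespace continue the previous value."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last is not None:
            params[last] += " " + line.strip()
            continue
        key, _, value = line.partition("=")
        last = key.strip()
        params[last] = value.strip()
    return params


def parse_ehlo(text):
    """Capability keywords from 250 lines ('AUTH=PLAIN LOGIN' counts as AUTH)."""
    caps = set()
    for line in text.splitlines():
        m = re.match(r"250[- ](\S+)", line)
        if m:
            caps.add(m.group(1).split("=")[0])
    return caps


def restriction_list(params, key="smtpd_recipient_restrictions"):
    """Split a comma/whitespace separated Postfix restriction list."""
    return [r for r in re.split(r"[,\s]+", params.get(key, "")) if r]


def review_relay(params, caps):
    """Return (severity, finding) pairs describing relay exposure."""
    findings = []
    rules = restriction_list(params)
    # Postfix walks the list in order and the first restriction that returns
    # PERMIT or REJECT decides, so what precedes reject_unauth_destination matters.
    stop = [i for i, r in enumerate(rules) if r in UNAUTH_REJECT]
    if not stop:
        findings.append(("HIGH", "no reject_unauth_destination in smtpd_recipient_restrictions: open relay"))
    else:
        extra = sorted({r for r in rules[:stop[0]] if r.startswith("permit")}
                       - {"permit_sasl_authenticated", "permit_mynetworks"})
        if extra:
            findings.append(("HIGH", f"{extra} permit relaying before reject_unauth_destination"))
        else:
            findings.append(("INFO", "relay only for mynetworks clients and SASL-authenticated users: not an open relay"))
    for net in params.get("mynetworks", "").replace(",", " ").split():
        if net.endswith("/0"):
            findings.append(("HIGH", f"mynetworks contains {net}: every client counts as local"))
    if params.get("smtpd_sasl_auth_enable", "no") == "yes":
        if "AUTH" not in caps:
            findings.append(("INFO", "SASL enabled but AUTH not advertised: is saslauthd running?"))
        elif params.get("smtpd_tls_auth_only", "no") != "yes":
            findings.append(("MEDIUM", "AUTH offered before STARTTLS (smtpd_tls_auth_only = no): "
                                       "a password sent in clear or guessed relays mail via permit_sasl_authenticated"))
    if "VRFY" in caps:
        findings.append(("LOW", "VRFY enabled; disable_vrfy_command = yes stops address probing"))
    return findings


if __name__ == "__main__":
    for sev, text in review_relay(parse_main_cf(MAIN_CF), parse_ehlo(EHLO)):
        print(f"[{sev}] {text}")
```

On the posted configuration the checker yields no HIGH finding; the MEDIUM one is the point worth acting on, since setting smtpd_sasl_auth_enable = no would also remove legitimate authenticated relaying for users outside mynetworks, whereas smtpd_tls_auth_only = yes keeps AUTH but only after STARTTLS. Either way, the smtpd client= lines for the queue IDs in the log are what show whether the bulk mail came in through a SASL login.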