Postfix is sending spam

#1  26th December 2009, 23:51
svehex, Junior Member (Join Date: Dec 2009, Posts: 5)

I really need your help. My Postfix server is sending out spam (I know it's real because I received one myself). It seems to have started on December 19, 2009.

I've followed the howtos to set up a secure postfix server, as far as I could without limiting the options beyond my needs.

I'm sure I've got SSL, TLS and no relay running, but it still spews out spam.

I turned it back on for about an hour and got over 1000 lines in my mail.log.

I'm not an expert, so I could really use some help to stop this and secure my mailserver. I have a web shop, so www-data has to be able to send mail.

Please let me know what other info you need. The mail logs can be found here (since they're too large to upload): http://heksebua.com/logs/mail/
#2  27th December 2009, 10:00
Miguel, HowtoForge Supporter (Join Date: Sep 2007, Location: Maasmechelen - Belgium, Posts: 18)

For one,

change the permissions on the files so that I can read them. I can see a listing of your logs, but I get an access denied when I try to read them.

If your server is sending out spam, then you also have to take into account the possibility of being blacklisted when it is reported.

Do this online check to see if there might be an open relay on your server:

http://www.abuse.net/relay.html

Kind regards,

Miguel
#3  27th December 2009, 13:17
svehex, Junior Member (Join Date: Dec 2009, Posts: 5)

The permissions have been changed (664).
I've already run the check. It isn't open for relay (as previously mentioned).
#4  27th December 2009, 13:26
Miguel, HowtoForge Supporter (Join Date: Sep 2007, Location: Maasmechelen - Belgium, Posts: 18)

As far as I can tell from the log files, the mails are being sent by the user www-data, and there are errors that your db is older than the source file.

Send me your main.cf file to miguel.brams'at'wiedewaratje.be to look at.

From what I see, postfix is not the culprit, but a script on your server that is sending out these mails.

Also install and run rkhunter (if you haven't done so) to see if there is some type of rootkit or other that is sending mails.

My best bet for the moment is that your webserver (one of the sites) is sending out the mails.

Kind regards,

Miguel
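Miguel's observation is the one worth following up: Postfix logs every local submission through its pickup daemon together with the uid of the process that ran /usr/sbin/sendmail, so mail.log itself says which system user injected the mail. The script below is an added example for this thread (not code from the original post or from Postfix) that pulls those lines out of a mail.log and shows when and to whom www-data sent. It assumes Debian's www-data is uid 33 (verify with `id www-data`) and Postfix's standard syslog line format; the log lines it runs over are constructed for the example, not svehex's real logs.

```shell
#!/bin/bash
# Triage of a Postfix mail.log for mail injected locally by the web server user.
# Added example for this thread, not from the original post or from Postfix.
# Assumes Debian's www-data is uid 33 (verify with: id www-data) and Postfix's
# standard syslog lines. On a real box: www_data_per_hour /var/log/mail.log

# Constructed sample log (not svehex's real logs): two messages injected by
# uid 33 within a minute, and one by root for contrast.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Dec 19 03:14:22 shop postfix/pickup[2101]: 7F3A1C0F1: uid=33 from=<www-data>
Dec 19 03:14:22 shop postfix/cleanup[2102]: 7F3A1C0F1: message-id=<20091219031422.7F3A1C0F1@shop.example.org>
Dec 19 03:14:22 shop postfix/qmgr[1999]: 7F3A1C0F1: from=<www-data@shop.example.org>, size=812, nrcpt=1 (queue active)
Dec 19 03:14:23 shop postfix/smtp[2110]: 7F3A1C0F1: to=<alice@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.1, status=sent (250 OK)
Dec 19 03:14:25 shop postfix/pickup[2101]: 7F3A1C0F2: uid=33 from=<www-data>
Dec 19 03:14:25 shop postfix/qmgr[1999]: 7F3A1C0F2: from=<www-data@shop.example.org>, size=812, nrcpt=1 (queue active)
Dec 19 03:14:26 shop postfix/smtp[2111]: 7F3A1C0F2: to=<bob@example.com>, relay=mx.example.com[192.0.2.20]:25, delay=1.0, status=sent (250 OK)
Dec 19 09:00:01 shop postfix/pickup[2101]: 7F3A1C0F9: uid=0 from=<root>
Dec 19 09:00:01 shop postfix/qmgr[1999]: 7F3A1C0F9: from=<root@shop.example.org>, size=300, nrcpt=1 (queue active)
Dec 19 09:00:02 shop postfix/smtp[2112]: 7F3A1C0F9: to=<admin@example.org>, relay=mx.example.org[192.0.2.30]:25, delay=0.9, status=sent (250 OK)
EOF

# Queue IDs that Postfix's pickup daemon accepted from uid 33, i.e. anything
# handed to /usr/sbin/sendmail by www-data (PHP's mail() does exactly that).
# Field 6 of a pickup line is the queue ID with a trailing colon.
www_data_queue_ids() {
    grep -E 'postfix/pickup\[[0-9]+\]: [0-9A-Za-z]+: uid=33 ' "$1" \
        | awk '{ sub(/:$/, "", $6); print $6 }'
}

# Injections per hour: a spam run shows up as a burst, a web shop's order
# confirmations as a trickle. Field 3 is the syslog timestamp HH:MM:SS.
www_data_per_hour() {
    grep -E 'postfix/pickup\[[0-9]+\]: [0-9A-Za-z]+: uid=33 ' "$1" \
        | awk '{ split($3, t, ":"); print $1, $2, t[1] ":00" }' \
        | sort | uniq -c
}

# Recipients of those messages, joined to the pickup lines through the queue ID.
www_data_recipients() {
    for qid in $(www_data_queue_ids "$1"); do
        grep -E "postfix/(smtp|lmtp|local)\[[0-9]+\]: $qid: to=<" "$1" \
            | sed -E 's/.*to=<([^>]*)>.*/\1/'
    done
}

echo "www-data submissions per hour:"
www_data_per_hour "$SAMPLE_LOG"
echo "recipients of www-data mail:"
www_data_recipients "$SAMPLE_LOG" | sort | uniq -c | sort -rn
```

Run against the real /var/log/mail.log the hourly count pins down when the run started (the thread says December 19) and the recipient list shows whether the addresses are customers of the shop or harvested strangers, which is the same comparison svehex used to suspect oscommerce.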
#5  27th December 2009, 14:31
svehex, Junior Member (Join Date: Dec 2009, Posts: 5)

My prime suspect is oscommerce, judging by who the mails are sent to. I've sent you the main.cf. The database error is older than the spam.

I've run chkrootkit and rkhunter and nothing was found.
#6  27th December 2009, 14:53
falko, Super Moderator (Join Date: Apr 2005, Location: Lüneburg, Germany, Posts: 41,701)

Are you running the latest version of OSCommerce, or is it an older one?
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
#7  27th December 2009, 14:56
svehex, Junior Member (Join Date: Dec 2009, Posts: 5)

I use v2.2rc2
#8  28th December 2009, 16:15
falko, Super Moderator (Join Date: Apr 2005, Location: Lüneburg, Germany, Posts: 41,701)

I don't know if this helps, but I suggest you update to v2.2rc2a.
#9  28th December 2009, 21:40
svehex, Junior Member (Join Date: Dec 2009, Posts: 5)

I did so yesterday. The only differences are small changes to sessions and compatibility.

Other things that have been done so far:

main.cf:

    smtpd_sasl_local_domain = $mydomain
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    # logs header information
    smtpd_sasl_authenticated_header = yes
    broken_sasl_auth_clients = yes

    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client, reject_unauth_destination

dovecot.conf:

    auth default {
      mechanisms = plain login
      passdb pam {
      }
      userdb passwd {
      }
      socket listen {
        client {
          path = /var/spool/postfix/private/auth
          mode = 0660
          user = postfix
          group = postfix
        }
      }
    }

Configured oscommerce to send e-mails from another address.
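One caveat on the configuration in the post above: smtpd_sasl_* and smtpd_recipient_restrictions govern clients that speak SMTP to Postfix's smtpd. Mail that a PHP script hands to /usr/sbin/sendmail locally enters through pickup and cleanup and never passes those restrictions, so they do not stop www-data from sending, and the script doing it still has to be found. The wrapper below is an added example, not code from the thread, from Postfix or from PHP: installed as PHP's sendmail_path, it records the working directory of each call before handing the message to the real sendmail. Under mod_php and php-cgi, PHP chdir()s into the script's directory before running it and the sendmail child inherits that, so the pwd= field names the directory of the PHP script that called mail(). The wrapper name /usr/local/bin/sendmail-log, the log path and the function names are choices made for this example.

```shell
#!/bin/bash
# sendmail-log: logging wrapper around Postfix's /usr/sbin/sendmail, used to
# find which web script calls PHP's mail(). Added example for this thread,
# not code from the original post, from Postfix or from PHP.
# Assumptions (chosen for this example): the real binary is /usr/sbin/sendmail,
# the log is /var/log/sendmail-wrapper.log and is writable by www-data, and
# php.ini points sendmail_path at this wrapper. Both paths can be overridden
# through the environment, which is also how the wrapper is tested.

SENDMAIL_REAL=${SENDMAIL_REAL:-/usr/sbin/sendmail}
SENDMAIL_LOG=${SENDMAIL_LOG:-/var/log/sendmail-wrapper.log}

# One log record for the current invocation. Under mod_php and php-cgi the
# working directory is the directory of the PHP script that called mail(),
# so pwd= is the field that identifies the script. SCRIPT_FILENAME is only
# present in the environment under CGI/FastCGI, hence the "?" fallback.
sendmail_log_record() {
    printf '%s uid=%s ppid=%s pwd=%s script=%s args=%s\n' \
        "$(date '+%Y-%m-%dT%H:%M:%S')" "$(id -u)" "$PPID" "$PWD" \
        "${SCRIPT_FILENAME:-?}" "$*"
}

# Log, then hand the message (stdin) and all arguments to the real sendmail.
# A logging failure must never stop legitimate shop mail, hence the "|| true".
sendmail_wrapper_run() {
    sendmail_log_record "$@" >>"$SENDMAIL_LOG" 2>/dev/null || true
    exec "$SENDMAIL_REAL" "$@"
}

# Act as the wrapper only when invoked under the installed name, so this file
# can also be run or sourced for testing without touching real mail.
case "$(basename "$0")" in
    sendmail-log) sendmail_wrapper_run "$@" ;;
esac
```

Install it with `install -m 755 sendmail-log /usr/local/bin/sendmail-log`, create the log file owned by www-data and not world-readable (it will contain recipient addresses), set `sendmail_path = /usr/local/bin/sendmail-log -t -i` in php.ini, restart Apache, and grep the log for the pwd= of the next burst; that directory is where the spam script lives. The wrapper itself must not be writable by www-data, or the script you are hunting can edit it. On PHP 5.3 or later the same information is available without a wrapper through the mail.log ini directive, which records the calling script's path and line for every mail() call.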