amavis and DDOS attacks

Discussion in 'ISPConfig 3 Priority Support' started by misterm, Nov 29, 2014.

Thread Status:
Not open for further replies.
  1. misterm

    misterm Member

    Hello everyone
    Knowing that it's the weekend, I'll paused issue.
    My problem is linked to Amavis
    Can it prohibit the localhost IP from sending messages?
    Are you can configure or justify that only the server IP and not the local IP?
    For this reason my server and DDOS attacked through amavis to send for registered users.
    Thank you for your help
    Important to me

  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Amavis is running on port, this port can't be reached from outside, so it can't be attacked with a DoS attack from an external server. If you would bind amavis to the server IP instead of localhost, then everyone would be able to use amavisd to send emails through your server and to attack amavisd.
  3. misterm

    misterm Member

    Till, explain your message to me better, because you again say something that is not true

  4. till

    till Super Moderator Staff Member ISPConfig Developer

    If it's not true what I say, then you know it better and there is no further explanation required ;)
  5. misterm

    misterm Member

    If Till tells the truth, why can hackers, via amavis, easily enter via a registered user and send emails via a fixed IP address that has nothing to do with the IP address of the server?

    Does the DNSSEC function protect against this abuse?

    Or you have another means such as email security external web example

    For sincerment grieve as I tell you that you do not tell the truth Till, but why with the Managing tool you create, there is no possibility to built a system that will allow constraint such bullshit.



  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Email can not be passed directly from a registered email user.

    I guess you don't really understand what's happening and therefore claim that someone is doing something with your amavis just because you see amavis headers in the email (which are in all emails of your server btw). Here are some basics on how the mail system works:

    Postfix receives an email, then forwards it to amavis, and amavis passes it back to postfix for either local or external delivery.

    Now I try to guess what your problem is: someone cracked one of your client's email accounts and sends spam over it. This happens quite regularly these days and is not related to your server setup at all; there are several Windows trojans out there that grab the passwords of user accounts from the mail programs (Outlook, Thunderbird, etc.) on infected Windows desktops and hand them over to botnets, which then misuse the provider servers (your server) to send spam.

    To stop that, change the password of the mail account, delete the spam messages from the mailqueue and inform your client that he shall scan his desktop with an antivirus software and that he shall not enter the new password until his system is clean.
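The "delete the spam messages from the mailqueue" step from the post above, as an added example that is not part of the original thread. It assumes the standard `postqueue -p` listing layout; the function names, queue IDs and addresses are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample of `postqueue -p` output (not taken from the thread).
sample_queue() {
cat <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
3F2A1C0A11*    1523 Sat Nov 29 03:10:01  alice@example.com
                                         target1@example.org

3F2A1C0A13     1498 Sat Nov 29 03:10:04  alice@example.com
(connect to mx.example.org[192.0.2.55]:25: Connection timed out)
                                         target2@example.org

3F2A1C0A14!    2210 Sat Nov 29 03:11:30  bob@example.com
                                         friend@example.net

-- 5 Kbytes in 3 Requests.
EOF
}

# Queued messages per envelope sender, busiest first: "<count> <sender>".
# Paragraph mode (RS="") turns each queue entry into one record; field 7 is
# the sender. The trailing summary line has no field 7 and is skipped.
queue_senders() {
    tail -n +2 | awk 'BEGIN { RS = "" } $7 ~ /@/ { n[$7]++ }
        END { for (s in n) printf "%d %s\n", n[s], s }' | sort -k1,1nr -k2,2
}

# Queue IDs of every message whose envelope sender is exactly $1.
# The status markers (* active, ! on hold) are stripped from the IDs.
queue_ids_from() {
    tail -n +2 | awk -v sender="$1" 'BEGIN { RS = "" } $7 == sender { print $1 }' |
        tr -d '*!'
}

# Dry run on the sample: show who fills the queue, then the IDs to remove.
sample_queue | queue_senders
sample_queue | queue_ids_from alice@example.com

# On the server, after reviewing the ID list (this deletes mail):
#   postqueue -p | queue_ids_from user@example.com | postsuper -d -
```

The envelope sender in the queue can differ from the account that authenticated, so confirm the queue IDs against the `sasl_username=` log lines before deleting.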
  7. misterm

    misterm Member

    Gateway, you mean

    Hi Till
    In this tutorial, I like problem yet.
    The address I have to add here:
    Must be the gateway of my server or ip of my server?
    Is it necessary to add anything or not?
    Such as:
    Also, in the config amavis, should not add this also, in addition to the configuration of the server sends?

  8. till

    till Super Moderator Staff Member ISPConfig Developer

    That's the IP address of your server, not the gateway.
  9. misterm

    misterm Member

    When you send a message packet (Spam) with this error message:

    is there a disabled function in postfix or in an application on the server?

  10. till

    till Super Moderator Staff Member ISPConfig Developer

    There was nothing after "sasl_username="? Or did you remove it or was it maybe in the next line of the log?
  11. misterm

    misterm Member

    No Till, there is a user @ just after; why is this important with respect to the answer you will give me?
    Thank you for your help
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    This is important as the email address that is shown there is the user that has been authenticated correctly to send this email. The message you posted is not an error btw, it's a success message. Postfix reported that this user has been authenticated correctly by using the correct password and sent an email.

    So if this mail was spam, then you should change the password of this account and inform the user that owns the account to check his computer for viruses and trojans before he enters the new password again in his mail client.
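The log check discussed in the posts above, as an added example that is not part of the original thread: it counts authenticated submissions per `sasl_username=` login and the distinct client addresses each login came from. The log lines, host names, addresses and function names are constructed, and the line layout is the usual Postfix smtpd format.

```sh
#!/bin/sh
# Constructed Postfix log sample (not taken from the thread). The last line
# has no sasl_username= because no SMTP authentication took place.
sample_log() {
cat <<'EOF'
Nov 29 03:10:01 mail postfix/smtpd[2101]: 3F2A1C0A11: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=alice@example.com
Nov 29 03:10:02 mail postfix/smtpd[2102]: 3F2A1C0A12: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=alice@example.com
Nov 29 03:10:04 mail postfix/smtpd[2101]: 3F2A1C0A13: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=alice@example.com
Nov 29 03:11:30 mail postfix/submission/smtpd[2110]: 3F2A1C0A14: client=host.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=bob@example.com
Nov 29 03:11:31 mail postfix/smtpd[2111]: 3F2A1C0A15: client=localhost[127.0.0.1]
EOF
}

# Read Postfix log lines on stdin and print, busiest login first:
#   <messages> <distinct_client_ips> <sasl_username>
sasl_summary() {
    awk '
    /postfix\/[^ ]*smtpd\[/ && /sasl_username=/ {
        user = ""; ip = ""
        for (i = 1; i <= NF; i++) {
            f = $i
            sub(/,$/, "", f)                      # drop the trailing comma
            if (f ~ /^sasl_username=/) {
                user = substr(f, 15)              # text after "sasl_username="
            } else if (f ~ /^client=/) {
                # client=hostname[ip] -> keep the address between [ and ]
                ip = f
                sub(/^.*\[/, "", ip); sub(/\].*$/, "", ip)
            }
        }
        if (user == "") next
        msgs[user]++
        if (!((user, ip) in seen)) { seen[user, ip] = 1; ips[user]++ }
    }
    END { for (u in msgs) printf "%d %d %s\n", msgs[u], ips[u], u }
    ' | sort -k1,1nr -k3,3
}

# Demo on the constructed sample; on a Debian server the input would
# typically be /var/log/mail.log (path is an assumption).
sample_log | sasl_summary
```

A login near the top of this list that submits from several client addresses is the first account to check and reset.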
  13. misterm

    misterm Member

    Is there nothing else to do except change the password, or other things?

  14. till

    till Super Moderator Staff Member ISPConfig Developer

    If you use a courier mailserver and this address is currently sending, then you should also restart saslauthd to ensure that it reads the new login details from mysql immediately.
  15. misterm

    misterm Member

    you will take me to the one of, but in wheezy how you restart the command you just tell me?
    thank you
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    The command is:

    /etc/init.d/saslauthd restart
  17. misterm

    misterm Member


    error wheezy

  18. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, then you most likely use dovecot and not courier. In this case, you can restart dovecot.
  19. misterm

    misterm Member

    Thank you
    out context in postfix, it is to say it to send messages through port 587 or 465 and not via the natural harbor (25)

    good for you

  20. till

    till Super Moderator Staff Member ISPConfig Developer

    Messages are sent on port 25. Ports 587 and 465 are additional ports to deliver emails from the mail client to postfix.