Is my postfix is hacked?

Discussion in 'Server Operation' started by bzzik, May 8, 2009.

  1. bzzik

    bzzik New Member

    Is my postfix hacked?

    Hi guys! I really need help in my matter!

    Yesterday I analyzed mail logs and noticed something really strange. I think my postfix is hacked. We do not use our mail server too much, but maillog is full of unrecognized records. Here is the part of it:

    Many .es domain names, but our mail server is in .lv zone! And we do not have so much users, to send SO MANY emails!!!

    What steps should I take now? Is it trojan horse on my server or something???

    I am using CentoOS 5.2 (Perfect server install)
    Last edited: May 8, 2009
  2. maikcat

    maikcat New Member

    have you checked that your relay is not open?

    please post so that we can help you.


  3. bzzik

    bzzik New Member

    Thanks for you answer!

    Sry, I am new to mail server. How do I check this?

    I can post configs only in the evening - I am at work now.
  4. maikcat

    maikcat New Member

    you must have something inside like this:

    mynetworks = <--your local net
    fallback_relay =
    mydestination =
    smtpd_sasl_local_domain =
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_authenticated-header = yes
    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions =

    the above are for authanticating users to enable to relay mail through
    your server.

    try this to check your mail server
    telnet ip 25

    you will get smtp banner like

    220 Esmtp service

    then type

    ehlo localhost.localdomain

    you should get something like

    250-SIZE 15000000
    250-AUTH PLAIN LOGIN <--this means that your sever can authenticate clients to allow them to relay
    250 DSN

    if there is not the above line ,means that your server allows relay based
    on ip address origin only.
    check (my networks setting..)

    have a nice day


    ps: if you want to enable auth to work you MUST start saslauthd service as well..
  5. bzzik

    bzzik New Member

    maikcat I really appreciate your help.

    I will look in the evening and will post what I found there :) I did not even thought, that something like this is possible (real newbie I am in mails servers)...

    Btw, when I was analyzing logs, I noticed taht this started in April 25th. Till that time, everything was fine.
  6. bzzik

    bzzik New Member

    Here is options:

    And more from telnet:

    So as I understand I have relay opened. Should I simply make smtpd_sasl_auth_enable = yes to NO ? And what I will loose after that? I do not so good in all this... I hope you will help me to understand.

    Thank you!

    I made all setting to postfix using this article:

    I have tested my server for OPEN Relay here and got the answer:
    >Unable to relay: Invalid response code received from server
    > This server is NOT Open Relay
    Last edited: May 8, 2009
  7. falko

    falko Super Moderator ISPConfig Developer

    That's a good thing. :)
    But it is still possible that spammers abuse web applications on your server (like contact forms, gustbooks, etc.).
  8. bzzik

    bzzik New Member


    But what I think, that I am a victim of Backscatter mails. Can you advice me something regarding it?

    How do I check this?
  9. falko

    falko Super Moderator ISPConfig Developer

    That's difficult to check. You can have a look at Apache's access logs to see if there's a contact form/guestbook/whatever that is accessed again and again from the same IP.
  10. bzzik

    bzzik New Member

    I do not think that it is from guestbooks/forms. What I have done: I stopped postfix for about 3 hours. Then I started it again and look into logs. Immediately after start I got tons of mails in queue (I am not posting all of them):

    And then activity started again:

    These .es domains - can I simply somehow ban them? What I am suffering from? :(
  11. maikcat

    maikcat New Member

  12. bzzik

    bzzik New Member

    maikcat sry - I have not provided all file. I have it like this at the moment:

    Do you really think I need to set local_recipient_maps to empty value? This will turn off local recipient checking :(
  13. maikcat

    maikcat New Member

    yes it will turn off local recipient check,

    the reason i believe you need this is for avoiding spammers
    to querie your mail server for valid users (they also use VRFY and EXPN commands as well).

    the use of luser_relay is for creating a bucket ,so that your system
    will never try to send back mail telling that the x mailbox doesnt exists,
    the drawback of this approach is that if a valid user sends mail to one
    of yours account but he mistyped his mail,he will never know that his
    mail never reached the intended recipient, the advantage is that
    your queue will never be full with postfix trying to send back notifications
    to spammers (who will probably provided erroneous from: address..)

  14. matiasCU

    matiasCU New Member

    bzzik your problem was solved?

    Hi bzzik:
    Could you solve the bounce problem?

    I'm having apparentry the same problem, that it is killing my server.

    Hi maikcat:
    Look this:

    This would be the solution?
    local_recipient_maps =
    luser_relay = someuser@mydomain.tld

  15. falko

    falko Super Moderator ISPConfig Developer

  16. matiasCU

    matiasCU New Member

    Hi Falko:
    No. I'm doing direct from my server, I'm not using relay. Why ask this?

    I think the attack is Backscatter for the messages I have in the queue of deferred look this:

    I've made the changes mentioned maikcat, also erased the deferred queue, with postsuper -d ALL deferred command.
    Apparently now the queue is empty, but I have to continue to monitor the operation of the server.
  17. falko

    falko Super Moderator ISPConfig Developer

    Do your domains have proper A and MX records? What about SPF and PTR records?
  18. matiasCU

    matiasCU New Member

    Sry for the delay... Yes I have A, MX, and txt SPF record for the domain.
    The only thing I can get to be in the unusual configuration is that I have 2 MX records plus, that not responding "the concept of nolisting" 86400 IN MX 5 86400 IN MX 10 86400 IN MX 20 86400 IN A 190.xx.yy.z1 86400 IN A 190.xx.yy.z2 86400 IN A 190.xx.yy.z3 86400 IN TXT "v=spf1 ip4:190.xx.yy.z2 a mx ptr ~all"

    Obviously in dummy1 and dummy2 I don't have mail server.
  19. falko

    falko Super Moderator ISPConfig Developer

    Please delete the MX records for 86400 IN MX 5 86400 IN MX 20
  20. matiasCU

    matiasCU New Member

    Please tell me why should I delete?


Share This Page