Is my postfix is hacked?

Discussion in 'Server Operation' started by bzzik, May 8, 2009.

  1. bzzik

    bzzik New Member

    Is my postfix hacked?

    Hi guys! I really need help in my matter!

    Yesterday I analyzed mail logs and noticed something really strange. I think my postfix is hacked. We do not use our mail server too much, but maillog is full of unrecognized records. Here is the part of it:

    Many .es domain names, but our mail server is in .lv zone! And we do not have so much users, to send SO MANY emails!!!

    What steps should I take now? Is it trojan horse on my server or something???

    P.S.
    I am using CentoOS 5.2 (Perfect server install)
     
    Last edited: May 8, 2009
  2. maikcat

    maikcat New Member

    have you checked that your relay is not open?

    please post main.cf so that we can help you.


    cheers,

    maik
     
  3. bzzik

    bzzik New Member

    Thanks for you answer!

    Sry, I am new to mail server. How do I check this?

    P.S.
    I can post configs only in the evening - I am at work now.
     
  4. maikcat

    maikcat New Member

    you must have something inside main.cf like this:

    mynetworks = 192.168.1.0/24 <--your local net
    fallback_relay =
    mydestination = test.gr
    smtpd_sasl_local_domain =
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_authenticated-header = yes
    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination

    the above are for authanticating users to enable to relay mail through
    your server.

    try this to check your mail server
    telnet ip 25

    you will get smtp banner like

    220 Esmtp service

    then type

    ehlo localhost.localdomain

    you should get something like

    250-PIPELINING
    250-SIZE 15000000
    250-ETRN
    250-AUTH PLAIN LOGIN <--this means that your sever can authenticate clients to allow them to relay
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN

    if there is not the above line ,means that your server allows relay based
    on ip address origin only.
    check main.cf... (my networks setting..)

    have a nice day

    michael

    ps: if you want to enable auth to work you MUST start saslauthd service as well..
     
  5. bzzik

    bzzik New Member

    maikcat I really appreciate your help.

    I will look in the evening and will post what I found there :) I did not even thought, that something like this is possible (real newbie I am in mails servers)...

    P.S.
    Btw, when I was analyzing logs, I noticed taht this started in April 25th. Till that time, everything was fine.
     
  6. bzzik

    bzzik New Member

    Here is main.cf options:

    And more from telnet:

    So as I understand I have relay opened. Should I simply make smtpd_sasl_auth_enable = yes to NO ? And what I will loose after that? I do not so good in all this... I hope you will help me to understand.

    Thank you!

    P.S.
    I made all setting to postfix using this article:
    http://www.howtoforge.com/perfect-server-centos-5.2-p5

    P.P.S.
    I have tested my server for OPEN Relay here http://www.myiptest.com/staticpages/index.php/open-relay-test and got the answer:
    >Unable to relay: Invalid response code received from server
    > This server is NOT Open Relay
     
    Last edited: May 8, 2009
  7. falko

    falko Super Moderator ISPConfig Developer

    That's a good thing. :)
    But it is still possible that spammers abuse web applications on your server (like contact forms, gustbooks, etc.).
     
  8. bzzik

    bzzik New Member

    Ok!

    But what I think, that I am a victim of Backscatter mails. Can you advice me something regarding it?

    How do I check this?
     
  9. falko

    falko Super Moderator ISPConfig Developer

    That's difficult to check. You can have a look at Apache's access logs to see if there's a contact form/guestbook/whatever that is accessed again and again from the same IP.
     
  10. bzzik

    bzzik New Member

    I do not think that it is from guestbooks/forms. What I have done: I stopped postfix for about 3 hours. Then I started it again and look into logs. Immediately after start I got tons of mails in queue (I am not posting all of them):

    And then activity started again:

    These .es domains - can I simply somehow ban them? What I am suffering from? :(
     
  11. maikcat

    maikcat New Member

    the local_recipient_maps option in your
    set the
    local_recipient_maps =
    this will accept mail for whatever user (exist or not)
    combine it with
    luser_relay = testaccount@yourdomain.com

    this will stop bounced back messages...

    the side effect is that if someone mistypes a valid mail account
    he will never get notification back from you with his error.... :s


    cheers,
     
  12. bzzik

    bzzik New Member

    maikcat sry - I have not provided all main.cf file. I have it like this at the moment:

    Do you really think I need to set local_recipient_maps to empty value? This will turn off local recipient checking :(
     
  13. maikcat

    maikcat New Member

    yes it will turn off local recipient check,

    the reason i believe you need this is for avoiding spammers
    to querie your mail server for valid users (they also use VRFY and EXPN commands as well).

    the use of luser_relay is for creating a bucket ,so that your system
    will never try to send back mail telling that the x mailbox doesnt exists,
    the drawback of this approach is that if a valid user sends mail to one
    of yours account but he mistyped his mail,he will never know that his
    mail never reached the intended recipient, the advantage is that
    your queue will never be full with postfix trying to send back notifications
    to spammers (who will probably provided erroneous from: address..)

    cheers,
     
  14. matiasCU

    matiasCU New Member

    bzzik your problem was solved?

    Hi bzzik:
    Could you solve the bounce problem?

    I'm having apparentry the same problem, that it is killing my server.

    Hi maikcat:
    The
    Look this:

    This would be the solution?
    local_recipient_maps =
    luser_relay = someuser@mydomain.tld

    Thanks
     
  15. falko

    falko Super Moderator ISPConfig Developer

  16. matiasCU

    matiasCU New Member

    Hi Falko:
    No. I'm doing direct from my server, I'm not using relay. Why ask this?

    I think the attack is Backscatter for the messages I have in the queue of deferred look this:

    I've made the changes mentioned maikcat, also erased the deferred queue, with postsuper -d ALL deferred command.
    Apparently now the queue is empty, but I have to continue to monitor the operation of the server.
     
  17. falko

    falko Super Moderator ISPConfig Developer

    Do your domains have proper A and MX records? What about SPF and PTR records?
     
  18. matiasCU

    matiasCU New Member

    Sry for the delay... Yes I have A, MX, and txt SPF record for the domain.
    The only thing I can get to be in the unusual configuration is that I have 2 MX records plus, that not responding "the concept of nolisting"

    site.com. 86400 IN MX 5 dummy1.site.com.
    site.com. 86400 IN MX 10 mail.site.com.
    site.com. 86400 IN MX 20 dummy2.site.com.

    dummy1.site.com. 86400 IN A 190.xx.yy.z1
    mail.site.com. 86400 IN A 190.xx.yy.z2
    dummy2.site.com. 86400 IN A 190.xx.yy.z3

    site.com. 86400 IN TXT "v=spf1 ip4:190.xx.yy.z2 a mx ptr ~all"


    Obviously in dummy1 and dummy2 I don't have mail server.
     
  19. falko

    falko Super Moderator ISPConfig Developer

    Please delete the MX records for
    site.com. 86400 IN MX 5 dummy1.site.com.
    site.com. 86400 IN MX 20 dummy2.site.com.
     
  20. matiasCU

    matiasCU New Member

    Please tell me why should I delete?

    Tks
     

Share This Page