Postfix hack issues

Discussion in 'Server Operation' started by KenKnight, May 23, 2008.

  1. KenKnight

    KenKnight Member

    Hi All,

    It appears somehow, someone created a postfix user account that gave them access to relay spam through a client's server. I have the exact username and password, however, this user is not showing up in the virtualuser.db or anywhere that I know to look (i.e. shadow).

    What are the normal locations for the postfix users and does anyone have a suggestion on removing this account?

    Thanks,
    Ken
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    I assume you did a relay test on the server to ensure that it is not an open relay?
    Please post the content of the main.cf file, comments stripped.
     
  3. KenKnight

    KenKnight Member

    Hi Till,

    Thanks for the response. Here's the main.cf:


    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no

    append_dot_mydomain = no


    myhostname = debian.krausorders.com
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    relayhost = [smtp.nuvox.net]
    mynetworks = 127.0.0.0/8
    mailbox_command =
    mailbox_size_limit = 100000000
    recipient_delimiter = +
    inet_interfaces = all
    smtpd_sasl_local_domain =
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,check_policy_service inet:127.0.0.1:60000
    smtpd_tls_auth_only = no
    smtp_use_tls = yes
    smtpd_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    home_mailbox = Maildir/

    virtual_maps = hash:/etc/postfix/virtusertable

    mydestination = /etc/postfix/local-host-names
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_security_options = noanonymous
    message_size_limit = 20000000

    smtp_helo_required = yes
    invalid_hostname_reject_code = 554
    multi_hostname_reject_code = 554
    non_fqdn_reject_code = 554
    relay_domains_reject_code = 554
    unknown_address_reject_code = 554
    unknown_client_reject_code = 554
    unknown_hostname_reject_code = 554
    unknown_local_recipient_reject_code = 554
    unknown_relay_recipient_reject_code = 554
    unknown_sender_reject_code = 554
    unknown_virtual_alias_reject_code = 554
    unknown_virtual_mailbox_reject_code = 554
    unverified_recipient_reject_code = 554
    unverified_sender_reject_code = 554

    smtpd_recipient_restrictions =
        reject_invalid_hostname,
        reject_unknown_recipient_domain,
        reject_unauth_pipelining,
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_rbl_client sbl-xbl.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        permit
     
  4. falko

    falko Super Moderator ISPConfig Developer

    Is it possible that the spammer is using webmail to send mails?
     
  5. KenKnight

    KenKnight Member

    Hi Falko,

    No, they actually have a username and password. I know what both are through packet sniffing and have verified that I can log in and send email with this info. So now the question is how do I kill this user pass. I have applied an IP ban to a range of IP addresses that this person is connecting from, but this is obviously a temporary measure.

    Thanks,
    Ken
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Are the users listed in /etc/passwd ?
     
  7. KenKnight

    KenKnight Member

    Hi Till,

    No, they're not listed in the /etc/passwd file. The username seems to have been created by a random generator and the password is the same as the username with the addition of a couple of extra characters on the end.

    Thanks,
    Ken
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Are you able to login with a username and password of random characters too?
     
  9. KenKnight

    KenKnight Member

    Hi Till,

    I can't use any random characters, however, if I use the ones I sniffed out then yes they work fine.

    Thanks,
    Ken
     
  10. falko

    falko Super Moderator ISPConfig Developer

    So you can log in with a username that does not exist in /etc/passwd?
     
  11. KenKnight

    KenKnight Member

    Hi Falko,

    Yes that is correct.

    Thanks,
    Ken
     
  12. falko

    falko Super Moderator ISPConfig Developer

    I see that you have some options twice in your main.cf. Can you remove the redundant lines and post the main.cf again (please wrap it in code tags).

    Are there any errors/warnings in your mail log?
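
Added example, not part of the original thread: when a parameter appears more than once in main.cf, Postfix keeps only the last definition, so the sketch below parses a main.cf (including continuation lines), finds such duplicates, and lists what the winning definition no longer contains. The function names are hypothetical and the sample is a constructed excerpt modelled on the file posted above.

```python
import re

# Constructed excerpt modelled on the main.cf posted in the thread.
SAMPLE_MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,check_policy_service inet:127.0.0.1:60000
smtpd_recipient_restrictions =
    reject_invalid_hostname,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    permit
"""

def tokenize(value):
    """Split a list-valued parameter on commas and whitespace."""
    return [t for t in re.split(r"[,\s]+", value) if t]

def parse_main_cf(text):
    """Return {name: [(line_no, [tokens]), ...]} for every definition, in file order."""
    defs = {}
    current = None  # token list of the logical line being continued
    for line_no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank and comment lines are ignored
        if raw[0] in " \t":  # leading whitespace continues the previous logical line
            if current is not None:
                current.extend(tokenize(raw))
            continue
        name, sep, value = raw.partition("=")
        current = tokenize(value) if sep else None
        if sep:
            defs.setdefault(name.strip(), []).append((line_no, current))
    return defs

def report_overrides(text):
    """For each parameter defined twice or more: the winning (last) line and dropped tokens."""
    report = {}
    for name, entries in parse_main_cf(text).items():
        if len(entries) < 2:
            continue
        line_no, effective = entries[-1]
        dropped = []
        for _, earlier in entries[:-1]:
            dropped += [t for t in earlier if t not in effective and t not in dropped]
        report[name] = {"line": line_no, "effective": effective, "dropped": dropped}
    return report

if __name__ == "__main__":
    print(report_overrides(SAMPLE_MAIN_CF))
```

On the sample, the later `smtpd_recipient_restrictions` wins and the `check_policy_service` entry from the earlier line is no longer in effect; `postconf -n` shows the values Postfix actually uses on a live system.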
     
