sasl login and spam

Discussion in 'General' started by uturunco, Apr 4, 2010.

  1. uturunco

    uturunco New Member


    sorry if I am making an stupid question but I couldn't find the reason of my failure and since last week some guys are using my system to generate spam

    The methodology that they use is remote sasl login with a true user of my ispconfig system and send mail to a lot of account for example in

    I tried : change the password of my user. Delete my user (not remove it from the trash) , change the name in isp_user table of my db ispsconfig, but nothing stop the spammer, he/she continued login using this user !!

    I don't know how can somebody login (sasl) if I delete the user (repeat the only thing that I didn't want was clean my trash)

    I revised all the settings of postfix against perfect server setup and all is OK.

    all sounds like I am making a big and maybe stupid mistake by I couldn't find it, can someone helps me ?

    thanks !
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    It is not possible that they login trough the same sasl user after you changed the password. There are several possibilitys:

    1) Sasl is not enabled. Check if your server is a open relay:

    2) Your whole server had been hacked and they do not have to use a sasl login for that reason. Check your system with rkhunter and chkrootkit.

    3) The send the spam trough vulnerable php scripts, e.g. a cms system or contact form. This is the most likely reason for your problem:
  3. uturunco

    uturunco New Member

    thanks till

    yes, you are right . I checked my site with abuse net and it is an open relay (not anonymous , yes with a valid user)

    I followed all the steps in perfect server setup , can you tell me , where I should look for my mistake in configuration , to solve the problem ?

    thanks again
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Please post the content of the file /etc/postfix/
  5. uturunco

    uturunco New Member

    here it is :

    # See /usr/share/postfix/ for a commented, more complete version

    # Debian specific: Specifying a file name will cause the first
    # line of that file to be used as the name. The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname

    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no

    # appending .domain is the MUA's job.
    append_dot_mydomain = no

    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h

    readme_directory = no

    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.

    myhostname = (replaced)
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    relayhost =
    mynetworks =
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = all
    smtpd_sasl_local_domain =
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/sender_access,permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
    smtpd_tls_auth_only = no
    smtp_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    virtual_maps = hash:/etc/postfix/virtusertable

    mydestination = /etc/postfix/local-host-names


    thanks for your help !
  6. falko

    falko Super Moderator ISPConfig Developer

    What's in /etc/postfix/sender_access?
  7. uturunco

    uturunco New Member

    for example lines like these:

    [email protected] REJECT
    [email protected] REJECT
    [email protected] REJECT
    [email protected] REJECT
    [email protected] REJECT
    [email protected] REJECT
    [email protected] REJECT

    I implemented this in the previous spam attack .

  8. till

    till Super Moderator Staff Member ISPConfig Developer

    From the postfix manual:

    You added check_sender_access before reject_unauth_destination, so your system became an open relay after you added this.
  9. uturunco

    uturunco New Member

    thansk a lot till !!

Share This Page