Semi-Open Relay

Discussion in 'ISPConfig 3 Priority Support' started by coolgoob, May 2, 2014.

  1. coolgoob

    coolgoob New Member

    Ok so I have a semi-open relay on my mail server.
    It requires a valid username but no password for that user to send mail.
    A spammer got hold of my account and began sending massive amounts of spam with it.
    Is it something in my main.cf? I checked the database and it seemed fine.

    Below is a copy of my main.cf
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version


    # Debian specific: Specifying a file name will cause the first
    # line of that file to be used as the name. The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname

    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no

    # appending .domain is the MUA's job.
    append_dot_mydomain = no

    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h

    readme_directory = /usr/share/doc/postfix

    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.

    myhostname = hcp.crimtechsecurity.com
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    myorigin = /etc/mailname
    mydestination = hcp.XXXXXXXX.com, localhost, localhost.localdomain
    relayhost =
    mynetworks = 127.0.0.0/8 [::1]/128
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    html_directory = /usr/share/doc/postfix/html
    virtual_alias_domains =
    virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf, hash:/var/lib/mailman/data/virtual-mailman
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    inet_protocols = all
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_recipient_restrictions = check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    smtpd_tls_security_level = may
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
    smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
    smtpd_client_message_rate_limit = 100
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = dovecot
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    owner_request_special = no
    dovecot_destination_recipient_limit = 1
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    content_filter = amavis:[127.0.0.1]:10024
    receive_override_options = no_address_mappings
    message_size_limit = 0
    smtp_tls_security_level = may
    authorized_submit_users = !root, static:anyone
    smtpd_data_restrictions = reject_unauth_pipelining
     
  2. coolgoob

    coolgoob New Member

    Mail Logs

    This is what I am seeing on the maillogs:

    Apr 27 06:20:02 vps postfix/pickup[32222]: 7E93840E0D09: uid=105 from=<smmsp>
    Apr 27 06:20:02 vps postfix/cleanup[1451]: 7E93840E0D09: message-id=<20140427102002.7E93840E0D09@hcp.XXXXXXX>
    Apr 27 06:20:02 vps postfix/qmgr[3188]: 7E93840E0D09: from=<smmsp@hcp.crimtechsecurity.com>, size=719, nrcpt=1 (queue active)
    Apr 27 06:20:03 vps postfix/smtpd[1464]: warning: database /var/lib/mailman/data/virtual-mailman.db is older than source file /var/lib/mailman/data/virtual-mailman
    Apr 27 06:20:03 vps postfix/smtpd[1464]: connect from localhost.localdomain[127.0.0.1]
    Apr 27 06:20:03 vps postfix/smtpd[1464]: 40E4640E0D0A: client=localhost.localdomain[127.0.0.1]
    Apr 27 06:20:03 vps postfix/cleanup[1451]: 40E4640E0D0A: message-id=<20140427102002.7E93840E0D09@hcp.XXXXXXX>
    Apr 27 06:20:03 vps postfix/qmgr[3188]: 40E4640E0D0A: from=<smmsp@hcp.XXXXXXX>, size=1231, nrcpt=1 (queue active)
    Apr 27 06:20:03 vps postfix/smtpd[1464]: disconnect from localhost.localdomain[127.0.0.1]
    Apr 27 06:20:03 vps amavis[26891]: (26891-09) Passed CLEAN {RelayedInbound}, <smmsp@hcp.XXXXXXX> -> <root@hcp.XXXXXXX>, Message-ID: <20140427102002.7E93840E0D09@hcp.XXXXXXX>, mail_id: 4RjEAHqiGNWi, Hits: -0.001, size: 719, queued_as: 40E4640E0D0A, 733 ms
    Apr 27 06:20:03 vps postfix/smtp[1453]: 7E93840E0D09: to=<root@hcp.XXXXXXX>, orig_to=<root>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.78, delays=0.02/0.02/0.04/0.7, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 40E4640E0D0A)
    Apr 27 06:20:03 vps postfix/qmgr[3188]: 7E93840E0D09: removed
    Apr 27 06:20:03 vps postfix/local[1467]: 40E4640E0D0A: to=<root@hcp.XXXXXXX>, relay=local, delay=0.09, delays=0.01/0.02/0/0.06, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
    Apr 27 06:20:03 vps postfix/qmgr[3188]: 40E4640E0D0A: removed
    Apr 27 06:23:54 vps postfix/qmgr[3188]: DEE1740E1565: from=<lucky13cs@aol.com>, size=3760, nrcpt=20 (queue active)
    Apr 27 06:23:54 vps postfix/qmgr[3188]: 47E3440E1463: from=<rockersky95@aol.com>, size=5135, nrcpt=14 (queue active)
    Apr 27 06:23:54 vps postfix/qmgr[3188]: 7F55C40E1567: from=<mcikath@aol.com>, size=3809, nrcpt=14 (queue active)
    Apr 27 06:23:54 vps postfix/qmgr[3188]: 7DF0040E155E: from=<myers518@aol.com>, size=3777, nrcpt=20 (queue active)
    Apr 27 06:23:54 vps postfix/qmgr[3188]: 7F16840E156F: from=<lucky13krugrl@aol.com>, size=3150, nrcpt=11 (queue active)
    Apr 27 06:23:54 vps postfix/qmgr[3188]: 353F940E0D20: from=<reegb@aol.com>, size=5604, nrcpt=20 (queue active)
    Apr 27 06:23:54 vps postfix/qmgr[3188]: 377B940E14CF: from=<reegb@aol.com>, size=5579, nrcpt=20 (queue active)
    Apr 27 06:23:54 vps postfix/qmgr[3188]: 6079340E152F: from=<reegb@aol.com>, size=5522, nrcpt=20 (queue active)
    Apr 27 06:23:54 vps postfix/qmgr[3188]: 003F240E0CAB: from=<reegb@aol.com>, size=5596, nrcpt=20 (queue active)
    Apr 27 06:23:54 vps postfix/qmgr[3188]: 8A8B140E1571: from=<lucky13nic@aol.com>, size=3783, nrcpt=20 (queue active)
    Apr 27 06:23:54 vps postfix/qmgr[3188]: 8880140E0C95: from=<reegb@aol.com>, size=5511, nrcpt=20 (queue active)
    Apr 27 06:23:54 vps postfix/qmgr[3188]: EA2DA40E0C91: from=<rmshelton@aol.com>, size=5566, nrcpt=18 (queue active)
    Apr 27 06:23:54 vps postfix/smtp[1510]: 47E3440E1463: to=<tlsipeinsureance@dc.rr.com>, relay=cdptpa-pub-iedge-vip.email.rr.com[107.14.166.70]:25, delay=366219, delays=366219/0.02/0.12/0, dsn=4.0.0, status=deferred (host cdptpa-pub-iedge-vip.email.rr.com[107.14.166.70] refused to talk to me: 554 ERROR: Mail Refused - See http://csi.cloudmark.com/reset-request/?ip
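The question of where the mail went, and which identity injected it, can be answered from log lines like the ones above instead of by guessing. The following Python is an added example by the editor (not the poster's code and not part of ISPConfig): it ties together, per queue ID, the smtpd client=/sasl_username= line, the qmgr from=/nrcpt= line and the delivery lines, classifies each delivery as local, content-filter (the 127.0.0.1:10024 amavis hop, which is not egress) or remote, and then totals remote recipients per injecting identity. The log lines inside are constructed to match the format shown above, with example hosts and addresses; they are not the poster's lines.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the posted log, with example hosts and
# addresses (not the poster's lines): one SASL-authenticated client injects a
# message that fans out to remote MXes; a local cron message only passes
# through the amavis content filter and is delivered locally.
SAMPLE_LOG = """\
Apr 27 06:23:50 vps postfix/smtpd[1500]: 47E3440E1463: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=user@example.com
Apr 27 06:23:50 vps postfix/qmgr[3188]: 47E3440E1463: from=<rockersky95@aol.com>, size=5135, nrcpt=14 (queue active)
Apr 27 06:23:51 vps postfix/smtp[1510]: 47E3440E1463: to=<a@dc.rr.com>, relay=mx.rr.example[107.14.166.70]:25, delay=0.5, delays=0.1/0/0.2/0.2, dsn=2.0.0, status=sent (250 ok)
Apr 27 06:23:51 vps postfix/smtp[1510]: 47E3440E1463: to=<b@gmail.com>, relay=mx.gmail.example[192.0.2.10]:25, delay=0.5, delays=0.1/0/0.2/0.2, dsn=4.0.0, status=deferred (refused to talk to me)
Apr 27 06:20:02 vps postfix/pickup[32222]: 7E93840E0D09: uid=105 from=<smmsp>
Apr 27 06:20:02 vps postfix/qmgr[3188]: 7E93840E0D09: from=<smmsp@hcp.example.com>, size=719, nrcpt=1 (queue active)
Apr 27 06:20:03 vps postfix/smtp[1453]: 7E93840E0D09: to=<root@hcp.example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.78, delays=0.02/0.02/0.04/0.7, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 40E4640E0D0A)
Apr 27 06:20:03 vps postfix/smtpd[1464]: 40E4640E0D0A: client=localhost.localdomain[127.0.0.1]
Apr 27 06:20:03 vps postfix/qmgr[3188]: 40E4640E0D0A: from=<smmsp@hcp.example.com>, size=1231, nrcpt=1 (queue active)
Apr 27 06:20:03 vps postfix/local[1467]: 40E4640E0D0A: to=<root@hcp.example.com>, relay=local, delay=0.09, delays=0.01/0.02/0/0.06, dsn=2.0.0, status=sent (delivered to command: procmail)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/(?P<prog>[\w-]+)\[\d+\]: "
    r"(?P<qid>[0-9A-Za-z]+): (?P<rest>.*)$"
)
# key=value pairs: an angle-bracketed address, or a bare token up to the next comma/space
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,\s]+)")
LOOPBACK = ("[127.0.0.1]", "[::1]")
LOCAL_TRANSPORTS = {"local", "virtual", "dovecot", "maildrop", "none"}


def parse_kv(rest):
    return {k: v.strip("<>") for k, v in KV_RE.findall(rest)}


def classify_relay(relay):
    """Where a delivery went: this box, the content filter re-injection hop, or a remote host."""
    if relay in LOCAL_TRANSPORTS:
        return "local"
    if any(lb in relay for lb in LOOPBACK):
        return "filter"  # amavis/content_filter hop on loopback, not real egress
    return "remote"


def parse_maillog(text):
    """Group log lines by queue ID into who injected the message and where it went."""
    msgs = defaultdict(lambda: {"sender": None, "nrcpt": 0, "client": None,
                                "sasl_username": None, "pickup_uid": None, "deliveries": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        kv = parse_kv(m["rest"])
        if not kv:  # 'removed', 'warning: ...' and similar lines carry no fields
            continue
        prog, rec = m["prog"], msgs[m["qid"]]
        if prog == "smtpd" and "client" in kv:
            rec["client"] = kv["client"]
            rec["sasl_username"] = kv.get("sasl_username")
        elif prog == "pickup":
            rec["pickup_uid"] = kv.get("uid")
        elif prog == "qmgr" and "nrcpt" in kv:
            rec["sender"] = kv.get("from")
            rec["nrcpt"] = int(kv["nrcpt"])
        elif "to" in kv and "relay" in kv:
            rec["deliveries"].append((kv["to"], kv["relay"], classify_relay(kv["relay"]), kv.get("status")))
    return dict(msgs)


def origin_of(rec):
    """Injecting identity: authenticated user, unauthenticated client, or local process."""
    if rec["sasl_username"]:
        return "sasl:" + rec["sasl_username"]
    if rec["client"]:
        return "client:" + rec["client"]
    if rec["pickup_uid"]:
        return "uid:" + rec["pickup_uid"]
    return "unknown"


def outbound_report(msgs):
    """Per origin: messages and declared recipients of mail that left for remote hosts."""
    report = defaultdict(lambda: {"messages": 0, "recipients": 0, "envelope_senders": set()})
    for rec in msgs.values():
        if not any(kind == "remote" for _, _, kind, _ in rec["deliveries"]):
            continue
        r = report[origin_of(rec)]
        r["messages"] += 1
        r["recipients"] += rec["nrcpt"]
        r["envelope_senders"].add(rec["sender"])
    return dict(report)


def flag_bulk_origins(msgs, max_recipients=10):
    """Origins whose remote recipient total exceeds the threshold, busiest first."""
    hits = [(o, r["recipients"]) for o, r in outbound_report(msgs).items() if r["recipients"] > max_recipients]
    return sorted(hits, key=lambda t: -t[1])


if __name__ == "__main__":
    for origin, r in outbound_report(parse_maillog(SAMPLE_LOG)).items():
        print(f"{origin}: {r['messages']} message(s), {r['recipients']} remote recipient(s), "
              f"envelope senders {sorted(r['envelope_senders'])}")
```

Against a real log, `parse_maillog(open('/var/log/mail.log').read())` does the same job. A "sasl:" origin with a large remote recipient count points at a stolen or unchecked password for that account; a "client:" origin with remote deliveries means an unauthenticated host was allowed to relay by the restrictions, which is the case to look for when you suspect the config rather than a credential.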
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    The question is where are the emails sent to? Are the emails sent to accounts that are on your server, or are the emails sent to accounts at other servers, e.g. gmail?
     
  4. coolgoob

    coolgoob New Member

    Messages

    The messages were going outside of my server.

    I ran a check for malware and rkhunter on the server.

    It sucks because it's my actual email address that they are using, but I tested last night and it appears that if you know an email address on the server you can relay using it.

    Any other logs or ideas?
     
  5. coolgoob

    coolgoob New Member

    Reboot fixed it

    A reboot resolved the problem. It was odd. I reset all mail passwords and rebooted.
    Maybe one of my mail clients was infected.
     
