# postfix attack

## Darkshine

I have postfix 2.5.7 installed on my gentoo server. It has been configured using the http://www.gentoo.org/doc/en/virt-mail-howto.xml guide - I've performed all the steps except the mailman-related ones.

Today I see that there are a lot of incoming and outgoing connections to/from postfix and a lot of errors and bounces from it. In /var/spool/postfix/defer* I see about 500 MB of messages which have been deferred due to error responses from the yahoo mail servers. Note that I have not sent any emails today or yesterday from my mail server. It seems somebody used my postfix to send spam e-mails. But I believed my smtp was closed to anonymous use because I have set a passwd for smtp...

What should I check? Please advise.

----------

## xtz

/var/log/mail.log


----------

## Darkshine

*xtz wrote:*

> /var/log/mail.log

I don't have a /var/log/mail.log file; postfix writes its output to /var/log/messages. In master.cf I've set the '-v' flag for the 'smtp' binary, so during yesterday my /var/log/messages grew to 10G in size and it is very difficult to analyze.

So, for some reason my postfix was just an open relay for one or two days... I believed the following options in main.cf would prevent my smtp service from being used anonymously:

```
alias_maps = mysql:/etc/postfix/mysql-aliases.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-maps.cf
local_recipient_maps = $alias_maps $virtual_mailbox_maps unix:passwd.byname
```

where mysql-aliases.cf is:

```
user         = mailsql
password     = <my password>
dbname       = mailsql
table        = alias
select_field = destination
where_field  = alias
hosts        = unix:/var/run/mysqld/mysqld.sock
```

and mysql-virtual-maps.cf is:

```
user            = mailsql
password        = <my password>
dbname          = mailsql
table           = users
select_field    = maildir
where_field     = email
additional_conditions = and postfix = 'y'
hosts           = unix:/var/run/mysqld/mysqld.sock
```

Are the above options enough to prevent anonymous use of smtp, or not?

----------

## kashani

Post the output of postconf -n because that'll show us all the non-default settings. Also turn off -v in your logs. You might want to search the forum for how to modify syslog-ng in order to put mail logs into mail.log.

Chances are you've been joe-jobbed and there isn't anything you can do about it. Happens to my domain quite frequently. Some spammer uses a revolving set of domains as his From: address. You get the bounces. 

kashani

----------
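The two explanations on the table (open relay versus a joe-job that only produces backscatter) leave different traces in the mail log, and the way to tell them apart is to correlate the smtpd `client=` line, the qmgr `from=<...>` line and the delivery agent's `to=<...> ... status=` line by queue ID. The script below is an added example, not code from this thread or from Postfix: it parses those standard syslog lines and classifies each accepted message by what let it in. The sample log, the hosts and addresses in it, and the `TRUSTED_NETS` / `LOCAL_DOMAINS` lists are constructed placeholders; the 10 GB of `-v` debug lines mentioned above simply do not match any of these patterns and are skipped.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in the standard Postfix syslog format; queue IDs, hosts and
# addresses are invented for this example (documentation IP ranges throughout).
SAMPLE_LOG = """\
Feb 10 03:12:01 mx postfix/smtpd[4101]: 1A2B3C4D5E: client=unknown[203.0.113.45]
Feb 10 03:12:01 mx postfix/qmgr[4002]: 1A2B3C4D5E: from=<promo@spam-sender.test>, size=2211, nrcpt=40 (queue active)
Feb 10 03:12:02 mx postfix/smtp[4110]: 1A2B3C4D5E: to=<victim1@yahoo.com>, relay=mta.yahoo.test[198.51.100.200]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=4.7.0, status=deferred (host mta.yahoo.test[198.51.100.200] said: 421 4.7.0 [TS03] All messages from 198.51.100.10 will be permanently deferred (in reply to MAIL FROM command))
Feb 10 03:13:07 mx postfix/smtpd[4101]: 6F7E8D9C0B: client=laptop.example.org[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.org
Feb 10 03:13:07 mx postfix/qmgr[4002]: 6F7E8D9C0B: from=<alice@example.org>, size=812, nrcpt=1 (queue active)
Feb 10 03:13:08 mx postfix/smtp[4110]: 6F7E8D9C0B: to=<bob@gmail.com>, relay=mx.gmail.test[198.51.100.201]:25, delay=0.9, delays=0.1/0/0.3/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK)
Feb 10 03:14:22 mx postfix/smtpd[4103]: A1B2C3D4E5: client=mta3.example.net[198.51.100.77]
Feb 10 03:14:22 mx postfix/qmgr[4002]: A1B2C3D4E5: from=<>, size=5120, nrcpt=1 (queue active)
Feb 10 03:14:22 mx postfix/virtual[4200]: A1B2C3D4E5: to=<carol@example.org>, relay=virtual, delay=0.1, delays=0.05/0/0/0.05, dsn=2.0.0, status=sent (delivered to maildir)
"""

# Assumed site values: what mynetworks *should* contain, and the domains we host.
TRUSTED_NETS = ("127.0.0.0/8",)
LOCAL_DOMAINS = ("example.org",)

CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>\w+): client=\S*?\[(?P<ip>[^\]]+)\](?P<rest>.*)")
SASL_RE = re.compile(r"sasl_username=([^,\s]+)")
FROM_RE = re.compile(r": (?P<qid>\w+): from=<(?P<sender>[^>]*)>")
TO_RE = re.compile(r": (?P<qid>\w+): to=<(?P<rcpt>[^>]+)>.*?status=(?P<status>\w+)")


def parse_postfix_log(text):
    """Correlate smtpd / qmgr / delivery-agent lines by queue ID into one record per message."""
    msgs = defaultdict(lambda: {"client_ip": None, "sasl_user": None, "sender": None, "rcpts": []})
    for line in text.splitlines():
        if m := CLIENT_RE.search(line):
            rec = msgs[m["qid"]]
            rec["client_ip"] = m["ip"]
            s = SASL_RE.search(m["rest"])
            rec["sasl_user"] = s.group(1) if s else None
        elif m := FROM_RE.search(line):
            msgs[m["qid"]]["sender"] = m["sender"]
        elif m := TO_RE.search(line):
            msgs[m["qid"]]["rcpts"].append((m["rcpt"], m["status"]))
    return dict(msgs)


def classify(rec, trusted_nets=TRUSTED_NETS, local_domains=LOCAL_DOMAINS):
    """Explain why smtpd accepted a message, mirroring the order in which
    permit_sasl_authenticated, permit_mynetworks and reject_unauth_destination fire."""
    if rec["client_ip"] is None:
        return "local submission (not via smtpd)"
    if rec["sasl_user"]:
        return "authenticated submission by " + rec["sasl_user"]
    ip = ipaddress.ip_address(rec["client_ip"])
    if any(ip in ipaddress.ip_network(n) for n in trusted_nets):
        return "relayed via permit_mynetworks (client %s in a trusted network)" % ip
    if not rec["rcpts"]:
        return "accepted, no delivery attempt logged yet"
    foreign = [r for r, _ in rec["rcpts"] if r.rsplit("@", 1)[-1].lower() not in local_domains]
    if not foreign:
        # Mail *to* our own domains from outside is normal.  A null sender means it is
        # a bounce, which is what a joe-job (our domain forged into someone else's spam) looks like.
        return "inbound bounce / backscatter (from=<>)" if rec["sender"] == "" else "inbound delivery"
    # Unauthenticated, untrusted client, recipient elsewhere: this is relaying, and only
    # a permit_* rule that fired before reject_unauth_destination can have allowed it.
    return "OPEN RELAY ABUSE: unauthenticated untrusted client relayed to %d foreign recipient(s)" % len(foreign)


def triage(text, trusted_nets=TRUSTED_NETS, local_domains=LOCAL_DOMAINS):
    """Map each queue ID in the log text to its classification."""
    return {qid: classify(rec, trusted_nets, local_domains)
            for qid, rec in parse_postfix_log(text).items()}


def abusing_clients(text, trusted_nets=TRUSTED_NETS, local_domains=LOCAL_DOMAINS):
    """Relay-abuse messages per client IP: the list to block and to grep the spool for."""
    return Counter(rec["client_ip"] for rec in parse_postfix_log(text).values()
                   if classify(rec, trusted_nets, local_domains).startswith("OPEN RELAY"))


if __name__ == "__main__":
    for qid, verdict in triage(SAMPLE_LOG).items():
        print(qid, verdict)
    print("abusing clients:", dict(abusing_clients(SAMPLE_LOG)))
```

On a real box the input would be `grep 'postfix/' /var/log/messages` with `TRUSTED_NETS` set to the intended `mynetworks` (not the one currently configured) and `LOCAL_DOMAINS` to the `mydestination` and `virtual_mailbox_domains` names; a non-empty result from `abusing_clients` is the open-relay signature, whereas a joe-job shows up only as inbound `from=<>` bounces.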

## Darkshine

here is an output from "postconf -n". I've replaced some private data like hostname and domainname:

```
alias_maps = mysql:/etc/postfix/mysql-aliases.cf
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 10
home_mailbox = .maildir/
html_directory = /usr/share/doc/postfix-2.5.7/html
inet_interfaces = all
local_destination_concurrency_limit = 2
local_recipient_maps = $alias_maps $virtual_mailbox_maps unix:passwd.byname
local_transport = local
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydestination = <hostname> localhost
mydomain = <domainname>
myhostname = <hostname>
mynetworks = 0.0.0.0/0 127.0.0.0/8
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.7/readme
relocated_maps = mysql:/etc/postfix/mysql-relocated.cf
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_error_sleep_time = 2s
smtpd_hard_error_limit = 20
smtpd_recipient_restrictions = permit_sasl_authenticated,  permit_mynetworks,  reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_soft_error_limit = 10
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_key_file = /etc/postfix/newkey.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf
virtual_gid_maps = static:1005
virtual_mailbox_base = /
virtual_mailbox_domains = <virtual hostname 1> <virtual hostname 2> <virtual hostname 3> <virtual hostname 4>
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-maps.cf
virtual_minimum_uid = 1000
virtual_transport = virtual
virtual_uid_maps = static:1002
```

I added the following options a few minutes ago and have not tested them yet. I stopped my postfix yesterday to analyze and fix the situation.

```
smtpd_error_sleep_time = 2s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
```

Kashani, what do you mean saying "you've been joe-jobbed"?

----------

## kashani

*Darkshine wrote:*

> here is an output from "postconf -n". I've replaced some private data like hostname and domainname:
>
> mynetworks = 0.0.0.0/0 127.0.0.0/8

Is the above actually correct, or is that more attempts to obscure data? Only *trusted* IPs should be part of mynetworks. Any IP within mynetworks will be allowed to relay. If you really have 0/0 as allowed networks you are indeed an open relay. I suggest 127.0.0.0/8, your machine's IP address/32, and maybe your local network if you have one.

Is google broken or something?

http://en.wikipedia.org/wiki/Joe_job

kashani

----------

