Score:0

How to prevent unauthorized mails sent from my mail server?

bo flag

I have Postfix server that serves several domain names with SPF, DMARC, DKIM correctly set and tested many times. So no spoofing is taking place. However, despite all my efforts to tweak the Postfix configuration, outgoing spam messages like below regularly slip through the server:

Aug  5 08:37:38 mail postfix/error[9631]: BC96418C10: to=<[email protected]>, relay=none, delay=161913, delays=161238/676/0/0.04, dsn=4.4.2, status=deferred (delivery temporarily suspended: conversation with mx1.comcast.net[96.114.157.80] timed out while receiving the initial server greeting)
Aug  5 10:07:45 mail postfix/error[31924]: BC96418C10: to=<[email protected]>, relay=none, delay=167320, delays=166039/1281/0/0.04, dsn=4.4.3, status=deferred (delivery temporarily suspended: Host or domain name not found. Name service error for name=comcast.net type=MX: Host not found, try again)
Aug  5 11:23:43 mail postfix/error[18751]: BC96418C10: to=<[email protected]>, relay=none, delay=171878, delays=171438/440/0/0.12, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx2.comcast.net[2001:558:fe21:2a::6]:25: Network is unreachable)
Aug  5 12:54:11 mail postfix/error[8920]: BC96418C10: to=<[email protected]>, relay=none, delay=177306, delays=175938/1367/0/0.06, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx1.comcast.net[2001:558:fe16:1b::15]:25: Network is unreachable)
Aug  5 14:07:22 mail postfix/error[27186]: BC96418C10: to=<[email protected]>, relay=none, delay=181697, delays=181338/359/0/0.03, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx2.comcast.net[2001:558:fe21:2a::6]:25: Network is unreachable)

Here are some Postfix settings that could be relevant:

virtual_alias_maps = hash:/etc/postfix/virtual
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = encrypt
smtp_tls_security_level = may
mailbox_size_limit = 0
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /ssl/ssl.key
smtpd_tls_CAfile = /ssl/ssl.ca
smtpd_tls_cert_file = /ssl/ssl.crt
smtp_use_tls = yes
smtpd_soft_error_limit = 5
smtpd_hard_error_limit = 10
milter_default_action = accept
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
smtpd_helo_required = yes
smtpd_sasl_auth_enable = yes

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

smtpd_recipient_restrictions = permit_sasl_authenticated reject_unauth_destination check_policy_service unix:/var/spool/postfix/postgrey/socket permit_inet_interfaces

smtpd_sender_restrictions = reject_unknown_sender_domain,
    check_sender_access hash:/etc/postfix/access

All the legitimate e-mail accounts are listed in /etc/postfix/virtual and ideally only they should be able to send and nobody else. Also I've added all the IP addresses where those domains are actually hosted and therefore should be able to send mail through this mail server with mynetworks = setting.

So if I put:

smtpd_relay_restrictions = permit_mynetworks, reject

then spam is effectively prevented. However, in that case legitimate users are not able to connect to their mail accounts from email client programs like mobile phones. So I have to loosen up the above rule a bit as:

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

Could anyone give me the right direction how to allow legitimate users to be able to use this mail server, at the same time preventing all other parties from sending anything from this mail server?

EDIT #1:

Thanks to anx' pointer I took further steps and here is the metadata extracted with the postcat -vq 3825218E12 command. The ID of the message is different, but the problem is same:

postcat: name_mask: all
postcat: inet_addr_local: configured 2 IPv4 addresses
postcat: inet_addr_local: configured 2 IPv6 addresses
*** ENVELOPE RECORDS deferred/3/3825218E12 ***
message_size:            8340             682               1               0            8340
message_arrival_time: Thu Aug 12 18:31:08 2021
create_time: Thu Aug 12 18:31:08 2021
named_attribute: log_ident=3825218E12
named_attribute: rewrite_context=remote
named_attribute: sasl_method=LOGIN
named_attribute: sasl_username=root
sender: [email protected]
named_attribute: log_client_name=unknown
named_attribute: log_client_address=93.122.252.5
named_attribute: log_client_port=8529
named_attribute: log_message_origin=unknown[93.122.252.5]
named_attribute: log_helo_name=213.233.88.90
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=unknown
named_attribute: reverse_client_name=unknown
named_attribute: client_address=93.122.252.5
named_attribute: client_port=8529
named_attribute: helo_name=213.233.88.90
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
recipient: [email protected]
pointer_record:               0
*** MESSAGE CONTENTS deferred/3/3825218E12 ***
regular_text: Received: from 213.233.88.90 (unknown [93.122.252.5])
regular_text:   by mail.mydomain.tld (Postfix) with ESMTPSA id 3825218E12
regular_text:   for <[email protected]>; Thu, 12 Aug 2021 18:31:08 +0000 (UTC)
pointer_record:            9682
regular_text: DKIM-Filter: OpenDKIM Filter v2.11.0 mail.mydomain.tld 3825218E12
pointer_record:            9043
regular_text: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thebriefguy.com;
regular_text:   s=default; t=1628793068;
regular_text:   bh=2YMB5PSTO3RHAXFabkN43xdUCrxjEQOw0Xw/uLJ1zX8=;
regular_text:   h=From:To:Subject:Date:From;
regular_text:   b=edi8WNplYs2gx/aYmKl9vbY1OE3jfVZ284faDviyICbDTm51y5CgBXg3QzcSHuaL6
regular_text:    PsxGqHaqqXnF32EsA0UnqQ2q71Z8DVeEnQVp1njnqA3ECE3hiWj8UUeobRClZw7eEP
regular_text:    z2PK95dI6kfHlCcBnEgJph2pr5ilxDv4Brl9s02s7Q/2ikwHHGWh+8Gwr24CQfnBJK
regular_text:    lXrkBZVgmi65/6b6kVxmto+3oqV9avsd/9ja+CcMRs7+CsKjeHz7GA/9P3yB24/fNT
regular_text:    sAjWFvQA14zkcEjFpPmZFm/6ZjLkf0pi53vx+JamwdB5C4KzhDSKkgX6rXNYYwMu+o
regular_text:    jcADLvrnBCDtQ==
regular_text: Message-ID: <[email protected]>
pointer_record:             936
regular_text: From: Xfinity <[email protected]>
regular_text: To: [email protected]
regular_text: Subject: Important Update
regular_text: Date: Thu, 12 Aug 2021 11:31:06 -0700
regular_text: Organization: Xfinity
regular_text: MIME-Version: 1.0
regular_text: Content-Type: text/html; charset="utf-8"
regular_text: Content-Transfer-Encoding: quoted-printable
pointer_record:               0
regular_text:

I'm worried about these particular lines:

named_attribute: sasl_method=LOGIN
named_attribute: sasl_username=root

I've changed the root's password with:

saslpasswd2 root

however, I'm not sure how to interpret the above code and how exactly they were able to login as root. The mail server was freshly configured and I never touched sasl user root before, so I wonder does it come with some kind of default password and does it need always to be changed? Also I wonder is taken step sufficient to resolve the issue or there are some more additional steps recommended?

EDIT #2:

Here is the output of postconf -n command:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
default_destination_concurrency_limit = 1
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = all
initial_destination_concurrency = 1
mail_owner = postfix
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
milter_default_action = accept
mydestination = mail.mydomain.tld, mail, localhost
mydomain = mydomain.tld
myhostname = mail.mydomain.tld
mynetworks = REDACTED IP ADDRESS BLOCKS
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = inet:localhost:8891
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sender_bcc_maps = hash:/etc/postfix/bcc
sender_dependent_default_transport_maps = hash:/etc/postfix/dependent
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_hard_error_limit = 10
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname check_helo_access hash:/etc/postfix/helo_access
smtpd_milters = inet:localhost:8891
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_non_fqdn_hostname reject_non_fqdn_sender reject_non_fqdn_recipient reject_unauth_destination reject_unauth_pipelining reject_invalid_hostname reject_unknown_reverse_client_hostname reject_rbl_client bl.spamcop.net reject_rhsbl_helo dbl.spamhaus.org reject_rhsbl_reverse_client dbl.spamhaus.org reject_rhsbl_sender dbl.spamhaus.org reject_rbl_client zen.spamhaus.org permit_dnswl_client swl.spamhaus.org
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_rbl_client sbl.spamhaus.org permit
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated reject_unknown_sender_domain, check_sender_access hash:/etc/postfix/access reject_unknown_reverse_client_hostname reject_unknown_client_hostname
smtpd_soft_error_limit = 5
smtpd_tls_CAfile = /ssl/ssl.ca
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /ssl/ssl.crt
smtpd_tls_key_file = /ssl/ssl.key
smtpd_tls_security_level = encrypt
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual

And here is the output of postconf -M:

smtp       inet  n       -       n       -       -       smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_tls_security_level=may
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
submission inet  n       -       n       -       -       smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_tls_security_level=may
smtps      inet  n       -       n       -       -       smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_tls_security_level=may -o smtpd_tls_wrappermode=yes
in flag
The log entries you posted show no signs of unauthorized mails being sent. That's just a general network error.
in flag
Your "loosened up rule" is missing the commas.
bo flag
Thanks for the update. I'm afraid they are sent from the server, because `mailq` command gets huge and I have to run `postsuper -d ALL`. And nobody on the hosted domains have anything with `[email protected]`.
bo flag
You can out comma, but also may not. It works either way.
Michael Hampton avatar
cz flag
Please post _all_ of the log entries corresponding to such a message, not just the single line.
Score:1
fr flag
anx

The reason your server is trying to relay this message does not seem obvious from anything you posted yet, but your next step should be:

Find where this message came from. That hexadecimal code (BC96418C10) known as the queue id is the keyword to look for in your logs to see who submitted this message to your server. You should also use the postcat to show the message and its associated metadata.

Both of that should help clarify when and how this message reached your server, and whether you have an abusive user, compromised user credentials, a hole in your restriction sets - or a server compromised altogether.


Now regarding your update: root is a bit odd username for authenticating to a mail system. But if nobody messed with that, those are the SASL credentials used to submit this message to your server.

named_attribute: sasl_method=LOGIN
named_attribute: sasl_username=root

With a look at your postfix config (try postconf -n and postconf -M) it would probably be more clear which program accepted that login (cyrus? dovecot?) and where to look to disable that user. You probably want to gather information on your sasl user database and post a new question regarding and problems with figuring out that part.

If the root user of the system does indeed have a password and it was used to send mail.. it may have been also used to log into the server. On many systems neither would the user root have a password setup, nor should passwords be a valid mechanism to obtain a remote shell, so there is a chance this compromise is limited to mails.

bo flag
Very much appreciated as I seem to be on right path to troubleshoot this further. I'm gonna accept this as the right answer. Meanwhile, would be really nice if you could read the edited part of the updated post above. Thanks a lot again!
bo flag
Thank you for the updated answer. I'm afraid creating another question would loose the whole context of the problem. So I've made another update with the outputs of `postconf -n` and `postconf -M` commands. Could you please help me to identify which program accepted that login? I don't think we have `cyrus`, but we do `dovecot`. What would be your next step to resolve this issue? BTW system's root user is set to nologin and it does not have password, so the `root` user in the log is different one, probably of mail system, but I'm not sure.
bo flag
Ok, per your suggestion I've created another question on https://serverfault.com/questions/1075116/how-to-prevent-sasl-username-root-from-loggin-in Could you please take a look?
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.