
Postfix Maildrop Directory Generating Unsolicited Email


I have recently set up a Postfix Mail Server on Ubuntu 20.04. This server is used mainly to relay messages from authenticated users to the outside world. This is so applications such as payroll or our various web applications can send emails to users.

Since outgoing mail is sometimes marked as spam (resulting in non-delivery to the end-user) we have also set up postfix to save a copy of all messages to an archive mailbox in Dovecot which can be accessed by IMAP.

I have not started using it yet, but in testing it appears to be working.

I also receive daily server stats so I can monitor if it has been compromised, or is otherwise working correctly.

Today this showed my server sent an email that appears to be spam, and I do not understand where it came from.

My mail logs show it was received by the postfix/pickup process, which I believe means it was generated locally using the maildrop directory. However, I have no idea what could cause this.

Mail.log is below with my actual domain replaced with 'my-domain.co.uk'.

Oct 20 20:51:33 smtp postfix/pickup[122235]: 6932F1802EE: uid=0 from=<[email protected]>
Oct 20 20:51:33 smtp postfix/cleanup[122417]: 6932F1802EE: message-id=<[email protected]>
Oct 20 20:51:33 smtp postfix/qmgr[96237]: 6932F1802EE: from=<[email protected]>, size=362, nrcpt=2 (queue active)
Oct 20 20:51:33 smtp dovecot: lmtp(122427): Connect from local
Oct 20 20:51:33 smtp dovecot: lmtp(archive)<122427><6rUBHUVzcGE73gEAMbpG8w>: msgid=<[email protected]>: saved mail to INBOX
Oct 20 20:51:33 smtp dovecot: lmtp(122427): Disconnect from local: Client has quit the connection (state=READY)
Oct 20 20:51:33 smtp postfix/lmtp[122424]: 6932F1802EE: to=<[email protected]>, relay=smtp.my-domain.co.uk[private/dovecot-lmtp], delay=0.08, delays=0.02/0.02/0.03/0.01, dsn=2.0.0, status=sent (250 2.0.0 <[email protected]> 6rUBHUVzcGE73gEAMbpG8w Saved)
Oct 20 20:51:34 smtp postfix/smtp[122422]: 6932F1802EE: to=<[email protected]>, relay=smtp-in.libero.it[213.209.1.129]:25, delay=1.4, delays=0.02/0.02/0.52/0.89, dsn=2.0.0, status=sent (250 dHcbmPvGwsN2WdHcbmMIwS mail accepted for delivery)
Oct 20 20:51:34 smtp postfix/qmgr[96237]: 6932F1802EE: removed

Has my server been compromised somehow? If so how do I find the culprit?

Also, it looks like the maildrop directory is used by the daily cron job which sends me the Mail Stats, so I don't think I can simply disable the pickup process.

The last thing I have checked is the auth.log. I am fairly confident that the only successful logins in the last few days are all me, although there are a lot of failed attempts.

UPDATE: postconf -Mf output:

smtp       inet  n       -       y       -       -       smtpd
submission inet  n       -       y       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_auth_only=yes
pickup     unix  n       -       y       60      1       pickup
cleanup    unix  n       -       y       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       y       1000?   1       tlsmgr
rewrite    unix  -       -       y       -       -       trivial-rewrite
bounce     unix  -       -       y       -       0       bounce
defer      unix  -       -       y       -       0       bounce
trace      unix  -       -       y       -       0       bounce
verify     unix  -       -       y       -       1       verify
flush      unix  n       -       y       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       y       -       -       smtp
relay      unix  -       -       y       -       -       smtp
    -o syslog_name=postfix/$service_name
showq      unix  n       -       y       -       -       showq
error      unix  -       -       y       -       -       error
retry      unix  -       -       y       -       -       error
discard    unix  -       -       y       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       y       -       -       lmtp
anvil      unix  -       -       y       -       1       anvil
scache     unix  -       -       y       -       1       scache
postlog    unix-dgram n  -       n       -       1       postlogd
maildrop   unix  -       n       n       -       -       pipe flags=DRhu
    user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp       unix  -       n       n       -       -       pipe flags=Fqhu
    user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail     unix  -       n       n       -       -       pipe flags=F user=ftn
    argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp      unix  -       n       n       -       -       pipe flags=Fq.
    user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n       n       -       2       pipe flags=R
    user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop}
    ${user} ${extension}
mailman    unix  -       n       n       -       -       pipe flags=FR
    user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop}
    ${user}

And postconf -n output (again with my actual domain changed to my-domain.co.uk):

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
always_bcc = [email protected]
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
compatibility_level = 2
inet_interfaces = all
inet_protocols = all
local_recipient_maps = hash:/etc/postfix/local_recipient_maps
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 50000000
mailbox_transport = lmtp:unix:private/dovecot-lmtp
mydestination = smtp.my-domain.co.uk, localhost
myhostname = smtp.my-domain.co.uk
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/letsencrypt/live/smtp.my-domain.co.uk/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/smtp.my-domain.co.uk/privkey.pem
smtpd_tls_security_level = may
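To triage a report like this, the mail log can be correlated by queue ID to show how each message entered the queue: postfix/pickup entries carry the uid of the local process that handed the message to sendmail/postdrop via the maildrop directory, whereas postfix/smtpd entries carry the connecting client and SASL user. The script below is an added example, not part of the question or of Postfix itself; the log lines it parses are constructed from the question's anonymised entries with placeholder addresses, and the authenticated "payroll" submission is assumed for contrast.

```python
import re
from collections import defaultdict

# Constructed sample (not the original log): the question's pickup-path lines with
# placeholder addresses, plus an assumed authenticated submission for contrast.
SAMPLE_LOG = """\
Oct 20 20:51:33 smtp postfix/pickup[122235]: 6932F1802EE: uid=0 from=<someone@my-domain.co.uk>
Oct 20 20:51:33 smtp postfix/qmgr[96237]: 6932F1802EE: from=<someone@my-domain.co.uk>, size=362, nrcpt=2 (queue active)
Oct 20 20:51:33 smtp postfix/lmtp[122424]: 6932F1802EE: to=<archive@my-domain.co.uk>, relay=smtp.my-domain.co.uk[private/dovecot-lmtp], delay=0.08, delays=0.02/0.02/0.03/0.01, dsn=2.0.0, status=sent (250 2.0.0 Saved)
Oct 20 20:51:34 smtp postfix/smtp[122422]: 6932F1802EE: to=<recipient@libero.it>, relay=smtp-in.libero.it[213.209.1.129]:25, delay=1.4, delays=0.02/0.02/0.52/0.89, dsn=2.0.0, status=sent (250 mail accepted for delivery)
Oct 20 21:02:10 smtp postfix/submission/smtpd[122500]: 7A11B1802F0: client=app1.my-domain.co.uk[10.0.0.5], sasl_method=PLAIN, sasl_username=payroll
Oct 20 21:02:11 smtp postfix/smtp[122422]: 7A11B1802F0: to=<staff@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=0.9, delays=0.01/0.01/0.4/0.5, dsn=2.0.0, status=sent (250 ok)
"""

LINE_RE = re.compile(r'postfix/(?P<proc>\S+?)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)')
PICKUP_RE = re.compile(r'uid=(?P<uid>\d+) from=<(?P<from>[^>]*)>')
CLIENT_RE = re.compile(r'client=(?P<client>[^,\s]+)(?:.*sasl_username=(?P<user>\S+))?')
RCPT_RE = re.compile(r'to=<(?P<to>[^>]*)>, relay=(?P<relay>[^,]+),.*status=(?P<status>\w+)')

def parse_log(text):
    """Group Postfix lines by queue ID and record how each message entered the queue."""
    msgs = defaultdict(lambda: {'origin': None, 'uid': None, 'client': None,
                                'sasl_user': None, 'sender': None, 'recipients': []})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # dovecot and other lines without a queue ID are skipped
        proc, rest, rec = m.group('proc'), m.group('rest'), msgs[m.group('qid')]
        if proc == 'pickup':  # submitted locally via sendmail/postdrop into maildrop
            p = PICKUP_RE.search(rest)
            rec.update(origin='pickup', uid=int(p.group('uid')), sender=p.group('from'))
        elif proc.endswith('smtpd') and (c := CLIENT_RE.search(rest)):  # network submission
            rec.update(origin='smtpd', client=c.group('client'), sasl_user=c.group('user'))
        elif r := RCPT_RE.search(rest):  # per-recipient delivery attempt (smtp, lmtp, ...)
            rec['recipients'].append((r.group('to'), r.group('relay'), r.group('status')))
    return dict(msgs)

def flag_local_injections(msgs, local_domains):
    """Queue IDs that entered via pickup and reached a recipient outside local_domains."""
    flagged = []
    for qid, rec in msgs.items():
        ext = [to for to, _, _ in rec['recipients']
               if to.rsplit('@', 1)[-1].lower() not in local_domains]
        if rec['origin'] == 'pickup' and ext:
            flagged.append((qid, rec['uid'], rec['sender'], ext))
    return flagged

if __name__ == '__main__':
    for hit in flag_local_injections(parse_log(SAMPLE_LOG), {'my-domain.co.uk', 'smtp.my-domain.co.uk', 'localhost'}):
        print('%s: local submission by uid %d as <%s> to %s' % hit)
```

Once qmgr has logged "removed" the queue file is gone, so the archive copy kept by always_bcc is where the remaining evidence lives: for locally injected mail its Received: header records the submitting userid, which narrows the search to processes running as that user.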
Comment from Nikita Kipriyanov:
A backscatter? Read http://www.postfix.org/BACKSCATTER_README.html . Or show us your postfix config (at least, `postconf -Mf` verbatim, read http://www.postfix.org/DEBUG_README.html#mail )
Comment from J. Easton:
Looking at the backscatter readme, I don't think this applies. There are no 'Recipient address rejected' messages in the mail log, or 'User unknown'. There is a copy of the email in the archive, but it has no content and has a subject of 'rerwd', which doesn't look like an undeliverable report. I've added the postfix config to my original question above.