Because it's bad form here to ask multiple questions in ONE entry, I'll be asking about specific
Dovecot entries, however this nightmare has been going on since about January 19 and it's now Feb 10! In the original situation, it took several days to be discovered by the spammers as crackable before we were inundated with their [expletive], and we just THOUGHT we had it fixed, brought it up again, and they cracked it again in about, oh, several hours - not sure exactly.
You can read up on the background here, but the short-short of that is this environ was established circa 1997 and has been using Postfix with Dovecot for nearly that long (it was in the 1990s), and this system was doing fine until what happened on Jan 19; when we brought the server up again afterward, it had become an open mail relay and we didn't know it. So, of course, we took the system down (disabled postfix) and posted that entry just cited.
If you read up on that entry, you can see a lot about the environment and some of where we've been, however, since that was last updated we THOUGHT we had it fixed, BUT, we knew it had taken some time to be found out as an open relay so we are SUPER concerned, and have "watched it like a hawk." ...And so it was I just saw a new mail get through and instantly shut it down again. (Comments on how to promptly do that in the other thread.)
So, while we CONTINUE to work on finding and fixing what's wrong, I'm asking:
How the heck is someone supposed to test these things?
I understand that some who are not "as long in the tooth" are SURE to be unaware and so likely wonder WHY even ask: this was never a problem until the last handful of years. For most of the last two decades, there were dozens of helpful, free websites that would perform then state-of-the-art open relay testing on any server whose IP address or domain name was provided in a box on one of their web pages. Most were good, some were fantastic. I haven't needed this in a LONG time and could find NONE still operational.
Of the two dozen or so sites I used to use, two still have a page up about it: one gives you ONE free test run per month (not really useful) and then charges, and the other says:
"Mail relay testing
A long time ago we provided a service to check for mail servers that
were misconfigured as open relays. But we don't anymore."
As bad, the best CLI tool of which I am aware, nmap, thinks this site is NOT an open relay, but, well, the spammers have proven otherwise! Further, when it takes only a few days, or perhaps hours or less, for them to find your system and harness it, and when you are in a production environment where users need it working, well, the stress is on. And we're not ALL super well funded sites. So this question is entirely valid.
Of course, we have to respect free web sites no longer being free, but DAMN is this hard now, and SURELY someone can share how the cracking is done so we can defend ourselves! THAT'S what this question is about!
OTOH, I'm also reasonably confident that we can, to use a sailor's metaphor, "find the hole and patch it."
OF COURSE, nobody knows when new vulnerabilities might be introduced, or old ones get discovered that were previously unknown. But still, the original question still stands (and there's more room here than in the subject/title):
How do I know with reasonably solid confidence it's not an open relay any longer, and, if not, how do I track it so I/we can fix it fast?
Notably, we hadn't been running tracking (logging) as closely as we might have been, especially with auth, but this time we are (we sure hope) capturing everything that'll help us catch it. And we're about to dig deep into the ONE crack we captured, as soon as this is posted... So, I'm sure there'll be more to say!
P.S. As I began writing I had new configuration details put in postfix and tried restarting it and TWO MORE got through just before I was done reviewing this and hitting "post!" -ack!- OBVIOUSLY "we're doing it wrong!" But that doesn't help much!
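Since the question is how to test an unauthenticated relay yourself now that the free web checkers are gone, here is an added example (not from the original poster) of the kind of check those services and nmap's relay script perform: connect to your own MX, try the classic sender variants against a recipient in a second domain you control, and stop at RCPT TO. Hostnames and domains below are constructed placeholders.

```python
import smtplib
from typing import Dict, Tuple

# Constructed placeholders (not from the original post): your own MX, your own
# local domain, and a second domain you control as the "foreign" destination,
# so a positive result never lands mail in a stranger's mailbox.
MAIL_HOST = "mail.example.test"
LOCAL_DOMAIN = "example.test"
FOREIGN_DOMAIN = "elsewhere.example.test"

def relay_verdict(code: int) -> str:
    """Interpret the reply to RCPT TO for a recipient the server does not host.
    2xx: it would relay (bad); 4xx: tempfail, inconclusive (greylisting etc.);
    5xx: relaying refused, the Postfix 'Relay access denied' case."""
    if 200 <= code < 300:
        return "RELAY ACCEPTED"
    if 400 <= code < 500:
        return "INCONCLUSIVE"
    return "RELAY REFUSED"

def sender_variants(local: str, foreign: str) -> Dict[str, str]:
    """Sender forms a relay checker tries; an unauthenticated client must be
    refused a foreign recipient for every one of them."""
    return {
        "foreign sender": f"relaytest@{foreign}",
        "null sender": "",                      # sent as MAIL FROM:<>
        "forged local sender": f"relaytest@{local}",
    }

def probe_relay(host: str, sender: str, rcpt: str, port: int = 25,
                timeout: float = 15.0) -> Tuple[str, str]:
    """One unauthenticated relay attempt up to RCPT TO, then RSET.
    DATA is never sent, so nothing is queued even on a misconfigured server."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, msg = smtp.mail(sender)
        if code != 250:
            return "SENDER REFUSED", msg.decode(errors="replace")
        code, msg = smtp.rcpt(rcpt)
        smtp.rset()
        return relay_verdict(code), msg.decode(errors="replace")

def run_relay_tests(host: str, local: str, foreign: str) -> Dict[str, str]:
    rcpt = f"relaytest@{foreign}"
    return {name: probe_relay(host, sender, rcpt)[0]
            for name, sender in sender_variants(local, foreign).items()}

def is_open_relay(results: Dict[str, str]) -> bool:
    return any(v == "RELAY ACCEPTED" for v in results.values())

if __name__ == "__main__":
    results = run_relay_tests(MAIL_HOST, LOCAL_DOMAIN, FOREIGN_DOMAIN)
    for name, verdict in results.items():
        print(f"{name:22s} {verdict}")
    print("OPEN RELAY" if is_open_relay(results) else "no relay observed")
```

A clean run only rules out unauthenticated relaying from the IP you test from; if the abuse goes through stolen SASL credentials, the server is not "open" in this sense, and the accepted messages will show a sasl_username in the smtpd log lines instead.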