Server still sending spam despite closing relay with postfix


I have an Ubuntu 20.04.5 LTS server with multiple WordPress websites running on Nginx. I installed Postfix and configured it to stop relaying emails. I have the antivirus (freshclam) running.

Someone or something is sending emails from my server using my Gmail account. How do I even start investigating?

This is my /etc/postfix/main.cf

compatibility_level = 2

myhostname = Ubuntu-T.members.linode.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination =  $myhostname, localhost.localdomain, localhost
relayhost = [smtp.gmail.com]:587
mynetworks = !147.78.103.107, 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols =  ipv4

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtp_tls_CApath=/etc/ssl/certs
smtpd_client_restrictions = permit_mynetworks, reject
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_recipient_restrictions = reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_non_fqdn_recipient,>

# Enable SASL authentication
smtp_sasl_auth_enable = yes
# Disallow methods that allow anonymous authentication
smtp_sasl_security_options = noanonymous
# Location of sasl_passwd
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
# Enable STARTTLS encryption
smtp_tls_security_level = encrypt
# Location of CA certificates
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# DKIM
# -----------------------
milter_protocol = 6
milter_default_action = accept
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

This is a sample of my mail.log showing the spam being sent:

May 30 06:16:47 Ubuntu-T postfix/pickup[35351]: 87478220358: uid=33 from=<www-data>
May 30 06:16:47 Ubuntu-T postfix/cleanup[37404]: warning: connect to Milter service inet:localhost:8891: Connection refused
May 30 06:16:47 Ubuntu-Teeglobal postfix/cleanup[37404]: 87478220358: message-id=<[email protected]>
May 30 06:16:47 Ubuntu-Teeglobal postfix/qmgr[982]: 87478220358: from=<[email protected]>, size=1272, nrcpt=1 (queue active)
May 30 06:16:49 Ubuntu-Teeglobal postfix/smtp[37406]: 87478220358: to=<[email protected]>, relay=smtp.gmail.com[142.251.161.108]:587, delay=1.6, delays=0.03/0.02/0.47/1.1, dsn=2.0.0, status=sent (250 2.0.0 OK  1685441809 s13-20020a056638218d00b0041ab38c1a4esm629321jaj.60 - gsmtp)
The `from=www-data` indicates that you have malware running in the webserver scope.
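The `uid=33 from=<www-data>` pickup line is the pivot for triage: every message the web server user handed to Postfix can be tied, by queue ID, to its qmgr and smtp lines. The following is an added example (not code from the question or from the Postfix project) that does that correlation over a constructed log modelled on the excerpt above; the hostname, queue IDs and addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the mail.log excerpt in the question
# (queue IDs, addresses and relay IP are made up).
SAMPLE_LOG = """\
May 30 06:16:47 host postfix/pickup[35351]: 87478220358: uid=33 from=<www-data>
May 30 06:16:47 host postfix/qmgr[982]: 87478220358: from=<www-data@example.invalid>, size=1272, nrcpt=1 (queue active)
May 30 06:16:49 host postfix/smtp[37406]: 87478220358: to=<victim@example.invalid>, relay=smtp.gmail.com[192.0.2.10]:587, delay=1.6, dsn=2.0.0, status=sent (250 2.0.0 OK)
May 30 06:20:01 host postfix/pickup[35351]: 1A2B3C4D5E6: uid=0 from=<root>
May 30 06:20:01 host postfix/qmgr[982]: 1A2B3C4D5E6: from=<root@example.invalid>, size=640, nrcpt=1 (queue active)
May 30 06:20:02 host postfix/smtp[37406]: 1A2B3C4D5E6: to=<admin@example.invalid>, relay=smtp.gmail.com[192.0.2.10]:587, delay=0.9, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# pickup = local submission via the sendmail binary (this is where the uid shows up)
PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<user>[^>]*)>")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)")
SMTP_RE = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>.*status=(?P<status>\w+)")

WEB_UIDS = {33}  # www-data on Debian/Ubuntu, as in the question's own log line

def correlate(log_text):
    """Group pickup/qmgr/smtp lines by queue ID into one record per message."""
    msgs = defaultdict(lambda: {"uid": None, "user": None, "sender": None,
                                "nrcpt": 0, "rcpts": [], "statuses": []})
    for line in log_text.splitlines():
        if m := PICKUP_RE.search(line):
            msgs[m["qid"]].update(uid=int(m["uid"]), user=m["user"])
        elif m := QMGR_RE.search(line):
            msgs[m["qid"]].update(sender=m["sender"], nrcpt=int(m["nrcpt"]))
        elif m := SMTP_RE.search(line):
            msgs[m["qid"]]["rcpts"].append(m["rcpt"])
            msgs[m["qid"]]["statuses"].append(m["status"])
    return dict(msgs)

def web_submitted(log_text):
    """Queue IDs of messages that the web server user handed to Postfix."""
    return sorted(q for q, rec in correlate(log_text).items() if rec["uid"] in WEB_UIDS)

def rcpts_by_uid(log_text):
    """Delivered recipients per submitting uid; a burst under uid 33 is the web-app compromise signal."""
    counts = defaultdict(int)
    for rec in correlate(log_text).values():
        counts[rec["uid"]] += len(rec["rcpts"])
    return dict(counts)
```

On the real server, feed it the contents of /var/log/mail.log and use the queue IDs to pull the matching cleanup lines (message-id) and timestamps for the next step of the investigation.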
Note that you are probably not long from having your ISP account suspended.
@Gerald Schneider How can I find the malware? I can't believe that people need to rebuild their server from scratch. It's a lot of work.
I ran a maldet scan and found multiple pieces of malware, which I removed. I also further restricted access to my server and put all software up to date. It has been 2 days and everything is calm. No more spam. Fingers crossed. However, I backed up my server just in case and scanned everything again.