Re: Attack on my mailsystem

[Jithesh AP]

On Wed, 17 Jun 2015 06:05:17 -0700, Viktor Dukhovni  
<postfix-us...@dukhovni.org> wrote:

On Tue, Jun 16, 2015 at 09:37:24PM -0700, Jithesh AP wrote:
>> mynetworks was fully commented, now i have added as you indicated,  
but
>> fully commenting it will also have a similar effect right?
>
> No, that makes "mynetworks_style" take effect instead, which
> may configure mynetworks to be the local subnet.

That makes sense. I also double checked if the ip shown was my ip or  
not,
and i made a mistake in my initial mail saying it is my private ip. I  
take
it back, it is not my private IP but very close to mine, so as you said  
it
appreas to be in the subnet

So is the entire subnet in question on your internal network?  Is
that the internal IP address of your router?  Perhaps your router
is using source and destination NAT (network address translation)
when forwarding external traffic to "port 25", rather than just
destination NAT and thus the external source IP addresses of all
mail appears to be that of the router?

If so, allowing all hosts on the subnet is a disaster, as you're
an open relay to all senders.

Received: from 54.183.212.207  
(ip-172-31-5-33.us-west-1.compute.internal [172.31.5.33])
        by ml.w8timez.com (Postfix) with SMTP id 24B0841557;
        Tue, 16 Jun 2015 21:22:33 -0700 (PDT)
Message-ID: <hvqgivvdndkqtrnegxgkm...@163.com>

Sure looks like your router used source NAT to mask the real origin
IP address, which was perhaps "54.183.212.207".


My server is on amazon AWS, and my private ip starts is the same except  
for last one (172.31.5.xxx). I dont know what the router does as that is  
controlled by amazon, i do have an external ip, which is 54.183.xxx.yyy.  
So mostly the guy who is running it is on amazon and with private ip of  
172.31.5.33 with external ip of 54.183.212.207


You need to do the following:

    Postfix:

        main.cf:
            mynetworks = 127.0.0.0/8, [::1]/128
            proxy_interfaces = <external IP address of router>

    Router:

        Turn off source NAT for inbound traffic when doing port forwarding!
        Leave the external IP addresses as-is!

what does proxy_interfaces do? (so i will be providing my external ip  
there).



Is this NAT being done for you by some ISP?  The PTR record for
that router IP address is a bit unusual for something a user would
configure:

    ip-172-31-5-33.us-west-1.compute.internal



--
Using Opera's mail client: http://www.opera.com/mail/