Hello Angelo and others,

On 21-10-16 at 22:24, Fazzina, Angelo wrote:
> So what is SASL using in Postfix ?
> Is Postfix calling SASL, which calls PAM, which calls LDAP, to check the 
> Password?

Postfix is calling saslauthd, which calls PAM, which calls unix passwords.

> You must follow the trail of how they got the password if you say you changed 
> it and it does not help.

I don't think they have a correct username/password combination, because
the username is wrong.

Maybe it's possible to log the username/password Postfix gets?

Maybe they are using some kind of trick to let Postfix think the mail
comes from localhost.

With regards,
Paul van der Vlis.


> -ALF
> 
> -Angelo Fazzina
> Operating Systems Programmer / Analyst 
> University of Connecticut,  UITS, SSG-Linux/ M&C
> 860-486-9075
> 
> -----Original Message-----
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Paul van der Vlis
> Sent: Friday, October 21, 2016 4:16 PM
> To: postfix-users@postfix.org
> Subject: Open relay
> 
> Hello,
> 
> I have a big problem, someone is using my mailserver for sending spam. I
> see it in the logs. I can block the IP but then they use other IPs.
> 
> As far as I know my server is up to date and correctly configured. And when I
> do some open relay tests, everything is OK, like these ones:
> http://www.mailradar.com/openrelay/
> http://mxtoolbox.com/diagnostic.aspx
> 
> The name of my mailserver is mail.vandervlis.nl, as far as I see the
> spammers are using port 587. Please feel free to do tests.
> 
> What I see in the logs and in the headers of the spam is that they are
> using authentication. But the username is not correct. On my server I
> use usernames like "john", and this username looks like an e-mail
> address, so with an "@" in it. The part before the @ is a correct
> username on my server, but when I change the password it does not help.
> All spam is recognizable by this authenticated username.
> 
> In the headers I see this as the first "received" (I've changed the
> authenticated sender for privacy):
> ----
> Received: from [127.0.0.1] (87-92-55-206.bb.dnainternet.fi [87.92.55.206])
>         (Authenticated sender: p...@puk.nl)
>         by mail.vandervlis.nl (Postfix) with ESMTPSA id 774B23E0285;
>         Fri, 21 Oct 2016 18:57:14 +0200 (CEST)
> ----
> As if my server had sent it to my server...
> 
> Does somebody have a clue here?
> 
> With regards,
> Paul van der Vlis.
> 
> 
> Some settings and logs:
> 
> smtpd_relay_restrictions =
>   permit_mynetworks,
>   permit_sasl_authenticated,
>   check_sender_access hash:/etc/postfix/whitelist,
>   reject_invalid_hostname,
>   reject_non_fqdn_sender,
>   reject_non_fqdn_recipient,
>   reject_unknown_sender_domain,
>   reject_unknown_recipient_domain,
>   reject_unauth_pipelining,
>   reject_unauth_destination,
>   check_policy_service unix:private/shadelist,
>   reject_rbl_client bl.spamcop.net,
>   reject_rbl_client zen.spamhaus.org,
>   reject_rbl_client ix.dnsbl.manitu.net,
>   permit
> 
> smtpd_tls_cert_file = /etc/postfix/tls/*.vandervlis.nl.pem
> smtpd_use_tls = yes
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_exceptions_networks = $mynetworks
> smtpd_tls_loglevel = 1
> smtpd_tls_auth_only = yes
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_tls_security_options = noanonymous
> broken_sasl_auth_clients = yes
> smtpd_sasl_authenticated_header = yes
> 
> Oct 21 16:54:31 sigmund postfix/smtpd[2158]: D34743E027B:
> client=unknown[94.26.41.188], sasl_method=PLAIN, sasl_username=p...@puk.nl
> 
> 



-- 
Paul van der Vlis Linux systeembeheer Groningen
https://www.vandervlis.nl/

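The two artifacts quoted in the thread (the smtpd log line with sasl_username, and the first Received: header of the spam) are enough to triage this kind of abuse from the logs. The following is an added example, not code from the original thread or from the Postfix project. It assumes the site convention Paul describes (local account names look like "john" and never contain "@"), and all log lines, queue IDs, hostnames and the domain puk.example are constructed for the example; only the two client addresses and the reverse name come from the quoted log and header. One caveat worth stating for the "trick to look like localhost" idea: the bracketed [127.0.0.1] after "from" in the Received: header is simply what the client sent as its EHLO argument, while Postfix's permit_mynetworks decides on the TCP peer address shown in parentheses, so the example keys on that peer address and treats a localhost-looking EHLO literal from a public peer only as a triage signal.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Postfix smtpd "client=" log line, with the optional SASL fields that appear
# when the client authenticated (same shape as the line quoted in the post).
SMTPD_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/smtpd\[\d+\]: '
    r'(?P<qid>[0-9A-F]+): client=(?P<rdns>[^\[]+)\[(?P<ip>[^\]]+)\]'
    r'(?:, sasl_method=(?P<method>[^,\s]+), sasl_username=(?P<user>\S+))?'
)

# First Received: header Postfix writes for an ESMTPSA submission. The token
# after "from" is the client's EHLO argument; the bracketed address after the
# parenthesised reverse name is the real TCP peer.
RECEIVED_RE = re.compile(
    r'^Received: from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>[^\]]+)\]\)'
    r'(?:\s+\(Authenticated sender: (?P<user>[^)]+)\))?'
)

# Constructed sample log lines modelled on the one in the post (queue IDs,
# hostnames and the puk.example domain are invented for this example).
SAMPLE_LOG = [
    'Oct 21 16:54:31 sigmund postfix/smtpd[2158]: D34743E027B: client=unknown[94.26.41.188], sasl_method=PLAIN, sasl_username=john@puk.example',
    'Oct 21 16:55:02 sigmund postfix/smtpd[2160]: 1A2B3C4D5E6: client=unknown[87.92.55.206], sasl_method=PLAIN, sasl_username=john@puk.example',
    'Oct 21 16:56:10 sigmund postfix/smtpd[2162]: 2B3C4D5E6F7: client=laptop.example.net[203.0.113.7], sasl_method=LOGIN, sasl_username=john',
    'Oct 21 16:57:44 sigmund postfix/smtpd[2164]: 3C4D5E6F7A8: client=mx.example.org[198.51.100.9]',
]

# Constructed Received: header in the shape of the one quoted in the post.
SAMPLE_RECEIVED = (
    'Received: from [127.0.0.1] (87-92-55-206.bb.dnainternet.fi [87.92.55.206])\n'
    '        (Authenticated sender: john@puk.example)\n'
    '        by mail.example.net (Postfix) with ESMTPSA id 1A2B3C4D5E6;\n'
    '        Fri, 21 Oct 2016 18:57:14 +0200 (CEST)'
)


def is_local_style_username(user):
    """Site convention from the post: local accounts look like 'john', never 'john@domain'."""
    return '@' not in user


def helo_spoofs_local(helo, peer_ip):
    """True when the EHLO argument is an address literal for a loopback or private
    address but the TCP peer is neither, i.e. the client pretends to be localhost.
    A non-literal EHLO name or an unparsable peer yields False."""
    try:
        claimed = ip_address(helo.strip('[]'))
        peer = ip_address(peer_ip)
    except ValueError:
        return False
    return (claimed.is_loopback or claimed.is_private) and not (peer.is_loopback or peer.is_private)


def parse_smtpd_line(line):
    """Return the fields of one smtpd 'client=' line, or None for any other line."""
    m = SMTPD_RE.match(line)
    return m.groupdict() if m else None


def audit_log(lines):
    """Flag SASL logins whose username breaks the local convention, and collect the
    source IPs seen per authenticated username (one credential used from many
    networks is the pattern the post describes). Returns (findings, ips_by_user)."""
    findings = []
    ips_by_user = defaultdict(set)
    for line in lines:
        rec = parse_smtpd_line(line)
        if not rec or not rec['user']:
            continue  # unauthenticated session or unrelated line
        ips_by_user[rec['user']].add(rec['ip'])
        if not is_local_style_username(rec['user']):
            findings.append((rec['qid'], rec['ip'], rec['user']))
    return findings, {u: sorted(ips) for u, ips in ips_by_user.items()}


def audit_received(header):
    """Parse the first Received: header and annotate it with the two triage signals."""
    m = RECEIVED_RE.match(header)
    if not m:
        return None
    rec = m.groupdict()
    rec['helo_spoofs_local'] = helo_spoofs_local(rec['helo'], rec['ip'])
    rec['nonlocal_username'] = bool(rec['user']) and not is_local_style_username(rec['user'])
    return rec


if __name__ == '__main__':
    findings, ips = audit_log(SAMPLE_LOG)
    for qid, ip, user in findings:
        print(f'{qid}: SASL username {user!r} from {ip} is not a local-style account name')
    for user, addrs in ips.items():
        print(f'{user}: authenticated from {len(addrs)} address(es): {", ".join(addrs)}')
    print(audit_received(SAMPLE_RECEIVED))
```

Run against the real mail log (e.g. piping `grep 'sasl_username=' /var/log/mail.log` into audit_log), the per-username IP list shows whether one credential is being replayed from many networks, which is the case where blocking single addresses does not help; the "@"-style usernames are the ones to trace back through saslauthd and PAM to see which local account they actually map to.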