Postfix users receive spam pretending to be sent from their accounts.
In main.cf I have put:
smtpd_sender_login_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf,
mysql:/etc/postfix/mysql_virtual_alias_maps.cf
smtpd_sender_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_sender_login_mismatch,
I also have extensive RBL and other spam checks in main.cf which work, but
this slips through anyway (see message source).
*If I test it from my other server*
root@othermail:~# mail -s test1 -a "From: [email protected]"
[email protected] < /dev/null
*The message gets rejected in log with*
NOQUEUE: reject: RCPT from myother.server.tld[192.168.7.229]: 553 5.7.1
<[email protected]>: Sender address rejected: not logged in;
from=<[email protected]> to=<[email protected]>
I have DKIM which works and validates. In main.cf:
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = local:opendkim/opendkim.sock
But the spammers somehow trick it by using DKIM? Or other means.
Somehow after the OpenDKIM milter there are no sender_login_mismatch checks.
Should I install amavis? It seems so trivial to block spam which pretends to
be sent as a spoofed message from oneself, and yet I can't block it. Any
suggestions? Thanks.
*Message source looks like this:*
Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from mail.mydomain.tld (localhost [127.0.0.1])
by mail.mydomain.tld (Postfix) with ESMTP id 73A553008B0
for <[email protected]>; Fri, 5 Apr 2019 17:16:49 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=mydomain.tld;
s=201902;
t=1554473809; bh=MjZrE+ZNsa79fhqHRgjB41LtBj2nZeIT/I8ZyQz4lvI=;
h=Date:Subject:To:From:List-Help:From;
b=ajW/fpbQ9R/wu2ztE6OJecLpcUqvqENooIo6PW1V5GU0oAc/VqhvxuGPIc89t9n49
6pcXOw4knfTpp9lwoaHqUJ8lM2KpesQTSgLHzvfC74u8wi9CB6+cHpS42rT35bW5wx
LvdO7mLT9GEhrPAVeoI21yk2pCAEhBQaXLAFDsmY=
Received: from orange-leopard-671e4d6e5ce74ab6.znlc.jp
(orange-leopard-671e4d6e5ce74ab6.znlc.jp [154.34.23.45])
by mail.mydomain.tld (Postfix) with ESMTPS id 36A99300704
for <[email protected]>; Fri, 5 Apr 2019 17:16:47 +0300 (EEST)
Received: from [corporativo.static.gvt.net.br]
(170.83.215.114-static.host.megalink.net.br [170.83.215.114])
by orange-leopard-671e4d6e5ce74ab6.znlc.jp (Postfix) with ESMTPSA id
1C8A2BDEE
for <[email protected]>; Fri, 5 Apr 2019 22:12:20 +0900 (JST)
Date: Fri, 5 Apr 2019 15:12:18 +0200
Abuse-Reports-To: <[email protected]>
X-Complaints-To: [email protected]
Subject: [SPAM] user1
Message-ID: <[email protected]>
To: [email protected]
Content-Type: multipart/related;
boundary="--_com.android.email_86436944273605"
MIME-Version: 1.0
X-Mailer: Summer Cart 4.0
From: <[email protected]>
User-Agent: Roundcube Webmail/0.6
List-Help:
<http://www.kousaikan.com/lists/?p=preferences&uid=7oivc5xd99g9y6j9mcp0iztxw78pnnhu>
X-Antivirus: Dr.Web (R) for Unix mail servers drweb plugin ver.6.0.2.8
X-Antivirus-Code: 0x100000
X-Drweb-SpamState: yes
X-Drweb-SpamScore: 315
X-DrWeb-SpamReason:
gggruggvucftvghtrhhoucdtuddrgeduuddrtdeiucetufdoteggodetrfcurfhrohhfihhlvgemuceonhhonhgvqeenuceurghilhhouhhtmecupfdsteenucgoteeftdduqddtudculdduhedmnegoufhprghmsghotheuvfevqdfggedutddqvdekucdlfedttddm
X-AV-Checked: ClamAV using ClamSMTP
*Log file:*
Apr 5 17:16:45 mydomain.tld postfix/smtpd[11659]: connect from
orange-leopard-671e4d6e5ce74ab6.znlc.jp[154.34.23.45]
Apr 5 17:16:46 mydomain.tld postfix/smtpd[11659]: Anonymous TLS connection
established from orange-leopard-671e4d6e5ce74ab6.znlc.jp[154.34.23.45]:
TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Apr 5 17:16:47 mydomain.tld postfix/smtpd[11659]: 36A99300704:
client=orange-leopard-671e4d6e5ce74ab6.znlc.jp[154.34.23.45]
Apr 5 17:16:47 mydomain.tld postfix/cleanup[11826]: 36A99300704:
message-id=<[email protected]>
Apr 5 17:16:49 mydomain.tld opendkim[539]: 36A99300704:
orange-leopard-671e4d6e5ce74ab6.znlc.jp [154.34.23.45] not internal
Apr 5 17:16:49 mydomain.tld opendkim[539]: 36A99300704: not authenticated
Apr 5 17:16:49 mydomain.tld opendkim[539]: 36A99300704: no signature data
Apr 5 17:16:49 mydomain.tld postfix/qmgr[11471]: 36A99300704:
from=<[email protected]>, size=257396, nrcpt=1 (queue active)
Apr 5 17:16:49 mydomain.tld clamsmtpd: 1009A6: accepted connection from:
127.0.0.1
Apr 5 17:16:49 mydomain.tld postfix/smtpd[11829]: connect from
localhost[127.0.0.1]
Apr 5 17:16:49 mydomain.tld postfix/smtpd[11829]: 73A553008B0:
client=localhost[127.0.0.1], orig_queue_id=36A99300704,
orig_client=orange-leopard-671e4d6e5ce74ab6.znlc.jp[154.34.23.45]
Apr 5 17:16:49 mydomain.tld postfix/smtpd[11659]: disconnect from
orange-leopard-671e4d6e5ce74ab6.znlc.jp[154.34.23.45] ehlo=2 starttls=1
mail=1 rcpt=1 data=1 quit=1 commands=7
Apr 5 17:16:49 mydomain.tld postfix/cleanup[11826]: 73A553008B0:
message-id=<[email protected]>
Apr 5 17:16:49 mydomain.tld postfix/qmgr[11471]: 73A553008B0:
from=<[email protected]>, size=257617, nrcpt=1 (queue active)
Apr 5 17:16:49 mydomain.tld postfix/smtp[11827]: 36A99300704:
to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10026, delay=2.9,
delays=2.3/0.01/0.06/0.51, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as
73A553008B0)
Apr 5 17:16:49 mydomain.tld postfix/qmgr[11471]: 36A99300704: removed
Apr 5 17:16:49 mydomain.tld clamsmtpd: 1009A6: [email protected],
[email protected], status=CLEAN
Apr 5 17:16:49 mydomain.tld postfix/smtpd[11829]: disconnect from
localhost[127.0.0.1] ehlo=1 xforward=2 mail=1 rcpt=1 data=1 quit=1
commands=7
Apr 5 17:16:50 mydomain.tld postfix/virtual[11832]: 73A553008B0:
to=<[email protected]>, relay=virtual, delay=0.58, delays=0.51/0.01/0/0.06,
dsn=2.0.0, status=sent (delivered to maildir)
Apr 5 17:16:50 mydomain.tld postfix/qmgr[11471]: 73A553008B0: removed
--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html
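Added example, not part of the original post: reject_sender_login_mismatch is evaluated against the envelope MAIL FROM, so a message can satisfy it while still carrying a From: header in the local domain. The script below parses a constructed copy of the message source shown above and reports the two indicators visible there: a local-domain From: on a message whose first real hop into the server is an untrusted host, and a d=mydomain.tld DKIM-Signature sitting above that external Received: line, meaning the local MTA added it after the message arrived. It assumes mydomain.tld as the protected domain, placeholder addresses, and that Received: lines marked "with ESMTPA"/"ESMTPSA" (Postfix's marker for SASL-authenticated submission) and localhost hops are trusted; the function names are the example's own.

```python
import email
import re

LOCAL_DOMAIN = "mydomain.tld"           # assumption: the domain being spoofed, as in the post
OWN_HOSTS = ("localhost", "127.0.0.1")  # hops the local MTA performs itself (re-injection)

# Constructed sample modelled on the message source in the post; addresses are placeholders.
SAMPLE = """\
Return-Path: <sender@example.net>
Received: from mail.mydomain.tld (localhost [127.0.0.1])
\tby mail.mydomain.tld (Postfix) with ESMTP id 73A553008B0
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=mydomain.tld; s=201902;
\th=Date:Subject:To:From:From; b=placeholder=
Received: from orange-leopard-671e4d6e5ce74ab6.znlc.jp ([154.34.23.45])
\tby mail.mydomain.tld (Postfix) with ESMTPS id 36A99300704
From: <user1@mydomain.tld>

body
"""

def domain_of(addr):
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""

def analyse(raw, local_domain=LOCAL_DOMAIN):
    msg = email.message_from_string(raw)
    findings = []
    hdr_from, env_from = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    # reject_sender_login_mismatch only inspects env_from; a local hdr_from passes it untouched
    if hdr_from == local_domain and env_from != local_domain:
        findings.append("header From is local but envelope sender is %s" % env_from)
    signed = False                      # d=local_domain signature seen above the first real hop
    for name, value in msg.items():     # headers are prepended: top = most recently added
        if name.lower() == "dkim-signature":
            tags = dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)
            signed = signed or tags.get("d", "").lower() == local_domain
        elif name.lower() == "received":
            m = re.match(r"\s*from\s+(\S+)", value)
            host = m.group(1).lower() if m else ""
            own = host in OWN_HOSTS or host.endswith("." + local_domain)
            authed = re.search(r"with ESMTPS?A\b", value) is not None  # SASL submission
            if own or authed:
                continue                # our own relay hop or an authenticated client
            if hdr_from == local_domain:
                findings.append("local-domain From handed in by external host %s" % host)
            if signed:
                findings.append("d=%s DKIM signature was added after that untrusted hop" % local_domain)
            break                       # headers below this line predate our MTA
    return findings
```

Run against a message with the same shape as the one in the post, it returns three findings; a genuine authenticated submission (ESMTPSA hop) returns only the envelope mismatch, if any.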