All,

I am trying to understand how I am being a mail relay for (what I believe)
are unauthorized users.  I have the following postfix config set -

smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authentication,
reject_unauth_destination

mynetworks_style = subnet

However, an account seems to be used as a relay.  The user is
complaining about seeing tons of MAIL REJECT messages.  The logs are
showing -

Oct  5 00:00:02 ns postfix/smtpd[65859]: BB829A32C24:
client=unknown[37.114.181.42], sasl_method=LOGIN, sasl_username=tracy
Oct  5 00:00:03 ns postfix/cleanup[65877]: BB829A32C24: message-id=<
2c64d5d9-682c-4fe8-e0d9-7c9f071f6...@mahan.org>
Oct  5 00:00:03 ns postfix/qmgr[1159]: BB829A32C24: from=<
lozroeb...@mahan.org>, size=772, nrcpt=1 (queue active)
Oct  5 00:00:04 ns postfix/smtpd[65859]: 56778A32C28:
client=unknown[37.114.181.42], sasl_method=LOGIN, sasl_username=tracy
Oct  5 00:00:04 ns postfix/smtp[65958]: BB829A32C24: to=<dar...@rot.com.au>,
relay=in.hes.trendmicro.com[54.219.191.21]:25, delay=1.9,
delays=1/0/0.54/0.33, dsn=5.7.1, status=bounced (host
in.hes.trendmicro.com[54.219.191.21]
said: 550 5.7.1 <dar...@rot.com.au>: Recipient address rejected: ERS-RBL.
(in reply to RCPT TO command))
Oct  5 00:00:04 ns postfix/cleanup[65994]: A949BA32C39: message-id=<
20191005070004.a949ba32...@ns.mahan.org>
Oct  5 00:00:04 ns postfix/bounce[65883]: BB829A32C24: sender non-delivery
notification: A949BA32C39
Oct  5 00:00:04 ns postfix/qmgr[1159]: A949BA32C39: from=<>, size=2793,
nrcpt=1 (queue active)
Oct  5 00:00:04 ns postfix/qmgr[1159]: BB829A32C24: removed

And in the mail queue I am seeing messages like the following -

-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
E21FBA2E08E*    4104 Sat Oct  5 23:01:33  kevin.cros...@mahan.org
                                         s...@tparinger.co.uk

07DA9A2E084     2581 Sat Oct  5 22:09:16  ronaldwhi...@mahan.org
(host mx.tiscali.co.uk[62.24.139.42] refused to talk to me: 554 cm9gb1
mx.talktalk.net GzNGiJaFdim2n IP Blacklisted (TT104)
http://csi.cloudmark.com/reset-request/?ip=23.24.207.145)
                                         tony47...@tiscali.co.uk

0633AA2E117     1942 Sat Oct  5 22:51:06  erikfo...@mahan.org
(host mxa-00002a01.gslb.pphosted.com[208.84.65.123] refused to talk to me:
554 Blocked - see https://ipcheck.proofpoint.com/?ip=23.24.207.145)
                                         uk.custom...@westernunion.co.uk

07483A2E094     1319 Sat Oct  5 22:31:58  sedaayil...@mahan.org
(host newsmtp1.sabah.com.tr[194.36.160.8] refused to talk to me: 554
Blocked - see
https://support.proofpoint.com/dnsbl-lookup.cgi?ip=23.24.207.145)
                                         idil.demi...@sabah.com.tr

0D34CA2E093      776 Sat Oct  5 22:15:26  daan_huis...@mahan.org
(lost connection with mx201.skynet.be[195.238.20.25] while receiving the
initial server greeting)
                                         deh...@skynet.be


None of those usernames at mahan.org exists.

It looks like I am being used as a spam relay, but thought I had closed
that hole.

Pointers?  Documentation?  I have obviously mis-configured it.

My environment is FreeBSD 11.2-RELEASE-p7 amd64. Postfix 3.3.2.

Thanks,

Patrick Mahan
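
The smtpd lines in the log excerpt above carry `sasl_method=LOGIN, sasl_username=tracy`, so one way to see which authenticated account is submitting the mail is to join each queue ID's smtpd line to its qmgr `from=` line. The Python below is an added example, not part of the original post; the sample log lines are constructed in the same format with placeholder addresses and IPs, and the function names and the `max_foreign_senders` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same format as the log excerpt above
# (addresses and IPs are placeholders, not values from the post).
SAMPLE_LOG = """\
Oct  5 00:00:02 ns postfix/smtpd[65859]: BB829A32C24: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=tracy
Oct  5 00:00:03 ns postfix/qmgr[1159]: BB829A32C24: from=<fake.one@example.org>, size=772, nrcpt=1 (queue active)
Oct  5 00:00:04 ns postfix/smtpd[65859]: 56778A32C28: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=tracy
Oct  5 00:00:05 ns postfix/qmgr[1159]: 56778A32C28: from=<fake.two@example.org>, size=801, nrcpt=1 (queue active)
Oct  5 00:01:10 ns postfix/smtpd[65901]: 0A1B2C3D4E5: client=host.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=bob
Oct  5 00:01:11 ns postfix/qmgr[1159]: 0A1B2C3D4E5: from=<bob@example.org>, size=1500, nrcpt=1 (queue active)
Oct  5 00:02:00 ns postfix/qmgr[1159]: A949BA32C39: from=<>, size=2793, nrcpt=1 (queue active)
"""

SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=\S*\[([^\]]+)\].*sasl_username=(\S+)")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-F]+): from=<([^>]*)>")

def summarize_sasl_senders(log_text):
    """Return {sasl_username: {"messages", "clients", "senders"}} for authenticated mail."""
    by_queue_id = {}   # queue ID -> (sasl_username, client IP)
    stats = defaultdict(lambda: {"messages": 0, "clients": set(), "senders": set()})
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            queue_id, client_ip, user = m.groups()
            by_queue_id[queue_id] = (user, client_ip)
            stats[user]["messages"] += 1
            stats[user]["clients"].add(client_ip)
            continue
        m = QMGR_RE.search(line)
        if m and m.group(1) in by_queue_id:   # skips bounces and unauthenticated mail
            stats[by_queue_id[m.group(1)][0]]["senders"].add(m.group(2))
    return dict(stats)

def suspicious_users(stats, max_foreign_senders=1):
    """Flag accounts whose envelope senders do not match their login name."""
    flagged = []
    for user, s in stats.items():
        foreign = {a for a in s["senders"] if a.split("@")[0] != user}
        if len(foreign) > max_foreign_senders:
            flagged.append(user)
    return sorted(flagged)

if __name__ == "__main__":
    summary = summarize_sasl_senders(SAMPLE_LOG)
    for user in suspicious_users(summary):
        s = summary[user]
        print(user, s["messages"], sorted(s["clients"]), sorted(s["senders"]))
```
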
