Postfix is not open relay but send spam

Tue, 15 Oct 2019 00:28:57 -0700 

Hi everyone,

I have a problem with postfix.

I use OBM as a mail server (postfix + cyrus + ldap, etc...). My postfix is
not openrelay :

220 xxxxxx ESMTP Postfix (Debian/GNU) [706 ms]
EHLO keeper-us-east-1c.mxtoolbox.com
250-xxxxxx
250-PIPELINING
250-SIZE 52428800
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN [702 ms]
MAIL FROM:<supert...@mxtoolbox.com> <supert...@mxtoolbox.com>
250 2.1.0 Ok [700 ms]
RCPT TO:<t...@mxtoolboxsmtpdiag.com> <t...@mxtoolboxsmtpdiag.com>
454 4.7.1 <t...@mxtoolboxsmtpdiag.com> <t...@mxtoolboxsmtpdiag.com>: Relay
access denied [719 ms]

LookupServer 3927ms

Time to time, my server is attack and he sends spam. All spam are from a
specific address "cy...@mydomain.com" <cy...@mydomain.com>.
I tried many things but nothing works. I have to stop postfix for some
hours and attack ends until next time.

Can you provide me advice or corrections to my config to ensure this attack
can't success please ?

Here is master.cf :
smtp      inet  n       -       n       -       -       smtpd -v
  -o receive_override_options=no_address_mappings
  -o content_filter=smtp-amavis:127.0.0.1:10024
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=$mua_recipient_restrictions
  -o milter_macro_daemon_name=ORIGINATING
  -o receive_override_options=no_address_mappings
  -o content_filter=smtp-amavis:127.0.0.1:10024
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=$mua_recipient_restrictions
  -o milter_macro_daemon_name=ORIGINATING
  -o receive_override_options=no_address_mappings
  -o content_filter=smtp-amavis:127.0.0.1:10024
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
smtp-amavis  unix  -    -       y       -       2       smtp
 -o smtp_data_done_timeout=1200
 -o disable_dns_lookups=yes
 -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n  -       y       -       -       smtpd
 -o content_filter=
 -o smtpd_helo_restrictions=
 -o smtpd_sender_restrictions=$mua_sender_restrictions

Here is main.cf :

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
myhostname = xxxxxxxx
myorigin = $myhostname
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
local_recipient_maps = $alias_maps
mydestination = localhost
virtual_transport = error:mailbox does not exist
virtual_mailbox_domains = hash:/etc/postfix/virtual_domains
virtual_mailbox_maps = hash:/etc/postfix/virtual_mailbox
virtual_alias_maps = hash:/etc/postfix/virtual_alias
hash:/etc/postfix/virtual_alias_1pour1
pcre:/etc/postfix/virtual_alias_catchall
transport_maps = hash:/etc/postfix/transport
recipient_delimiter = +
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/obm/certs/fullchain.pem
smtpd_tls_key_file = /etc/obm/certs/privkey.pem
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
message_size_limit = 52428800
mua_sender_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_unknown_reverse_client_hostname,
   check_sender_access hash:/etc/postfix/sender_access
smtpd_helo_required = yes
mua_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname
mua_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_sender_login_mismatch,
   reject_invalid_helo_hostname,
   reject_non_fqdn_helo_hostname,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_sender_domain,
   reject_unknown_recipient_domain,
   reject_rhsbl_helo dbl.spamhaus.org,
   reject_rhsbl_reverse_client dbl.spamhaus.org,
   reject_rhsbl_sender dbl.spamhaus.org,
   reject_rbl_client zen.spamhaus.org
smtpd_sender_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_unknown_reverse_client_hostname,
   check_sender_access hash:/etc/postfix/sender_access
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname
smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_sender_login_mismatch,
   reject_invalid_helo_hostname,
   reject_non_fqdn_helo_hostname,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_sender_domain,
   reject_unknown_recipient_domain,
   reject_rhsbl_helo dbl.spamhaus.org,
   reject_rhsbl_reverse_client dbl.spamhaus.org,
   reject_rhsbl_sender dbl.spamhaus.org,
   reject_rbl_client zen.spamhaus.org
smtp_sender_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_unknown_reverse_client_hostname,
   check_sender_access hash:/etc/postfix/sender_access
smtp_helo_required = yes
smtp_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname
smtp_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_sender_login_mismatch,
   reject_invalid_helo_hostname,
   reject_non_fqdn_helo_hostname,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_sender_domain,
   reject_unknown_recipient_domain,
   reject_rhsbl_helo dbl.spamhaus.org,
   reject_rhsbl_reverse_client dbl.spamhaus.org,
   reject_rhsbl_sender dbl.spamhaus.org,
   reject_rbl_client zen.spamhaus.org

Thanks for your help


Michaux Julien
Courriel : jul...@michaux.name

Reply via email to