Problem: someone is probing my Ubuntu 20.04 LTS based mail server. Along with SSH attacks (now mitigated), I had a number of log messages saying auth failures in Dovecot. When I traced packets generating these messages, I found that the packets were being directed to 25/tcp -- Postfix.

I know I'm doing something stupid. Or not doing something stupid. Pointers?

All mailboxes have associated entries in /etc/passwd, with certain role accounts redirected to admin in /etc/aliases.

satch@mail:~$ postconf local_recipient_maps
local_recipient_maps = proxy:unix:passwd.byname $alias_maps

$ postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 2
default_destination_concurrency_limit = 5
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
header_size_limit = 50000
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 51200000
mime_header_checks = $header_checks
mydestination = satchell.net
myhostname = mail.satchell.net
mynetworks = 127.0.0.0/8, 10.1.1.0/24
myorigin = satchell.net
nested_header_checks =
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_connection_count_limit = 25
smtpd_data_restrictions = reject_multi_recipient_bounce permit
smtpd_etrn_restrictions = reject
smtpd_helo_required = yes
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.satchell.net/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.satchell.net/privkey.pem
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_transport = lmtp:unix:private/dovecot-lmtp

Sample log entries:

Mar 14 18:41:12 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=a...@satchell.net rhost=45.144.225.181
Mar 12 10:12:25 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=scan rhost=176.111.173.48
Mar 12 10:14:11 mail auth: pam_unix(dovecot:auth): check pass; user unknown
Mar 12 10:14:11 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=f...@q0z.net rhost=193.169.255.72
Mar 12 10:18:45 mail auth: pam_unix(dovecot:auth): check pass; user unknown
Mar 12 10:18:45 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=marketing rhost=193.169.252.8
Mar 12 17:58:24 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=spamfilter rhost=218.73.134.32 user=spamfilter
Mar 12 17:59:08 mail auth: pam_unix(dovecot:auth): check pass; user unknown
Mar 12 17:59:08 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=spamfil...@satchell.net rhost=218.73.134.32
Mar 12 17:59:23 mail auth: pam_unix(dovecot:auth): check pass; user unknown
Mar 12 17:59:23 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=spamfil...@satchell.net rhost=218.73.134.32

(Note: this mail server is not yet set up to process mail for the domain q0z.net. I'll be following the documentation for "virtual" when it comes time to add entries for this domain.)

"spamfilter" is an account in /etc/passwd.

And the Postfix files:

root@mail:/etc/postfix# tree .
.
├── dynamicmaps.cf
├── dynamicmaps.cf.d
├── header_checks
├── main.cf
├── main.cf.bak
├── main.cf.proto
├── makedefs.out -> /usr/share/postfix/makedefs.out
├── master.cf
├── master.cf.proto
├── postfix-files
├── postfix-files.d
├── postfix-script
├── post-install
└── sasl

root@mail:/etc# tree . | grep aliases
├── aliases
├── aliases.db
│   │   ├── 30-cjk-aliases.conf
│   │   ├── 30-metric-aliases.conf
│   │   ├── 30-cjk-aliases.conf -> ../conf.avail/30-cjk-aliases.conf
│   │   ├── 30-metric-aliases.conf -> ../conf.avail/30-metric-aliases.conf
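The log lines in the post are Dovecot's auth service rejecting SMTP AUTH attempts that Postfix hands to it from 25/tcp (smtpd_sasl_type = dovecot, smtpd_sasl_path = private/auth), which is why traffic aimed at Postfix surfaces as pam_unix(dovecot:auth) failures. As an added example that is not part of the original post, this Python script parses lines in that format, counts failures per remote host, and flags hosts that tried a real local account; the sample lines and addresses are constructed (RFC 5737 range), and the set of local accounts is an assumption.

```python
import re
from collections import Counter, defaultdict

# Matches the pam_unix(dovecot:auth) failure line as it appears in syslog.
# Postfix (smtpd_sasl_type = dovecot) passes SMTP AUTH on 25/tcp to Dovecot's
# auth socket, so failed SMTP AUTH attempts are logged as Dovecot PAM failures.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ auth: pam_unix\(dovecot:auth\): "
    r"authentication failure;.*?\bruser=(?P<ruser>\S*) rhost=(?P<rhost>\S+)"
)

# Constructed sample lines in the post's format; addresses are documentation
# range, not real hosts.
SAMPLE_LOG = """\
Mar 12 10:12:25 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=scan rhost=203.0.113.10
Mar 12 10:14:11 mail auth: pam_unix(dovecot:auth): check pass; user unknown
Mar 12 10:14:11 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=marketing rhost=203.0.113.10
Mar 12 17:58:24 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=spamfilter rhost=203.0.113.20 user=spamfilter
Mar 12 17:59:08 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=spamfilter@example.net rhost=203.0.113.20
Mar 12 17:59:23 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=spamfilter@example.net rhost=203.0.113.20
"""

def parse_failures(text):
    """Yield (ruser, rhost) for each authentication-failure line; the
    'check pass; user unknown' lines carry no host and are skipped."""
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            yield m.group("ruser"), m.group("rhost")

def summarize(text, local_accounts, threshold=2):
    """Return (failures per host, hosts at/above threshold, hosts that tried
    a real local account). A login of the form user@domain is reduced to its
    local part first, so 'spamfilter@...' is checked as 'spamfilter'."""
    counts = Counter()
    real_hits = defaultdict(set)
    for ruser, rhost in parse_failures(text):
        counts[rhost] += 1
        local_part = ruser.split("@", 1)[0]
        if local_part in local_accounts:
            real_hits[rhost].add(local_part)
    noisy = {host for host, n in counts.items() if n >= threshold}
    return counts, noisy, dict(real_hits)

if __name__ == "__main__":
    # Assumed local accounts; on the real server read them from /etc/passwd.
    counts, noisy, hits = summarize(SAMPLE_LOG, {"spamfilter", "satch"})
    for host in sorted(counts):
        print(host, counts[host], "failures; real accounts tried:", sorted(hits.get(host, [])))
```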
