Dear postfix experts:

So, apparently I failed at configuring my server properly after moving my whole email services to docker, and some spambot eventually was able to send a "claim prize" email through my server. The reason I think it's relay is that the account from which the email was sent with my server doesn't really exist. It's a combination of some arbitrary word @ some domain registered in my domain's DNS records. I'm not sure whether it could be something else, but to me this sounds like the only viable explanation. I could be wrong.

The current networking configuration is:

Internet -> HaProxy (plain tcp, just forwarding packets) -> Docker network bridge -> Postfix, Dovecot, OpenDKIM, SQL, etc, each in a container, all in one subnet

I would really appreciate it if you took a look at my main.cf configuration, which follows this text, and told me whether I messed up my relay settings or anything else that's obvious.

I could share postconf too, but it's huge and I don't want to make this a huge burden unless necessary.

Do you have any recommendations to prevent this fiasco from ever happening again? Quite frankly, I'm considering just disabling relaying altogether and allowing only SASL authentication (by removing permit_mynetworks from smtpd_recipient_restrictions), but I guess I should understand the problem first before using that nuclear option.


```
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

readme_directory = no

# TLS parameters
# we don't use 'encrypt' instead of may because fetchmail won't work
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_client_restrictions = permit_mynetworks

smtpd_tls_cert_file =/shared-keys/example.com/fullchain.pem
smtpd_tls_key_file  =/shared-keys/example.com/privkey.pem
smtp_tls_cert_file  =/shared-keys/example.com/fullchain.pem
smtp_tls_key_file   =/shared-keys/example.com/privkey.pem

smtpd_use_tls=yes

smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = localhost
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = localhost
mydestination = server-hostname.some-hostingservice.com, localhost

relayhost =
#mynetworks = 127.0.0.0/8
# this is OK for docker subnet (questionable?)
mynetworks_style = subnet

mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
relay_domains =
inet_protocols = ipv4


smtpd_helo_restrictions =
        reject_invalid_helo_hostname,

# a bit more spam protection
disable_vrfy_command = yes

# Authentication
smtpd_sasl_type=dovecot
smtpd_sasl_path=/shared-socks/auth_dovecot
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = yes

proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps

smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql_sender_login_maps.cf

#smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch


# Virtual mailboxes
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_mailbox_base = /var/vmail/
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 104
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_transport = lmtp:inet:docker-email-dovecot:10024

smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_relay_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination

# Insist on stronger ciphers
smtpd_tls_ciphers = high

message_size_limit = 0
virtual_mailbox_limit = 0

milter_protocol = 2
milter_default_action = accept

smtpd_milters = inet:docker-email-opendkim:12301
non_smtpd_milters = inet:docker-email-opendkim:12301

smtpd_recipient_restrictions =
        check_sender_access hash:/etc/postfix/sender_access,
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination,
        reject_invalid_hostname,
        reject_unknown_recipient_domain,
        reject_unauth_destination,
        reject_rbl_client sbl.spamhaus.org,
        reject_rbl_client b.barracudacentral.org,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client truncate.gbudb.net,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client cbl.abuseat.org,

smtp_tls_loglevel = 1

debug_peer_list=0.0.0.0/0
debug_peer_level=6

maillog_file = /dev/stdout
```

Best regards,
Sam

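An added example (not part of Sam's post) that walks a simulated unauthenticated connection through the smtpd_relay_restrictions shown above. It assumes a constructed Docker bridge subnet of 172.18.0.0/16, that HAProxy in plain TCP mode presents its own bridge address 172.18.0.5 as the client IP, and that mynetworks_style = subnet therefore resolves to that bridge subnet; the commented-out mynetworks = 127.0.0.0/8 is modelled as the alternative.

```python
import ipaddress

# Constructed sample topology (assumed, not from the post): the Postfix container
# and the HAProxy container share one Docker bridge subnet, and HAProxy in plain
# TCP mode (no PROXY protocol) connects to Postfix from its own bridge address,
# so every Internet client looks like 172.18.0.5 to smtpd.
DOCKER_BRIDGE = ipaddress.ip_network("172.18.0.0/16")
HAPROXY_ADDR = "172.18.0.5"

# Values copied from the main.cf above.
MYDESTINATION = {"server-hostname.some-hostingservice.com", "localhost"}
RELAY_RESTRICTIONS = ["permit_sasl_authenticated", "permit_mynetworks",
                      "reject_unauth_destination"]

# mynetworks_style = subnet trusts every subnet a local interface is attached to,
# which inside the container is the Docker bridge (assumed above); the
# commented-out explicit setting trusts loopback only.
MYNETWORKS_SUBNET_STYLE = [ipaddress.ip_network("127.0.0.0/8"), DOCKER_BRIDGE]
MYNETWORKS_LOOPBACK_ONLY = [ipaddress.ip_network("127.0.0.0/8")]


def relay_decision(client_ip, sasl_authenticated, rcpt_domain, mynetworks,
                   restrictions=RELAY_RESTRICTIONS, local_domains=MYDESTINATION):
    """Walk a Postfix restriction list left to right and return (action, rule)
    for the first rule that matches, or ('DUNNO', None) if none does.
    Only the three rules used in smtpd_relay_restrictions above are modelled."""
    ip = ipaddress.ip_address(client_ip)
    for rule in restrictions:
        if rule == "permit_sasl_authenticated" and sasl_authenticated:
            return "PERMIT", rule
        if rule == "permit_mynetworks" and any(ip in net for net in mynetworks):
            return "PERMIT", rule
        if rule == "reject_unauth_destination" and rcpt_domain not in local_domains:
            return "REJECT", rule
    return "DUNNO", None


def relay_exposure(mynetworks):
    """True when an unauthenticated client arriving via HAProxy's bridge
    address would be allowed to relay to a domain this server is not
    responsible for (a constructed, non-local recipient domain)."""
    action, _ = relay_decision(HAPROXY_ADDR, False, "other-domain.example", mynetworks)
    return action == "PERMIT"


if __name__ == "__main__":
    for label, nets in (("subnet style", MYNETWORKS_SUBNET_STYLE),
                        ("127.0.0.0/8 only", MYNETWORKS_LOOPBACK_ONLY)):
        print(label, relay_decision(HAPROXY_ADDR, False, "other-domain.example", nets))
```

The same walk applies to smtpd_recipient_restrictions above, where permit_mynetworks also sits before reject_unauth_destination.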