Samer Afach skrev den 2022-12-21 05:45:
Thank you, Phil. Here we go. Here's postconf -n:
I hope this helps in better identifying how the spammer was able to
use my server to send a spam email.
```
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
debug_peer_level = 6
debug_peer_list = 0.0.0.0/0
disable_vrfy_command = yes
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 0
maillog_file = /dev/stdout
message_size_limit = 0
milter_default_action = accept
milter_protocol = 2
mydestination = hostname.hosting-service.com,
localhost.hosting-service.com, localhost
why not all public domains in virtual_* ?
myhostname = localhost
so you say helo localhost when sending mail ?
some reject that ehlo hostname
mynetworks_style = subnet
myorigin = localhost
non_smtpd_milters = inet:docker-email-opendkim:12301
proxy_read_maps = $local_recipient_maps $mydestination
$virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps
$virtual_mailbox_domains $relay_recipient_maps $relay_domains
$canonical_maps $sender_canonical_maps $recipient_canonical_maps
$relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
readme_directory = no
recipient_delimiter = +
relay_domains =
relayhost =
smtp_tls_cert_file = /shared-keys/example.com/fullchain.pem
smtp_tls_key_file = /shared-keys/example.com/privkey.pem
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
make this a commentary line in main.cf so it using postconf defaults
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
same here
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_restrictions = permit_mynetworks
smtpd_helo_restrictions = reject_invalid_helo_hostname,
smtpd_milters = inet:docker-email-opendkim:12301
smtpd_recipient_restrictions = check_sender_access
hash:/etc/postfix/sender_access, permit_sasl_authenticated,
permit_mynetworks, reject_unauth_destination, reject_invalid_hostname,
reject_unknown_recipient_domain, reject_unauth_destination,
reject_rbl_client sbl.spamhaus.org, reject_rbl_client
b.barracudacentral.org, reject_rbl_client zen.spamhaus.org,
reject_rbl_client truncate.gbudb.net, reject_rbl_client
bl.spamcop.net, reject_rbl_client cbl.abuseat.org,
multiple spamhaus, only zen is needed, and imho others is included in
zen
smtpd_relay_restrictions = permit_sasl_authenticated permit_mynetworks
reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = /shared-socks/auth_dovecot
smtpd_sasl_type = dovecot
smtpd_sender_login_maps =
proxy:mysql:/etc/postfix/mysql_sender_login_maps.cf
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /shared-keys/example.com/fullchain.pem
smtpd_tls_ciphers = high
smtpd_tls_key_file = /shared-keys/example.com/privkey.pem
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
coment that in main.cf no need for change from default postfix
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
same here
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps =
proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vmail/
virtual_mailbox_domains =
proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 0
virtual_mailbox_maps =
proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 104
virtual_transport = lmtp:inet:docker-email-dovecot:10024
virtual_uid_maps = static:5000
