Hi All,
This is my first posting here, and maybe I should have found this WAY back
in January '23, if not LONG before. Surely background will help:
This 27-or-so-year-old site now with Fedora / Postfix / Dovecot (with
early adoption of all three) that I built was humming along just fine
until a major disaster in January and I've not yet been able to fully
recover because the Postfix / Dovecot pair has let the damned spammers in
again and again and again and again!
OH, sure, I got it down to a trickle, but these few Russian sites always
managed to get their spam through. I've never found out how they got in,
but I'm sure they'd be back as soon as I reopen internet access on ports
587 and / or 993.
I went through so much pain at trying to reconfigure, to no success (or
incomplete success) that I've STRONGLY suspected that either Dovecot or
Postfix got cracked - at least the modern version of January '23 on Fedora
Server 37. (I haven't reopened the ports since the upgrade to 38.)
As soon as 38 became available, we upgraded. Current version(s) available
upon request - and while the whole main.cf is HUGE and somewhat
sensitive, bits of it are surely available, too.
In the disaster, we lost /var but not /etc, so I figured recovery would be easy
and for nearly everything, it was. But while both Dovecot and Postfix came
right back up with the old config files (and something of an effort to try
and use the more modern, insofar as they're different), nothing I've tried
so far has stopped the spammers from getting through, though as I say I
haven't tried since the update to 38 - should I now? (No config has
changed.)
Now, in these 5+ months I've tried so many things, I'm sure I've forgotten
most of them and I don't know that a retrospective look is worth doing.
...I kept some notes that might be useful if anyone wants to see the evidence
of the cracking, but in short, I kept a constant watch on the logs and when ANY
relay happened that shouldn't, I'd instantly know it and shut things off
entirely. However, that became untenable as I couldn't find the problem and had
to just shut it off, pissing off users, etc., but I've had to do things like
spend a month and a half traveling, and so forth and, well... Life goes on, as
the saying goes.
---
Given all the work I did on Postfix to stop relaying from unauthorized
parties, and how after a mountain of work the "open-mail-relaying" was
only coming from a couple of spammers in Russia, it's my view they somehow
cracked things, even though we changed 100% of ALL user passwords to VERY,
and I mean completely impractical to crack values (30 chars plus). And so
I want to blame Dovecot for letting through the relaying. They say no,
it's Postfix!
Maybe someone on this list knows if it's possible that Dovecot being
cracked can cause Postfix to become a spam relay but I'd like to sidestep
that for at least the moment:
A new feature that would make a HUGE difference to sites like mine: Give
me a white-list of the ONLY accounts (usernames) that can relay; NOTHING
ELSE can relay. ... THAT would do it! But no! Neither in Postfix nor
Dovecot is there such a thing! ...Such a thing CANNOT be that hard to
implement and obviously useful to many; is there a good reason NOT to do
this? Or am I wrong and it HAS been done?
Combine that with a greylist type function (similar to the postgrey
package I have installed now) where the usual IP addresses for particular
relay users were let through, and new ones delayed, THAT would be awesome,
too! And this isn't even all that hard to do - I could do it if I didn't
already have a thousand obligations in life!
And if someone tells me I'm wrong and points me at how to do these things, I'll
fall out of my damned chair! And after picking myself up, I'll find a way to
send that person some sort of gift. THIS WOULD HAVE SOLVED ALL MY PROBLEMS. And
I'm sure MANY others could use this, too!
As a small digression on some of the above: I think I don't know enough
about how Postfix's use of port 587 is properly secured - the "submission
port". OK, STARTTLS we're told, but is it Postfix or Dovecot doing the
authentication? Does Postfix EVER read a password file? I think it does
not, and so I say it has to be Dovecot, but some clearing up of that would
be nice... And, now that I think of it, could this be a way to prove which
is guilty of letting the spammers in?
---
I MUST get Dovecot's use of the ports 587 / 993 working again to allow my
outside users to get email again, but HOW THE HELL DO I DO THIS and NOT
let the spammers in?!
Thanks for any and all help,
Richard
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
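The per-account relay whitelist asked for above does exist in Postfix: `check_sasl_access` (Postfix 2.11 and later) looks up the SASL login name in an access(5) table, and it also answers the "who does the authentication" question, since `smtpd_sasl_type = dovecot` hands every AUTH attempt to Dovecot. The fragment below is an added example, not the poster's main.cf; it assumes Dovecot exports its auth socket as private/auth under the Postfix queue directory and that the map file /etc/postfix/relay_users is one you create.

```text
# main.cf fragment (added example, not the poster's configuration).
# With smtpd_sasl_type = dovecot, Postfix never checks a password
# itself: each AUTH is passed to Dovecot's auth socket, assumed here
# to be exported as private/auth under the Postfix queue directory.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
# Refuse AUTH on connections that have not completed STARTTLS.
smtpd_tls_auth_only = yes

# Relay policy: only login names listed in the access map may relay.
# An authenticated user who is NOT in the map does not match and
# falls through to reject_unauth_destination, so no other account,
# and no unauthenticated client, can relay.
# check_sasl_access requires Postfix 2.11 or later.
smtpd_relay_restrictions =
    permit_mynetworks,
    check_sasl_access hash:/etc/postfix/relay_users,
    reject_unauth_destination

# /etc/postfix/relay_users (constructed example; run
# "postmap hash:/etc/postfix/relay_users" after every edit).
# Keys must match the login name exactly as Dovecot reports it,
# with or without the @domain part depending on Dovecot's auth setup.
alice@example.com    OK
bob@example.com      OK
```

If the submission service in master.cf carries its own `-o smtpd_relay_restrictions=...` override, that override must use the same list or the main.cf policy is bypassed on port 587. The account being abused is visible in the mail log as `sasl_username=` in the `client=` line of each accepted message, so it can be identified and dropped from the map without closing the port for everyone.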