
Thread: My server is sending spam

  1. #11
    Join Date
    Jun 2007
    Location
    Paraparaumu, New Zealand
    Beans
    Hidden!

    Re: My server is sending spam

    Quote Originally Posted by AvengerX9
    Can I just add this to the bottom of my main.cf file or should I place it somewhere else in there ?
    If you don't already have a smtpd_sender_restrictions section in your main.cf file, it can go just about anywhere.
    Quote Originally Posted by AvengerX9
    Now I'm also getting this in my mail log, but I don't know what it means
    Are you using some kind of address verification?
    Forum DOs and DON'Ts
    Please use CODE tags
    Including your email address in a post is not recommended
    My Blog

  2. #12
    Join Date
    Sep 2008
    Beans
    193
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: My server is sending spam

    Here is my current main.cf

    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    readme_directory = no
    
    # TLS parameters
    smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
    smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
    smtpd_use_tls=yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    myhostname = mail.truckstop24.no
    mydomain = truckstop24.no
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    mydestination = $mydomain, $myhostname
    myorigin = $mydomain
    mynetworks = 0.0.0.0/0 [::/0]
    relayhost = smtp.nenett.no
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    smtpd_recipient_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_non_fqdn_hostname reject_invalid_hostname check_helo_access pcre:/etc/postfix/helo_checks check_sender_mx_access cidr:/etc/postfix/bogus_mx reject_rbl_client zen.spamhaus.org reject_rbl_client cbl.abuseat.org reject_rbl_client dnsbl-1.uceprotect.net permit
    
    smtpd_recipient_restrictions =
        reject_invalid_hostname, 
        reject_non_fqdn_sender, 
        reject_non_fqdn_recipient, 
        reject_unknown_sender_domain, 
        reject_unknown_recipient_domain, 
        reject_unauth_pipelining, 
        permit_mynetworks, 
        reject_unauth_destination, 
        reject_rbl_client bl.spamcop.net 
        permit
    Last edited by lisati; November 17th, 2012 at 12:19 AM. Reason: Code tags preserve formatting better than quote tags

  3. #13
    Join Date
    Jun 2007
    Location
    Paraparaumu, New Zealand
    Beans
    Hidden!

    Re: My server is sending spam

    OK. You already had a "smtpd_recipient_restrictions" entry. Postfix only uses one. You can probably safely remove the bit you added from my previous post. What I'd suggest for the line you already had is to add commas "," between the individual restrictions you have listed, so that it looks something like this:
    Code:
    smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_hostname, reject_invalid_hostname, check_helo_access pcre:/etc/postfix/helo_checks, check_sender_mx_access cidr:/etc/postfix/bogus_mx, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client dnsbl-1.uceprotect.net, permit
    Last edited by lisati; November 17th, 2012 at 12:26 AM. Reason: gave example

  4. #14
    Join Date
    Sep 2008
    Beans
    193
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: My server is sending spam

    Thanks, fixed that now. But to prevent others from using my mail server to spam, is there something I can do in iptables?
    Last edited by AvengerX9; November 17th, 2012 at 12:53 AM.

  5. #15
    Join Date
    Feb 2010
    Location
    U.K.
    Beans
    782
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: My server is sending spam

    Do you have any more recent logs of this spam being sent through your server?

    It's certainly not acting as an open relay right now.

    You might want to consider enforcing SMTP Auth and TLS. Your conf file suggests you have TLS configured already. SMTP Auth would require all users wanting to send via your server to authenticate.

    I'm not really familiar with postfix so I'll just point at a googled how to: http://postfix.state-of-mind.de/patr...tter/smtpauth/

  6. #16
    Join Date
    Sep 2008
    Beans
    193
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: My server is sending spam

    Thanks. I will check that out.

    Here is the most recent mail.log

    Nov 17 02:36:58 roger-G31T-M7 postfix/cleanup[14379]: 15FF2143E3D: message-id=<20121117013658.15FF2143E3D@mail.truckstop24.no >
    Nov 17 02:36:58 roger-G31T-M7 postfix/bounce[14384]: 9AC61143D8B: sender non-delivery notification: 15FF2143E3D
    Nov 17 02:36:58 roger-G31T-M7 postfix/qmgr[9049]: 15FF2143E3D: from=<>, size=2458, nrcpt=1 (queue active)
    Nov 17 02:36:58 roger-G31T-M7 postfix/qmgr[9049]: 9AC61143D8B: removed
    Nov 17 02:36:58 roger-G31T-M7 postfix/smtp[14383]: 15FF2143E3D: to=<test@testie.com>, relay=smtp.nenett.no[81.167.36.150]:25, delay=0.18, delays=0.06/0/0.04/0.08, dsn=5.7.1, status=bounced (host smtp.nenett.no[81.167.36.150] said: 554 5.7.1 <test@testie.com>: Recipient address rejected: Policy Rejection- This ip has been blacklisted. Contact your service provider if you have questions. (in reply to RCPT TO command))
    Nov 17 02:36:58 roger-G31T-M7 postfix/qmgr[9049]: 15FF2143E3D: removed
    Nov 17 02:37:01 roger-G31T-M7 postfix/smtpd[14370]: disconnect from 87-194-210-230.bethere.co.uk[87.194.210.230]
    Nov 17 02:40:53 roger-G31T-M7 postfix/smtpd[14481]: error: unsupported dictionary type: pcre
    Nov 17 02:40:53 roger-G31T-M7 postfix/smtpd[14481]: error: open /etc/postfix/bogus_mx: No such file or directory
    Nov 17 02:40:53 roger-G31T-M7 postfix/smtpd[14481]: connect from 87-194-210-230.bethere.co.uk[87.194.210.230]
    Nov 17 02:41:38 roger-G31T-M7 postfix/smtpd[14481]: A7465140831: client=87-194-210-230.bethere.co.uk[87.194.210.230]
    Nov 17 02:41:52 roger-G31T-M7 postfix/cleanup[14487]: A7465140831: message-id=<>
    Nov 17 02:41:52 roger-G31T-M7 postfix/qmgr[9049]: A7465140831: from=<me@truckstop24.no>, size=244, nrcpt=1 (queue active)
    Nov 17 02:41:53 roger-G31T-M7 postfix/smtp[14490]: A7465140831: to=<bzgigley@sharklasers.com>, relay=smtp.nenett.no[81.167.36.150]:25, delay=30, delays=30/0/0.05/0.08, dsn=5.7.1, status=bounced (host smtp.nenett.no[81.167.36.150] said: 554 5.7.1 <bzgigley@sharklasers.com>: Recipient address rejected: Policy Rejection- This ip has been blacklisted. Contact your service provider if you have questions. (in reply to RCPT TO command))
    Nov 17 02:41:53 roger-G31T-M7 postfix/cleanup[14487]: 15535143E3D: message-id=<20121117014153.15535143E3D@mail.truckstop24.no >
    Nov 17 02:41:53 roger-G31T-M7 postfix/bounce[14491]: A7465140831: sender non-delivery notification: 15535143E3D
    Nov 17 02:41:53 roger-G31T-M7 postfix/qmgr[9049]: 15535143E3D: from=<>, size=2470, nrcpt=1 (queue active)
    Nov 17 02:41:53 roger-G31T-M7 postfix/qmgr[9049]: A7465140831: removed
    Nov 17 02:41:53 roger-G31T-M7 postfix/local[14492]: 15535143E3D: to=<me@truckstop24.no>, relay=local, delay=0.12, delays=0.05/0.02/0/0.05, dsn=5.1.1, status=bounced (unknown user: "me")
    Nov 17 02:41:53 roger-G31T-M7 postfix/qmgr[9049]: 15535143E3D: removed
    Nov 17 02:42:00 roger-G31T-M7 postfix/smtpd[14481]: disconnect from 87-194-210-230.bethere.co.uk[87.194.210.230]
    Nov 17 07:45:47 roger-G31T-M7 postfix/pickup[16996]: 7FEC4143E40: uid=0 from=<root>
    Nov 17 07:45:47 roger-G31T-M7 postfix/cleanup[17609]: 7FEC4143E40: message-id=<20121117064547.7FEC4143E40@mail.truckstop24.no >
    Nov 17 07:45:47 roger-G31T-M7 postfix/qmgr[9049]: 7FEC4143E40: from=<root@truckstop24.no>, size=490, nrcpt=1 (queue active)
    Nov 17 07:45:47 roger-G31T-M7 postfix/local[17611]: 7FEC4143E40: to=<Roger@truckstop24.no>, orig_to=<root>, relay=local, delay=0.35, delays=0.22/0.01/0/0.12, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
    Nov 17 07:45:47 roger-G31T-M7 postfix/qmgr[9049]: 7FEC4143E40: removed
    Nov 17 08:16:11 roger-G31T-M7 postfix/postfix-script[17984]: warning: not owned by postfix: /var/lib/postfix/./verify_cache
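Added example (not part of any post in this thread): one way to read a mail.log like the one above is to join each `smtpd` `client=` line to the later `smtp` delivery line with the same queue ID, and report mail that was accepted from a client outside the trusted networks and then forwarded to a remote relay. The log lines, host names and the `find_relayed` helper are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in Postfix syslog format (documentation addresses only).
SAMPLE_LOG = """\
Nov 17 02:41:38 mx postfix/smtpd[101]: A1B2C3D4E5: client=host.example.net[203.0.113.7]
Nov 17 02:41:52 mx postfix/qmgr[99]: A1B2C3D4E5: from=<me@example.org>, size=244, nrcpt=1 (queue active)
Nov 17 02:41:53 mx postfix/smtp[102]: A1B2C3D4E5: to=<someone@example.com>, relay=smtp.isp.example[198.51.100.25]:25, delay=30, dsn=5.7.1, status=bounced (rejected)
Nov 17 02:50:00 mx postfix/smtpd[103]: F6E7D8C9B0: client=localhost[127.0.0.1]
Nov 17 02:50:01 mx postfix/smtp[104]: F6E7D8C9B0: to=<friend@example.com>, relay=smtp.isp.example[198.51.100.25]:25, delay=1, dsn=2.0.0, status=sent (ok)
Nov 17 02:55:00 mx postfix/smtpd[105]: 0123456789: client=mail.example.net[203.0.113.9]
Nov 17 02:55:01 mx postfix/local[106]: 0123456789: to=<roger@example.org>, relay=local, delay=0.1, dsn=2.0.0, status=sent (delivered)
"""

# smtpd logs the connecting client per queue ID; the smtp client logs the onward delivery.
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=\S*\[([0-9a-fA-F.:]+)\]")
DELIVERY_RE = re.compile(r"postfix/smtp\[\d+\]: ([0-9A-F]+): to=<([^>]*)>,.*?relay=[^,]+,.*status=(\w+)")

def find_relayed(log_text, trusted_nets):
    """Return (queue_id, client_ip, recipient, status) for mail accepted from an
    untrusted client and then handed to a remote host by the smtp(8) client."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    clients, findings = {}, []
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            clients[m.group(1)] = ipaddress.ip_address(m.group(2))
            continue
        m = DELIVERY_RE.search(line)
        if m and m.group(1) in clients:
            ip = clients[m.group(1)]
            if not any(ip in net for net in trusted):
                findings.append((m.group(1), str(ip), m.group(2), m.group(3)))
    return findings

if __name__ == "__main__":
    for hit in find_relayed(SAMPLE_LOG, ["127.0.0.0/8"]):
        print("relayed for untrusted client:", hit)
```

A hit with `status=bounced` still counts: the local server accepted the message and tried to pass it on, and only the upstream relay refused it.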

  7. #17
    Join Date
    Feb 2010
    Location
    U.K.
    Beans
    782
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: My server is sending spam

    That's interesting - those are the logs from the couple of tests I did to see if your server would relay (hope you don't mind!).

    The bad thing there is that your server accepted the mail and attempted to relay it - even though it doesn't know who I am. It was your ISP's mail relay that actually blocked it based on the recipient being @sharklasers.com which is a domain used for throwaway email addresses at guerrillamail.com - so no surprise that it is in a blacklist somewhere.

    I'm more used to exim than postfix, however from here http://www.postfix.org/SMTPD_ACCESS_README.html this config section looks like it should be what is required:

    Code:
    # Relay control (Postfix 2.10 and later): local clients and
    # authenticated clients may specify any destination domain.
    smtpd_relay_restrictions = permit_mynetworks,
            permit_sasl_authenticated,
            reject_unauth_destination
    That will allow anyone in your $mynetworks range and anyone who authenticates to use your server to send mail to any destination.

    It will also allow any mail for @truckstop24.no addresses to be accepted from anywhere.

    One thing that concerns me is that you have $mynetworks set as:
    Code:
    mynetworks = 0.0.0.0/0 [::/0]
    That looks to me to be a wildcard setting allowing any IP to send. I think you need to tighten that control up. See here:
    http://www.postfix.org/postconf.5.html#mynetworks
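Added example (not from any poster): the two main.cf problems raised in this thread, a parameter defined twice and `mynetworks = 0.0.0.0/0 [::/0]`, can be checked mechanically before reloading Postfix. The sample file, the `audit` helper and the 65536-address threshold are assumptions made for illustration; when a parameter appears more than once in main.cf, Postfix keeps only the last definition.

```python
import ipaddress
import re

# Constructed main.cf excerpt reproducing the two problems discussed in the thread.
SAMPLE_MAIN_CF = """\
# comment lines and blank lines are ignored
mydestination = $mydomain, $myhostname
mynetworks = 0.0.0.0/0 [::/0]
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

smtpd_recipient_restrictions =
    reject_unknown_sender_domain,
    permit_mynetworks,
    reject_unauth_destination
"""

def parse_main_cf(text):
    """Return [(name, value)] in file order; a line starting with whitespace continues the previous one."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            name, value = entries[-1]
            entries[-1] = (name, (value + " " + raw.strip()).strip())
        elif "=" in raw:
            name, value = raw.split("=", 1)
            entries.append((name.strip(), value.strip()))
    return entries

def audit(text, max_hosts=65536):
    """Flag parameters defined more than once and non-loopback mynetworks wider than max_hosts."""
    entries = parse_main_cf(text)
    names = [n for n, _ in entries]
    findings = [("duplicate", n) for n in sorted(set(names)) if names.count(n) > 1]
    effective = dict(entries)  # later definitions override earlier ones
    for item in re.split(r"[,\s]+", effective.get("mynetworks", "")):
        try:
            net = ipaddress.ip_network(item.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            continue  # empty token, lookup-table reference, or other non-CIDR entry
        if net.num_addresses > max_hosts and not net.is_loopback:
            findings.append(("broad_mynetworks", item))
    return findings, effective

if __name__ == "__main__":
    problems, effective = audit(SAMPLE_MAIN_CF)
    print(problems)
    print("effective:", effective["smtpd_recipient_restrictions"])
```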

  8. #18
    Join Date
    Sep 2008
    Beans
    193
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: My server is sending spam

    Thanks. I will update my main.cf file. It should look like this now

    # See /usr/share/postfix/main.cf.dist for a commented, more complete version


    # Debian specific: Specifying a file name will cause the first
    # line of that file to be used as the name. The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname

    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no

    # appending .domain is the MUA's job.
    append_dot_mydomain = no

    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h

    readme_directory = no

    # TLS parameters
    smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
    smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
    smtpd_use_tls=yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.

    myhostname = mail.truckstop24.no
    mydomain = truckstop24.no
    #alias_maps = hash:/etc/aliases
    alias_maps = hash:/etc/postfix/aliases
    #alias_database = hash:/etc/aliases
    alias_database = hash:/etc/postfix/aliases
    mydestination = $mydomain, $myhostname
    myorigin = $mydomain
    #mynetworks = 0.0.0.0/0 [::/0]
    mynetworks = 79.161.88.51/24, 127.0.0.1/8
    #relayhost = smtp.nenett.no
    relayhost = smtp.gmail.com
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all

    # SASL SUPPORT FOR CLIENTS
    # The following options set parameters needed by Postfix to enable
    # Cyrus-SASL support for authentication of mail clients.
    #
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain = $myhostname
    broken_sasl_auth_clients = yes
    #smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains
    smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_hostname, reject_invalid_hostname, check_helo_access, pcre:/etc/postfix/helo_checks, check_sender_mx_access, cidr:/etc/postfix/bogus_mx, reject_rbl_client, zen.spamhaus.org, reject_rbl_client, cbl.abuseat.org, reject_rbl_client, dnsbl-1.uceprotect.net, permit

    # Relay control (Postfix 2.10 and later): local clients and
    # authenticated clients may specify any destination domain.
    smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    I will check out the links you gave me too
    Last edited by AvengerX9; November 17th, 2012 at 10:34 PM.

  9. #19
    Join Date
    Feb 2010
    Location
    U.K.
    Beans
    782
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: My server is sending spam

    That looks better

    One thing though.....

    You have two smtpd_recipient_restrictions = entries.

    You should add the check_relay_domains option to the first one and remove the second instance (in the SASL section).

    Just shout if you want me to test it for open relay once you have your new settings in place

    Another question - will google allow you to relay through their smtp??

  10. #20
    Join Date
    Feb 2010
    Location
    U.K.
    Beans
    782
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: My server is sending spam

    Quote Originally Posted by cryptotheslow
    Another question - will google allow you to relay through their smtp??
    The answer is NO unless you are somehow using authenticated SMTP using STARTTLS.

    This is what happens when trying straight SMTP:
    Code:
    crypto@ubulaptop1204:~$ telnet smtp.gmail.com 25
    Trying 173.194.66.109...
    Connected to gmail-smtp-msa.l.google.com.
    Escape character is '^]'.
    220 mx.google.com ESMTP gk9sm6755645wib.4
    HELO google.com
    250 mx.google.com at your service
    MAIL FROM: tester@google.co.uk
    530 5.7.0 Must issue a STARTTLS command first. gk9sm6755645wib.4
    As it should be really - otherwise it would also be an open relay
