[Postfixbuch-users] My mailserver on a virtual machine/server used as spam-relay
reiner otto
augustus_meyer@yahoo.de
Sat Feb 14 13:31:52 CET 2009
For a week now, one of my private mail servers has been used as a spam relay, and has been listed in several public spam lists.
This mail server uses dovecot, postfix and sasl-auth, and had been running for months without problems.
What is special is that this compromised mail server is running in a virtual machine.
I guess that this might be one "vulnerability" used by the spammers, because ifconfig on my virtual machine shows:
-----------
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:20200422 errors:0 dropped:0 overruns:0 frame:0
TX packets:3438831 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2334475480 (2226.3 Mb) TX bytes:1480411708 (1411.8 Mb)
venet0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:127.0.0.1 P-t-P:127.0.0.1 Bcast:0.0.0.0 Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
RX packets:3707143 errors:0 dropped:0 overruns:0 frame:0
TX packets:4003471 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:556695194 (530.9 Mb) TX bytes:619693220 (590.9 Mb)
venet0:0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:012.345.678.891 P-t-P:012.345.678.891 Bcast:0.0.0.0 Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
--------------------------------------------
For now I have solved the problem with a "quick fix", by removing "permit_mynetworks" from
smtpd_recipient_restrictions in postfix's main.cf.
Excerpt from my current main.cf (no more spam):
---------
smtpd_recipient_restrictions =
    reject_invalid_hostname,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
# permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/access,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client ix.dnsbl.manitu.net,
    reject_rbl_client ob.surbl.org,
    reject_non_fqdn_sender,
    reject_non_fqdn_hostname,
    check_policy_service inet:127.0.0.1:10023
----------------------------------------
Another vulnerability which helped the spammers was the fact that they used malformed destinations, having "0.0.0.0" in the MX record.
Excerpt from my current logs:
--------------------------------------
Feb 14 06:28:22 h123456 postfix/smtpd[1463]: warning: numeric domain name in resource data of MX record for seed.net: 0.0.0.0
Feb 14 06:28:22 h123456 postfix/smtpd[1463]: NOQUEUE: reject: RCPT from h123456.stratoserver.net[127.0.0.1]: 554 5.7.1 <dpggy1@seed.net>: Relay access denied; from=<jennifer_joan@msn.com> to=<dpggy1@seed.net> proto=SMTP helo=<ppp-217-77-221-14.wildpark.net>
Feb 14 06:28:23 h123456 postfix/smtpd[1463]: warning: numeric domain name in resource data of MX record for seed.net: 0.0.0.0
----------------------------------
If "permit_mynetworks" were still present in smtpd_recipient_restrictions,
my server would now have sent spam.
So now my question is: how can I reject mail to a destination with "0.0.0.0" in an invalid MX record? That should be a better solution than commenting out permit_mynetworks.
Or any other comments?
Regards,
Dipl. Ing. Reiner Karlsberg
-------------- next part --------------
An attachment with HTML data was scrubbed...
URL: <https://listi.jpberlin.de/pipermail/postfixbuch-users/attachments/20090214/a723cb9e/attachment.html>
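As an added example (not part of the original post, and not Postfix code), the following Python script parses smtpd reject lines like the ones quoted in the message and lists those that only reject_unauth_destination stopped while the client address sat inside mynetworks. With permit_mynetworks listed ahead of reject_unauth_destination, exactly these messages would have been accepted and relayed, which is what the quoted log shows: the client is logged as h123456.stratoserver.net[127.0.0.1], inside the loopback network that the default mynetworks covers, yet it announces itself as ppp-217-77-221-14.wildpark.net. The script also flags that HELO/reverse-name mismatch. The mynetworks value, the log sample (the quoted line with "@" restored plus three constructed contrast lines) and the function names are all assumptions made for this example.

```python
#!/usr/bin/env python3
"""List relay attempts from clients inside mynetworks that only
reject_unauth_destination stopped. Added example; not code from the post."""
import ipaddress
import re

# Constructed log sample. Line 1 mirrors the line quoted in the post; lines
# 2-4 are contrast cases: an outside relay attempt, a loopback reject for an
# unrelated reason, and an accepted local submission.
SAMPLE_LOG = """\
Feb 14 06:28:22 h123456 postfix/smtpd[1463]: NOQUEUE: reject: RCPT from h123456.stratoserver.net[127.0.0.1]: 554 5.7.1 <dpggy1@seed.net>: Relay access denied; from=<jennifer_joan@msn.com> to=<dpggy1@seed.net> proto=SMTP helo=<ppp-217-77-221-14.wildpark.net>
Feb 14 06:30:01 h123456 postfix/smtpd[1470]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 554 5.7.1 <x@example.org>: Relay access denied; from=<a@example.com> to=<x@example.org> proto=ESMTP helo=<mail.example.com>
Feb 14 06:31:09 h123456 postfix/smtpd[1471]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.1.2 <y@nx.invalid>: Recipient address rejected: Domain not found; from=<me@example.net> to=<y@nx.invalid> proto=ESMTP helo=<localhost>
Feb 14 06:32:40 h123456 postfix/smtpd[1472]: 7B3F21C0: client=localhost[127.0.0.1]
"""

# Shape of a Postfix smtpd "NOQUEUE: reject: RCPT" line.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<status>\d{3} \d\.\d\.\d) <[^>]*>: (?P<reason>[^;]*); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> proto=\S+ helo=<(?P<helo>[^>]*)>"
)


def parse_mynetworks(value):
    """Parse a Postfix mynetworks value such as
    "127.0.0.0/8 [::1]/128 192.0.2.0/24, 10.0.0.5" into ip_network objects.
    Tokens are separated by whitespace or commas, IPv6 networks are written
    in brackets, and a bare address denotes a single host."""
    nets = []
    for tok in re.split(r"[\s,]+", value.strip()):
        if tok:
            tok = tok.replace("[", "").replace("]", "")
            nets.append(ipaddress.ip_network(tok, strict=False))
    return nets


def in_mynetworks(ip, nets):
    """True if the logged client address falls inside any configured network.
    Postfix logs IPv6 clients as [IPv6:...], so drop that prefix first."""
    addr = ipaddress.ip_address(ip[5:] if ip.startswith("IPv6:") else ip)
    return any(addr in net for net in nets)


def helo_looks_foreign(helo, client_host):
    """True when the HELO name and the client's reverse name do not share
    their last two labels. Crude, but it catches a loopback client that
    announces itself as a dial-up host on another network. Without a
    reverse name ("unknown") we cannot judge and return False."""
    if client_host == "unknown":
        return False

    def tail(name):
        return ".".join(name.lower().rstrip(".").split(".")[-2:])

    return tail(helo) != tail(client_host)


def relay_attempts_from_mynetworks(log_text, mynetworks_value):
    """Return reject records whose client sits inside mynetworks and whose
    only reason for rejection was "Relay access denied". With
    permit_mynetworks listed before reject_unauth_destination, exactly these
    messages would have been accepted and relayed."""
    nets = parse_mynetworks(mynetworks_value)
    hits = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        if not rec["reason"].startswith("Relay access denied"):
            continue
        if not in_mynetworks(rec["ip"], nets):
            continue
        rec["helo_foreign"] = helo_looks_foreign(rec["helo"], rec["host"])
        hits.append(rec)
    return hits


if __name__ == "__main__":
    # Assumed mynetworks value: just the loopback networks.
    for hit in relay_attempts_from_mynetworks(SAMPLE_LOG, "127.0.0.0/8 [::1]/128"):
        flag = "HELO from another domain" if hit["helo_foreign"] else "HELO consistent"
        print(f'{hit["host"]}[{hit["ip"]}] helo=<{hit["helo"]}> '
              f'{hit["sender"]} -> {hit["rcpt"]}: {flag}')
```

Run it against a real mail.log and the real `postconf -h mynetworks` output instead of the constructed sample; any hit is a message that the server would have relayed with permit_mynetworks in place, and a hit whose HELO belongs to another domain is a strong sign that the "trusted" address is being reached by outside clients.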