[Postfixbuch-users] Mail account hacked, stop amavis
janikev@gmail.com
janikev at googlemail.com
Mon Dec 1 20:29:53 CET 2014
On 01.12.2014 18:31, Peer Heinlein wrote:
> Amavis has no queue.
> Amavis does not queue.
> Amavis CANNOT subsequently hand mails over to Postfix for delivery.
OK, but I was thinking of a tmp directory that might possibly fill up?
Or that gets saved away when the service is stopped?
I "believe" this so stubbornly because, after the account was locked,
emails still showed up in the mailq and I absolutely cannot explain
why. No webmailer. No script / web server sending. No backup MX.
Actually, from the moment the account was locked, all emails should have been blocked.
So - my logic - these stragglers come from some cache, temp directory
or the like.
/var/lib/amavis/ I thought, but that has always been empty on the
server.
Or the solution is quite simple: amavis stores its mails somewhere
else. But where?
The spook ended for good - service downtime subtracted - after about 30
minutes. But then another hole besides the mail account would still be
open.
>
>> Where else can these mails be if they are not to be found in the
>> Amavis temp directory?
> Show the logfile. Show the config. Show "mailq".
> Does the client come from $mynetworks and not authenticate at all?
>
> What does the logfile say?
>
> What do the Received lines say about when the mail was sent and where it sat?
>
> Peer
Header of a (real) example mail, where
mta.beispiel.de is the Postfix mail server,
stolen at account.toplevel is the hijacked mail account,
and
recipient at example.com is the recipient.
Quote start:
*** ENVELOPE RECORDS deferred/7/7156AD8179 ***
message_size: 2692 720 1
0 2692
message_arrival_time: Mon Dec 1 14:17:40 2014
create_time: Mon Dec 1 14:17:40 2014
named_attribute: log_ident=7156AD8179
named_attribute: rewrite_context=local
sender: stolen at account.toplevel
named_attribute: encoding=7bit
named_attribute: log_client_name=localhost.localdomain
named_attribute: log_client_address=127.0.0.1
named_attribute: log_client_port=42018
named_attribute: log_message_origin=localhost.localdomain[127.0.0.1]
named_attribute: log_helo_name=localhost
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=localhost.localdomain
named_attribute: reverse_client_name=localhost.localdomain
named_attribute: client_address=127.0.0.1
named_attribute: client_port=42018
named_attribute: helo_name=localhost
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
warning_message_time: Mon Dec 1 15:17:40 2014
named_attribute: dsn_orig_rcpt=rfc822;recipient at example.com
original_recipient: recipient at example.com
recipient: recipient at example.com
*** MESSAGE CONTENTS deferred/7/7156AD8179 ***
Received: from localhost (localhost.localdomain [127.0.0.1])
by mta.beispiel.de (Postfix) with ESMTP id 7156AD8179
for <recipient at example.com>; Mon, 1 Dec 2014 14:17:40 +0100 (CET)
X-Virus-Scanned: mta.beispiel amavisd-new at #mta.beispiel.de
Received: from mta.beispiel.de ([127.0.0.1])
by localhost (mta.beispiel.de [127.0.0.1]) (amavisd-new, port 10026)
with ESMTP id gwJHlT7G8f3B for <recipient at example.com>;
Mon, 1 Dec 2014 14:17:40 +0100 (CET)
Received: from localhost (unknown [10.20.30.40])
by mta.beispiel.de (Postfix) with ESMTPA
for <recipient at example.com>; Mon, 1 Dec 2014 14:17:40 +0100 (CET)
Subject: Spam-subject
From: "Spam-Sender"<stolen at account.toplevel>
To: recipient at example.com
X-Mailer: Apple Mail (2.1085)
X-Copyright: Germany, Mime Mail
Content-type: multipart/mixed; boundary="xWMswooh9GD0UIhr"
Message-Id: <20141201131740.7156AD8179 at mta.beispiel.de>
Date: Mon, 1 Dec 2014 14:17:40 +0100 (CET)
Quote end
Logfile for this example mail:
Quote start:
Dec 1 14:17:40 mta.beispiel postfix/smtpd[9717]: connect from
unknown[10.20.30.40]
Dec 1 14:17:40 mta.beispiel amavis[8853]: (08853-17) loaded policy bank
"SASLBYPASS"
Dec 1 14:17:40 mta.beispiel postfix/smtpd[9717]: NOQUEUE:
client=unknown[10.20.30.40], sasl_method=LOGIN,
sasl_username=stolen at account.toplevel
Dec 1 14:17:40 mta.beispiel amavis[8853]: (08853-18) ESMTP::10026
/var/lib/amavis/tmp/amavis-20141201T140243-08853:
<stolen at account.toplevel> -> <recipient at example.com> Received: from
mta.beispiel.de ([127.0.0.1]) by localhost (mta.beispiel [127.0.0.1])
(amavisd-new, port 10026) with ESMTP for <recipient at example.com>; Mon,
1 Dec 2014 14:17:40 +0100 (CET)
Dec 1 14:17:40 mta.beispiel amavis[8853]: (08853-18) Checking:
gwJHlT7G8f3B SASLBYPASS [10.20.30.40] <stolen at account.toplevel> ->
<recipient at example.com>
Dec 1 14:17:40 mta.beispiel amavis[8853]: (08853-18) p002 1
Content-Type: multipart/mixed
Dec 1 14:17:40 mta.beispiel amavis[8853]: (08853-18) p001 1/1
Content-Type: text/html, size: 1057 B, name:
Dec 1 14:17:40 mta.beispiel postfix/smtpd[9582]: connect from
localhost.localdomain[127.0.0.1]
Dec 1 14:17:40 mta.beispiel postfix/smtpd[9582]: 7156AD8179:
client=localhost.localdomain[127.0.0.1]
Dec 1 14:17:40 mta.beispiel postfix/cleanup[9570]: 7156AD8179:
message-id=<20141201131740.7156AD8179 at mta.beispiel.de>
Dec 1 14:17:40 mta.beispiel postfix/oqmgr[2551]: 7156AD8179:
from=<stolen at account.toplevel>, size=2692, nrcpt=1 (queue active)
Dec 1 14:17:40 mta.beispiel amavis[8853]: (08853-18) FWD via SMTP:
<stolen at account.toplevel> -> <recipient at example.com>,BODY=7BIT 250 2.0.0
Ok, id=08853-18, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as
7156AD8179
Dec 1 14:17:40 mta.beispiel amavis[8853]: (08853-18) Passed CLEAN,
SASLBYPASS LOCAL [10.20.30.40] [10.20.30.40] <stolen at account.toplevel>
-> <recipient at example.com>, mail_id: gwJHlT7G8f3B, Hits: -, size: 2068,
queued_as: 7156AD8179, 204 ms
Dec 1 14:17:40 mta.beispiel postfix/smtpd[9717]: proxy-accept:
END-OF-MESSAGE: 250 2.0.0 Ok, id=08853-18, from MTA([127.0.0.1]:10025):
250 2.0.0 Ok: queued as 7156AD8179; from=<stolen at account.toplevel>
to=<recipient at example.com> proto=ESMTP helo=<localhost>
Dec 1 14:17:40 mta.beispiel amavis[8853]: (08853-18) TIMING [total 209
ms] - SMTP greeting: 2 (1%)1, SMTP EHLO: 1 (0%)1, SMTP pre-MAIL: 0
(0%)1, SMTP pre-DATA-flush: 34 (16%)18, SMTP DATA: 84 (40%)58,
check_init: 1 (0%)58, digest_hdr: 1 (0%)58, digest_body_dkim: 0 (0%)58,
gen_mail_id: 1 (0%)59, mime_decode: 7 (3%)62, get-file-type1: 49
(23%)86, parts_decode: 0 (0%)86, AV-scan-1: 6 (3%)89, update_cache: 1
(0%)89, decide_mail_destiny: 0 (0%)89, fwd-connect: 5 (2%)92,
fwd-mail-pip: 2 (1%)93, fwd-rcpt-pip: 0 (0%)93, fwd-data-chkpnt: 0
(0%)93, write-header: 1 (0%)93, fwd-data-contents: 0 (0%)93,
fwd-end-chkpnt: 2 (1%)95, prepare-dsn: 1 (0%)95, main_log_entry: 8
(4%)98, update_snmp: 2 (1%)99, SMTP pre-response: 0 (0%)99, SMTP
response: 0 (0%)100, unlink-1-files: 0 (0%)100, rundown: 1 (0%)100
Dec 1 14:17:40 mta.beispiel postfix/smtpd[9717]: disconnect from
unknown[10.20.30.40]
Dec 1 14:17:40 mta.beispiel postfix/smtp[9761]: 7156AD8179:
to=<recipient at example.com>, relay=mail.example.com[123.456.789.123]:25,
delay=0.08, delays=0/0.01/0.03/0.03, dsn=4.0.0, status=deferred (host
mail.example.com[123.456.789.123] said: 451 ICID10 temporary local
problem - please try later (in reply to RCPT TO command))
Quote end
Master.cf:
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - y - - smtpd
-o smtpd_proxy_filter=localhost:10024
-o content_filter=
submission inet n - y - - smtpd
-o smtpd_etrn_restrictions=reject
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
pickup unix n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
amavisd-new[127.0.0.1]:10024 unix - - n - 14 smtp
-o smtp_data_done_timeout=1200s
-o disable_dns_lookups=yes
127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o smtpd_proxy_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
($recipient)
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender
$recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
Output of postconf -n:
address_verify_map = btree:/var/spool/postfix/data/verify
alias_maps = hash:/etc/aliases
biff = no
bounce_queue_lifetime = 12h
bounce_template_file = /etc/postfix/bounce.de-DE.cf
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
default_destination_recipient_limit = 100
defer_transports =
delay_warning_time = 1h
disable_dns_lookups = no
disable_mime_output_conversion = no
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailbox_transport =
mailq_path = /usr/bin/mailq
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
maximal_queue_lifetime = 1d
message_size_limit = 40960000
message_strip_characters = \0
mydestination = $myhostname
myhostname = mta.beispiel.de
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
proxy_read_maps = $virtual_uid_maps $virtual_gid_maps
$local_recipient_maps $mydestination $virtual_alias_maps
$virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains
$relay_recipient_maps $relay_domains $canonical_maps
$sender_canonical_maps $recipient_canonical_maps $relocated_maps
$transport_maps $mynetworks $sender_bcc_maps $recipient_bcc_maps
$smtp_generic_maps $lmtp_generic
queue_directory = /var/spool/postfix
recipient_bcc_maps =
proxy:mysql:/etc/postfix/virtual_mailbox_empfaenger_bcc.mysql
relay_domains = $mydestination
relayhost =
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
smtp_sasl_auth_enable = no
smtp_use_tls = no
smtpd_client_connection_rate_limit = 20
smtpd_client_message_rate_limit = 3
smtpd_client_recipient_rate_limit = 100
smtpd_client_restrictions =
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_recipient_restrictions =
reject_unauthenticated_sender_login_mismatch,reject_non_fqdn_sender,reject_non_fqdn_recipient,
reject_unknown_sender_domain, reject_unknown_recipient_domain,
permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination,
check_client_access hash:/etc/postfix/rbl_override reject_rbl_client
zen.spamhaus.org, check_policy_service inet:127.0.0.1:12525,
check_policy_service inet:127.0.0.1:10023, reject_unverified_recipient
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sender_login_maps =
proxy:mysql:/etc/postfix/virtual_mailbox_empfaenger.mysql
smtpd_sender_restrictions =
smtpd_use_tls = no
strict_8bitmime = no
strict_rfc821_envelopes = no
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 577
virtual_alias_maps =
proxy:mysql:/etc/postfix/virtual_mailbox_empfaenger_aliases.mysql
virtual_gid_maps = proxy:mysql:/etc/postfix/virtual_gid_maps.mysql
virtual_mailbox_base = /
virtual_mailbox_domains =
proxy:mysql:/etc/postfix/virtual_mailbox_domains.mysql
virtual_mailbox_limit = 1024000000
virtual_mailbox_maps =
proxy:mysql:/etc/postfix/virtual_mailbox_empfaenger.mysql
virtual_uid_maps = proxy:mysql:/etc/postfix/virtual_users.mysql
End of output.
Since one can run into such cases again and again, the question is how
to prevent this. At least to limit the volume, I have now drawn a few
additional limits:
default_destination_recipient_limit = 100
smtpd_client_connection_rate_limit = 20
smtpd_client_message_rate_limit = 3
smtpd_client_recipient_rate_limit = 100
Otherwise hundreds of spam mails rush out before one notices such a
case?
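Postfix's anvil rate limits, including the smtpd_client_message_rate_limit set above, count per client IP address, so one stolen login spread over several addresses stays under them; this added script (not from the thread) instead keys the count on the sasl_username in the postfix/smtpd lines shown in the logfile above and flags a login that exceeds a threshold inside a sliding window. The sample log lines, the log year and the thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the shape of the thread's postfix/smtpd lines (the list
# archive prints "at" for "@"; real logs use "@"). The log year is assumed.
SAMPLE_LOG = """\
Dec  1 14:17:40 mta.beispiel postfix/smtpd[9717]: NOQUEUE: client=unknown[10.20.30.40], sasl_method=LOGIN, sasl_username=stolen@account.toplevel
Dec  1 14:17:41 mta.beispiel postfix/smtpd[9717]: NOQUEUE: client=unknown[10.20.30.40], sasl_method=LOGIN, sasl_username=stolen@account.toplevel
Dec  1 14:17:45 mta.beispiel postfix/smtpd[9720]: NOQUEUE: client=unknown[10.20.30.41], sasl_method=LOGIN, sasl_username=stolen@account.toplevel
Dec  1 14:18:02 mta.beispiel postfix/smtpd[9721]: NOQUEUE: client=unknown[10.20.30.42], sasl_method=LOGIN, sasl_username=stolen@account.toplevel
Dec  1 14:20:00 mta.beispiel postfix/smtpd[9731]: NOQUEUE: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice@account.toplevel
Dec  1 14:25:00 mta.beispiel postfix/smtpd[9730]: NOQUEUE: client=unknown[10.20.30.40], sasl_method=LOGIN, sasl_username=stolen@account.toplevel
"""

# smtpd logs one such line per message transaction; it carries sasl_username
# only when the client authenticated, so unauthenticated lines do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"(?:NOQUEUE|[0-9A-F]+): client=[^\[]+\[(?P<ip>[^\]]+)\], "
    r"sasl_method=\S+, sasl_username=(?P<user>\S+)$"
)


def find_bursts(log_text, max_msgs=3, window_s=60, year=2014):
    """Return {sasl_username: (count, window_start, client_ips)} for every
    login that sent more than max_msgs messages inside any window_s seconds.
    Keyed on the SASL login, so messages from several client IPs add up."""
    recent = defaultdict(deque)   # user -> timestamps inside the sliding window
    seen_ips = defaultdict(set)   # user -> client addresses authenticated from
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # unauthenticated or unrelated line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        user, q = m["user"], recent[m["user"]]
        seen_ips[user].add(m["ip"])
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()             # drop timestamps that fell out of the window
        if len(q) > max_msgs and user not in flagged:
            flagged[user] = (len(q), q[0].isoformat(sep=" "), sorted(seen_ips[user]))
    return flagged


if __name__ == "__main__":
    for user, (n, start, ips) in find_bursts(SAMPLE_LOG).items():
        print(f"{user}: {n} messages within 60 s from {start}, clients {ips}")
```

In the sample, no single client address exceeds three messages per minute, so the per-IP limit from the post would not trigger, while the per-login count does.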
More information about the Postfixbuch-users mailing list