
Within my network I have a Linux server configured with Fetchmail to retrieve mail via POP3 from my mail provider. It is connected via Postfix to an old Windows Server. Clients are connected via Outlook to the Windows Server. So every mail is routed through my Linux machine.
Just today I received a phishing mail from myname@mydomain.com. Please note that this account does not exist, neither at my mail provider nor on my Windows Server. I tried to configure my Linux server so that it only accepts connections from inside my local network, not from the outside. I need help on how to check where the following mail came from:

12:22:57 proxy postfix/smtpd[27263]: 34B562EE023E: client=localhost.localdomain[127.0.0.1]
12:22:57 proxy postfix/cleanup[27265]: 34B562EE023E: message-id=2ef14d1f60925917e184d83810@altesa.lt
12:22:57 proxy postfix/qmgr[2400]: 34B562EE023E: from=myname@mydomain.com, size=3190, nrcpt=1 (queue active)
12:22:57 proxy postfix/smtp[27267]: 34B562EE023E: to=someone@mydomain.com, relay=192.168.1.9[192.168.1.9]:25, delay=0.14, delays=0.09/0/0/0.06, dsn=2.6.0, status=sent (250 2.6.0 2ef14d1f60925917e184d83810ea2d25@altesa.lt Queued mail for delivery)
12:22:57 proxy postfix/qmgr[2400]: 34B562EE023E: removed

where 192.168.1.9 is my Windows Server machine. Do you have any idea what to look for? I tried different online services to check if my server is an open relay, but they all time out.
Thank you.

caiuspb

1 Answer


I'm not an expert on mail daemons, but I think the person sending the mail was doing so from the actual mail server (client= should be the IP of the person connecting to the mail daemon). It could have been sent by a logged-in user or a PHP script on the Postfix server that uses the mail() function, or something along those lines.

By default postfix and most mail daemons are setup to accept mail from localhost with few to no restrictions, so that email from cron and system utilities don't need to authenticate.

Overall I think you might have an unresolved security issue on your mail server. I don't think it's a relayed message; I think the server is saying it relayed it to your Windows machine (otherwise the client should have been 192.168.1.9).

You might want to get the opinion of someone with more email experience, and you might want to check your smtpd_sender_restrictions settings. I found a relevant Server Fault post about preventing email from being sent as a nonexistent user (postfix - allow sending email with related alias).

Some Linux Nerd
  • Thank you for your answer. I think that is usual behavior since Postfix receives its mails via fetchmail, so every single received mail starts with client=localhost. It does not prove that there is no virus on it, but at least it doesn't make it too suspicious. What do you think? – caiuspb Sep 23 '20 at 20:27
  • That would actually explain it then, never mind! You should check the logs on the server fetchmail is retrieving mail from to see if you can dig up more information about that email. Also it wouldn't hurt to see if you can connect to your MX and spoof an email as a nonexistent person at your domain. – Some Linux Nerd Sep 23 '20 at 20:34
  • I managed to connect via Telnet to the Server but after filling in "from" and "to" I received an error message saying that it does not trust my ip address. Looks like it would have worked from a static ip or so? – caiuspb Sep 23 '20 at 20:38
  • You might also want to double check that your MX is setup to use DKIM, I'm not 100% sure how it works but it's supposed to prevent exactly that sort of thing. – Some Linux Nerd Sep 23 '20 at 20:38
  • If it doesn't like your IP address then there's probably an IP address that it'd be OK with. It can be restricted on the server, or restricted by SPF records (set for your domain via DNS). Lastly, you usually can't send email that way from your ISP (without using their mail servers), or from AWS without using their email service. It's to keep your everyday internet user from setting up a mail daemon and spamming. – Some Linux Nerd Sep 23 '20 at 20:41
  • Looks like this is an issue with my mail provider, doesn't it? Or do you have any idea on how to block such kind of attacks? – caiuspb Sep 23 '20 at 20:43
  • Well, it certainly wouldn't hurt to prevent email from being sent that doesn't match a known mailbox or alias. I included a link but I think there are simpler solutions. That way someone would have to guess a valid email account to send you mail (which is usually not hard, but it does raise the bar). I would absolutely ask your mail provider to look into it in detail, as well as tell you what the real origin of the message was. See if they can find it in their logs. Also ask if they have DMARC, DKIM, and (optionally) SPF setup for your domain. – Some Linux Nerd Sep 23 '20 at 20:47
  • I think overall you need more information. – Some Linux Nerd Sep 23 '20 at 20:48