
I have an Ubuntu 20.04.5 LTS server with multiple WordPress websites running on Nginx. I installed Postfix and configured it to stop relaying emails. I have an antivirus, freshclam, running.

Someone or something is sending emails from my server using my Gmail account. How do I even start investigating?

This is my /etc/postfix/main.cf:

compatibility_level = 2

myhostname = Ubuntu-T.members.linode.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination =  $myhostname, localhost.localdomain, localhost
relayhost = [smtp.gmail.com]:587
mynetworks = !147.78.103.107, 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols =  ipv4

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtp_tls_CApath=/etc/ssl/certs
smtpd_client_restrictions = permit_mynetworks, reject
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_recipient_restrictions = reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_non_fqdn_recipient,>

# Enable SASL authentication
smtp_sasl_auth_enable = yes
# Disallow methods that allow anonymous authentication
smtp_sasl_security_options = noanonymous
# Location of sasl_passwd
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
# Enable STARTTLS encryption
smtp_tls_security_level = encrypt
# Location of CA certificates
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# DKIM
# -----------------------
milter_protocol = 6
milter_default_action = accept
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

This is a sample from my mail.log showing the spam being sent:

May 30 06:16:47 Ubuntu-T postfix/pickup[35351]: 87478220358: uid=33 from=<www-data>
May 30 06:16:47 Ubuntu-T postfix/cleanup[37404]: warning: connect to Milter service inet:localhost:8891: Connection refused
May 30 06:16:47 Ubuntu-Teeglobal postfix/cleanup[37404]: 87478220358: message-id=<1tTTSXm6L4yYiorX5Evh7r7kQaS4vbiL22d3bXKeYo@david.xyz>
May 30 06:16:47 Ubuntu-Teeglobal postfix/qmgr[982]: 87478220358: from=<www-data@Ubuntu-T.members.linode.com>, size=1272, nrcpt=1 (queue active)
May 30 06:16:49 Ubuntu-Teeglobal postfix/smtp[37406]: 87478220358: to=<webredoxltd@gmail.com>, relay=smtp.gmail.com[142.251.161.108]:587, delay=1.6, delays=0.03/0.02/0.47/1.1, dsn=2.0.0, status=sent (250 2.0.0 OK  1685441809 s13-20020a056638218d00b0041ab38c1a4esm629321jaj.60 - gsmtp)
Henri

  • The `from=www-data` indicates that you have malware running in the webserver scope. – Gerald Schneider May 30 '23 at 11:55
  • Note that you are probably not long from having your ISP account suspended. – Paul May 30 '23 at 12:39
  • @Gerald Schneider How can I find the malware? I can't believe that people need to rebuild their server from scratch. It's a lot of work. – Henri May 30 '23 at 19:58
  • I ran a maldet scan and found multiple pieces of malware, which I removed. I also further restricted access to my server and brought all software up to date. It has been 2 days and everything is calm. No more spam. Fingers crossed. However, I backed up my server just in case and scanned everything again. – Henri Jun 01 '23 at 01:16
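The comment about `from=www-data` points at the key detail in the log: the message entered Postfix through `pickup` with `uid=33`, which means a local process running as the web server user submitted it via the sendmail(1) interface, not an SMTP client. The script below is an added example (not from the question or its comments) that pulls exactly those messages out of a mail.log, joins them to their recipients and delivery status, and counts them so the scale of the problem can be judged; the sample log lines, hostnames, queue ids and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample mail.log lines modelled on the entries in the question;
# hostnames, queue ids and addresses are made up.
SAMPLE_LOG = """\
May 30 06:16:47 host postfix/pickup[35351]: 87478220358: uid=33 from=<www-data>
May 30 06:16:49 host postfix/smtp[37406]: 87478220358: to=<victim1@example.invalid>, relay=smtp.gmail.com[192.0.2.10]:587, dsn=2.0.0, status=sent (250 2.0.0 OK)
May 30 06:17:02 host postfix/pickup[35351]: 5D1C0A2B9E7: uid=0 from=<root>
May 30 06:17:03 host postfix/smtp[37406]: 5D1C0A2B9E7: to=<admin@example.invalid>, relay=smtp.gmail.com[192.0.2.10]:587, dsn=2.0.0, status=sent (250 2.0.0 OK)
May 30 06:17:30 host postfix/pickup[35351]: C3F0A1B2D4E: uid=33 from=<www-data>
May 30 06:17:31 host postfix/smtp[37406]: C3F0A1B2D4E: to=<victim2@example.invalid>, relay=smtp.gmail.com[192.0.2.10]:587, dsn=2.0.0, status=sent (250 2.0.0 OK)
May 30 06:17:31 host postfix/smtp[37406]: C3F0A1B2D4E: to=<victim3@example.invalid>, relay=smtp.gmail.com[192.0.2.10]:587, dsn=5.1.1, status=bounced (550 no such user)
"""

PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
SMTP_RE = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>.*status=(?P<status>\w+)")
WEB_UID = 33  # www-data on Debian/Ubuntu; confirm against /etc/passwd on the host

def find_web_injected_mail(log_text, web_uid=WEB_UID):
    """Map queue id -> sender and [(recipient, status)] for mail that postfix/pickup
    accepted from a local process running as web_uid. pickup only sees mail
    submitted through the local sendmail(1) interface, so these entries point at
    code running as the web server user (e.g. PHP mail()), not at an SMTP client."""
    pickups = {}
    deliveries = defaultdict(list)
    for line in log_text.splitlines():
        m = PICKUP_RE.search(line)
        if m:
            pickups[m["qid"]] = (int(m["uid"]), m["sender"])
            continue
        m = SMTP_RE.search(line)
        if m:
            deliveries[m["qid"]].append((m["rcpt"], m["status"]))
    return {qid: {"sender": sender, "recipients": deliveries.get(qid, [])}
            for qid, (uid, sender) in pickups.items() if uid == web_uid}

def summarize(report):
    """Message/recipient/delivered counts to gauge the scale of the abuse."""
    rcpts = [r for entry in report.values() for r in entry["recipients"]]
    return {"messages": len(report), "recipients": len(rcpts),
            "sent": sum(1 for _, status in rcpts if status == "sent")}

if __name__ == "__main__":
    report = find_web_injected_mail(SAMPLE_LOG)
    for qid, entry in report.items():
        print(qid, entry["sender"], entry["recipients"])
    print(summarize(report))
```

On a real host, feed it the contents of /var/log/mail.log (and the rotated copies) instead of SAMPLE_LOG; the pickup timestamps of the flagged messages are what to line up against the Nginx access logs and the PHP-FPM logs to find the request that triggered each send.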

0 Answers