-3

My Postfix is set up with virtual domains. This allows people to send an email to *@mydomain.com and it'll be forwarded to my Gmail account. Basically the end goal is to simply allow people to email anything@mydomain.com and have it forwarded on to me; it saves me from having separate mailboxes.

This has worked fine for the few days it's been set up, until I woke up this morning to several thousand Chinese spam emails sent from my Postfix. They use aliases such as cff@mydomain.com, efff@mydomain.com, brez@mydomain.com to SEND mail externally to completely unrelated email addresses. To clarify, this is third-party spam email abuse using my server.

I immediately freaked out and went to find what the problem is. There are no new users in /etc/passwd, and in /etc/shadow only mine, the FTP user, and root (with SSH disabled) are able to log in. So it seems it must be a Postfix config error.

I seem to have fixed it by adding

smtpd_client_restrictions = permit_mynetworks, reject
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated 

# Block clients that speak too early.
smtpd_data_restrictions = reject_unauth_pipelining

# Enforce mail volume quota via policy service callouts.
smtpd_end_of_data_restrictions = check_policy_service unix:private/policy

to my main.cf. The mail.log is still filling up with all these attempts but the mail no longer gets sent out. An example

Aug  9 09:35:12 myusername postfix/smtpd[32085]: NOQUEUE: reject: RCPT from unknown[183.147.82.118]: 554 5.7.1 <unknown[183.147.82.118]>: Client host rejected: Access denied; from=<eff@mydomain$
Aug  9 09:35:14 myusername postfix/smtpd[32085]: lost connection after DATA from unknown[183.147.82.118]
Aug  9 09:35:14 myusername postfix/smtpd[32085]: disconnect from unknown[183.147.82.118]

The problem now is that it blocks legitimate emails when I try to send anything to any of my domains.

554 5.7.1 <mail-ob0-f172.google.com[209.85.214.172]>: Client host rejected: Access denied

What can I do to

A) Allow any emails sent to my virtual domains (anything, i.e. hello@mydomain.com) to be forwarded on to my Gmail account, but not allow spammers to somehow use my server to SEND spam mail onwards.

And optionally B) Stop all these attempts from being possible in the first place and cluttering up my mail.log

Here is my main.cf

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mydomain1.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
virtual_alias_domains = mydomain1.com, mydomain2.me
virtual_alias_maps = hash:/etc/postfix/virtual
myorigin = /etc/mailname
#mydestination = localhost.241.214.119, localhost
mydestination = $myhostname,localhost.$mydomain, localhost, $mydomain
#relayhost = mail.mydomain1.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_protocols = ipv4
milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301
smtp_generic_maps = hash:/etc/postfix/generic
smtpd_client_restrictions = permit_mynetworks, reject
# Spam control: exclude local clients and authenticated clients
# from DNSBL lookups.
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated

# Block clients that speak too early.
smtpd_data_restrictions = reject_unauth_pipelining

# Enforce mail volume quota via policy service callouts.
smtpd_end_of_data_restrictions = check_policy_service unix:private/policy

and my master.cf

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
#submission inet n       -       -       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    unix  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -   n   n   -   2   pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

Any insight is appreciated!

jblz
  • 215
  • 1
  • 3
  • 11
  • It is unclear from your question what you are trying to achieve. Please clarify what exactly you want to prevent. Do you want to limit who can even contact your mail server? If so, to whom? Do you want to limit which kind of messages can be delivered to it? If so, based on which criteria? Generally speaking, running a mail server is not for the weak of heart. – Tilman Schmidt Aug 09 '15 at 14:42
  • I do apologise if it was unclear. I've updated the post. I just want to be able to have someone email anything@mydomain.com and it to be forwarded to my gmail - which did work perfectly, but somehow someone was sending thousands of spam emails, externally using my server. When I added the new smtp rules this stopped the spam, but also broke my forwarding system. – jblz Aug 09 '15 at 14:50
  • Please clarify "spam mails". Are you saying your server was abused to send mail to a third party? Are you talking about unwanted messages forwarded to your gmail account? Or are you referring to the blocked delivery attempts logged by your server? These three cases are fundamentally different from each other. – Tilman Schmidt Aug 09 '15 at 14:54
  • The first option! Thousands of emails were sent to unique email addresses using variations of aliases on my domain, i.e. cff@mydomain.com sent 500 emails to unique hotmail/yahoo etc. mail addresses. – jblz Aug 09 '15 at 15:00
  • Can you post the snippet of the maillog entry from when the spammer abused your server? Sometimes it's easier to look into the maillog to identify the source of the spam problem. – masegaloeh Aug 10 '15 at 01:29
  • In addition to the log excerpt showing how your mail server sent one of these spam mails, please post the content of your /etc/postfix/virtual file. – Tilman Schmidt Aug 10 '15 at 11:04
  • I also wonder why you'd use defer_unauth_destination instead of reject_unauth_destination. The latter should be preferred in almost all circumstances. – Tilman Schmidt Aug 10 '15 at 16:21
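The commenters ask for the mail.log entries from the time the server was being abused. The script below is an added example, not code from the original post: it correlates the smtpd "client=", qmgr "from=" and smtp "to= ... status=sent" records in a Postfix mail.log by queue ID and reports messages that an outside client injected and that then left for a domain the server does not host, which is the log evidence of relaying. Mail that arrived for one of the virtual alias domains and was forwarded on carries orig_to=<...> on its delivery line, which is how forwarding to Gmail is told apart from relaying. It assumes mynetworks is loopback only, as in the question's main.cf, so any client that is not 127.x or ::1 counts as outside. The log lines, queue IDs and the hotmail/gmail MX addresses are constructed for the example; only the two client addresses are taken from the question.

```shell
#!/bin/sh
# Added example, not code from the original post. Correlates Postfix log records by
# queue ID and prints messages that an outside client relayed through the server.
# Assumes mynetworks is loopback only (as in the question's main.cf).

# Constructed sample log in Debian/Ubuntu syslog format; queue IDs, the MX addresses
# and the message details are made up for this example.
SAMPLE_LOG='Aug  9 03:12:01 mx postfix/smtpd[1234]: 4A1B2C3D4E: client=unknown[183.147.82.118]
Aug  9 03:12:01 mx postfix/qmgr[1000]: 4A1B2C3D4E: from=<cff@mydomain1.com>, size=2311, nrcpt=1 (queue active)
Aug  9 03:12:02 mx postfix/smtp[1236]: 4A1B2C3D4E: to=<victim@hotmail.com>, relay=mx1.hotmail.com[65.55.37.72]:25, delay=1.1, delays=0.1/0/0.4/0.6, dsn=2.0.0, status=sent (250 ok)
Aug  9 03:13:10 mx postfix/smtpd[1240]: 5B2C3D4E5F: client=mail-ob0-f172.google.com[209.85.214.172]
Aug  9 03:13:10 mx postfix/qmgr[1000]: 5B2C3D4E5F: from=<friend@gmail.com>, size=1800, nrcpt=1 (queue active)
Aug  9 03:13:11 mx postfix/smtp[1241]: 5B2C3D4E5F: to=<me@gmail.com>, orig_to=<hello@mydomain1.com>, relay=gmail-smtp-in.l.google.com[74.125.142.27]:25, delay=0.9, delays=0.1/0/0.3/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK)
Aug  9 03:14:00 mx postfix/pickup[900]: 6C3D4E5F60: uid=1000 from=<me>
Aug  9 03:14:00 mx postfix/qmgr[1000]: 6C3D4E5F60: from=<me@mydomain1.com>, size=900, nrcpt=1 (queue active)
Aug  9 03:14:01 mx postfix/smtp[1251]: 6C3D4E5F60: to=<me@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.142.27]:25, delay=0.8, delays=0.1/0/0.3/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK)
Aug  9 09:35:12 mx postfix/smtpd[1260]: NOQUEUE: reject: RCPT from unknown[183.147.82.118]: 554 5.7.1 <unknown[183.147.82.118]>: Client host rejected: Access denied; from=<eff@mydomain1.com> to=<x@yahoo.com> proto=ESMTP helo=<mail>
Aug  9 09:35:20 mx postfix/smtpd[1260]: NOQUEUE: reject: RCPT from unknown[183.147.82.118]: 554 5.7.1 <unknown[183.147.82.118]>: Client host rejected: Access denied; from=<brez@mydomain1.com> to=<y@hotmail.com> proto=ESMTP helo=<mail>'

# find_relayed_mail "dom1,dom2" < mail.log: prints one RELAYED line per relayed message.
find_relayed_mail() {
    awk -v doms="$1" '
    BEGIN { n = split(doms, d, ","); for (i = 1; i <= n; i++) local[tolower(d[i])] = 1 }
    function domain(addr) { sub(/.*@/, "", addr); return tolower(addr) }
    function loopback(c)  { return c ~ /\[127\.[0-9.]+\]$/ || c ~ /\[::1\]$/ }
    # smtpd: "QUEUEID: client=host[ip]"
    $5 ~ /^postfix\/smtpd\[/ && $7 ~ /^client=/ {
        qid = $6; sub(/:$/, "", qid); c = $7; sub(/^client=/, "", c); client[qid] = c; next
    }
    # qmgr: "QUEUEID: from=<sender>, size=..."
    $5 ~ /^postfix\/qmgr\[/ && $7 ~ /^from=</ {
        qid = $6; sub(/:$/, "", qid); s = $7; gsub(/^from=<|>,$/, "", s); sender[qid] = s; next
    }
    # smtp: "QUEUEID: to=<rcpt>, [orig_to=<alias>,] relay=..., status=sent"
    $5 ~ /^postfix\/smtp\[/ && $7 ~ /^to=</ && /status=sent/ {
        qid = $6; sub(/:$/, "", qid)
        if (!(qid in client)) next              # submitted locally via pickup(8), not smtpd
        if (loopback(client[qid])) next         # client inside mynetworks
        to = $7; gsub(/^to=<|>,$/, "", to)
        orig = ""
        if (match($0, /orig_to=<[^>]*>/)) orig = domain(substr($0, RSTART + 9, RLENGTH - 10))
        if (orig in local || domain(to) in local) next   # addressed to one of our domains
        printf "RELAYED %s client=%s from=<%s> to=<%s>\n", qid, client[qid], sender[qid], to
    }'
}

# rejected_clients < mail.log: "Client host rejected" attempts per client, most first;
# this is the list to hand to a firewall rule or fail2ban for part B of the question.
rejected_clients() {
    awk '/NOQUEUE: reject: RCPT from / { sub(/.*RCPT from /, ""); sub(/:.*/, ""); print }' |
        sort | uniq -c | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | find_relayed_mail "mydomain1.com,mydomain2.me"
printf '%s\n' "$SAMPLE_LOG" | rejected_clients
```

Run against the real file with `find_relayed_mail "mydomain1.com,mydomain2.me" < /var/log/mail.log`. The sample yields one RELAYED line for queue ID 4A1B2C3D4E (outside client, no orig_to, destination hotmail.com); the Google delivery is skipped because orig_to is in a virtual alias domain, and the pickup(8) submission is skipped because it never passed through smtpd.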

1 Answer

-1

Sounds like you were basically running an open relay and after a while, some spam bot found it and started launching emails through it.

There's a couple of Postfix settings to close your server down. One is the permitted networks option. I usually only permit local 'known' networks and then add any other network ranges that I need to the local list.

The other is to require authentication for mail relay.

It looks like you may have done both of the above now and prevented the spam relay.

Another thing I do with any internet facing mail servers (and this is dependent on what security appliances you have available to you) is run a dynamically updating firewall rule that takes addresses from publicly known block lists such as the spamhaus top 100 and adds them into a block rule on your firewall.

I use pfSense with pfBlockerNG for this and it is extremely effective.

Tom

tomstephens89
  • 1,011
  • 1
  • 12
  • 24