2

Greetings,

Google says that I'm originating too many emails from my IP. Since I NEVER use this SMTP server to originate emails, I suspect my postfix is somewhat misconfigured, so that I have an open relay.

Google log entry:
Oct  8 06:29:29 domU-12-31-39-00-C1-66 postfix/smtp[15217]: 79B661A0CC: to=<hashimptil@gmail.com>, relay=alt1.gmail-smtp-in.l.google.com[209.85.219.30]:25, delay=423271, delays=423209/0.03/31/31, dsn=4.7.0, status=deferred (host alt1.gmail-smtp-in.l.google.com[209.85.219.30] said: 421-4.7.0 [174.129.96.42] Our system has detected an unusual amount of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 blocked. Please visit http://www.google.com/mail/help/bulk_mail.html 421 4.7.0 to review our Bulk Email Senders Guidelines. 6si2037492ewy.56 (in reply to end of DATA command))

Is it possible to configure postfix in order to not allow originating emails from it? If positive, how? Otherwise, how can I fix my postfix configuration about the open relay issue?

postconf -o output:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
header_checks = regexp:/etc/postfix/header_checks
home_mailbox = Maildir/
inet_interfaces = all
mailbox_command = 
mailbox_size_limit = 0
mydestination = fairlogic.com, legitima.com, bastos.org, sidon.com, localhost
myhostname = fairlogic.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost = 
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_restrictions = reject_unauth_destination,permit_sasl_authenticated,permit_mynetworks
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = 
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
jbastos
  • 265
  • 1
  • 3
  • 9

7 Answers

3

I found it!

After googling a little, I figured out the problem:

1) cat /var/log/mail.log | grep 'smtp\[' | tail

Oct  8 11:47:00 domU-12-31-39-00-C1-66 postfix/smtp[24599]: 4C9521A0A4: to=<surinder.k.mehta@gmail.com>, relay=alt1.gmail-smtp-in.l.google.com[74.125.79.27]:25, delay=23543, delays=23481/0.01/31/31, dsn=4.7.0, status=deferred (host alt1.gmail-smtp-in.l.google.com[74.125.79.27] said: 421-4.7.0 [174.129.96.42] Our system has detected an unusual amount of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 blocked. Please visit http://www.google.com/mail/help/bulk_mail.html 421 4.7.0 to review our Bulk Email Senders Guidelines. 5si273044eyh.4 (in reply to end of DATA command))

Based on the message ID (4C9521A0A4 in this case), I can retrieve the message body:

find /var/spool/postfix/defer* -name 4C9521A0A4
/var/spool/postfix/defer/4/4C9521A0A4
/var/spool/postfix/deferred/4/4C9521A0A4

Based on its contents, I figured out that someone was spamming me, and postfix tried to reply to the sender (saying "undelivered mail returned to sender"). So it is neither an exploit nor a postfix misconfiguration. Now I shall disable this postfix notification, and my problem is gone.

jbastos
  • 265
  • 1
  • 3
  • 9
  • 4
    The term for this is "backscatter." It may not be an exploit but it's definitely a problem. The Postfix site has a HOWTO on dealing with it at http://www.postfix.org/BACKSCATTER_README.html. – Gerald Combs Oct 08 '09 at 15:24
  • I wish that was MY problem! Following an upgrade, my long OK system became a genuine open relay! – Richard T Feb 10 '23 at 23:10
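The manual steps in the accepted answer (grep the mail log for deferred deliveries, then find the queue file by its queue ID) scripted as an added example; this is not code from the original post or from Postfix. The log lines, addresses, host names and spool layout below are constructed for the demo, and a temporary directory stands in for /var/log/mail.log and /var/spool/postfix.

```shell
#!/bin/sh
# Added example (not from the original post): script the accepted answer's
# manual steps. deferred_470 pulls "QUEUEID recipient" for every postfix/smtp
# delivery that was deferred with dsn=4.7.0 (the Gmail reputation block), and
# queue_files locates that queue ID under the defer/ and deferred/ spool dirs.
# Log lines, addresses, host names and the spool layout are constructed here;
# on a real box point the functions at /var/log/mail.log and /var/spool/postfix.

# Print "QUEUEID recipient" for each postfix/smtp line deferred with dsn=4.7.0.
deferred_470() {
    sed -n 's/^.*postfix\/smtp\[[0-9]*]: \([0-9A-F]*\): to=<\([^>]*\)>,.*dsn=4\.7\.0, status=deferred.*$/\1 \2/p' "$1"
}

# List the queue files for queue ID $2 under spool root $1. Postfix stores
# them in a subdirectory named after the first character of the ID, so
# searching both defer/ and deferred/ finds the status file and the message.
queue_files() {
    find "$1/defer" "$1/deferred" -name "$2" 2>/dev/null
}

# --- constructed sample data (stand-ins for mail.log and /var/spool/postfix) ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/mail.log" <<'EOF'
Oct  8 11:47:00 host postfix/smtp[24599]: 4C9521A0A4: to=<victim@example.com>, relay=alt1.gmail-smtp-in.l.google.com[74.125.79.27]:25, delay=23543, delays=23481/0.01/31/31, dsn=4.7.0, status=deferred (host alt1.gmail-smtp-in.l.google.com[74.125.79.27] said: 421-4.7.0 [192.0.2.1] Our system has detected an unusual amount of 421-4.7.0 unsolicited mail originating from your IP address. (in reply to end of DATA command))
Oct  8 11:47:05 host postfix/smtp[24600]: 7A1B2C3D4E: to=<ok@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=0.5, delays=0.1/0.01/0.2/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
Oct  8 11:47:09 host postfix/smtp[24601]: 9F8E7D6C5B: to=<other@example.com>, relay=alt2.gmail-smtp-in.l.google.com[74.125.79.28]:25, delay=1200, delays=1100/0.02/50/50, dsn=4.7.0, status=deferred (host alt2.gmail-smtp-in.l.google.com[74.125.79.28] said: 421-4.7.0 [192.0.2.1] mail sent from your IP address has been temporarily blocked. (in reply to end of DATA command))
EOF

# Lay out queue files the way Postfix hashes them: defer/4/4C9521A0A4 etc.
for id in 4C9521A0A4 9F8E7D6C5B; do
    sub=$(printf '%s' "$id" | cut -c1)
    mkdir -p "$tmp/spool/defer/$sub" "$tmp/spool/deferred/$sub"
    : > "$tmp/spool/defer/$sub/$id"
    : > "$tmp/spool/deferred/$sub/$id"
done

# Walk the deferrals and show where each message sits in the queue.
deferred_470 "$tmp/mail.log" | while read -r id rcpt; do
    echo "$id -> $rcpt"
    queue_files "$tmp/spool" "$id"
done
```

Once the queue IDs are known, `postcat -q QUEUEID` prints the queued message with its envelope, which is how the answer tells a bounce of someone else's spam (the "backscatter" named in the comment) apart from mail the box actually originated. Run as written, the script prints the two constructed deferrals and their queue file paths and skips the successfully sent message.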
1

Postfix does not seem to have a specific feature like sendmail's promiscuous_relay but if you add 0.0.0.0 to mynetworks, it should allow anyone to relay.

topdog
  • 3,520
  • 17
  • 13
1

Since you have "permit_mynetworks" set and "my_networks" appears set correctly, it looks like postfix is not an open relay. I would look for something else on your system sending email, like a hacked web service.

If the mail was really coming through your postfix, you'd see it in /var/log/mail.log. If it's coming through a web service, look for suspicious entries in /var/log/apache2/access.log. Otherwise you might just be rooted.

Update: You can also use http://www.spamhelp.org/shopenrelay/shopenrelaytest.php or similar to test if you're an open relay.

Paul Tomblin
  • 5,225
  • 1
  • 28
  • 39
1

You could block outgoing requests to port 25 until you've tracked it down, e.g. on Linux with iptables:

iptables -A OUTPUT -p tcp --dport 25 -j REJECT

jamespo
  • 1,698
  • 12
  • 12
0

You don't need an open relay (wikipedia link); you should configure mydestination and smtpd_recipient_restrictions.

You can find several config samples on howtoforge.

lg.
  • 4,649
  • 3
  • 21
  • 20
  • I know very well what an open relay is, I WANT it and I know why. This is not an answer. – tapioco123 Jul 29 '10 at 09:46
  • Are you wanting a remote user to be able to "bounce" mail through your server, or do you want your server to accept and locally deliver mail with any @destination? You might take a look at this: http://serverfault.com/questions/164105/how-to-catchall-email-to-a-single-user-mailbox-in-postfix/164115#164115 to see if it's what you're wanting. – Greeblesnort Aug 13 '10 at 13:32
0

If you want an open relay, try leaving the smtpd_recipient_restrictions and smtpd_client_restrictions variables blank. You can test here if your server is an open relay.

lg.
  • 4,649
  • 3
  • 21
  • 20
0

If you're using NAT, any box behind your IP could be infected and sending spam.

blank3
  • 2,237
  • 1
  • 16
  • 14