[opensuse] How to figure how my server is able to be used to send malicious emails?
All,

I have a VM on the internet that for the last day or so is sending out 10's of thousands of malicious emails.

openSUSE 42.2
Fully updated with security patches. I know I need to update to 42.3, but at least for now it is still getting security patches.

I assume the bad guys are somehow using it as a relay site, but I'm not sure. The server has a GUI on it I think, but I rarely, if ever, use it. Almost all admin is via ssh.

Troubleshooting advice appreciated.

First, all the malicious emails have "Banco" in the content of the email, so I'm cleaning up all the deferred emails that are now accumulating via:

    cd /var/spool/postfix/deferred
    grep -l Banco */* | sed -r 's/^.{2}//' | postsuper -d -

I've deleted about 100,000 emails total by running the above a few times over the last day.

But additional emails show up within several hours. (I'm not checking every hour or more.)

The contents of /etc/postfix/relay are:

    # for relaying domain
    # domain.de OK
    IAC-Forensics.com OK

So, I think I only relay emails for that domain, but the malicious emails are not to or from that domain.

FYI: The server has been RBL Blacklisted. It's a minor issue that I assume will clear up in a day or two. In the meantime, I can ignore the problem. This server originates very little email.

Thanks
Greg
--
Greg Freemyer
Advances are made by answering questions. Discoveries are made by questioning answers. — Bernard Haisch
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 01/07/2018 03:48 PM, Greg Freemyer wrote:
> In the meantime, I can ignore the problem. This server originates very little email.

You need to google up how not to be an open relay. There are a few simple but critical steps you can take that will prevent relaying mail.

Your ISP may well be contacting you, so I would not ignore this problem.

--
After all is said and done, more is said than done.
On Sun, Jan 7, 2018 at 9:16 PM, John Andersen <jsamyth@gmail.com> wrote:
> On 01/07/2018 03:48 PM, Greg Freemyer wrote:
>> In the meantime, I can ignore the problem. This server originates very little email.
>
> You need to google up how not to be an open relay. There are a few simple but critical steps you can take that will prevent relaying mail.

As far as I know, I'm not an open relay. This server has been in place for 5 years. This is the first occurrence I'm aware of with it being used to send out large amounts of malicious email.

> Your ISP may well be contacting you, so I would not ignore this problem.

I'm only ignoring me being blacklisted. I want to figure out the malicious email issue.

Greg
On 08/01/2018 at 17:38, Greg Freemyer wrote:
> I'm only ignoring me being blacklisted. I want to figure out the malicious email issue.

Nobody local could touch it? Or could an internal computer be compromised?

jdd
--
http://dodin.org
On Mon, Jan 8, 2018 at 12:51 PM, jdd@dodin.org <jdd@dodin.org> wrote:
> On 08/01/2018 at 17:38, Greg Freemyer wrote:
>> I'm only ignoring me being blacklisted. I want to figure out the malicious email issue.
>
> Nobody local could touch it? Or could an internal computer be compromised?
>
> jdd

It's a rented VM in a data center a day's drive from my office. But I think a compromised website is looking more and more like the culprit.

Greg
On 2018-01-08 00:48, Greg Freemyer wrote:
> All,
>
> I have a VM on the internet that for the last day or so is sending out 10's of thousands of malicious emails.

Oh my :-(

> openSUSE 42.2
> Fully updated with security patches. I know I need to update to 42.3, but at least for now it is still getting security patches.
>
> I assume the bad guys are somehow using it as a relay site, but I'm not sure. The server has a GUI on it I think, but I rarely, if ever, use it. Almost all admin is via ssh.
>
> Troubleshooting advice appreciated.
>
> First, all the malicious emails have "Banco" in the content of the email, so I'm cleaning up all the deferred emails that are now accumulating via:
>
>     cd /var/spool/postfix/deferred
>     grep -l Banco */* | sed -r 's/^.{2}//' | postsuper -d -
>
> I've deleted about 100,000 emails total by running the above a few times over the last day.

Goodness! :-/

> But additional emails show up within several hours. (I'm not checking every hour or more.)
>
> The contents of /etc/postfix/relay are:
>
>     # for relaying domain
>     # domain.de OK
>     IAC-Forensics.com OK

That means, I think, that you accept email from them, to relay them to the outside. Could they fake it? Maybe you need smtp auth.

http://www.postfix.org/SMTPD_ACCESS_README.html

I do not find an authoritative doc for that file. I'm googling for:

    "postfix/relay" site:www.postfix.org

but I think you need to set up the "relay_ccerts" file. It says:

    # See /usr/share/doc/packages/postfix/samples/sample-tls.cf
    # for more details

But I can't find that file either. I have a copy of it dated 2006!

You could look at greylisting.

> So, I think I only relay emails for that domain, but the malicious emails are not to or from that domain.

Hum.

> FYI: The server has been RBL Blacklisted. It's a minor issue that I assume will clear up in a day or two. In the meantime, I can ignore the problem. This server originates very little email.

Well, I would start by looking at some of the mail headers for clues, and at the mail log, to try to find out how they are entering, and where from, and perhaps guess what loophole they use.

Then I would look in detail at the entire /etc/postfix/ config files.

Feel free to email that info to me off list if you wish. I can not guarantee success, but I can try.

--
Cheers / Saludos,
Carlos E. R.
(from 42.2 x86_64 "Malachite" at Telcontar)
On Sun, Jan 7, 2018 at 9:33 PM, Carlos E. R. <robin.listas@telefonica.net> wrote:
> On 2018-01-08 00:48, Greg Freemyer wrote:
>> All,
>>
>> I have a VM on the internet that for the last day or so is sending out 10's of thousands of malicious emails.
>
> Oh my :-(
>
>> openSUSE 42.2
>> Fully updated with security patches. I know I need to update to 42.3, but at least for now it is still getting security patches.
>>
>> I assume the bad guys are somehow using it as a relay site, but I'm not sure. The server has a GUI on it I think, but I rarely, if ever, use it. Almost all admin is via ssh.
>>
>> Troubleshooting advice appreciated.
>>
>> First, all the malicious emails have "Banco" in the content of the email, so I'm cleaning up all the deferred emails that are now accumulating via:
>>
>>     cd /var/spool/postfix/deferred
>>     grep -l Banco */* | sed -r 's/^.{2}//' | postsuper -d -
>>
>> I've deleted about 100,000 emails total by running the above a few times over the last day.
>
> Goodness! :-/

No massive emails sent in the last 12 hours.

>> But additional emails show up within several hours. (I'm not checking every hour or more.)
>>
>> The contents of /etc/postfix/relay are:
>>
>>     # for relaying domain
>>     # domain.de OK
>>     IAC-Forensics.com OK
>
> That means, I think, that you accept email from them, to relay them to the outside. Could they fake it? Maybe you need smtp auth.

It should show up in the headers, right? I didn't see that. I've deleted all the malicious emails, so I don't have any to look at until more appear.

> http://www.postfix.org/SMTPD_ACCESS_README.html
>
> I do not find an authoritative doc for that file. I'm googling for:
>
>     "postfix/relay" site:www.postfix.org
>
> but I think you need to set up the "relay_ccerts" file. It says:
>
>     # See /usr/share/doc/packages/postfix/samples/sample-tls.cf
>     # for more details
>
> But I can't find that file either. I have a copy of it dated 2006!
>
> You could look at greylisting.
>
>> So, I think I only relay emails for that domain, but the malicious emails are not to or from that domain.
>
> Hum.

Exactly

>> FYI: The server has been RBL Blacklisted. It's a minor issue that I assume will clear up in a day or two. In the meantime, I can ignore the problem. This server originates very little email.
>
> Well, I would start by looking at some of the mail headers for clues, and at the mail log, to try to find out how they are entering, and where from, and perhaps guess what loophole they use.
>
> Then I would look in detail at the entire /etc/postfix/ config files.
>
> Feel free to email that info to me off list if you wish. I can not guarantee success, but I can try.

I sent you a copy of the /etc/postfix directory. More in my reply to Per (soon to be written).

Greg
Greg Freemyer wrote:
> All,
>
> I have a VM on the internet that for the last day or so is sending out 10's of thousands of malicious emails.
>
> openSUSE 42.2
> Fully updated with security patches. I know I need to update to 42.3, but at least for now it is still getting security patches.
>
> I assume the bad guys are somehow using it as a relay site, but I'm not sure. The server has a GUI on it I think, but I rarely, if ever, use it. Almost all admin is via ssh.

Check the mail logs, Greg. /var/log/mail will tell you everything.

> The contents of /etc/postfix/relay are:
>
>     # for relaying domain
>     # domain.de OK
>     IAC-Forensics.com OK

And contents of /etc/postfix/main.cf? Is that file used? What are your smtp recipient restrictions?

> FYI: The server has been RBL Blacklisted. It's a minor issue that I assume will clear up in a day or two. In the meantime, I can ignore the problem. This server originates very little email.

As long as your server continues to send spam, it will likely remain on various blacklists.

--
Per Jessen, Zürich (2.2°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On Mon, Jan 8, 2018 at 1:46 AM, Per Jessen <per@computer.org> wrote:
> Greg Freemyer wrote:
>> All,
>>
>> I have a VM on the internet that for the last day or so is sending out 10's of thousands of malicious emails.
>>
>> openSUSE 42.2
>> Fully updated with security patches. I know I need to update to 42.3, but at least for now it is still getting security patches.
>>
>> I assume the bad guys are somehow using it as a relay site, but I'm not sure. The server has a GUI on it I think, but I rarely, if ever, use it. Almost all admin is via ssh.
>
> Check the mail logs, Greg. /var/log/mail will tell you everything.

Agreed, but they are huge as of the last couple days. I need some hints of what to look for.

The first "large" log file is Jan 5. I'll start with that one and maybe I can see the emails coming into the system.

I note in the last 12 hours my server has sent several emails from "wwwrun" to zobugtel@gmail.com.

Maybe I have a penetration of my webserver? My webserver should be very vanilla and I can turn off PHP support, etc. if it is currently active.

>> The contents of /etc/postfix/relay are:
>>
>>     # for relaying domain
>>     # domain.de OK
>>     IAC-Forensics.com OK
>
> And contents of /etc/postfix/main.cf? Is that file used? What are your smtp recipient restrictions?

I don't think I have any smtp recipient restrictions? I think my main.cf is very vanilla:

    queue_directory = /var/spool/postfix
    command_directory = /usr/sbin
    daemon_directory = /usr/lib/postfix
    data_directory = /var/lib/postfix
    mail_owner = postfix
    mydomain = intelligentavatar.net
    myorigin = $mydomain
    unknown_local_recipient_reject_code = 550
    mynetworks = <redacted>/32
    home_mailbox = Maildir/
    header_checks = regexp:/etc/postfix/header_checks
    body_checks = regexp:/etc/postfix/body_checks
    debug_peer_level = 1
    debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
    sendmail_path = /usr/sbin/sendmail
    newaliases_path = /usr/bin/newaliases
    mailq_path = /usr/bin/mailq
    setgid_group = maildrop
    html_directory = /usr/share/doc/packages/postfix-doc/html
    manpage_directory = /usr/share/man
    sample_directory = /usr/share/doc/packages/postfix-doc/samples
    readme_directory = /usr/share/doc/packages/postfix-doc/README_FILES
    biff = no
    content_filter =
    delay_warning_time = 1h
    disable_dns_lookups = no
    disable_mime_output_conversion = no
    inet_interfaces = all
    inet_protocols = ipv4
    masquerade_classes = envelope_sender, header_sender, header_recipient
    masquerade_domains =
    masquerade_exceptions = root
    mydestination = $myhostname, localhost.$mydomain
    myhostname = <redacted>
    mynetworks_style = subnet
    alias_maps = hash:/etc/aliases
    canonical_maps = hash:/etc/postfix/canonical
    relocated_maps = hash:/etc/postfix/relocated
    sender_canonical_maps = hash:/etc/postfix/sender_canonical
    transport_maps = hash:/etc/postfix/transport
    mail_spool_directory = /var/mail
    message_strip_characters = \0
    defer_transports =
    mailbox_command =
    mailbox_transport =
    mailbox_size_limit = 0
    message_size_limit = 0
    strict_8bitmime = no
    strict_rfc821_envelopes = no
    smtpd_helo_required = no
    smtpd_client_restrictions =
    smtpd_helo_restrictions =
    smtpd_sender_restrictions = hash:/etc/postfix/access
    smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
    smtp_sasl_auth_enable = no
    smtp_sasl_security_options =
    smtp_sasl_password_maps =
    smtpd_sasl_auth_enable = no
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain = $myhontname
    relay_clientcerts =
    smtp_use_tls = no
    smtp_enforce_tls = no
    smtp_tls_CAfile =
    smtp_tls_CApath =
    smtp_tls_cert_file =
    smtp_tls_key_file =
    smtp_tls_session_cache_database =
    smtpd_use_tls = no
    smtpd_tls_CAfile =
    smtpd_tls_CApath =
    smtpd_tls_cert_file =
    smtpd_tls_key_file =
    smtpd_tls_ask_ccert = no
    smtpd_tls_received_header = no
    virtual_alias_domains = hash:/etc/postfix/virtual
    virtual_alias_maps = hash:/etc/postfix/virtual
    virtual_mailbox_domains = intelligentavatar.net iac-forensics.com
    virtual_mailbox_base = /srv/maildirs
    virtual_mailbox_maps = hash:/etc/postfix/vmailbox
    virtual_minimum_uid = 1000
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    virtual_mailbox_limit = 0
    virtual_mailbox_limit_inbox = no
    disable_vrfy_command = yes
    smtpd_delay_reject = yes
    smtpd_banner = $myhostname ESMTP

>> FYI: The server has been RBL Blacklisted. It's a minor issue that I assume will clear up in a day or two. In the meantime, I can ignore the problem. This server originates very little email.
>
> As long as your server continues to send spam, it will likely remain on various blacklists.

Agreed. I definitely want to kill the spam activity.

Greg
> I note in the last 12 hours my server has sent several emails from "wwwrun" to zobugtel@gmail.com.
>
> Maybe I have a penetration of my webserver? My webserver should be very vanilla and I can turn off PHP support, etc. if it is currently active.

For all: the server in question is NOT a repository of confidential data. I encrypt confidential data before uploading files to it.

== back to investigating

Whatever zobugtel is, it seems related, but not the source of 10's of thousands of emails:

    # xzgrep -c zobugtel mail-* mail
    mail-20170117.xz:0
    mail-20170201.xz:0
    mail-20170215.xz:0
    mail-20170227.xz:0
    mail-20170310.xz:0
    mail-20170320.xz:0
    mail-20170329.xz:0
    mail-20170410.xz:0
    mail-20170420.xz:0
    mail-20170429.xz:0
    mail-20170516.xz:0
    mail-20170529.xz:0
    mail-20170609.xz:0
    mail-20170619.xz:0
    mail-20170624.xz:0
    mail-20170703.xz:0
    mail-20170715.xz:0
    mail-20170803.xz:0
    mail-20170817.xz:0
    mail-20170821.xz:0
    mail-20170822.xz:0
    mail-20170831.xz:0
    mail-20170911.xz:0
    mail-20170922.xz:0
    mail-20171002.xz:0
    mail-20171018.xz:0
    mail-20171102.xz:0
    mail-20171120.xz:0
    mail-20171204.xz:0
    mail-20171215.xz:0
    mail-20171230.xz:226
    mail-20180105.xz:37
    mail-20180106.xz:0
    mail-20180107.xz:3
    mail:7

Greg
On 08/01/2018 19:23, Greg Freemyer wrote:
> Whatever zobugtel is, it seems related, but not the source of 10's of thousands of emails:

Have you tried googling zobugtel? It appears to be a hacking group.

Dave P
>> And contents of /etc/postfix/main.cf? Is that file used? What are your smtp recipient restrictions?
>
> I don't think I have any smtp recipient restrictions?

I found copies of some of the original emails, and I was wrong. They have my domain in the header, so I need a way to block smtp connections except from authorized servers / senders.

A month ago relays were being blocked:

    /var/log/mail-20171204.xz:2017-11-24T05:42:32.548951-05:00 cloud1 postfix/smtpd[1427]: NOQUEUE: reject: RCPT from hwsrv-201020.hostwindsdns.com[23.254.203.84]: 454 4.7.1 <1029mandaditos@gmail.com>: Relay access denied; from=<admin@intelligentavatar.net> to=<1029mandaditos@gmail.com> proto=ESMTP helo=<hwsrv-201020.hostwindsdns.com>

admin@intelligentavatar.net is a legit alias on my server. I don't know what rule blocked the relay, but something did a month ago.

This weekend I apparently had 100,000+ emails relayed for that same alias.

I would like to continue to accept email with a to: address of "admin....", but I can safely refuse to relay email for that address.

Blocking that relay will be my immediate fix. I've added:

    admin@intelligentavatar.net DISCARD

to my /etc/postfix/access file and run postmap access.

Should that do the job?

Thanks
Greg
On Monday, 2018-01-08 at 13:18 -0500, Greg Freemyer wrote:
>>> And contents of /etc/postfix/main.cf? Is that file used? What are your smtp recipient restrictions?
>>
>> I don't think I have any smtp recipient restrictions?
>
> I found copies of some of the original emails, and I was wrong.
>
> They have my domain in the header, so I need a way to block smtp connections except from authorized servers / senders.
>
> A month ago relays were being blocked:
>
>     /var/log/mail-20171204.xz:2017-11-24T05:42:32.548951-05:00 cloud1 postfix/smtpd[1427]: NOQUEUE: reject: RCPT from hwsrv-201020.hostwindsdns.com[23.254.203.84]: 454 4.7.1 <1029mandaditos@gmail.com>: Relay access denied; from=<admin@intelligentavatar.net> to=<1029mandaditos@gmail.com> proto=ESMTP helo=<hwsrv-201020.hostwindsdns.com>
>
> admin@intelligentavatar.net is a legit alias on my server. I don't know what rule blocked the relay, but something did a month ago.

Incorrect IP.

> This weekend I apparently had 100,000+ emails relayed for that same alias.
>
> I would like to continue to accept email with a to: address of "admin....", but I can safely refuse to relay email for that address.
>
> Blocking that relay will be my immediate fix. I've added:
>
>     admin@intelligentavatar.net DISCARD
>
> to my /etc/postfix/access file and run postmap access.
>
> Should that do the job?

The comments in your main.cf explain how it goes - I will add your configured values:

    # The relay_domains parameter restricts what destinations this system will
    # relay mail to. See the smtpd_recipient_restrictions description in
    # postconf(5) for detailed information.
    #
    # By default, Postfix relays mail
    # - from "trusted" clients (IP address matches $mynetworks) to any destination,

You have specified mynetworks as an IP/32, not a name, so that is closed. But a local client would pass. A process at the webserver, for instance.

    # - from "untrusted" clients to destinations that match $relay_domains or
    #   subdomains thereof, except addresses with sender-specified routing.
    # The default relay_domains value is $mydestination.

And you have it at the default value.

    mydestination = $myhostname, localhost.$mydomain
    myhostname = cloud1.intelligentavatar.net
    mydomain = intelligentavatar.net

    # In addition to the above, the Postfix SMTP server by default accepts mail
    # that Postfix is final destination for:
    # - destinations that match $inet_interfaces or $proxy_interfaces,

    inet_interfaces = all
    proxy_interfaces =

    # - destinations that match $mydestination

    mydestination = $myhostname, localhost.$mydomain

    # - destinations that match $virtual_alias_domains,

    virtual_alias_domains = hash:/etc/postfix/virtual

    # - destinations that match $virtual_mailbox_domains.

    virtual_mailbox_domains = intelligentavatar.net iac-forensics.com

    # These destinations do not need to be listed in $relay_domains.

    relay_domains = $mydestination

and the contents of "/etc/postfix/relay" are ignored. Safer, but not what you wanted, I guess.

    #
    # Specify a list of hosts or domains, /file/name patterns or type:name
    # lookup tables, separated by commas and/or whitespace. Continue
    # long lines by starting the next line with whitespace. A file name
    # is replaced by its contents; a type:name table is matched when a
    # (parent) domain appears as lookup key.
    #
    # NOTE: Postfix will not automatically forward mail for domains that
    # list this system as their primary or backup MX host.

    cer@Telcontar:~> host -t MX intelligentavatar.net
    intelligentavatar.net mail is handled by 10 cloud1.intelligentavatar.net.
    cer@Telcontar:~> host -t MX iac-forensics.com
    iac-forensics.com mail is handled by 10 cloud1.intelligentavatar.net.
    cer@Telcontar:~> host -t MX cloud1.intelligentavatar.net.
    cloud1.intelligentavatar.net has no MX record
    cer@Telcontar:~>

    # See the
    # permit_mx_backup restriction description in postconf(5).

    permit_mx_backup_networks =

The possible culprit seems to be that web server, yes. The above seems correct.

Side note: you might want to consider applying some changes from master.cf.rpmnew. It is two years newer.

Other files you have default values. Nothing of interest that I see there.

--
Cheers,
Carlos E. R.
(from openSUSE 42.2 x86_64 "Malachite" at Telcontar)
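Carlos's walk-through above reads main.cf by hand to see which settings actually govern relaying, and Greg's question before it asks whether a sender DISCARD in the access map will close the hole. The POSIX shell below is an added example, not code from this thread or from Postfix: it parses a main.cf the way Carlos did (one parameter per line, indented continuation lines, last assignment wins) and audits the relay-relevant settings. The two main.cf fragments are constructed to mirror Greg's posted values and the shape Per later recommends; the IP addresses are documentation ranges, not Greg's redacted network, and cf_get, audit and the other function names are mine, not postconf's.

```shell
#!/bin/sh
# Added example (not from the thread or from Postfix): audit the relay-related
# settings in a Postfix main.cf. Both fragments are constructed for this example.

# Greg's settings as posted: relay_domains is left at its default
# ($mydestination), so /etc/postfix/relay is never consulted; the only relay
# gate is the client address check in smtpd_recipient_restrictions.
WEAK_CF=$(mktemp)
cat >"$WEAK_CF" <<'EOF'
mynetworks = 192.0.2.10/32
mydestination = $myhostname, localhost.$mydomain
relay_domains = $mydestination
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_recipient_restrictions =
    permit_mynetworks,reject_unauth_destination
EOF

# Per's shape: relay_domains points at the relay map, so IAC-Forensics.com is
# relayed and every other foreign destination still hits reject_unauth_destination.
FIXED_CF=$(mktemp)
cat >"$FIXED_CF" <<'EOF'
mynetworks = 127.0.0.0/8, 192.0.2.10/32
mydestination = $myhostname, localhost.$mydomain
relay_domains = hash:/etc/postfix/relay
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination
EOF

# cf_get FILE PARAM: print the effective value of PARAM, joining continuation
# lines (lines starting with whitespace) and keeping the last assignment.
cf_get() {
  awk -v p="$2" '
    /^[ \t]/ { if (cur == p) val = val " " $0; next }   # continuation line
    /^#/ || /^$/ { next }                               # comment or blank line
    {
      cur = $0; sub(/[ \t]*=.*/, "", cur)               # parameter name
      if (cur == p) { val = $0; sub(/^[^=]*=[ \t]*/, "", val) }
    }
    END {
      gsub(/[ \t]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val)
      print val
    }' "$1"
}

# True when relaying to foreign destinations is refused. Postfix 2.10 and later
# also evaluate smtpd_relay_restrictions, so both lists are checked.
has_unauth_destination_reject() {
  for p in smtpd_relay_restrictions smtpd_recipient_restrictions; do
    case "$(cf_get "$1" "$p")" in
      *reject_unauth_destination*|*defer_unauth_destination*) return 0 ;;
    esac
  done
  return 1
}

# Carlos's point: a /etc/postfix/relay file does nothing unless relay_domains
# references it.
relay_map_in_use() {
  case "$(cf_get "$1" relay_domains)" in
    *"/etc/postfix/relay"*) return 0 ;;
    *) return 1 ;;
  esac
}

# The clients allowed to relay anywhere. This list, not the MAIL FROM address,
# is what permit_mynetworks keys on; a DISCARD on a sender address in the
# access map does not change who may relay.
trusted_relay_clients() {
  cf_get "$1" mynetworks | tr ',' '\n' | sed 's/^ *//; /^$/d'
}

audit() {
  f=$1
  if has_unauth_destination_reject "$f"; then
    echo "ok:   reject_unauth_destination present"
  else
    echo "FAIL: no reject_unauth_destination (open relay)"
  fi
  if relay_map_in_use "$f"; then
    echo "ok:   relay_domains consults /etc/postfix/relay"
  else
    echo "note: relay_domains=$(cf_get "$f" relay_domains); /etc/postfix/relay is ignored"
  fi
  echo "clients allowed to relay anywhere: $(trusted_relay_clients "$f" | tr '\n' ' ')"
}

echo "== as posted"; audit "$WEAK_CF"
echo "== with relay map wired in"; audit "$FIXED_CF"
```

Against a live system, `cf_get /etc/postfix/main.cf relay_domains` reads the file as written; `postconf -n` prints the same effective values after Postfix's own parsing and is the one to trust when the two disagree.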
Thanks for the analysis Carlos.

Greg

<Intentional top post -- nothing new from me below>

On Mon, Jan 8, 2018 at 4:51 PM, Carlos E. R. <robin.listas@telefonica.net> wrote:
On 08.01.2018 20:06, Greg Freemyer wrote:
...
> smtpd_client_restrictions =
> smtpd_helo_restrictions =
> smtpd_sender_restrictions = hash:/etc/postfix/access
> smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination

Normally this should prevent delivery to destinations for which this postfix instance is not final.

> smtp_sasl_auth_enable = no
> smtp_sasl_security_options =
> smtp_sasl_password_maps =
> smtpd_sasl_auth_enable = no
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_local_domain = $myhontname
> relay_clientcerts =
> smtp_use_tls = no
> smtp_enforce_tls = no
> smtp_tls_CAfile =
> smtp_tls_CApath =
> smtp_tls_cert_file =
> smtp_tls_key_file =
> smtp_tls_session_cache_database =
> smtpd_use_tls = no
> smtpd_tls_CAfile =
> smtpd_tls_CApath =
> smtpd_tls_cert_file =
> smtpd_tls_key_file =
> smtpd_tls_ask_ccert = no
> smtpd_tls_received_header = no
> virtual_alias_domains = hash:/etc/postfix/virtual
> virtual_alias_maps = hash:/etc/postfix/virtual

Are you sure these have not been tampered with?

> virtual_mailbox_domains = intelligentavatar.net iac-forensics.com
> virtual_mailbox_base = /srv/maildirs
> virtual_mailbox_maps = hash:/etc/postfix/vmailbox

Or this?
On Mon, Jan 8, 2018 at 1:21 PM, Andrei Borzenkov <arvidjaar@gmail.com> wrote:
> On 08.01.2018 20:06, Greg Freemyer wrote:
> ...
>> smtpd_client_restrictions =
>> smtpd_helo_restrictions =
>> smtpd_sender_restrictions = hash:/etc/postfix/access
>> smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
>
> Normally this should prevent delivery to destinations for which this postfix instance is not final.

My "access" file was effectively empty (comments only). I have just added:

    admin@intelligentavatar.net DISCARD

which I hope will silently discard email relay attempts for that from address. Maybe I should use REJECT instead?

> Are you sure these have not been tampered with?
>
>> virtual_mailbox_domains = intelligentavatar.net iac-forensics.com
>> virtual_mailbox_base = /srv/maildirs
>> virtual_mailbox_maps = hash:/etc/postfix/vmailbox
>
> Or this?

I don't know if something was tampered with, but a month ago email relaying for admin@intelligentavatar.net was rejected and this weekend it was allowed. That is a legit alias on my server so I don't know why it was rejected in the past, and I don't know why relay started working at some point in the last month.

Greg
On 08.01.2018 22:01, Greg Freemyer wrote:
> On Mon, Jan 8, 2018 at 1:21 PM, Andrei Borzenkov <arvidjaar@gmail.com> wrote:
>> On 08.01.2018 20:06, Greg Freemyer wrote:
>> ...
>>> smtpd_client_restrictions =
>>> smtpd_helo_restrictions =
>>> smtpd_sender_restrictions = hash:/etc/postfix/access
>>> smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
>>
>> Normally this should prevent delivery to destinations for which this postfix instance is not final.
>
> My "access" file was effectively empty (comments only).

I referred to smtpd_recipient_restrictions

> I have just added:
>
>     admin@intelligentavatar.net DISCARD
>
> which I hope will silently discard email relay attempts for that from address.
>
> Maybe I should use REJECT instead?
>
>> Are you sure these have not been tampered with?
>>
>>> virtual_mailbox_domains = intelligentavatar.net iac-forensics.com
>>> virtual_mailbox_base = /srv/maildirs
>>> virtual_mailbox_maps = hash:/etc/postfix/vmailbox
>>
>> Or this?
>
> I don't know if something was tampered with, but a month ago email relaying for admin@intelligentavatar.net was rejected and this weekend it was allowed.

Postfix's primary check is for the network range, not MAIL FROM (which can obviously be forged quite easily). What IP does this client connect from? Is it the local subnet? Maybe something in your hosting provider's network topology changed?

> That is a legit alias on my server so I don't know why it was rejected in the past, and I don't know why relay started working at some point in the last month.
>
> Greg
Greg Freemyer wrote:
On Mon, Jan 8, 2018 at 1:46 AM, Per Jessen <per@computer.org> wrote:
Greg Freemyer wrote:
All,
I have VM on the internet that for the last day or so is sending out 10's of thousands of malicious emails.
openSUSE 42.2
Fully updated with security patches. I know I need to update to 42.3, but at least for now it is still getting security patches.
I assume the bad guys are somehow using it as a relay site, but I'm not sure. The server has a GUI on it I think, but I rarely, if ever use it. Almost all admin is via ssh.
Check the mail logs, Greg. /var/log/mail will tell you everything.
Agreed, but they are huge as of the last couple days. I need some hints of what to look for.
Look for e.g. "smtpd.*connect" to see servers connecting to deliver mails. If you see lots of unknown ones, you have identified the source.
I note in the last 12 hours my server has sent several emails from "wwwrun" to zobugtel@gmail.com.
wwwrun is almost certainly your apache server, any chance some application has been compromised?
Maybe I have a penetration of my webserver? My webserver should be very vanilla and I can turn off PHP support, etc. if it is currently active.
If you're not using it, I would suggest just stopping it.
The contents of /etc/postfix/relay are: # for relaying domain # domain.de OK IAC-Forensics.com OK
And contents of /etc/postfix/main.cf ? Is that file used? What are your smtp recipient restrictions?
I don't think I have any smtp recipient restrictions?
You ought to have at least 'reject_unauth_destination'.
I think my main.cf is very vanilla:
Depending on what you need it for, I would suggest getting rid of a lot of the vanilla stuff. It often just gets in the way and only obscures the picture.
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
That looks good - assuming you also have relay_domains = hash:/etc/postfix/relay, and you've postmap'ed /etc/postfix/relay, I don't think your postfix is open. (I'll be happy to test that for you, if you want). Hope this helps, Per -- Per Jessen, Zürich (4.5°C) http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
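The log triage Per describes (look for smtpd connects from unknown clients, and notice mail submitted locally by wwwrun), as an added example that is not code from this thread: it parses constructed Postfix log lines, counts smtpd connects per client and tallies what each local uid handed to postfix/pickup, the path that bypasses smtpd restrictions entirely because /usr/sbin/sendmail is not an SMTP client. Host names, addresses, queue ids and the wwwrun uid (30, openSUSE's default) are assumed values.

```python
"""Triage Postfix mail log lines: count smtpd connects per client and tally what
each local uid handed to postfix/pickup (mail injected via the sendmail wrapper).
Added example, not code from the thread; every log line below is constructed."""
import re
from collections import Counter, defaultdict

# Constructed sample log in the syslog format Postfix writes. uid 30 is wwwrun on
# openSUSE; 198.51.100.x, 203.0.113.x and 192.0.2.x are documentation addresses.
SAMPLE_LOG = [
    "Jan  8 10:00:01 cloud1 postfix/smtpd[1201]: connect from unknown[198.51.100.7]",
    "Jan  8 10:00:02 cloud1 postfix/smtpd[1201]: disconnect from unknown[198.51.100.7]",
    "Jan  8 10:00:05 cloud1 postfix/smtpd[1202]: connect from mail.example.org[203.0.113.5]",
    "Jan  8 10:00:06 cloud1 postfix/smtpd[1203]: connect from unknown[198.51.100.7]",
    "Jan  8 10:00:09 cloud1 postfix/smtpd[1204]: connect from unknown[198.51.100.7]",
    "Jan  8 10:01:00 cloud1 postfix/pickup[880]: 1A2B3C: uid=30 from=<wwwrun>",
    "Jan  8 10:01:00 cloud1 postfix/qmgr[881]: 1A2B3C: from=<wwwrun@cloud1.example.net>, size=812, nrcpt=1 (queue active)",
    "Jan  8 10:01:01 cloud1 postfix/smtp[890]: 1A2B3C: to=<victim1@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.2, status=sent (250 OK)",
    "Jan  8 10:01:10 cloud1 postfix/pickup[880]: 4D5E6F: uid=30 from=<wwwrun>",
    "Jan  8 10:01:11 cloud1 postfix/smtp[890]: 4D5E6F: to=<victim2@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=0.9, status=sent (250 OK)",
    "Jan  8 10:01:20 cloud1 postfix/pickup[880]: 7A8B9C: uid=30 from=<wwwrun>",
    "Jan  8 10:01:50 cloud1 postfix/smtp[890]: 7A8B9C: to=<victim1@example.net>, relay=none, delay=30, status=deferred (connect to mx.example.net[192.0.2.10]:25: Connection timed out)",
    "Jan  8 10:02:00 cloud1 postfix/pickup[880]: 0F1E2D: uid=0 from=<root>",
    "Jan  8 10:02:01 cloud1 postfix/smtp[890]: 0F1E2D: to=<admin@example.org>, relay=mx.example.org[203.0.113.5]:25, delay=0.5, status=sent (250 OK)",
]

# postfix/smtpd: a remote client opened an SMTP session ("]: connect" excludes "disconnect").
CONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from (\S+)")
# postfix/pickup: mail handed in locally through /usr/sbin/sendmail; smtpd_*_restrictions never see it.
PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: (\w+): uid=(\d+) from=<([^>]*)>")
# postfix/smtp (the client side): outbound delivery attempt for a queue id.
DELIVERY_RE = re.compile(r"postfix/smtp\[\d+\]: (\w+): to=<([^>]*)>.*status=(\w+)")


def triage(lines):
    """Return smtpd connects per client, local submissions per uid, and delivered recipients per uid."""
    connects = Counter()                      # client string -> number of smtpd connects
    pickup_queue = {}                         # queue id -> (uid, envelope sender) for locally injected mail
    local_submissions = Counter()             # uid -> messages picked up
    local_recipients = defaultdict(Counter)   # uid -> Counter of recipients actually delivered
    for line in lines:
        m = CONNECT_RE.search(line)
        if m:
            connects[m.group(1)] += 1
            continue
        m = PICKUP_RE.search(line)
        if m:
            qid, uid, sender = m.groups()
            pickup_queue[qid] = (int(uid), sender)
            local_submissions[int(uid)] += 1
            continue
        m = DELIVERY_RE.search(line)
        if m:
            qid, rcpt, status = m.groups()
            # Only count deliveries that left the box and belong to a locally injected message.
            if qid in pickup_queue and status == "sent":
                local_recipients[pickup_queue[qid][0]][rcpt] += 1
    return {"connects": connects, "local_submissions": local_submissions,
            "local_recipients": local_recipients}


def suspicious_local_uids(report, allowed_uids=frozenset({0}), threshold=2):
    """Uids other than the allowed ones that injected more than `threshold` messages (constructed heuristic)."""
    return sorted(uid for uid, n in report["local_submissions"].items()
                  if uid not in allowed_uids and n > threshold)


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("smtpd connects per client:")
    for client, n in report["connects"].most_common():
        print(f"  {n:5d}  {client}")
    for uid in suspicious_local_uids(report):
        print(f"uid {uid} injected {report['local_submissions'][uid]} messages locally; "
              f"delivered to {dict(report['local_recipients'][uid])}")
```

On a real host the same functions take the lines of /var/log/mail; the "unknown[...]" client string means reverse DNS failed, which is what Per means by unknown servers connecting.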
On Mon, Jan 8, 2018 at 2:01 PM, Per Jessen <per@computer.org> wrote:
Greg Freemyer wrote:
On Mon, Jan 8, 2018 at 1:46 AM, Per Jessen <per@computer.org> wrote:
Greg Freemyer wrote:
All,
I have VM on the internet that for the last day or so is sending out 10's of thousands of malicious emails.
openSUSE 42.2
Fully updated with security patches. I know I need to update to 42.3, but at least for now it is still getting security patches.
I assume the bad guys are somehow using it as a relay site, but I'm not sure. The server has a GUI on it I think, but I rarely, if ever use it. Almost all admin is via ssh.
Check the mail logs, Greg. /var/log/mail will tell you everything.
Agreed, but they are huge as of the last couple days. I need some hints of what to look for.
Look for e.g. "smtpd.*connect" to see servers connecting to deliver mails. If you see lots of unknown ones, you have identified the source.
As noted in other emails, I think I found the method of relay used. Anyway, I made an effort to block it.
I note in the last 12 hours my server has sent several emails from "wwwrun" to zobugtel@gmail.com.
wwwrun is almost certainly your apache server, any chance some application has been compromised?
Whatever it is, it seems unrelated, so I will attack that problem separately. I mostly have just a few static pages on this server.
Maybe I have a penetration of my webserver? My webserver should be very vanilla and I can turn off PHP support, etc. if it is currently active.
If you're not using it, I would suggest just stopping it.
Agreed
The contents of /etc/postfix/relay are: # for relaying domain # domain.de OK IAC-Forensics.com OK
And contents of /etc/postfix/main.cf ? Is that file used? What are your smtp recipient restrictions?
I don't think I have any smtp recipient restrictions?
You ought to have at least 'reject_unauth_destination'.
I do
I think my main.cf is very vanilla:
Depending on what you need it for, I would suggest getting rid of a lot of the vanilla stuff. It often just gets in the way and only obscures the picture.
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
That looks good - assuming you also have
relay_domains = hash:/etc/postfix/relay,
Hmm.. I have: #relay_domains = $mydestination, hash:/etc/postfix/relay Note it is commented out! Is it the default?
and you've postmap'ed /etc/postfix/relay, I don't think your postfix is open. (I'll be happy to test that for you, if you want).
I had an online website test it. It's not fully open, but the bad guys still found a way. Looks like 500,000+ emails went through the server in the last 72 hours.
Hope this helps, Per
Thanks much, Greg
Greg Freemyer wrote:
I think my main.cf is very vanilla:
Depending on what you need it for, I would suggest getting rid of a lot of the vanilla stuff. It often just gets in the way and only obscures the picture.
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
That looks good - assuming you also have
relay_domains = hash:/etc/postfix/relay,
Hmm.. I have: #relay_domains = $mydestination, hash:/etc/postfix/relay
Note it is commented out!
Is it the default?
Nope. I suggest you comment it back in. Then maybe check for ssh logins not originating from your IP. Someone commented that line out. -- Per Jessen, Zürich (4.9°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 08.01.2018 22:20, Per Jessen wrote:
Greg Freemyer wrote:
I think my main.cf is very vanilla:
Depending on what you need it for, I would suggest getting rid of a lot of the vanilla stuff. It often just gets in the way and only obscures the picture.
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
That looks good - assuming you also have
relay_domains = hash:/etc/postfix/relay,
Hmm.. I have: #relay_domains = $mydestination, hash:/etc/postfix/relay
Note it is commented out!
Is it the default?
Nope. I suggest you comment it back in.
Well, no explicit relay_domains should not be worse if it is relevant for this problem at all. For older postfix it defaults to $mydestination, so it just restricts it even more.
Then maybe check for ssh logins not originating from your IP. Someone commented that line out.
Which is why I suggested checking for virtual domains whether these got some unexpected content.
Andrei Borzenkov wrote:
On 08.01.2018 22:20, Per Jessen wrote:
Greg Freemyer wrote:
I think my main.cf is very vanilla:
Depending on what you need it for, I would suggest getting rid of a lot of the vanilla stuff. It often just gets in the way and only obscures the picture.
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
That looks good - assuming you also have
relay_domains = hash:/etc/postfix/relay,
Hmm.. I have: #relay_domains = $mydestination, hash:/etc/postfix/relay
Note it is commented out!
Is it the default?
Nope. I suggest you comment it back in.
Well, no explicit relay_domains should not be worse if it is relevant for this problem at all. For older postfix it defaults to $mydestination, so it just restricts it even more.
True, I forgot about that. -- Per Jessen, Zürich (5.1°C) http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
On Mon, Jan 8, 2018 at 2:20 PM, Per Jessen <per@computer.org> wrote:
Greg Freemyer wrote:
I think my main.cf is very vanilla:
Depending on what you need it for, I would suggest getting rid of a lot of the vanilla stuff. It often just gets in the way and only obscures the picture.
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
That looks good - assuming you also have
relay_domains = hash:/etc/postfix/relay,
Hmm.. I have: #relay_domains = $mydestination, hash:/etc/postfix/relay
Note it is commented out!
Is it the default?
Nope. I suggest you comment it back in. Then maybe check for ssh logins not originating from your IP. Someone commented that line out.
However it got commented out, it was already done 4 years ago. I checked a backup. I'm putting it back in now, but it didn't change in the last 30 days. Greg
On Mon, Jan 8, 2018 at 2:01 PM, Per Jessen <per@computer.org> wrote:
Greg Freemyer wrote:
On Mon, Jan 8, 2018 at 1:46 AM, Per Jessen <per@computer.org> wrote:
Greg Freemyer wrote:
All,
I have VM on the internet that for the last day or so is sending out 10's of thousands of malicious emails.
openSUSE 42.2
Fully updated with security patches. I know I need to update to 42.3, but at least for now it is still getting security patches.
I assume the bad guys are somehow using it as a relay site, but I'm not sure. The server has a GUI on it I think, but I rarely, if ever use it. Almost all admin is via ssh.
Check the mail logs, Greg. /var/log/mail will tell you everything.
Agreed, but they are huge as of the last couple days. I need some hints of what to look for.
Look for e.g. "smtpd.*connect" to see servers connecting to deliver mails. If you see lots of unknown ones, you have identified the source.
As noted in other emails, I think I found the method of relay used. Anyway, I made an effort to block it.
I note in the last 12 hours my server has sent several emails from "wwwrun" to zobugtel@gmail.com.
wwwrun is almost certainly your apache server, any chance some application has been compromised?
Whatever it is, it seems unrelated, so I will attack that problem separately. I mostly have just a few static pages on this server.
Where do you get that it's unrelated? I've seen dozens of occasions where outdated Joomla/Wordpress/Drupal etc. sites got hacked, a simple php mailer got installed and off the spammers went. Leaving traces in the CMS's logs, not in the OS's mail logs. IMNSHO it's the first place to look when suddenly receiving emails from wwwrun. Do you have a webserver running? If so, does it serve some kind of CMS?
Maybe I have a penetration of my webserver? My webserver should be very vanilla and I can turn off PHP support, etc. if it is currently active.
If you're not using it, I would suggest just stopping it.
Agreed
The contents of /etc/postfix/relay are: # for relaying domain # domain.de OK IAC-Forensics.com OK
And contents of /etc/postfix/main.cf ? Is that file used? What are your smtp recipient restrictions?
I don't think I have any smtp recipient restrictions?
You ought to have at least 'reject_unauth_destination'.
I do
I think my main.cf is very vanilla: Depending on what you need it for, I would suggest getting rid of a lot of the vanilla stuff. It often just gets in the way and only obscures the picture.
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
That looks good - assuming you also have
relay_domains = hash:/etc/postfix/relay,
Hmm.. I have: #relay_domains = $mydestination, hash:/etc/postfix/relay
Note it is commented out!
Is it the default?
and you've postmap'ed /etc/postfix/relay, I don't think your postfix is open. (I'll be happy to test that for you, if you want).
I had an online website test it. It's not fully open, but the bad guys still found a way.
Looks like 500,000+ emails went through the server in the last 72 hours.
Hope this helps, Per
Thanks Much Greg
-- Gertjan Lettink, a.k.a. Knurpht openSUSE Board Member openSUSE Forums Team
On 08/01/18 19:22, Knurpht - Gertjan Lettink wrote:
Where do you get that it's unrelated? I've seen dozens of occasions where outdated Joomla/Wordpress/Drupal etc. sites got hacked, a simple php mailer got installed and off the spammers went. Leaving traces in the CMS's logs, not in the OS's mail logs. IMNSHO it's the first place to look when suddenly receiving emails from wwwrun.
When I got hacked years ago, my (then clueful) ISP sent me a helpful "how to secure your mail-server". Only snag is it was for linux, and I wasn't running any server software on my Windows PC. It's so easy for an intruder to install a little trojan, that grabs your mail credentials, and runs in the background spewing emails. So they all come from your system, and it might throttle itself so you don't notice any performance impact ... (my trojan swamped my dial-up, iirc, so I was trying to track down what was wrong for a while, and I ended up doing a full "format c:, re-install"). Cheers, Wol
On Mon, Jan 8, 2018 at 3:33 PM, Wol's lists <antlists@youngman.org.uk> wrote:
On 08/01/18 19:22, Knurpht - Gertjan Lettink wrote:
Where do you get that it's unrelated? I've seen dozens of occasions where outdated Joomla/Wordpress/Drupal etc. sites got hacked, a simple php mailer got installed and off the spammers went. Leaving traces in the CMS's logs, not in the OS's mail logs. IMNSHO it's the first place to look when suddenly receiving emails from wwwrun.
When I got hacked years ago, my (then clueful) ISP sent me a helpful "how to secure your mail-server". Only snag is it was for linux, and I wasn't running any server software on my Windows PC.
It's so easy for an intruder to install a little trojan, that grabs your mail credentials, and runs in the background spewing emails. So they all come from your system, and it might throttle itself so you don't notice any performance impact ... (my trojan swamped my dial-up, iirc, so I was trying to track down what was wrong for a while, and I ended up doing a full "format c:, re-install").
Thanks, I hope to avoid the format C: equivalent! Greg
On Mon, Jan 8, 2018 at 2:22 PM, Knurpht - Gertjan Lettink <knurpht@opensuse.org> wrote:
On Monday 8 January 2018 20:09:34 CET, Greg Freemyer wrote:
On Mon, Jan 8, 2018 at 2:01 PM, Per Jessen <per@computer.org> wrote:
Greg Freemyer wrote:
On Mon, Jan 8, 2018 at 1:46 AM, Per Jessen <per@computer.org> wrote:
Greg Freemyer wrote:
All,
I have VM on the internet that for the last day or so is sending out 10's of thousands of malicious emails.
openSUSE 42.2
Fully updated with security patches. I know I need to update to 42.3, but at least for now it is still getting security patches.
I assume the bad guys are somehow using it as a relay site, but I'm not sure. The server has a GUI on it I think, but I rarely, if ever use it. Almost all admin is via ssh.
Check the mail logs, Greg. /var/log/mail will tell you everything.
Agreed, but they are huge as of the last couple days. I need some hints of what to look for.
Look for e.g. "smtpd.*connect" to see servers connecting to deliver mails. If you see lots of unknown ones, you have identified the source.
As noted in other emails, I think I found the method of relay used. Anyway, I made an effort to block it.
I note in the last 12 hours my server has sent several emails from "wwwrun" to zobugtel@gmail.com.
wwwrun is almost certainly your apache server, any chance some application has been compromised?
Whatever it is, it seems unrelated, so I will attack that problem separately. I mostly have just a few static pages on this server.
Where do you get that it's unrelated?
Apparently a false hope on my part. I'm now seeing emails with a from address of av153.intelligentavatar.net. That was a test website I created a couple years ago. Only a malicious user that can see my apache setup would know that exists.
I've seen dozens of occasions where outdated Joomla/Wordpress/Drupal etc. sites got hacked, a simple php mailer got installed and off the spammers went.
That seems like what is happening. I setup Wordpress as a test a couple years ago. There are php files in there with datestamps of Dec 28, 2017 or newer. I haven't looked at that stuff since 2016 it seems. The WP stuff is not in use, so I think I can just wipe it out. Done. Let's see what happens now. Greg
On 01/08/2018 01:06 PM, Greg Freemyer wrote:
That seems like what is happening. I setup Wordpress as a test a couple years ago.
There are php files in there with datestamps of Dec 28, 2017 or newer. I haven't looked at that stuff since 2016 it seems.
The WP stuff is not in use, so I think I can just wipe it out.
Done. Let's see what happens now.
Hi Greg, Of course you realize that you can never trust that system again until it's rebuilt from scratch? I'd be tempted to run one of the rootkit detection programs too. Maybe rkhunter? Also, have you scanned for unusual open ports? Regards, Lew
On Mon, Jan 8, 2018 at 4:41 PM, Lew Wolfgang <wolfgang@sweet-haven.com> wrote:
On 01/08/2018 01:06 PM, Greg Freemyer wrote:
That seems like what is happening. I setup Wordpress as a test a couple years ago.
There are php files in there with datestamps of Dec 28, 2017 or newer. I haven't looked at that stuff since 2016 it seems.
The WP stuff is not in use, so I think I can just wipe it out.
Done. Let's see what happens now.
Hi Greg,
Of course you realize that you can never trust that system again until it's rebuilt from scratch? I'd be tempted to run one of the rootkit detection programs too. Maybe rkhunter? Also, have you scanned for unusual open ports?
Regards, Lew
Agreed on needing to do a rebuild from scratch. Until an hour ago, I thought a bad guy just figured out how to use it as a relay. Now I know about the php files, it changes things. A lot. The good news is this is a fully isolated PC and I treat it as insecure anyway. No confidential data kept on it unless it is encrypted, etc. Greg
On Monday, 2018-01-08 at 14:09 -0500, Greg Freemyer wrote:
On Mon, Jan 8, 2018 at 2:01 PM, Per Jessen <per@computer.org> wrote:
Greg Freemyer wrote:
On Mon, Jan 8, 2018 at 1:46 AM, Per Jessen <per@computer.org> wrote:
Greg Freemyer wrote:
...
That looks good - assuming you also have
relay_domains = hash:/etc/postfix/relay,
Hmm.. I have: #relay_domains = $mydestination, hash:/etc/postfix/relay
Note it is commented out!
Is it the default?
You can find the actual configuration with the command "postconf". And with "-n" you get the configuration that is different from the default, and with "-d" you get what would be the default. It is more useful to look at the output of this command than looking at the files, I forgot. Thus we can see that the default for the above is: relay_domains = $mydestination so the result, the default, is more restrictive than the commented out line would have. I.e., the contents of /etc/postfix/relay are ignored, and the site there would not be "OK". So even if an intruder modified that line, it would not be the issue. -- Cheers, Carlos E. R. (from openSUSE 42.2 x86_64 "Malachite" at Telcontar)
On Monday, 2018-01-08 at 12:06 -0500, Greg Freemyer wrote:
I think my main.cf is very vanilla:
Better post the output of the command "postconf", and "postconf -n" - the latter tells what is changed. -- Cheers, Carlos E. R. (from openSUSE 42.2 x86_64 "Malachite" at Telcontar)
On Mon, Jan 8, 2018 at 4:17 PM, Carlos E. R. <robin.listas@telefonica.net> wrote:
On Monday, 2018-01-08 at 12:06 -0500, Greg Freemyer wrote:
I think my main.cf is very vanilla:
Better post the output of the command "postconf", and "postconf -n" - the latter tells what is changed.
I no longer think postfix or relaying was the problem. Instead it was a penetration of an old Wordpress test site I had. But:

# /usr/sbin/postconf -n
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: myhontname
alias_maps = hash:/etc/aliases
biff = no
body_checks = regexp:/etc/postfix/body_checks
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter =
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 1
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
defer_transports =
delay_warning_time = 1h
disable_dns_lookups = no
disable_mime_output_conversion = no
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = /usr/share/doc/packages/postfix-doc/html
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailbox_transport =
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
message_size_limit = 0
message_strip_characters = \0
mydestination = $myhostname, localhost.$mydomain
mydomain = intelligentavatar.net
myhostname = cloud1.intelligentavatar.net
mynetworks = <redacted>/32
mynetworks_style = subnet
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix-doc/README_FILES
relay_clientcerts =
relay_domains = $mydestination, hash:/etc/postfix/relay
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix-doc/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_enforce_tls = no
smtp_sasl_auth_enable = no
smtp_sasl_password_maps =
smtp_sasl_security_options =
smtp_tls_CAfile =
smtp_tls_CApath =
smtp_tls_cert_file =
smtp_tls_key_file =
smtp_tls_session_cache_database =
smtp_use_tls = no
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions =
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_sasl_local_domain = $myhontname
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_tls_CAfile =
smtpd_tls_CApath =
smtpd_tls_ask_ccert = no
smtpd_tls_cert_file =
smtpd_tls_key_file =
smtpd_tls_received_header = no
smtpd_use_tls = no
strict_8bitmime = no
strict_rfc821_envelopes = no
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_gid_maps = static:5000
virtual_mailbox_base = /srv/maildirs
virtual_mailbox_domains = intelligentavatar.net iac-forensics.com
virtual_mailbox_limit = 0
virtual_mailbox_limit_inbox = no
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_minimum_uid = 1000
virtual_uid_maps = static:5000

Greg
On 08/01/2018 at 22:52, Greg Freemyer wrote:
I no longer think postfix or relaying was the problem. Instead it was a penetration of an old Wordpress test site I had.
I managed a wordpress install some years ago, but abandoned it, because it was a nightmare to make secure!! so bad, it's a pretty blog :-( jdd -- http://dodin.org
jdd@dodin.org wrote:
On 08/01/2018 at 22:52, Greg Freemyer wrote:
I no longer think postfix or relaying was the problem. Instead it was a penetration of an old Wordpress test site I had.
I managed a wordpress install some years ago, but abandoned it, because it was a nightmare to make secure!!
It's not that bad -

<Location /xmlrpc.php>
Order deny,allow
Deny from all
Allow from none
</Location>

and add protection to wp-login.php. Slow it down or add a captcha or even disable for external access. Also make sure the software is up-to-date. -- Per Jessen, Zürich (10.1°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 01/08/2018 03:52 PM, Greg Freemyer wrote:
I no longer think postfix or relaying was the problem. Instead it was a penetration of an old Wordpress test site I had.
BINGO! That would be my strong suspicion. If you let your web apps get just slightly out of date (wordpress, mediawiki, etc..) you roll out the welcome mat to the spammers. (the updates to those webapps are generally in response to discovered vulnerabilities) I had a mediawiki site compromised in 2013 and had about 300 bogus accounts created in a day. The flood of spam followed. I rolled in a backup of the mysql tables for mediawiki and hit the update button. Have not had any problems since. Good luck with the rebuild.... -- David C. Rankin, J.D.,P.E.
On Monday, 2018-01-08 at 16:52 -0500, Greg Freemyer wrote:
On Mon, Jan 8, 2018 at 4:17 PM, Carlos E. R. <> wrote:
On Monday, 2018-01-08 at 12:06 -0500, Greg Freemyer wrote:
I think my main.cf is very vanilla:
Better post the output of the command "postconf", and "postconf -n" - the latter tells what is changed.
I no longer think postfix or relaying was the problem. Instead it was a penetration of an old Wordpress test site I had.
Right. However, I wonder if requiring some auth even for local clients would have helped :-? -- Cheers, Carlos E. R. (from openSUSE 42.2 x86_64 "Malachite" at Telcontar)
On Tue, Jan 9, 2018 at 1:38 PM, Carlos E. R. <robin.listas@telefonica.net> wrote:
However, I wonder if requiring some auth even for local clients would have helped :-?
It would probably make it more difficult than relying on network range only (depending on the exact nature of gaining access to the system in question).
Carlos E. R. wrote:
On Monday, 2018-01-08 at 16:52 -0500, Greg Freemyer wrote:
On Mon, Jan 8, 2018 at 4:17 PM, Carlos E. R. <> wrote:
On Monday, 2018-01-08 at 12:06 -0500, Greg Freemyer wrote:
I think my main.cf is very vanilla:
Better post the output of the command "postconf", and "postconf -n" - the latter tells what is changed.
I no longer think postfix or relaying was the problem. Instead it was a penetration of an old Wordpress test site I had.
Right.
However, I wonder if requiring some auth even for local clients would have helped :-?
Local clients are most often just the sendmail wrapper, so not much authentication there. -- Per Jessen, Zürich (10.1°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On Tuesday, 2018-01-09 at 14:27 +0100, Per Jessen wrote:
Carlos E. R. wrote:
However, I wonder if requiring some auth even for local clients would have helped :-?
Local clients most often just the sendmail wrapper, so not much authentication there.
Right... And being "localhost" there are no checks on SMTP either, but that one can be changed. I wonder then if what uses sendmail can be confined. AppArmor, perhaps? -- Cheers, Carlos E. R. (from openSUSE 42.2 x86_64 "Malachite" at Telcontar)
Carlos E. R. wrote:
On Tuesday, 2018-01-09 at 14:27 +0100, Per Jessen wrote:
Carlos E. R. wrote:
However, I wonder if requiring some auth even for local clients would have helped :-?
Local clients most often just the sendmail wrapper, so not much authentication there.
Right...
And being "localhost" there are no checks on SMTP either, but that one can be changed.
I wonder then if what uses sendmail can be confined. AppArmor, perhaps?
On a machine that only occasionally sends email, I think I would implement some rate-limiting in postfix - one email per minute, for instance. -- Per Jessen, Zürich (6.4°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On Tue, Jan 9, 2018 at 11:51 AM, Per Jessen <per@computer.org> wrote:
Carlos E. R. wrote:
On Tuesday, 2018-01-09 at 14:27 +0100, Per Jessen wrote:
Carlos E. R. wrote:
However, I wonder if requiring some auth even for local clients would have helped :-?
Local clients most often just the sendmail wrapper, so not much authentication there.
Right...
And being "localhost" there are no checks on SMTP either, but that one can be changed.
I wonder then if what uses sendmail can be confined. AppArmor, perhaps?
On a machine that only occasionally sends email, I think I would implement some rate-limiting in postfix - one email per minute, for instance.
Is that a config option? I could do that on this server. Greg
Greg Freemyer wrote:
On Tue, Jan 9, 2018 at 11:51 AM, Per Jessen <per@computer.org> wrote:
Carlos E. R. wrote:
On Tuesday, 2018-01-09 at 14:27 +0100, Per Jessen wrote:
Carlos E. R. wrote:
However, I wonder if requiring some auth even for local clients would have helped :-? Local clients most often just the sendmail wrapper, so not much authentication there. Right...
And being "localhost" there are no checks on SMTP either, but that one can be changed.
I wonder then if what uses sendmail can be confined. AppArmor, perhaps? On a machine that only occasionally sends email, I think I would implement some rate-limiting in postfix - one email per minute, for instance.
Is that a config option? I could do that on this server.
Check out the destination_concurrency_limit settings - that will limit the rate per destination (yahoo, google, aol etc), that might be a starting point. To limit all outbound traffic, you need a policy daemon. That's a little more involved, but entirely doable, see e.g. "policyd". /Per
On Tuesday, 2018-01-09 at 23:20 -0500, Greg Freemyer wrote:
On Tue, Jan 9, 2018 at 11:51 AM, Per Jessen <per@computer.org> wrote:
Carlos E. R. wrote:
...
On a machine that only occasionally sends email, I think I would implement some rate-limiting in postfix - one email per minute, for instance.
Is that a config option?
I could do that on this server.
Googling on "rate-limiting in postfix" finds many hits :-) <https://serverfault.com/questions/110919/postfix-throttling-for-outgoing-messages> <https://www.vooservers.com/technical-blog/rate-limit-outbound-mail-in-postfix/> <https://wiki.deimos.fr/Postfix:_limit_outgoing_mail_throttling> -- Cheers, Carlos E. R. (from openSUSE 42.2 x86_64 "Malachite" at Telcontar)