Hello
Yesterday I had to discover that the mail system on my root server was
being used as a relay by a spammer, despite mandatory authentication
(SASL with TLS). Even changing the password did nothing. Only when I
blocked an entire network segment at the firewall today (an abuse mail
to the owner has gone out) did things go quiet for now. The log file
does show other IPs as well, though (not blocked for now). How can
Postfix act as a relay when only authenticated users and the machine
itself are allowed to send mail?
I am running SuSE 9.0, Postfix, Antivir-Mailgate and SpamAssassin 3.0.
h8239:~ # postconf -n
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp:127.0.0.1:10024
daemon_directory = /usr/lib/postfix
delay_warning_time = 5
disable_dns_lookups = no
mail_version = Postfix (singollo.de)
mailbox_transport = lmtp:unix:public/lmtp
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_exceptions = root
message_size_limit = 26214400
mydestination = $myhostname, $mydomain
mydomain = singollo.de
myhostname = h8239.singollo.de
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
notify_classes = resource, software, delay
readme_directory = /usr/share/doc/packages/postfix/README_FILES
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/postfix/certs/singollo.pem
smtp_tls_cert_file = /etc/postfix/certs/singollo.pem
smtp_tls_cipherlist = HIGH:@STRENGTH
smtp_tls_key_file = /etc/postfix/certs/singollo.pem
smtp_tls_loglevel = 2
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_timeout = 3600s
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name NO_SPAM_ALLOWED_HERE
smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_maps_rbl
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/certs/singollo.pem
smtpd_tls_cert_file = /etc/postfix/certs/singollo.pem
smtpd_tls_key_file = /etc/postfix/certs/singollo.pem
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 450
virtual_alias_domains = serverkompetenz.net
virtual_alias_maps = hash:/etc/postfix/virtual
Two mails that were wrongly relayed:
h8239:~ # grep "5C0707E807A" /var/log/mail
Sep 26 09:52:23 h8239 postfix/cleanup[31261]: 5C0707E807A: message-id=<20040926075223.5C0707E807A@h8239.singollo.de>
Sep 26 09:52:23 h8239 postfix/qmgr[5596]: 5C0707E807A: from=<>, size=3593, nrcpt=1 (queue active)
Sep 26 09:52:24 h8239 postfix/smtp[30436]: 5C0707E807A: to=
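The question in the post above is how a message got into the queue when only SASL users and the host itself may relay. The place to look is the smtpd line for the same queue ID: Postfix 2.x logs `client=host[ip]` there, followed by `sasl_method=... sasl_username=...` when the client authenticated, and a queue ID that has a `from=<>` line but no smtpd client line at all was generated locally (a bounce), not accepted from a remote client. The script below is an added example written for this page, not code from the original post or from Postfix. It runs over constructed sample log lines (the queue IDs, IPs, hostnames and the account name `webmaster` are made up) and groups each queue ID by how the mail entered the queue, then lists which SASL account was used from which IPs.

```python
"""Classify Postfix queue IDs by how the message entered the queue.

Added example, not from the original post or from Postfix. Parses the
Postfix 2.x "client=host[ip], sasl_method=..., sasl_username=..." line
written by smtpd and the "from=<...>" line written by qmgr.
"""
import re
from collections import defaultdict

# Constructed sample log: queue IDs, IPs, hostnames and the account name are made up.
SAMPLE_LOG = """\
Sep 26 09:50:02 h8239 postfix/smtpd[30410]: AAAA1111AAAA: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=webmaster
Sep 26 09:50:02 h8239 postfix/qmgr[5596]: AAAA1111AAAA: from=<promo@example.org>, size=2100, nrcpt=1 (queue active)
Sep 26 09:50:03 h8239 postfix/smtp[30436]: AAAA1111AAAA: to=<victim@example.net>, relay=mx.example.net[198.51.100.5]:25, delay=1, status=sent (250 OK)
Sep 26 09:51:11 h8239 postfix/smtpd[30412]: BBBB2222BBBB: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=webmaster
Sep 26 09:51:11 h8239 postfix/qmgr[5596]: BBBB2222BBBB: from=<promo@example.org>, size=2090, nrcpt=1 (queue active)
Sep 26 09:51:30 h8239 postfix/smtpd[30414]: DDDD4444DDDD: client=localhost[127.0.0.1]
Sep 26 09:51:30 h8239 postfix/qmgr[5596]: DDDD4444DDDD: from=<root@mail.example.com>, size=800, nrcpt=1 (queue active)
Sep 26 09:52:23 h8239 postfix/cleanup[31261]: CCCC3333CCCC: message-id=<20040926075223.CCCC3333CCCC@mail.example.com>
Sep 26 09:52:23 h8239 postfix/qmgr[5596]: CCCC3333CCCC: from=<>, size=3593, nrcpt=1 (queue active)
Sep 26 09:52:24 h8239 postfix/smtp[30436]: CCCC3333CCCC: to=<forged-sender@example.com>, relay=mx.example.com[198.51.100.9]:25, delay=1, status=sent (250 OK)
"""

# smtpd client line; the SASL part is optional (absent for unauthenticated clients).
CLIENT_RE = re.compile(
    r": (?P<qid>[0-9A-F]+): client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>[^,\s]+), sasl_username=(?P<user>[^,\s]+))?"
)
# qmgr envelope-sender line; from=<> marks a bounce / null sender.
FROM_RE = re.compile(r": (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")


def classify(log_text):
    """Return {queue_id: {"kind", "ip", "user", "sender"}}.

    kind is one of:
      "sasl"   - smtpd accepted it from a client that authenticated (user is set)
      "client" - smtpd accepted it without SASL (e.g. via permit_mynetworks)
      "local"  - no smtpd client line at all: sendmail/pickup or a Postfix-generated bounce
    """
    entries = defaultdict(lambda: {"kind": "local", "ip": None, "user": None, "sender": None})
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            e = entries[m["qid"]]
            e["ip"] = m["ip"]
            if m["user"]:
                e["kind"] = "sasl"
                e["user"] = m["user"]
            else:
                e["kind"] = "client"
            continue
        m = FROM_RE.search(line)
        if m:
            entries[m["qid"]]["sender"] = m["sender"]
    return dict(entries)


def sasl_accounts(log_text):
    """Map each SASL username that injected mail to the sorted list of client IPs it used.

    One account appearing from many unrelated IPs is the signature of a leaked
    or guessed password; changing a different account's password will not stop it.
    """
    ips = defaultdict(set)
    for e in classify(log_text).values():
        if e["kind"] == "sasl":
            ips[e["user"]].add(e["ip"])
    return {user: sorted(addrs) for user, addrs in ips.items()}


def backscatter_ids(log_text):
    """Queue IDs with a null sender and no smtpd client line: locally generated
    bounces (backscatter), which are not relayed mail even though smtp delivers them."""
    return sorted(qid for qid, e in classify(log_text).items()
                  if e["kind"] == "local" and e["sender"] == "")


if __name__ == "__main__":
    for qid, e in classify(SAMPLE_LOG).items():
        print(qid, e)
    print("SASL accounts by IP:", sasl_accounts(SAMPLE_LOG))
    print("bounce queue IDs:", backscatter_ids(SAMPLE_LOG))
```

Run it against `/var/log/mail` (or the output of `grep postfix /var/log/mail`) instead of `SAMPLE_LOG` to see, for each suspect queue ID, whether a `sasl_username` appears and which one. Queue IDs that show only cleanup, qmgr and smtp lines with `from=<>` were created by Postfix itself and are a separate problem (accepting mail for undeliverable recipients and bouncing it) from an account that is actually relaying.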