1

Topic: Mail Server SMTP Port used to Relay SPAMs

==== Required information ====
- iRedMail version: 0.7.4
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: CentOS 5.7
- Related log if you're reporting an issue:
====
Somebody complained to me that our mail server is being used to send mails to other domains.
I found this to be correct.
I did the following telnet test. (Domain name aliased to xyz.com)
---------------------------------------------------------------------------------
telnet mail.xyz.com 25

220 mail.xyz.com ESMTP Postfix
ehlo mail.xyz.com
250-mail.xyz.com
250-PIPELINING
250-SIZE 31457280
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Mail From: anybody@bogus.com
250 2.1.0 Ok
Rcpt To: subhasis.stpl@gmail.com
554 5.7.1 <subhasis.stpl@gmail.com>: Relay access denied 
Rcpt To: test@xyz.com
250 2.1.5 Ok                                             
DATA
354 End data with <CR><LF>.<CR><LF>
From: anybody@bogus.com
To: test@xyz.com
Subject: Test SMTP Telnet Relay

If this mail finds the destination...
We need to find a way to stop it.
This is unwanted
.
250 2.0.0 Ok: queued as 91F631E70056
quit
221 2.0.0 Bye



The mail sent by telnetting to the SMTP port was delivered to the destination. The full header is given below. It was not marked as spam.

<===================>
Return-Path: <anybody@bogus.com>
Delivered-To: test@xyz.com
Received: from localhost (localhost.localdomain [127.0.0.1])
    by mail.xyz.com (Postfix) with ESMTP id BE5591E70066
    for <test@xyz.com>; Tue, 19 Feb 2013 01:22:09 +0530 (IST)
X-Virus-Scanned: amavisd-new at mail.xyz.com
X-Spam-Flag: NO
X-Spam-Score: 3.677
X-Spam-Level: ***
X-Spam-Status: No, score=3.677 tagged_above=2 required=6.2
    tests=[BAYES_00=-1.9, RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_PBL=3.335,
    RDNS_NONE=0.793] autolearn=no
Received: from mail.xyz.com ([127.0.0.1])
    by localhost (mail.xyz.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 2dOV5SBbrtg7 for <test@xyz.com>;
    Tue, 19 Feb 2013 01:22:07 +0530 (IST)
X-Original-Helo: mail.xyz.com (iRedMail: http://www.iredmail.org/)
X-Original-Helo: mail.xyz.com (iRedMail: http://www.iredmail.org/)
Received: from mail.xyz.com (unknown [116.203.163.126])
    by mail.xyz.com (Postfix) with ESMTP id 91F631E70056
    for <test@xyz.com>; Tue, 19 Feb 2013 01:19:10 +0530 (IST)
From: anybody@bogus.com
To: test@xyz.com
Subject: Test SMTP Telnet Relay
Message-Id: <20130218194956.91F631E70056@mail.xyz.com>
Date: Tue, 19 Feb 2013 01:19:10 +0530 (IST)

If this mail finds the destination...
We need to find a way to stop it.
This is unwanted


This is alarming as anybody can misuse this loophole.
<=====================>

My mail server's postconf -n output is given below.

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
biff = no
bounce_queue_lifetime = 1d
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
delay_warning_time = 0h
disable_vrfy_command = yes
enable_original_recipient = no
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailbox_command = /usr/libexec/dovecot/deliver
mailbox_size_limit = 51200000
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_backoff_time = 4000s
maximal_queue_lifetime = 1d
message_size_limit = 31457280
minimal_backoff_time = 300s
mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname
mydomain = xyz.com
myhostname = mail.xyz.com
mynetworks = 127.0.0.0/8 192.168.88.0/24
mynetworks_style = subnet
myorigin = mail.xyz.com
newaliases_path = /usr/bin/newaliases.postfix
proxy_interfaces = xxx.xxx.xxx.xxx
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
queue_directory = /var/spool/postfix
queue_run_delay = 300s
readme_directory = /usr/share/doc/postfix-2.5.9/README_FILES
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf, proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf
recipient_delimiter = +
relay_domains = $mydestination, proxy:mysql:/etc/postfix/mysql/relay_domains.cf
sample_directory = /usr/share/doc/postfix-2.5.9/samples
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf, proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,permit_sasl_authenticated, check_helo_access pcre:/etc/postfix/helo_access.pcre
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_policy_service inet:127.0.0.1:10031
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_path = ./dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated
smtpd_tls_CAfile = /etc/pki/tls/certs/iRedMail_CA.pem
smtpd_tls_cert_file = /etc/pki/tls/certs/iRedMail_CA.pem
smtpd_tls_key_file = /etc/pki/tls/private/iRedMail.key
smtpd_tls_loglevel = 0
smtpd_tls_security_level = may
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf, proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/catchall_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
virtual_gid_maps = static:500
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_uid = 500
virtual_transport = dovecot
virtual_uid_maps = static:500

<==================================================================>

Any help in stopping this SPAMMING will be highly appreciated.


2 (edited by raserei 2013-02-19 13:43:25)

Re: Mail Server SMTP Port used to Relay SPAMs

check your relay_domains setting in main.cf

Not sure where in CentOS it's stored, but it's got to be something similar to /etc/postfix/main.cf.

Also, you can try changing mynetworks_style from subnet to host in the same file.

edit:

Actually, after some more thought, you might want to try changing the mynetworks line to: mynetworks = 127.0.0.0/8

I'm guessing you tested the relay from the 192.x.x.x network listed on that line?

3

Re: Mail Server SMTP Port used to Relay SPAMs

You have this line in Postfix (main.cf):

smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated

Please try appending "reject" at the end like below:

smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, reject

Then restart the Postfix service and try again.

4 (edited by subhasis.stpl 2013-02-21 00:34:25)

Re: Mail Server SMTP Port used to Relay SPAMs

The problem is not solved.
This "reject" clause forces mail to be accepted from internal mail users only.
Mail sent from Gmail or others is bounced back.

Delivery Report
====================================
Delivery to the following recipient failed permanently:

     subhasis.bhattacharyya@xyz.com

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the server for the recipient domain xyz.com by mailxyz.com. [xxx.xxx.xxx.xxx].

The error that the other server returned was:
554 5.7.1 <subhasis.stpl+caf_=subhasis.bhattacharyya=xyz.com@gmail.com>: Sender address rejected: Access denied

5

Re: Mail Server SMTP Port used to Relay SPAMs

No idea yet, sorry. It looks like a normal SMTP request sent from another MTA.
I suggest you post to the Postfix mailing list instead to get a quick solution.

6

Re: Mail Server SMTP Port used to Relay SPAMs

Hi @subhasis.stpl,

I got it solved with the steps below:

*) Check your Postfix settings: smtpd_sender_restrictions and smtpd_recipient_restrictions. They should look like below:

smtpd_sender_restrictions =
    permit_mynetworks,
    reject_sender_login_mismatch,
    permit_sasl_authenticated,
    reject_unauth_destination

smtpd_recipient_restrictions =
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unlisted_recipient,
    check_policy_service inet:127.0.0.1:7777,
    check_policy_service inet:127.0.0.1:10031,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

*) Now move those two restriction rules (reject_unknown_sender_domain and reject_non_fqdn_sender) from smtpd_recipient_restrictions to smtpd_sender_restrictions. The final restriction rules look like below:

smtpd_sender_restrictions =
    reject_unknown_sender_domain,
    reject_non_fqdn_sender,
    permit_mynetworks,
    reject_sender_login_mismatch,
    permit_sasl_authenticated,
    reject_unauth_destination

smtpd_recipient_restrictions =
    reject_unknown_recipient_domain,
    reject_non_fqdn_recipient,
    reject_unlisted_recipient,
    check_policy_service inet:127.0.0.1:7777,
    check_policy_service inet:127.0.0.1:10031,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

*) Restart Postfix and test again.

Here's my test:

$ telnet 172.16.244.139 25
...
220 suse123.iredmail.org ESMTP Postfix
ehlo b.cn
250-suse123.iredmail.org
250-PIPELINING
250-SIZE 15728640
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

mail from: a@b.cn
250 2.1.0 Ok

rcpt to: abc@a.cn        # <- abc@a.cn is an existing account
451 4.7.1 <abc@a.cn>: Recipient address rejected: Greylisting in effect, please come back later

7

Re: Mail Server SMTP Port used to Relay SPAMs

Well, it looks like it doesn't solve this issue; restriction rules in either smtpd_sender_restrictions or smtpd_recipient_restrictions have the same effect.
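A small model of how Postfix walks these restriction lists, added here as an example (it is neither Postfix source nor iRedMail configuration), makes the outcomes reported in this thread reproducible offline. With smtpd_delay_reject at its default, Postfix evaluates the client, helo, sender and recipient lists in that order when RCPT TO arrives; inside a list the first permit_* or reject_* result wins, a list that yields only "dunno" counts as permit, and a permit in the sender list does not skip the recipient list. Run against the first post's main.cf, the model accepts anybody@bogus.com -> test@xyz.com (ordinary inbound mail for a hosted domain, which any MX has to accept from unauthenticated hosts) and answers "Relay access denied" for the Gmail recipient, matching the telnet transcript in post 1; appending "reject" to smtpd_sender_restrictions as post 3 suggests makes it refuse every unauthenticated sender, which is the "Sender address rejected: Access denied" bounce Google reported in post 4; and post 6's rearranged lists give the same verdict as the original for every case, consistent with post 7. It also shows what does let the server relay: a client inside mynetworks (192.168.88.0/24), as post 2 suspected, or a SASL login. The mailbox list, the sender_login_maps contents, the 198.51.100.7 and 192.168.88.10 client addresses and the exact reply texts are assumptions; DNS-based checks, HELO checks and the two policy services are modelled as always answering "dunno".

```python
"""Toy model of Postfix smtpd_*_restrictions evaluation (added example, not
Postfix code).  Each restriction yields PERMIT, DUNNO or a reject reply; the
first PERMIT/reject ends the current list, an all-DUNNO list counts as permit,
and a PERMIT does not skip the lists that follow.  With smtpd_delay_reject=yes
(the default) the sender and recipient lists are both evaluated at RCPT TO,
so the recipient is already known while the sender list runs."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PERMIT, DUNNO = "PERMIT", "DUNNO"

# Assumed site data modelled on the thread (not copied from a real server).
MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("192.168.88.0/24")]
LOCAL_DOMAINS = {"xyz.com", "mail.xyz.com"}   # mydestination + virtual_mailbox_domains
LOCAL_MAILBOXES = {"test@xyz.com", "subhasis.bhattacharyya@xyz.com"}
SENDER_OWNER = {a: a for a in LOCAL_MAILBOXES}   # smtpd_sender_login_maps: address -> SASL login


@dataclass
class Session:
    client_ip: str
    sender: str
    recipient: str
    sasl_user: Optional[str] = None


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def reject(code: int, enh: str, subject: str, text: str) -> str:
    return f"{code} {enh} <{subject}>: {text}"


def evaluate_one(name: str, s: Session, stage: str) -> str:
    """Verdict of a single restriction; reply texts approximate Postfix's."""
    if name == "permit_mynetworks":
        return PERMIT if any(ip_address(s.client_ip) in n for n in MYNETWORKS) else DUNNO
    if name == "permit_sasl_authenticated":
        return PERMIT if s.sasl_user else DUNNO
    if name == "reject_sender_login_mismatch":
        owner = SENDER_OWNER.get(s.sender.lower())
        if s.sasl_user and owner != s.sasl_user:      # logged in, but MAIL FROM is not theirs
            return reject(553, "5.7.1", s.sender, f"Sender address rejected: not owned by user {s.sasl_user}")
        if not s.sasl_user and owner:                 # outsider forging one of our addresses
            return reject(553, "5.7.1", s.sender, "Sender address rejected: not logged in")
        return DUNNO
    if name == "reject_unauth_destination":          # the anti-relay rule
        return DUNNO if domain(s.recipient) in LOCAL_DOMAINS else reject(554, "5.7.1", s.recipient, "Relay access denied")
    if name == "reject_unlisted_recipient":
        if domain(s.recipient) in LOCAL_DOMAINS and s.recipient.lower() not in LOCAL_MAILBOXES:
            return reject(550, "5.1.1", s.recipient, "Recipient address rejected: User unknown")
        return DUNNO
    if name == "reject":   # unconditional; the subject is whatever the current list is about
        return reject(554, "5.7.1", getattr(s, stage), f"{stage.capitalize()} address rejected: Access denied")
    return DUNNO   # DNS checks, HELO checks and check_policy_service are assumed to answer DUNNO


def evaluate(config: dict, s: Session) -> str:
    """Reply to RCPT TO after running the sender and recipient lists in order."""
    for stage in ("sender", "recipient"):
        for name in config[stage]:
            verdict = evaluate_one(name.split()[0], s, stage)
            if verdict == PERMIT:
                break                 # ends this list only; the next list still runs
            if verdict != DUNNO:
                return verdict        # any reject ends the transaction
    return "250 2.1.5 Ok"


POLICY = ["check_policy_service inet:127.0.0.1:7777", "check_policy_service inet:127.0.0.1:10031"]
ORIGINAL = {   # the first post's main.cf
    "sender": ["permit_mynetworks", "reject_sender_login_mismatch", "permit_sasl_authenticated"],
    "recipient": ["reject_unknown_sender_domain", "reject_unknown_recipient_domain", "reject_non_fqdn_sender",
                  "reject_non_fqdn_recipient", "reject_unlisted_recipient", POLICY[0], "permit_mynetworks",
                  "permit_sasl_authenticated", "reject_unauth_destination", "reject_non_fqdn_helo_hostname",
                  "reject_invalid_helo_hostname", POLICY[1]],
}
WITH_REJECT = {**ORIGINAL, "sender": ORIGINAL["sender"] + ["reject"]}   # post 3's suggestion
REORDERED = {   # post 6's final layout
    "sender": ["reject_unknown_sender_domain", "reject_non_fqdn_sender", "permit_mynetworks",
               "reject_sender_login_mismatch", "permit_sasl_authenticated", "reject_unauth_destination"],
    "recipient": ["reject_unknown_recipient_domain", "reject_non_fqdn_recipient", "reject_unlisted_recipient",
                  *POLICY, "permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination"],
}

OUTSIDER = "116.203.163.126"      # the client IP in the posted header
SESSIONS = {   # constructed sessions; 198.51.100.7 and 192.168.88.10 are made-up hosts
    "telnet test, local rcpt": Session(OUTSIDER, "anybody@bogus.com", "test@xyz.com"),
    "telnet test, gmail rcpt": Session(OUTSIDER, "anybody@bogus.com", "subhasis.stpl@gmail.com"),
    "outsider forging local sender": Session(OUTSIDER, "test@xyz.com", "test@xyz.com"),
    "remote MTA delivering inbound": Session("198.51.100.7", "someone@gmail.com", "subhasis.bhattacharyya@xyz.com"),
    "LAN host relaying out": Session("192.168.88.10", "anybody@bogus.com", "subhasis.stpl@gmail.com"),
    "SASL user relaying out": Session(OUTSIDER, "test@xyz.com", "subhasis.stpl@gmail.com", "test@xyz.com"),
    "SASL user forging another mailbox": Session(OUTSIDER, "subhasis.bhattacharyya@xyz.com", "subhasis.stpl@gmail.com", "test@xyz.com"),
}

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("sender list + reject", WITH_REJECT), ("post 6 layout", REORDERED)):
        print(f"== {label}")
        for desc, s in SESSIONS.items():
            print(f"  {desc:34} {evaluate(cfg, s)}")
```

The "reject" verdict comes from the sender list while reject_unauth_destination only fires for non-local recipients, which is why the trailing "reject" kills inbound mail without changing anything about relaying; the two cases the model does accept for a non-local recipient (a mynetworks client and a SASL login) are the only places a real relay check needs to look.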

8

Re: Mail Server SMTP Port used to Relay SPAMs

Hi subhasis.stpl,

Just realized: when you performed this test, did you have your IP address (or IP range) listed in the Policyd/Cluebringer whitelist?