Aug 5, 2024: iRedMail-1.7.1 has been released.

**cre8r** · 2016-03-23 06:06:49

cre8r
Member
Offline

Registered: 2014-03-25
Posts: 47

Topic: Spam from alias

- iRedMail version (check /etc/iredmail-release): 0.9.0
- Linux/BSD distribution name and version: Ubuntu 12.04.5 LTS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx):Apache
- Manage mail accounts with iRedAdmin-Pro? Yes
- Related log if you're reporting an issue:

Hi All,

Somehow users are able to send spam from alias addresses through our server from external addresses.
You can see below ALIAS@DOMAIN.COM can send direct to OTHERUSER@DOMAIN.COM..

Any ideas on how to stop this?
We still would like our own users to be able to use alias as FROM field as they are forced to use auth on smtp.

Mar 23 01:41:32 mx postfix/smtpd[760]: connect from unknown[59.90.224.220]
Mar 23 01:41:33 mx cbpolicyd[2080]: module=Quotas, mode=create, host=59.90.224.220, helo=[59.90.224.220], from=ALIAS@DOMAIN.COM, to=ALIAS@DOMAIN.COM, reason=quota_create, policy=2, quota=5, limit=4, track=Sender:ALIAS@DOMAIN.COM, counter=MessageCount, quota=1/401 (0.2%)
Mar 23 01:41:33 mx postfix/smtpd[760]: 3A7FA360051: client=unknown[59.90.224.220]
Mar 23 01:41:35 mx postfix/smtpd[760]: disconnect from unknown[59.90.224.220]
Mar 23 01:41:35 mx amavis[23829]: (23829-14) Passed CLEAN, MYUSERS LOCAL [59.90.224.220] [59.90.224.220] <ALIAS@DOMAIN.COM> -> <OTHERUSER@DOMAIN.COM>, Message-ID: <Apple-Mail-F3F2A03D-AAB6-5B0B-2D35-1F590DCEA53D@DOMAIN.COM>, mail_id: Rp4SgkgAwmg7, Hits: 5.334, size: 5331, queued_as: 88611360057, 512 ms
Mar 23 01:41:35 mx postfix/pipe[27474]: 88611360057: to=<OTHERUSER@DOMAIN.COM>, relay=dovecot, delay=0.03, delays=0.01/0/0/0.02, dsn=2.0.0, status=sent (delivered via dovecot service)
Mar 23 01:41:35 mx postfix/qmgr[3769]: 88611360057: removed

Thanks for your help.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

**ZhangHuangbin** · 2016-03-23 11:37:10

ZhangHuangbin
iRedMail Developers
Offline

Registered: 2009-05-06
Posts: 31,088

Re: Spam from alias

I'm confused now.

With default iRedMail Postfix settings, postfix should reject email which sent from an non-existing sender address (sender domain hosted on your server) with message like this:

550 5.1.0 <not-exist@a.cn>: Sender address rejected: User unknown in virtual mailbox table

I received several reports like yours, all are running Ubuntu. Not sure why it doesn't work. I will try to dig into this issue later.

As a temporary solution, you can upgrade iRedAPD to the latest iRedAPD-1.8.0, and enable plugin 'reject_sender_login_mismatch' in its config file /opt/iredapd/settings.py. like this:

plugins = [... 'reject_sender_login_mismatch']

Then restart iRedAPD service.

**cre8r** · 2016-03-24 04:15:15

cre8r
Member
Offline

Registered: 2014-03-25
Posts: 47

Re: Spam from alias

Thanks Zhang.

It only happens for aliases which is very odd.
Unfortunately sender_login_mismatch will stop our users being able to send as different from addresses, we are considering to make this change however would like to avoid it.

Thanks again, let me know if you find anything and I will keep hunting also.

**ZhangHuangbin** · 2016-03-24 11:08:33

ZhangHuangbin
iRedMail Developers
Offline

Registered: 2009-05-06
Posts: 31,088

Re: Spam from alias

About the "alias" account, is it a separated mail alias account, or just an alias address of mail user?
We may have solution to solve this, but i need to make it clear first.

**j.cichocki** · 2016-03-30 04:33:54

j.cichocki
Member
Offline

Registered: 2014-07-04
Posts: 6

Re: Spam from alias

Have you solutions of this topic? I have the same problem on debian.

Anybody can send mails to my users by any alias address

Test

Resolving hostname...
Connecting...
SMTP -> FROM SERVER:
220 mail.xx.com ESMTP Postfix (Debian/GNU)
SMTP -> FROM SERVER: 
250-mail.xx.com
250-PIPELINING
250-SIZE 104857600
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: ALIAS@AA.com
SMTP -> FROM SERVER:
250 2.1.0 Ok
RCPT TO: USER@BB.com
SMTP -> FROM SERVER:
250 2.1.5 Ok
Sending Mail Message Body...
SMTP -> FROM SERVER:
354 End data with .
SMTP -> FROM SERVER:
250 2.0.0 Ok: queued as 9BA991800335
Message completed successfully.

Postconf -n

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
allow_percent_hack = no
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 4h
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
default_destination_recipient_limit = 20000
default_recipient_limit = 20000
delay_warning_time = 0h
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_original_recipient = no
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 0
maximal_backoff_time = 4000s
maximal_queue_lifetime = 4h
message_size_limit = 104857600
minimal_backoff_time = 300s
mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname
mydomain = --DELETED--
myhostname = --DELETED--
mynetworks = 127.0.0.0/8
mynetworks_style = host
myorigin = --DELETED--
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
queue_run_delay = 300s
readme_directory = no
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination, proxy:mysql:/etc/postfix/mysql/relay_domains.cf
relayhost =
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
smtp-amavis_destination_recipient_limit = 1
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_loglevel = 0
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre
smtpd_recipient_limit = 1200
smtpd_recipient_overshoot_limit = 1200
smtpd_recipient_restrictions = reject_unauth_pipelining, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_sender_restrictions = permit_mynetworks, reject_unauthenticated_sender_login_mismatch, permit_sasl_authenticated
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail_CA.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail_CA.pem
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_loglevel = 0
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
swap_bangpath = no
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf, proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/catchall_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = dovecot
virtual_uid_maps = static:2000

**cre8r** · 2016-03-30 04:57:18

cre8r
Member
Offline

Registered: 2014-03-25
Posts: 47

Re: Spam from alias

Sorry for the delay I have been on leave.
The Alias is a separate account , and I've noticed these mails only seem to get through to Members of this Alias.

**ZhangHuangbin** · 2016-03-30 09:31:16

ZhangHuangbin
iRedMail Developers
Offline

Registered: 2009-05-06
Posts: 31,088

Re: Spam from alias

Try this:

*) Upgrade iRedAPD to the latest iRedAPD-1.8.0.
*) Enable iRedAPD plugin 'reject_sender_login_mismatch' in iRedAPD.
*) Restart iredapd service.

plugin 'reject_sender_login_mismatch' will reject sender login mismatch, also check who is allowed to send email as alias address.

FYI: Manage iRedAPD:
http://www.iredmail.org/docs/manage.iredapd.html

**cre8r** · 2016-03-30 09:58:02

cre8r
Member
Offline

Registered: 2014-03-25
Posts: 47

Re: Spam from alias

Thanks Zhang,

This unfortunately will not work for us unless we change our policy, which we are trying to avoid as it will generate a lot of support calls and frustrated users.

Currently we allow users to authenticate using their USER@DOMAIN.COM account from iredadmin, but send using a different FROM address.

Do you have any solutions for this?

**ZhangHuangbin** · 2016-03-30 14:20:35

ZhangHuangbin
iRedMail Developers
Offline

Registered: 2009-05-06
Posts: 31,088

Re: Spam from alias

cre8r wrote:

Currently we allow users to authenticate using their USER@DOMAIN.COM account from iredadmin, but send using a different FROM address.

*) Is there any relationship between the auth username and the FROM address?
*) Many users send email as different addresses? or just few?

**cre8r** · 2016-03-31 03:59:44

cre8r
Member
Offline

Registered: 2014-03-25
Posts: 47

Re: Spam from alias

*) Is there any relationship between the auth username and the FROM address?
Unfortunately most of these have no relationship.

*) Many users send email as different addresses? or just few?
We do have many, hundreds of accounts use this.

**ZhangHuangbin** · 2016-03-31 23:53:44

ZhangHuangbin
iRedMail Developers
Offline

Registered: 2009-05-06
Posts: 31,088

Re: Spam from alias

A temporary solution: enable DNSBL service to help reduce this kind of spam.
http://www.iredmail.org/docs/enable.dnsbl.html

**j.cichocki** · 2016-04-13 21:29:19

j.cichocki
Member
Offline

Registered: 2014-07-04
Posts: 6

Re: Spam from alias

Enabled DNSBL doesn't fix this problem at all. Have you another tip for us?

**ZhangHuangbin** · 2016-04-13 22:30:29

ZhangHuangbin
iRedMail Developers
Offline

Registered: 2009-05-06
Posts: 31,088

Re: Spam from alias

Hi @j.cichocki,

Does it work if you add one more sql lookup in Postfix setting "smtpd_sender_login_maps"? like this:

*) Original setting:

smtpd_sender_login_maps =
     proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf

*) New:

smtpd_sender_login_maps =
    proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
    proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf

**s2500110** · 2016-06-27 15:17:33

s2500110
Member
Offline

Registered: 2012-03-19
Posts: 8

Re: Spam from alias

Hi, guys:
I have the same problem,
Do you resolve the issue?
thx!

**ZhangHuangbin** · 2016-06-27 22:37:23

ZhangHuangbin
iRedMail Developers
Offline

Registered: 2009-05-06
Posts: 31,088

Re: Spam from alias

s2500110 wrote:

Hi, guys:
I have the same problem,
Do you resolve the issue?
thx!

Please create a new forum topic and clearly explain your issue, do not hijack other's thread.

Aug 5, 2024: iRedMail-1.7.1 has been released.

[ Closed ] Spam from alias

Posts: 15

1 Topic by cre8r 2016-03-23 06:06:49

Topic: Spam from alias

2 Reply by ZhangHuangbin 2016-03-23 11:37:10

Re: Spam from alias

3 Reply by cre8r 2016-03-24 04:15:15

Re: Spam from alias

4 Reply by ZhangHuangbin 2016-03-24 11:08:33

Re: Spam from alias

5 Reply by j.cichocki 2016-03-30 04:33:54 (edited by j.cichocki 2016-03-30 04:37:54)

Re: Spam from alias

6 Reply by cre8r 2016-03-30 04:57:18

Re: Spam from alias

7 Reply by ZhangHuangbin 2016-03-30 09:31:16

Re: Spam from alias

8 Reply by cre8r 2016-03-30 09:58:02

Re: Spam from alias

9 Reply by ZhangHuangbin 2016-03-30 14:20:35

Re: Spam from alias

10 Reply by cre8r 2016-03-31 03:59:44

Re: Spam from alias

11 Reply by ZhangHuangbin 2016-03-31 23:53:44

Re: Spam from alias

12 Reply by j.cichocki 2016-04-13 21:29:19

Re: Spam from alias

13 Reply by ZhangHuangbin 2016-04-13 22:30:29

Re: Spam from alias

14 Reply by s2500110 2016-06-27 15:17:33

Re: Spam from alias

15 Reply by ZhangHuangbin 2016-06-27 22:37:23

Re: Spam from alias

Posts: 15