Discussion:
Stoping unauthorized users from sending emails
(too old to reply)
b***@gmail.com
2018-03-06 22:07:00 UTC
Permalink
I got hit by a spammer. I though I was locked up tight. My postfix should only accept connections from within my network or if SASL authenticated. But I found a ton of these in my log:

Mar 6 04:43:18 MailVM postfix/smtpd[7620]: connect from unknown[131.221.49.124]
Mar 6 04:43:19 MailVM postfix/smtpd[7620]: setting up TLS connection from unknown[131.221.49.124]
Mar 6 04:43:20 MailVM postfix/smtpd[7620]: Anonymous TLS connection established from unknown[131.221.49.124]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Mar 6 04:43:22 MailVM postfix/smtpd[7620]: 676B920366: client=unknown[131.221.49.124], sasl_method=PLAIN, sasl_username=***@YYYYYYY.com
Mar 6 04:43:23 MailVM postfix/cleanup[7624]: 676B920366: message-id=<***@YYYYYYY.com>
Mar 6 04:43:23 MailVM postfix/qmgr[1611]: 676B920366: from=<***@YYYYYYYYY.com>, size=1840, nrcpt=1 (queue active)
Mar 6 04:43:24 MailVM postfix/smtpd[7620]: disconnect from unknown[131.221.49.124]
Mar 6 04:43:28 MailVM postfix/smtp[7625]: certificate verification failed for relay.dnsexit.com[64.182.102.186]:26: self-signed certificate
Mar 6 04:43:29 MailVM postfix/smtp[7625]: 676B920366: to=<***@mail.ru>, relay=relay.dnsexit.com[64.182.102.186]:26, delay=7.1, delays=1.7/0/5.3/0.14, dsn=2.0.0, status=sent (250 2.0.0 w26AhFJ4024640 Message accepted for delivery)
Mar 6 04:43:29 MailVM postfix/qmgr[1611]: 676B920366: removed
Ma

XXXX = is an old email account which is no longer in the system and YYYYY.com is my domain.

From my main.cf:

# SASL
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = no
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =

So there shouldn't be any anonymous at all...

smtpd_use_tls=yes
smtpd_tls_auth_only=yes
smtpd_TLS_ciphers = high
smtpd_TLS_mandatory_ciphers = high
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 4
smtpd_tls_recieved_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# restrictions
#smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit
#smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
smtpd_client_restrictions = permit_mynetworks, reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org
#smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, permit
#smtpd_data_restrictions = reject_unauth_pipelining

Any idea why I am getting anonymous relays. All emails inbount to me go through a spam filter so I need to allow local network and I don't mind making ALL that hit this server require authentication.

Bob
Jonathan N. Little
2018-03-07 17:14:26 UTC
Permalink
Post by b***@gmail.com
Mar 6 04:43:18 MailVM postfix/smtpd[7620]: connect from unknown[131.221.49.124]
Mar 6 04:43:19 MailVM postfix/smtpd[7620]: setting up TLS connection from unknown[131.221.49.124]
Mar 6 04:43:20 MailVM postfix/smtpd[7620]: Anonymous TLS connection established from unknown[131.221.49.124]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Mar 6 04:43:24 MailVM postfix/smtpd[7620]: disconnect from unknown[131.221.49.124]
Mar 6 04:43:28 MailVM postfix/smtp[7625]: certificate verification failed for relay.dnsexit.com[64.182.102.186]:26: self-signed certificate
Mar 6 04:43:29 MailVM postfix/qmgr[1611]: 676B920366: removed
Ma
XXXX = is an old email account which is no longer in the system and YYYYY.com is my domain.
# SASL
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = no
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
So there shouldn't be any anonymous at all...
smtpd_use_tls=yes
smtpd_tls_auth_only=yes
smtpd_TLS_ciphers = high
smtpd_TLS_mandatory_ciphers = high
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 4
smtpd_tls_recieved_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# restrictions
#smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit
#smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
smtpd_client_restrictions = permit_mynetworks, reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org
#smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, permit
#smtpd_data_restrictions = reject_unauth_pipelining
Any idea why I am getting anonymous relays. All emails inbount to me go through a spam filter so I need to allow local network and I don't mind making ALL that hit this server require authentication.
No expert here, but noticed at least in what you posted that you have
smtpd_recipient_restrictions defined bit no smtpd_relay_restrictions.
Read here <http://www.postfix.org/SMTPD_ACCESS_README.html#danger> might
point to your problem.
--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com
m***@gmail.com
2018-04-24 15:03:36 UTC
Permalink
Post by b***@gmail.com
Mar 6 04:43:18 MailVM postfix/smtpd[7620]: connect from unknown[131.221.49.124]
Mar 6 04:43:19 MailVM postfix/smtpd[7620]: setting up TLS connection from unknown[131.221.49.124]
Mar 6 04:43:20 MailVM postfix/smtpd[7620]: Anonymous TLS connection established from unknown[131.221.49.124]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Mar 6 04:43:24 MailVM postfix/smtpd[7620]: disconnect from unknown[131.221.49.124]
Mar 6 04:43:28 MailVM postfix/smtp[7625]: certificate verification failed for relay.dnsexit.com[64.182.102.186]:26: self-signed certificate
Mar 6 04:43:29 MailVM postfix/qmgr[1611]: 676B920366: removed
Ma
XXXX = is an old email account which is no longer in the system and YYYYY.com is my domain.
# SASL
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = no
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
So there shouldn't be any anonymous at all...
smtpd_use_tls=yes
smtpd_tls_auth_only=yes
smtpd_TLS_ciphers = high
smtpd_TLS_mandatory_ciphers = high
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 4
smtpd_tls_recieved_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# restrictions
#smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit
#smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
smtpd_client_restrictions = permit_mynetworks, reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org
#smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, permit
#smtpd_data_restrictions = reject_unauth_pipelining
Any idea why I am getting anonymous relays. All emails inbount to me go through a spam filter so I need to allow local network and I don't mind making ALL that hit this server require authentication.
Bob
i didn't notice it but can you add in something like:

mynetworks = 127.0.0.0/8
relay_domains =

in your main.cf file.

change the IP address to reflect your own trusted network.

Loading...