
After some time I built an E-Mail server again. I looked up different tutorials to do it right. I did it right, or at least I can send and receive E-Mails.

The most important thing for me is that the server is safe. Safe as in I don't receive spam, viruses etc., but far more important, I don't want to bother other people or systems. I implemented a lot of directives and stuff to harden the system. But I'm still not sure whether it really is, or if I have a misconfiguration somewhere.

I have entries in the log which make me twitchy; maybe I'm just not able to read them right.

I'm totally confused. I would like to think that all mail mentioned above was sent to /dev/null. First the system says it doesn't know the sender (some explanation: [email protected] is a known and valid address on my server, [email protected] is not):

Jan 23 11:36:22 mail postfix/smtpd[15689]: 78587E1E18: client=unknown[59.98.143.142], sasl_method=PLAIN, [email protected]
Jan 23 11:36:45 mail postfix/cleanup[15705]: 78587E1E18: message-id=<[email protected]>
Jan 23 11:36:45 mail postfix/qmgr[15510]: 78587E1E18: from=<[email protected]>, size=2357, nrcpt=20 (queue active)
Jan 23 11:36:45 mail postfix/smtpd[15711]: connect from localhost[127.0.0.1]
Jan 23 11:36:45 mail postfix/smtpd[15711]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<[email protected]> proto=ESMTP helo=<localhost>
Jan 23 11:36:45 mail amavis[14998]: (14998-09) Negative SMTP resp. to DATA: 554 5.5.1 Error: no valid recipients
Jan 23 11:36:45 mail postfix/smtpd[15711]: disconnect from localhost[127.0.0.1]

My interpretation of this first passage is that someone first uses a well-known account of the system to connect to the system. Second, it tries to send E-Mail using a different name that is not known to the server.

Second, Amavis wants to bounce it:

Jan 23 11:36:45 mail amavis[14998]: (14998-09) Negative SMTP resp. to DATA: 554 5.5.1 Error: no valid recipients
Jan 23 11:36:45 mail postfix/smtpd[15711]: disconnect from localhost[127.0.0.1]
Jan 23 11:36:45 mail amavis[14998]: (14998-09) (!)V41u_uXR4ZV9(6_lwbkN2e1dX) SEND from <> -> <[email protected]>, [email protected] BODY=7BIT 550 5.1.1 from MTA(smtp:[127.0.0.1]:10025): 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in virtual mailbox table
Jan 23 11:36:45 mail amavis[14998]: (14998-09) (!)NOTICE: UNABLE TO SEND DSN to <[email protected]>: 550 5.1.1 from MTA(smtp:[127.0.0.1]:10025): 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in virtual mailbox table
Jan 23 11:36:45 mail amavis[14998]: (14998-09) unexpected status/result, please verify: To be bounced, but DSN was neither sent nor suppressed?, <[email protected]>
(19 more entries of that type)

But last the log says:

Jan 23 11:36:45 mail amavis[14998]: (14998-09) Blocked BAD-HEADER-0 {UnknownOpenRelay,Quarantined}, [59.98.143.142]:29864 [59.98.143.142] <[email protected]> -> <[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>, Queue-ID: 78587E1E18, Message-ID: <[email protected]>, mail_id: 6_lwbkN2e1dX, Hits: -, size: 2355, 222 ms
Jan 23 11:36:45 mail postfix/smtp[15708]: 78587E1E18: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=24, delays=24/0/0.01/0.22, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=14998-09, BOUNCE)
Jan 23 11:36:45 mail postfix/smtp[15708]: [...]
Jan 23 11:36:45 mail postfix/qmgr[15510]: 78587E1E18: removed
Jan 23 11:36:47 mail postfix/smtpd[15689]: 67360E1E18: client=unknown[59.98.143.142], sasl_method=PLAIN, [email protected]
Jan 23 11:36:48 mail postfix/smtpd[15689]: 67360E1E18: reject: RCPT from unknown[59.98.143.142]: 504 5.5.2 <tleonsis@washingtoncaps>: Recipient address rejected: need fully-qualified address; from=<[email protected]> to=<tleonsis@washingtoncaps> proto=ESMTP helo=<example.com>

Jan 23 11:38:02 mail postfix/smtpd[15689]: 67360E1E18: reject: RCPT from unknown[59.98.143.142]: 450 4.1.2 : Recipient address rejected: Domain not found; from= to= proto=ESMTP helo=
Jan 23 11:38:03 mail postfix/smtpd[15689]: lost connection after RCPT from unknown[59.98.143.142]
Jan 23 11:38:03 mail postfix/smtpd[15689]: disconnect from unknown[59.98.143.142]

Sorry, I'm not allowed to post the log or the configuration as the system here sees it as spam ...

What do you think? Do I send Spam Mails or is my server safe?

My guess is that I send mails, as I got some backscatter mail. How can I suppress this kind of behavior?


2 Answers


This probably has nothing to do with an open relay (which you can check with this tool), but rather you are getting backscatter mail.

When a spammer or worm sends mail with forged sender addresses, innocent sites are flooded with undeliverable mail notifications. This is called backscatter mail. With Postfix, you know that you're a backscatter victim when your logfile goes on and on like this:

Dec  4 04:30:09 hostname postfix/smtpd[58549]: NOQUEUE: reject:
RCPT from xxxxxxx[x.x.x.x]: 550 5.1.1 <[email protected]>:
Recipient address rejected: User unknown; from=<>
to=<[email protected]> proto=ESMTP helo=<zzzzzz>

What you see are lots of "user unknown" errors with "from=<>". These are error reports from MAILER-DAEMONs elsewhere on the Internet, about email that was sent with a false sender address in your domain.

Usually, e-mails have 2 "senders" defined in headers: one is the header sender (MAIL FROM), and the other is the envelope sender (Return-Path), the latter being the address where bounced mails will be sent.

So say someone sent a mail claiming it's you (by specifying the envelope sender to your domain) and tried to send an e-mail to a non-existing address. The bounce mail will get to the address specified in the envelope sender, which is you.

This is quite frequent, as anyone may send a mail claiming they are someone they're not (forging the sender headers); it's the MTU's job to determine if this is true or not and to block or permit the mail.

There's a good source of information about Backscatter mail on Postfix.

  • +1 particularly for pointing to a tool to check if the original poster is running an open relay. Commented Jan 17, 2016 at 14:39
  • @ChrisInEdmonton If this is back-scatter spam, then setting up a strict SPF policy may reduce the volume significantly. It is likely that the sending address(es) have been harvested by other spammers and will begin receiving more spam than usual.
    – BillThor
    Commented Jan 17, 2016 at 15:51
  • @ChrisInEdmonton, thanks for the help so far. I'm quite sure that the entries I have posted here are no backscatter mail. I scanned the logs of the last days and found some backscatter mail to the spam I'm probably sending. The quality of my first post was not so good. I'll try to give more information if the platform lets me post the crucial log passages. Most sender and receiver information is deleted by superuser.com, but they are filled with information
    – H. Stridde
    Commented Jan 23, 2016 at 18:02

It took some time, but I found a solution to my problem. Someone from outside used an existing account to log in (SASL authentication) and then sent mails with an invalid sender address [email protected].

To prohibit this behaviour I added some lines in my main.cf.

# file / database in which valid emails, users and domains can be found
smtpd_sender_login_maps = mysql:/etc/postfix/mysql-email2email.cf, mysql:/etc/postfix/mysql-virtual-users.cf

# reject_authenticated_sender_login_mismatch, reject_sender_login_mismatch and
# reject_unauthenticated_sender_login_mismatch use the data from smtpd_sender_login_maps.
# If it is not defined you will see lots of errors and be unable to send mails.

smtpd_sender_restrictions =
    reject_non_fqdn_sender,
    reject_authenticated_sender_login_mismatch,
    reject_sender_login_mismatch,
    reject_unauthenticated_sender_login_mismatch,
    reject_unknown_sender_domain,
    reject_unlisted_sender,
    reject_unverified_sender,
    permit_sasl_authenticated,
    permit_mynetworks

If a user wants to send an E-Mail with a defined alias address, he first has to define it in the database.
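As an added example (not code from the question or either answer), the following Python script applies, offline against a log file, the same check that reject_authenticated_sender_login_mismatch enforces at SMTP time: it correlates each queue ID's sasl_username from the smtpd line with the envelope sender on the qmgr line, exactly the two lines the question's log shows, and reports authenticated submissions whose sender is not mapped to that login in a sender_login_maps-style table. The log lines, addresses, queue IDs and the login map are constructed placeholders; the nrcpt threshold is an assumption.

```python
import re

# Constructed sample lines modelled on the question's log (placeholder addresses and queue IDs).
SAMPLE_LOG = """\
Jan 23 11:36:22 mail postfix/smtpd[15689]: 78587E1E18: client=unknown[59.98.143.142], sasl_method=PLAIN, sasl_username=alice@example.org
Jan 23 11:36:45 mail postfix/qmgr[15510]: 78587E1E18: from=<bogus@example.com>, size=2357, nrcpt=20 (queue active)
Jan 23 11:40:01 mail postfix/smtpd[15689]: 11111E1E18: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=bob@example.org
Jan 23 11:40:03 mail postfix/qmgr[15510]: 11111E1E18: from=<bob@example.org>, size=1200, nrcpt=1 (queue active)
Jan 23 11:41:00 mail postfix/smtpd[15689]: 22222E1E18: client=unknown[203.0.113.9], sasl_method=PLAIN, sasl_username=carol@example.org
Jan 23 11:41:02 mail postfix/qmgr[15510]: 22222E1E18: from=<sales@example.org>, size=900, nrcpt=2 (queue active)
"""

# Stand-in for smtpd_sender_login_maps: envelope sender -> SASL logins allowed to use it.
SENDER_LOGIN_MAPS = {
    "alice@example.org": {"alice@example.org"},
    "bob@example.org": {"bob@example.org"},
    "sales@example.org": {"carol@example.org"},  # an alias carol has registered
}

# smtpd line carrying the SASL login, and the qmgr line carrying the envelope sender.
SASL_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=.*sasl_username=(?P<user>\S+)")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")


def find_sender_login_mismatches(log_text, login_maps, nrcpt_threshold=10):
    """Return one finding per authenticated submission whose envelope sender is not
    mapped to the SASL login that submitted it; 'bulk' flags a high recipient count."""
    logins = {}      # queue ID -> sasl_username seen on the smtpd line
    findings = []
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            logins[m["qid"]] = m["user"]
            continue
        m = FROM_RE.search(line)
        if not m or m["qid"] not in logins:
            continue  # not an authenticated submission (or no smtpd line seen for it)
        user, sender, nrcpt = logins[m["qid"]], m["sender"], int(m["nrcpt"])
        if user not in login_maps.get(sender, set()):
            findings.append({"queue_id": m["qid"], "login": user, "sender": sender,
                             "nrcpt": nrcpt, "bulk": nrcpt >= nrcpt_threshold})
    return findings


if __name__ == "__main__":
    for finding in find_sender_login_mismatches(SAMPLE_LOG, SENDER_LOGIN_MAPS):
        print(finding)
```

Run it over a real mail.log to see which accounts have been submitting with unmapped sender addresses before the restriction was in place; a finding with a high nrcpt and a sender outside your domains is the pattern from the question.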
