This server has been live for many years, however, recently it is under attack by spam.
I have not been able to plug the hole they are using. It seems that the spam is using the sasl_username=clamav.
My postfix configuration is :
main.cf:
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
append_dot_mydomain = no
readme_directory = no
compatibility_level = 2
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.xxx.yyy.zzz/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.xxx.yyy.zzz/privkey.pem
smtpd_tls_security_level = may
smtpd_tls_received_header = yes
smtpd_tls_auth_only = no
smtpd_tls_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_ciphers = high
smtpd_tls_mandatory_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
tls_preempt_cipherlist = yes
smtp_sasl_auth_enable = no
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_ciphers = high
smtp_tls_mandatory_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
mydomain = xxx
myhostname = mail.xxx.yyy.zzz
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $mydomain, $myhostname, localhost.localdomain, localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
mynetworks_style = subnet
message_size_limit = 30720000
virtual_mailbox_limit = 0
inet_interfaces = all
inet_protocols = all
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-virtual-email2email.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
smtpd_reject_unlisted_recipient = yes
smptd_reject_unlisted_sender = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = xxx.yyy.zzz
smtpd_sasl_tls_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sender_login_maps = mysql:/etc/postfix/mysql-virtual-email2email.cf
smtpd_restriction_classes = mua_sender_restrictions, mua_client_restrictions, mua_helo_restrictions
mua_client_restrictions = permit_sasl_authenticated, reject
mua_sender_restrictions = permit_sasl_authenticated, reject
mua_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_sender_restrictions =
reject_unauth_destination,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_unverified_sender,
reject_unknown_reverse_client_hostname,
reject_unknown_client_hostname,
check_sender_access hash:/etc/postfix/restrict_senders,
check_sender_access hash:/etc/postfix/sender_checks,
permit_sasl_authenticated,
permit_mynetworks
smtpd_recipient_restrictions =
reject_unauth_pipelining,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unauth_destination,
check_sender_access hash:/etc/postfix/sender_checks,
check_client_access hash:/etc/postfix/rbl_override,
reject_invalid_hostname,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unlisted_recipient,
reject_unverified_recipient,
check_policy_service unix:private/policyd-spf,
permit_sasl_authenticated,
permit_mynetworks,
permit
smtpd_relay_restrictions =
reject_unlisted_sender,
reject_unauth_destination,
check_sender_access hash:/etc/postfix/sender_checks
permit_sasl_authenticated,
permit_mynetworks
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = no
smtpd_helo_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_helo_hostname,
reject_invalid_helo_hostname,
reject_unknown_helo_hostname,
check_helo_access hash:/etc/postfix/helo_access,
permit
mime_header_checks = regexp:/etc/postfix/mime_header_checks
milter_default_action = accept
smtpd_milters = unix:opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters
queue_directory = /var/spool/postfix
meta_directory = /etc/postfix
setgid_group = postdrop
command_directory = /usr/sbin
sample_directory = /etc/postfix
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
sendmail_path = /usr/sbin/sendmail
mail_owner = postfix
daemon_directory = /usr/lib/postfix/sbin
manpage_directory = /usr/share/man
html_directory = /usr/share/doc/postfix/html
data_directory = /var/lib/postfix
shlib_directory = /usr/lib/postfix
disable_vrfy_command = yes
policyd-spf_time_limit = 3600
smtp_destination_recipient_limit = 10
default_destination_recipient_limit = 10
smtp_tls_note_starttls_offer = yes
smtpd_tls_session_cache_timeout = 3600s
---
master.cf
------
smtp inet n - y - - smtpd
submission inet n - y - - smtpd
-o content_filter=spamassassin
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_wrappermode=no
-o smtpd_sasl_auth_enable=yes
-o smtpd_tls_auth_only=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_client_restrictions=$mua_client_restrictions
-o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination
-o smtpd_reject_unlisted_recipient=no
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_client_restrictions=$mua_client_restrictions
-o smtpd_sender_restrictions=$mua_sender_restrictions
-o milter_macro_daemon_name=ORIGINATING
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
-o syslog_name=postfix/$service_name
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
postlog unix-dgram n - n - 1 postlogd
maildrop unix - n n - - pipe
flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
spamassassin unix - n n - - pipe
flags=R
user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
127.0.0.1:10025 inet n - y - - smtpd
smtp-amavis unix - - n - 2 smtp
-o syslog_name=postfix/amavis
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o max_use=20
-o smtp_tls_security_level=none
autoresponder unix - n n - - pipe
flags=Fq user=autoresponse argv=/usr/local/sbin/autoresponse -s ${sender} -r ${recipient} -S ${sasl_username} -C ${client_address}
policyd-spf unix - n n - - spawn
user=nobody argv=/usr/bin/policyd-spf
---
nmap -T4 -A -p 25 xxx.yyy.zzz
Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-31 11:26
Nmap scan report for xxx.yyy.zzz (xxx.yyy.zzz)
Host is up (0.00012s latency).
PORT STATE SERVICE VERSION
25/tcp open smtp Postfix smtpd
|_smtp-commands: mail.xxx.yyy.zzz, PIPELINING, SIZE 30720000, ETRN, STARTTLS, AUTH PLAIN LOGIN, AUTH=PLAIN LOGIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING,
| ssl-cert: Subject: commonName=xxx.yyy.zzz
| Subject Alternative Name: DNS:mail.xxx.yyy.zzz, DNS:xxx.yyy.zzz
| Not valid before: 2022-12-14T22:36:23
|_Not valid after: 2023-03-14T22:36:22
|_ssl-date: TLS randomness does not represent time
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.32
OS details: Linux 2.6.32
Network Distance: 0 hops
Service Info: Host: mail.xxx.yyy.zzz
I have disabled the helo restrictions as too many servers including government servers failed the test!
Any help would be appreciated.
clamav
sasl account or harden its password. Seesaslpasswd2
for details. In fact, harden all passwords, as you seem to have accepted weak ones.eho test
, do you see something similar to250-Auth
? If so, then they are logging into your system. Again, harden all passwords. If you are trying to restricting it to local nets, then why open it up withinet_interfaces = all
?