Outbound spam

Hello everyone,

I have just noticed that my Postfix server has been used to send spam.


Apr 11 12:43:33 bm3 postfix/qmgr[21847]: 8437124A4ECA: from=<email.connu@mondomaine.com>, size=522, nrcpt=1 (queue active)
Apr 11 12:43:33 bm3 postfix/smtpd[13661]: 2EB342AA5BA8: client=unknown[117.3.56.230], sasl_method=LOGIN, sasl_username=email.connu@mondomaine.com
Apr 11 12:43:33 bm3 postfix/smtp[27778]: C66B423A587E: to=<kwsnice@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.78.26]:25, delay=169175, delays=169144/0.09/0.08/31, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[173.194.78.26] said: 550-5.7.1 [37.59.31.120      12] Our system has detected that this message is 550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail, 550-5.7.1 this message has been blocked. Please visit 550-5.7.1 http://support.google.com/mail/bin/answer.py?hl=en&answer=188131 for 550 5.7.1 more information. h10si834210wiz.1 - gsmtp (in reply to end of DATA command))
Apr 11 12:43:33 bm3 postfix/cleanup[32078]: 78C334104891: message-id=<20140411104333.78C334104891@mail.mondomaine.com>
Apr 11 12:43:33 bm3 postfix/bounce[31095]: C66B423A587E: sender non-delivery notification: 78C334104891
Apr 11 12:43:33 bm3 postfix/qmgr[21847]: A9E6D40BA5E6: from=<fujomy@mondomaine.com>, size=492, nrcpt=5 (queue active)

When I run a postcat:

[root@bm3 ~]# postcat -vq 7E6063FF6D0E
postcat: dict_eval: const  mail
postcat: dict_eval: const  ipv4
postcat: dict_eval: const  
postcat: dict_eval: const  
postcat: dict_eval: const  
postcat: name_mask: ipv4
postcat: dict_eval: const  mail.mondomaine.com
postcat: dict_eval: const  mondomaine.com
postcat: dict_eval: const  Postfix
postcat: dict_eval: expand ${multi_instance_name:postfix}${multi_instance_name?$multi_instance_name} -> postfix
postcat: dict_eval: const  postfix
postcat: dict_eval: const  postdrop
postcat: dict_eval: expand localhost, $myhostname -> localhost, mail.mondomaine.com
postcat: dict_eval: expand $myhostname -> mail.mondomaine.com
postcat: dict_eval: const  
postcat: dict_eval: const  /usr/libexec/postfix
postcat: dict_eval: const  /var/lib/postfix
postcat: dict_eval: const  /usr/sbin
postcat: dict_eval: const  /var/spool/postfix
postcat: dict_eval: const  pid
postcat: dict_eval: const  all
postcat: dict_eval: const  
postcat: dict_eval: const  double-bounce
postcat: dict_eval: const  nobody
postcat: dict_eval: const  hash:/etc/aliases
postcat: dict_eval: const  20100319
postcat: dict_eval: const  2.6.6
postcat: dict_eval: const  hash
postcat: dict_eval: const  deferred, defer
postcat: dict_eval: const  +
postcat: dict_eval: expand $mydestination -> localhost, mail.mondomaine.com
postcat: dict_eval: expand $relay_domains -> localhost, mail.mondomaine.com
postcat: dict_eval: const  TZ MAIL_CONFIG LANG
postcat: dict_eval: const  MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
postcat: dict_eval: const  subnet
postcat: dict_eval: const  
postcat: dict_eval: const  +=
postcat: dict_eval: const  -=+
postcat: dict_eval: const  debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
postcat: dict_eval: const  
postcat: dict_eval: const  bounce
postcat: dict_eval: const  cleanup
postcat: dict_eval: const  defer
postcat: dict_eval: const  pickup
postcat: dict_eval: const  qmgr
postcat: dict_eval: const  rewrite
postcat: dict_eval: const  showq
postcat: dict_eval: const  error
postcat: dict_eval: const  flush
postcat: dict_eval: const  verify
postcat: dict_eval: const  trace
postcat: dict_eval: const  proxymap
postcat: dict_eval: const  proxywrite
postcat: dict_eval: const  
postcat: dict_eval: const  
postcat: dict_eval: const  0
postcat: dict_eval: const  100s
postcat: dict_eval: const  100s
postcat: dict_eval: const  100s
postcat: dict_eval: const  100s
postcat: dict_eval: const  3600s
postcat: dict_eval: const  3600s
postcat: dict_eval: const  5s
postcat: dict_eval: const  5s
postcat: dict_eval: const  1000s
postcat: dict_eval: const  1000s
postcat: dict_eval: const  10s
postcat: dict_eval: const  10s
postcat: dict_eval: const  1s
postcat: dict_eval: const  1s
postcat: dict_eval: const  1s
postcat: dict_eval: const  1s
postcat: dict_eval: const  500s
postcat: dict_eval: const  500s
postcat: dict_eval: const  18000s
postcat: dict_eval: const  18000s
postcat: dict_eval: const  1s
postcat: dict_eval: const  1s
postcat: dict_eval: const  127.0.0.0/8, 172.16.2.0/24
postcat: inet_addr_local: configured 3 IPv4 addresses
*** ENVELOPE RECORDS incoming/7E6063FF6D0E ***
message_size:             468            1092               5               0             468
message_arrival_time: Wed Apr  9 19:54:51 2014
create_time: Wed Apr  9 19:54:53 2014
content_filter: amavisfeed:[127.0.0.1]:10024
named_attribute: rewrite_context=remote
named_attribute: sasl_method=LOGIN
named_attribute: sasl_username=email.existant@mondomaine.com
sender: fyrozy@famillewallon.com
pointer_record:             0
named_attribute: log_client_name=unknown
named_attribute: log_client_address=190.12.54.198
named_attribute: log_client_port=15239
named_attribute: log_message_origin=unknown[190.12.54.198]
named_attribute: log_helo_name=fbwzemn
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=unknown
named_attribute: reverse_client_name=mail.delico.ec
named_attribute: client_address=190.12.54.198
named_attribute: client_port=15239
named_attribute: helo_name=fbwzemn
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;lisaaowens@aol.com
original_recipient: lisaaowens@aol.com
recipient: lisaaowens@aol.com
named_attribute: dsn_orig_rcpt=rfc822;gurogi@incorporateservice.com
original_recipient: gurogi@incorporateservice.com
recipient: gurogi@incorporateservice.com
named_attribute: dsn_orig_rcpt=rfc822;demndog@msn.com
original_recipient: demndog@msn.com
recipient: demndog@msn.com
named_attribute: dsn_orig_rcpt=rfc822;fishermetro@aol.com
original_recipient: fishermetro@aol.com
recipient: fishermetro@aol.com
named_attribute: dsn_orig_rcpt=rfc822;aherring@austin.rr.com
original_recipient: aherring@austin.rr.com
recipient: aherring@austin.rr.com
pointer_record:               0
*** MESSAGE CONTENTS incoming/7E6063FF6D0E ***
regular_text: Received: from fbwzemn (unknown [190.12.54.198])
regular_text: 	(Authenticated sender: email.existant@mondomaine.com)
regular_text: 	by mail.famillewallon.com (Postfix) with ESMTPA id 7E6063FF6D0E;
regular_text: 	Wed,  9 Apr 2014 19:54:51 +0200 (CEST)
pointer_record:            1564
regular_text: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mondomaine.com;
regular_text: 	s=default; t=1397066098;
regular_text: 	bh=*****************************;
regular_text: 	h=To:Subject:From:Date;
regular_text: 	b=*****************************
regular_text: 	 ***************************
regular_text: 	 ***************************
regular_text: To: <lisaaowens@aol.com>
pointer_record:            1336
regular_text: Subject: HolyViagra
regular_text: From: email.INCONNU.chez.moi@mondomaine.com
regular_text: Date: Wed, 9 Apr 2014 19:42:51 -0700
regular_text: Mime-Version: 1.0
regular_text: Content-Type: text/plain; charset=us-ascii
pointer_record:               0
regular_text: 
regular_text: http://xicuhoqinuk.tk?pofo
regular_text: 
regular_text: 
regular_text: 
pointer_record:               0
*** HEADER EXTRACTED incoming/7E6063FF6D0E ***
*** MESSAGE FILE END incoming/7E6063FF6D0E ***

and I have loads of them.

Yet I am not an open relay.
I don't know whether it's me or BM.

Here is my Postfix config:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
local_recipient_maps = $alias_maps
mailbox_size_limit = 0
message_size_limit = 0
milter_default_action = accept
milter_protocol = 2
mydestination = localhost, $myhostname
myhostname = mail.mondomaine.com
mynetworks = 127.0.0.0/8, 172.16.2.0/24
myorigin = $myhostname
non_smtpd_milters = $smtpd_milters
recipient_delimiter = +
relayhost = 
smtpd_banner = $myhostname ESMTP $mail_name (BlueMind)
smtpd_helo_restrictions = permit_mynetworks,
    reject_invalid_hostname,
    permit
smtpd_milters = inet:127.0.0.1:8891
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_hostname,
    reject_unauth_destination,
    check_policy_service unix:postgrey/socket,
    reject_non_fqdn_hostname,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_rbl_client all.spam-rbl.fr,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /var/lib/bm-ca/cacert.pem
smtpd_tls_cert_file = /etc/ssl/certs/bm_cert.pem
smtpd_tls_key_file = /etc/ssl/certs/bm_cert.pem
smtpd_tls_security_level = may
transport_maps = hash:/etc/postfix/transport, hash:/etc/postfix/master_relay_transport
virtual_alias_maps = hash:/etc/postfix/virtual_alias
virtual_mailbox_domains = hash:/etc/postfix/virtual_domains
virtual_mailbox_maps = hash:/etc/postfix/virtual_mailbox
virtual_transport = error:mailbox does not exist

If you have any idea...

PS: I have just installed fail2ban (I had forgotten to set it up) and changed the passwords.
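The log excerpt above has the two pieces needed to tell a stolen login from a legitimate one: the smtpd line carries `client=host[ip]` and `sasl_username=`, and the qmgr line with the same queue ID carries `from=<...>` and `nrcpt=`. The script below is an added example, not code from the original post or from BlueMind: it joins those two lines on the queue ID, then reports, per SASL login, the distinct client IPs, the recipient total and any envelope sender that differs from the login name. The log lines embedded in it are constructed to mimic the format quoted above (queue IDs, the `pc-bureau.lan` / `mx.example.net` hosts and the `pascal@` account are made up; the thresholds in `suspicious_logins` are assumptions to tune for real users).

```python
import re
from collections import defaultdict

# Constructed sample log (not copied from the post), modeled on the smtpd
# "client=... sasl_username=..." and qmgr "from=<...> nrcpt=..." lines quoted
# in the thread.  Queue IDs, the pc-bureau.lan / mx.example.net hosts and the
# pascal@ account are made up; the three client IPs are the ones seen above.
SAMPLE_LOG = """\
Apr 11 12:43:01 bm3 postfix/smtpd[13661]: 1A0000000001: client=unknown[117.3.56.230], sasl_method=LOGIN, sasl_username=admin@mondomaine.com
Apr 11 12:43:01 bm3 postfix/qmgr[21847]: 1A0000000001: from=<fyrozy@mondomaine.com>, size=492, nrcpt=5 (queue active)
Apr 11 12:43:09 bm3 postfix/smtpd[13662]: 1A0000000002: client=unknown[190.12.54.198], sasl_method=LOGIN, sasl_username=admin@mondomaine.com
Apr 11 12:43:09 bm3 postfix/qmgr[21847]: 1A0000000002: from=<fujomy@mondomaine.com>, size=501, nrcpt=5 (queue active)
Apr 11 12:43:15 bm3 postfix/smtpd[13663]: 1A0000000003: client=129.red.75.37.46.procono.es[46.37.75.129], sasl_method=LOGIN, sasl_username=admin@mondomaine.com
Apr 11 12:43:15 bm3 postfix/qmgr[21847]: 1A0000000003: from=<admin@mondomaine.com>, size=4893, nrcpt=1 (queue active)
Apr 11 12:44:02 bm3 postfix/smtpd[13664]: 1A0000000004: client=pc-bureau.lan[172.16.2.20], sasl_method=PLAIN, sasl_username=pascal@mondomaine.com
Apr 11 12:44:02 bm3 postfix/qmgr[21847]: 1A0000000004: from=<pascal@mondomaine.com>, size=1200, nrcpt=1 (queue active)
Apr 11 12:45:00 bm3 postfix/smtpd[13665]: 1A0000000005: client=mx.example.net[203.0.113.7]
Apr 11 12:45:00 bm3 postfix/qmgr[21847]: 1A0000000005: from=<bob@example.net>, size=800, nrcpt=1 (queue active)
"""

# smtpd logs the queue ID once MAIL FROM is accepted; an authenticated session
# carries sasl_method= and sasl_username=, an unauthenticated one does not.
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+))?"
)
# qmgr logs the envelope sender and recipient count under the same queue ID.
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)"
)


def parse_log(text):
    """Join smtpd and qmgr lines on the queue ID.

    Returns one dict per queue ID that had an smtpd 'client=' line; 'user' is
    None for unauthenticated sessions, 'sender'/'nrcpt' come from qmgr.
    """
    messages = {}
    for line in text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            messages[m["qid"]] = {"qid": m["qid"], "ip": m["ip"],
                                  "user": m["user"], "sender": None, "nrcpt": 0}
            continue
        m = QMGR_RE.search(line)
        if m and m["qid"] in messages:
            messages[m["qid"]]["sender"] = m["sender"]
            messages[m["qid"]]["nrcpt"] = int(m["nrcpt"])
    return list(messages.values())


def triage(text):
    """Per SASL login: distinct client IPs, message and recipient totals, and
    the envelope senders that are not the login name itself."""
    report = defaultdict(lambda: {"ips": set(), "messages": 0,
                                  "recipients": 0, "foreign_senders": set()})
    for msg in parse_log(text):
        if msg["user"] is None:
            continue  # inbound, unauthenticated mail is not the abused path here
        entry = report[msg["user"]]
        entry["ips"].add(msg["ip"])
        entry["messages"] += 1
        entry["recipients"] += msg["nrcpt"]
        if msg["sender"] and msg["sender"].lower() != msg["user"].lower():
            entry["foreign_senders"].add(msg["sender"])
    return dict(report)


def suspicious_logins(report, max_ips=2, max_recipients=50):
    """Logins whose password should be reset: seen from more client IPs than
    one person plausibly uses, pushing many recipients, or sending with an
    envelope sender other than the login.  Thresholds are assumptions."""
    flagged = {}
    for user, entry in report.items():
        reasons = []
        if len(entry["ips"]) > max_ips:
            reasons.append("%d distinct client IPs" % len(entry["ips"]))
        if entry["recipients"] > max_recipients:
            reasons.append("%d recipients" % entry["recipients"])
        if entry["foreign_senders"]:
            reasons.append("envelope sender != login: "
                           + ", ".join(sorted(entry["foreign_senders"])))
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    # Real use: suspicious_logins(triage(open("/var/log/maillog").read()))
    for user, reasons in suspicious_logins(triage(SAMPLE_LOG)).items():
        print(user)
        for reason in reasons:
            print("  -", reason)
```

On the sample data only `admin@mondomaine.com` is flagged: three client IPs in a quarter of an hour and two envelope senders that are not the login. A legitimate user submitting from one workstation with their own address produces no reason at all, which is what makes the per-login view more useful than a raw count of `sasl_username=` lines.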

Hello,

From memory (I'm not in front of my personal server),
I disabled the 'permit_mynetworks' check in the 'smtpd_recipient_restrictions' declaration.

I'll send you my config tonight.

Pascal

Hi,

Here, as promised, is the part of the config that concerns us:

# SMTP authentication

smtpd_sasl_auth_enable=yes
broken_sasl_auth_clients=yes
smtpd_sasl_security_options=noanonymous
#smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_sasl_authenticated_header=yes

# Wait until the RCPT TO command before evaluating restrictions

smtpd_delay_reject = yes

# Basic restrictions

smtpd_helo_required = yes
strict_rfc821_envelopes = yes

# Requirements for the connecting server

smtpd_client_restrictions =
permit_sasl_authenticated,
sleep 1,
reject_unauth_pipelining

# Requirements for the HELO statement

smtpd_helo_restrictions =
permit_sasl_authenticated,
#reject_non_fqdn_hostname,
reject_invalid_hostname

smtpd_relay_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination

# Requirements for the sender address

smtpd_sender_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
check_policy_service inet:127.0.0.1:10023,
reject_unlisted_sender,
reject_non_fqdn_sender,
reject_unknown_sender_domain

# Requirements for the recipient address

smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unlisted_recipient,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
reject_unauth_destination,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client zen.spamhaus.org

TCP port 10023 is Postgrey.

Pascal

I thought it was resolved, but no.

[code][root@bm3 etc]# postcat /var/spool/postfix/deferred/A/A36DE232552A
*** ENVELOPE RECORDS /var/spool/postfix/deferred/A/A36DE232552A ***
message_size: 4893 689 1 0 4893
message_arrival_time: Wed May 14 12:32:14 2014
create_time: Wed May 14 12:32:14 2014
named_attribute: rewrite_context=remote
sender: admin@.com
named_attribute: encoding=7bit
named_attribute: log_client_name=localhost.localdomain
named_attribute: log_client_address=127.0.0.1
named_attribute: log_client_port=43409
named_attribute: log_message_origin=localhost.localdomain[127.0.0.1]
named_attribute: log_helo_name=localhost
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=localhost.localdomain
named_attribute: reverse_client_name=localhost.localdomain
named_attribute: client_address=127.0.0.1
named_attribute: client_port=43409
named_attribute: helo_name=localhost
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;kadirs@mailcity.com
original_recipient: kadirs@mailcity.com
recipient: kadirs@mailcity.com
*** MESSAGE CONTENTS /var/spool/postfix/deferred/A/A36DE232552A ***
Received: from localhost (localhost.localdomain [127.0.0.1])
by mail..com (Postfix) with ESMTP id A36DE232552A
for kadirs@mailcity.com; Wed, 14 May 2014 12:32:14 +0200 (CEST)
X-Virus-Scanned: amavisd-new at .com
Received: from mail..com ([127.0.0.1])
by localhost (mail..com [127.0.0.1]) (amavisd-new, port 10024)
with LMTP id wDo6zi87XOvu for kadirs@mailcity.com;
Wed, 14 May 2014 12:32:13 +0200 (CEST)
Received: from 129.red.75.37.46.procono.es (unknown [46.37.75.129])
(Authenticated sender: admin@.com)
by mail..com (Postfix) with ESMTPA id 1E75E232552D
for kadirs@mailcity.com; Wed, 14 May 2014 12:32:04 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=famillewallon.com;
s=default; t=1400063527;
bh=o7SkmehPIOiVkJVo+aWOSm+boRthQRmjKnrZ2dTAq2c=;
h=From:Reply-To:To:Subject:Date;
b=RE1GPgArhF+JlH81E1htqlF9wM/ejXLnCVY/CYL/mcm0vNH9fL35bElNVWC5DHT0S
yuencGTVH7peY0RnRSZXtqhIWZK7w0taVYphvBrYTLpVYlzlg7icRKRU0q9slbQaGT
zTEtm2y5P/9+06XIoUJR8o7Qdvz4s2R4QgdoG/Hw=
MIME-Version: 1.0
From: "Abogado Ernesto Leon Isidoro(Esq)" <admin@.com>
Reply-To: ernesto_isidoro@gmx.us
To: kadirs@mailcity.com
Subject: Hello,did you receive my mail???
Content-Type: text/html; charset="windows-1252http-equivContent-Type"
Content-Transfer-Encoding: quoted-printable
X-Mailer: SendBlaster.1.5.5
Date: Wed, 14 May 2014 12:32:02 +0200
Message-ID: 4780212735456130421518@Dafit-PC
X-Antivirus: avast! (VPS 140514-0, 14/05/2014), Outbound message
X-Antivirus-Status: Clean

...]
*** HEADER EXTRACTED /var/spool/postfix/deferred/A/A36DE232552A ***
named_attribute: encoding=7bit
*** MESSAGE FILE END /var/spool/postfix/deferred/A/A36DE232552A ***
[/code]

The problem is that admin@**************.com (******* = my domain) is an account I never created in BM.

I have just modified my Postfix file, fingers crossed.

What do you think of my config?

[root@bm3 ~]# cat /etc/postfix/main.cf 
smtpd_banner = $myhostname ESMTP $mail_name (BlueMind)
biff = no

append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

myhostname = mail.************.com
myorigin = $myhostname
content_filter=amavisfeed:[127.0.0.1]:10024
#relayhost = 172.16.2.16

# Alias databases consulted by the 'local' delivery agent
alias_maps = hash:/etc/aliases
# Alias databases updated by 'newaliases'
alias_database = hash:/etc/aliases
local_recipient_maps = $alias_maps

mydestination = localhost, $myhostname
mynetworks = 127.0.0.0/8, 172.16.2.0/24
message_size_limit = 0
mailbox_size_limit = 0

virtual_transport = error:mailbox does not exist
virtual_mailbox_domains = hash:/etc/postfix/virtual_domains
virtual_mailbox_maps = hash:/etc/postfix/virtual_mailbox
virtual_alias_maps = hash:/etc/postfix/virtual_alias
transport_maps = hash:/etc/postfix/transport, hash:/etc/postfix/master_relay_transport

recipient_delimiter = +

# SMTP/TLS
smtpd_tls_security_level=may
smtpd_tls_cert_file=/etc/ssl/certs/bm_cert.pem
smtpd_tls_key_file=/etc/ssl/certs/bm_cert.pem
smtpd_tls_CAfile=/var/lib/bm-ca/cacert.pem

smtpd_milters           = inet:127.0.0.1:8891
non_smtpd_milters       = $smtpd_milters
milter_default_action   = accept
milter_protocol         = 2

# SMTP authentication
smtpd_sasl_auth_enable=yes
broken_sasl_auth_clients=yes
smtpd_sasl_security_options=noanonymous
smtpd_sasl_authenticated_header=yes

# Wait until the RCPT TO command before evaluating restrictions
smtpd_delay_reject = yes

smtpd_client_restrictions =
    permit_sasl_authenticated,
    sleep 1,
    reject_unauth_pipelining

smtpd_helo_restrictions = 
     permit_sasl_authenticated,
     #permit_mynetworks,
     reject_non_fqdn_hostname,
     reject_invalid_hostname,


smtpd_relay_restrictions =
   permit_sasl_authenticated,
   permit_mynetworks,
   reject_unauth_destination

# Requirements for the sender address
smtpd_sender_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    check_policy_service unix:postgrey/socket,
    reject_unlisted_sender,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain

smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_invalid_hostname,
   reject_unauth_destination,
   check_policy_service unix:postgrey/socket,
   reject_non_fqdn_hostname,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_sender_domain,
   reject_unknown_recipient_domain,
   reject_rbl_client all.spam-rbl.fr,
   reject_rbl_client sbl.spamhaus.org,
   reject_rbl_client cbl.abuseat.org,
   reject_rbl_client dul.dnsbl.sorbs.net

The saslauthd service is stopped, is that normal?

Hello,

The admin user is created by default, and looking at the logs, the messages were sent with an authenticated user.
I'm not an expert in the field, but apparently your admin password was hacked (it is "admin" by default, so easy to crack if you haven't changed it, even with fail2ban).
It was probably the same thing in the first logs you provided.

Personally I haven't modified the BM config and I have no problems. For spam/antivirus filtering I set up an SMTP proxy so as not to interfere with BM's processes.

In the end I disabled the admin account for mail.

One weird thing, though:

May 17 22:58:40 bm3 postgrey[1744]: action=greylist, reason=new, client_name=152-6-93-81-mx-rb2.navaho.fr, client_address=81.93.6.152, sender=fuxahu@33-6-93-81-net-rb2.navaho.fr, recipient=fuxahu@mondomaine.com
...]
May 17 22:58:40 bm3 postfix/smtpd[8529]: NOQUEUE: reject: RCPT from 152-6-93-81-mx-rb2.navaho.fr[81.93.6.152]: 554 5.7.1 Service unavailable; Client host [81.93.6.152] blocked using cbl.abuseat.org; Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=81.93.6.152; from=<fuxahu@33-6-93-81-net-rb2.navaho.fr> to=<fuxahu@mondomaine.com> proto=ESMTP helo=<33-6-93-81-net-rb2.navaho.fr>

fuxahu@mondomaine.com does not exist in the BM database, and it is not the only such account listed in maillog.

Well, spammers aren't always very smart; they don't always send mail to addresses that exist...
Maybe put the RBL check before postgrey so the mail gets blocked right away.
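Two things about the configs posted in this thread that the suggestion above does not cover. First, every restriction list starts with `permit_sasl_authenticated`, so for a logged-in client evaluation stops there: moving the DNSBL lookups ahead of postgrey only changes the fate of unauthenticated senders, while the spam quoted above came in through the compromised `admin` login. Second, the postcat output shows the login (`sasl_username=email.existant@...`, `admin@...`) and the envelope sender (`fyrozy@famillewallon.com`, `fujomy@...`) disagreeing, which Postfix can refuse on its own. The fragment below is an added example, not BlueMind's or the poster's configuration; the map path `/etc/postfix/sender_login` and the rate-limit figures are assumptions to adapt.

```text
# main.cf fragment (added example): contain abuse of an authenticated account.

# 1. Tie the envelope sender to the SASL login.  The map says which login(s)
#    own a MAIL FROM address; a logged-in client whose login does not own the
#    address is rejected.  reject_sender_login_mismatch must come BEFORE
#    permit_sasl_authenticated, otherwise it is never reached.
#    /etc/postfix/sender_login (then: postmap /etc/postfix/sender_login):
#      email.connu@mondomaine.com   email.connu@mondomaine.com
#      admin@mondomaine.com         admin@mondomaine.com
#    Every login needs an entry for each address it legitimately sends from,
#    aliases included.  Shortcut when login and sender must be identical:
#      smtpd_sender_login_maps = pcre:/etc/postfix/sender_login.pcre
#      with the single rule   /^(.*)$/   $1
smtpd_sender_login_maps = hash:/etc/postfix/sender_login
smtpd_sender_restrictions =
    reject_sender_login_mismatch,
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain

# 2. Per-client rate limits (anvil).  Clients in $mynetworks are exempt by
#    default (smtpd_client_event_limit_exceptions); a stolen account used from
#    the Internet is not.  Figures are illustrative; tune to real users.
anvil_rate_time_unit = 60s
smtpd_client_message_rate_limit = 30
smtpd_client_recipient_rate_limit = 100

# 3. Recipient restrictions with the DNSBL ahead of the greylisting policy
#    service, as suggested above (a listed host is refused at once instead of
#    being told to retry).  zen.spamhaus.org combines SBL and XBL, the latter
#    including the CBL data, so separate sbl.spamhaus.org / cbl.abuseat.org
#    lookups are redundant.  reject_unauth_destination stays in this list:
#    smtpd_relay_restrictions only exists from Postfix 2.10, and the version
#    string in the postcat debug output above reads 2.6.6.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_rbl_client zen.spamhaus.org,
    check_policy_service unix:postgrey/socket
```

After `postmap` and `postfix reload`, a session like the one in the first postcat (login `email.existant@...`, MAIL FROM `fyrozy@...`) is refused at RCPT TO with "Sender address rejected: not owned by user", and the smtpd log line records the login that tried it. Note the limit of this check: it covers the envelope sender only. The header `From: email.INCONNU.chez.moi@...` seen in the message body is not examined by `reject_sender_login_mismatch`; catching that needs header_checks or a milter, and the amavis/DKIM milter chain shown in the config would sign whatever passes.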

I have the impression things are better now.

http://img.nserveur.net/images/capturzqz.png

Hello,

I'll take advantage of this thread to ask a question about monitoring.
How do you manage to parse the directories in /var/spool/postfix? For me the script constantly comes back with values of 0.

Thanks for your reply.

Hello,

I'll take the opportunity to pile on :wink:

http://forum.blue-mind.net/viewtopic.php?id=756

BM's Postfix antispam config needs to be hardened; in some contexts you take an insane load of spam.

@Manu with munin there is no need for extra config, everything is automatic, at least on CentOS; on the other hand I haven't managed to graph Cyrus.

http://mon.nserveur.net/famillewallon.local/bm3.famillewallon.local/index.html

Ah, ok. For my part I'm trying to graph with Icinga + PNP4Nagios and I can't retrieve any values, everything is at 0.

On the plugin's thread it says to either run as root or grant permissions on /var/spool/postfix, but nothing works.

I'll keep digging, thanks for your reply.