Help with Virtualmin/Usermin in email client.

Are you able to telnet into port 143 and 993?

If not – then you’re still seeing some sort of NAT, firewall, or routing issue.

You’d need to make sure your firewall on your server isn’t preventing access to those ports, and verify that your router is forwarding those ports to your server.

-Eric

Yes, the telnet results are the same as several weeks ago with the connection.

Port 143.

Trying 192.168.1.163...
Connected to 192.168.1.163.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

Port 993.

Trying 192.168.1.163...
Connected to 192.168.1.163.
Escape character is '^]'.

iptables -L -n shows all ports are open

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:20 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:21 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:20000 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:10000 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:993 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:143 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:995 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:20 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:587 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  

/etc/postfix/master.cf file has details below:

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp    inet    n       -       n       -       -       smtpd -o smtpd_sasl_auth_enable=yes
#submission inet n       -       n       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps   inet    n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
        -o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop  unix  -       n       n       -       -       pipe
#  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp      unix  -       n       n       -       -       pipe
#  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# ====================================================================
#
# Other external delivery methods.
#
#ifmail    unix  -       n       n       -       -       pipe
#  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp     unix  -       n       n       -       -       pipe
#  flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
#scalemail-backend unix -       n       n       -       2       pipe
#  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
#  ${nexthop} ${user} ${extension}
#
#mailman   unix  -       n       n       -       -       pipe
#  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
#  ${nexthop} ${user}
submission      inet    n       -       n       -       -       smtpd -o smtpd_sasl_auth_enable=yes

The maillog gives 12000 lines of similar-looking errors like this sample:
(Also, I don’t know whose email addresses those are, as I don’t know any of them; they seem to have been automatically generated.)

Dec 17 16:14:21 localhost postfix/error[18758]: B4BE01373B: to=<teetsfxwy@hotmail.com>, relay=none, delay=326867, delays=326846/21/0/0.02, dsn=4.4.3, status=deferred (delivery temporarily suspended: Host or domain name not found. Name service error for name=hotmail.com type=MX: Host not found, try again)
Dec 17 16:14:21 localhost postfix/error[18755]: B25EC134B1: to=<ugaldetpsad@hotmail.com>, relay=none, delay=327770, delays=327750/21/0/0, dsn=4.4.3, status=deferred (delivery temporarily suspended: Host or domain name not found. Name service error for name=hotmail.com type=MX: Host not found, try again)
Dec 17 16:14:21 localhost postfix/error[18758]: B47E813751: to=<bennoleco@hotmail.com>, relay=none, delay=325065, delays=325045/21/0/0, dsn=4.4.3, status=deferred (delivery temporarily suspended: Host or domain name not found. Name service error for name=hotmail.com type=MX: Host not found, try again)
Dec 17 16:14:21 localhost postfix/error[18756]: B1A09136E6: to=<apoilkospa@hotmail.com>, relay=none, delay=426070, delays=426050/21/0/0.02, dsn=4.4.3, status=deferred (delivery temporarily suspended: Host or domain name not found. Name service error for name=hotmail.com type=MX: Host not found, try again)
Dec 17 16:14:21 localhost postfix/error[18760]: B532C13717: to=<nanaswndf@hotmail.com>, relay=none, delay=424222, delays=424201/21/0/0.02, dsn=4.4.3, status=deferred (delivery temporarily suspended: Host or domain name not found. Name service error for name=hotmail.com type=MX: Host not found, try again)
Dec 17 16:14:21 localhost postfix/error[18758]: B8BEC13740: to=<deweydnjfc@hotmail.com>, relay=none, delay=325967, delays=325946/21/0/0, dsn=4.4.3, status=deferred (delivery temporarily suspended: Host or domain name not found. Name service error for name=hotmail.com type=MX: Host not found, try again)
Dec 17 16:14:21 localhost postfix/error[18755]: BE46F1375A: to=<lisletvo@hotmail.com>, relay=none, delay=325064, delays=325043/21/0/0.01, dsn=4.4.3, status=deferred (delivery temporarily suspended: Host or domain name not found. Name service error for name=hotmail.com type=MX: Host not found, try again)
Dec 17 16:14:21 localhost postfix/error[18755]: 89E3B1370A: to=<naparta3975@gmail.com>, relay=none, delay=425769, delays=425748/21/0/0, dsn=4.4.3, status=deferred (delivery temporarily suspended: Host or domain name not found. Name service error for name=gmail.com type=MX: Host not found, try again)
Dec 17 16:14:21 localhost postfix/error[18756]: B328213724: to=<searbyly@hotmail.com>, relay=none, delay=424219, delays=424198/21/0/0.02, dsn=4.4.3, status=deferred (delivery temporarily suspended: Host or domain name not found. Name service error for name=hotmail.com type=MX: Host not found, try again)
Dec 17 16:14:21 localhost postfix/error[18760]: B4BBE136F4: to=<carrolnmejh@hotmail.com>, relay=none, delay=426069, delays=426048/21/0/0.01, dsn=4.4.3, status=deferred (delivery temporarily suspended: Host or domain name not found. Name service error for name=hotmail.com type=MX: Host not found, try again)
Dec 17 16:20:11 localhost dovecot: imap-login: Login: user=<myEmail@domain.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=18983, secured
Dec 17 16:20:12 localhost dovecot: imap(myEmail@domain.com): Connection closed bytes=1083/42562
Dec 17 16:20:16 localhost dovecot: imap-login: Login: user=<myEmail@domain.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=19001, secured
Dec 17 16:20:16 localhost dovecot: imap-login: Login: user=<myEmail@domain.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=19003, secured
Dec 17 16:20:17 localhost dovecot: imap(myEmail@domain.com): Connection closed bytes=1083/42562
Dec 17 16:20:17 localhost dovecot: imap(myEmail@domain.com): Connection closed bytes=408/3282

You did your telnet test in your LAN apparently. To be meaningful for a connectivity test, you need to do them over the internet. What’s the external IP in question?

The error messages in your log indicate two things: you still have DNS issues, and a spammer/hacker possibly already got a hold of your server and is trying to use it to send out spam. I don’t see why else your system would be trying to send 12000 mails to random Hotmail addresses.

You should immediately disconnect it from the internet until you get this issue fixed. This is no joke anymore! Your experimental server is beginning to constitute a danger for the internet.

Please read my posts closely. I did not say “12000 hackers”. I said SOME hacker potentially found a security issue and is abusing your server to send out spam.

Your log clearly indicates - since you said you don’t know these addresses and there are 12000 of those lines - that your server is trying to send thousands of emails to random Hotmail addresses. No server or software is doing that just like that! So my post was very serious!

You’re most likely going to be blocked by DNSBL lists, and your ISP is going to receive complaints about your server if you don’t resolve this issue. So disconnecting your server from the net until this is resolved is not only viable, but necessary! As long as you keep it connected with the possible security hole present, even more hackers are going to find their way into it. In addition to it contributing to the threat that hacked servers on the net constitute.

As for “constructive suggestions”: My apologies. Normally I’d gladly help you out, but with the myriad problems you’ve been having since you started setting up this server, in this and other forum threads, my main suggestion would be doing a clean reinstall. Since you’re not able to get paid support, anything else would probably be too time-consuming to try and debug from my end.

Thank you for the reply.

The 12000 lines of log I mentioned aren’t 12000 emails/hackers, so please don’t jump to conclusions too hastily.
The setup of Virtualmin is not a joke, so please post serious posts to assist in addressing the setup of Virtualmin.
If you have any constructive suggestions re possible hackers, please post some info on that, as turning off Virtualmin is not a viable solution.

Tested from the WAN and got this error:
telnet WAN_IP 143
Connecting To WAN_IP…Could not open connection to the host, on port 143: Connect failed

telnet WAN_IP 993
Connecting To WAN_IP…Could not open connection to the host, on port 993: Connect failed

Router has ports 23, 143 and 993 forwarded to the server’s LAN IP.

Port 23? I suppose you mean port 25?

If you can’t connect to those ports from the outside, and you are 100% sure you forwarded them correctly in your router, they are blocked along the way. It’s possible your ISP is blocking them; potentially (and especially port 25) they are blocking them due to the possible hacker issue. So before you do further debugging, you might want to contact them and ask them if any blocks are in place or complaints have been received.

I’ve seen ISPs that block some specific ports that are prone to abuse by hackers by default for their users. So if you want to operate a server on your home connection, you might want to ask them if such generic blocks are in place and if they can be lifted. Of course, before you do that, you need to make sure that your server is clean.

It’s unlikely that you’re experiencing a Virtualmin security issue.

The issue you’re seeing normally happens either when a web app installed in one of your domains is compromised, or when the password to one of your accounts is guessed.

You would need to review the headers of the emails in your mail queue in order to determine where they are coming from.

-Eric
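A way to do the review Eric describes from the maillog rather than the queue: since the posted master.cf turns on smtpd_sasl_auth_enable, Postfix smtpd logs a sasl_username= line for every submitted queue ID, which can be joined to the later deferred/sent lines for that ID to show which account the spam was submitted under and from which client IPs. This is an added example, not code from the thread or from Virtualmin; the log lines are constructed to mimic the sample above, and the client IPs and the second account are placeholders.

```python
# Correlates Postfix delivery records with the SASL account that submitted each
# queue ID. Added example; the sample log is constructed to mimic the thread's
# maillog, with the smtpd 'sasl_username=' lines Postfix writes when
# smtpd_sasl_auth_enable=yes (as in the posted master.cf). IPs are placeholders.
import re
from collections import defaultdict

SAMPLE_LOG = """\
Dec 17 12:30:01 localhost postfix/smtpd[17001]: B4BE01373B: client=unknown[203.0.113.45], sasl_method=PLAIN, sasl_username=myEmail@domain.com
Dec 17 12:30:02 localhost postfix/smtpd[17001]: B25EC134B1: client=unknown[203.0.113.45], sasl_method=PLAIN, sasl_username=myEmail@domain.com
Dec 17 12:30:03 localhost postfix/smtpd[17002]: B47E813751: client=unknown[198.51.100.9], sasl_method=LOGIN, sasl_username=myEmail@domain.com
Dec 17 12:35:00 localhost postfix/smtpd[17003]: 1A2B3C4D5E: client=unknown[192.0.2.8], sasl_method=PLAIN, sasl_username=alice@domain.com
Dec 17 16:14:21 localhost postfix/error[18758]: B4BE01373B: to=<teetsfxwy@hotmail.com>, relay=none, delay=326867, delays=326846/21/0/0.02, dsn=4.4.3, status=deferred (delivery temporarily suspended: Name service error for name=hotmail.com type=MX: Host not found, try again)
Dec 17 16:14:21 localhost postfix/error[18755]: B25EC134B1: to=<ugaldetpsad@hotmail.com>, relay=none, delay=327770, delays=327750/21/0/0, dsn=4.4.3, status=deferred (delivery temporarily suspended: Name service error for name=hotmail.com type=MX: Host not found, try again)
Dec 17 16:14:21 localhost postfix/error[18758]: B47E813751: to=<bennoleco@hotmail.com>, relay=none, delay=325065, delays=325045/21/0/0, dsn=4.4.3, status=deferred (delivery temporarily suspended: Name service error for name=hotmail.com type=MX: Host not found, try again)
Dec 17 16:14:25 localhost postfix/smtp[18801]: 1A2B3C4D5E: to=<bob@example.org>, relay=mail.example.org[192.0.2.25]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 OK)
"""

# smtpd line: queue ID -> authenticated submitter and the client that connected.
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>\S+?),"
    r".*sasl_username=(?P<user>\S+)")
# smtp/error line: queue ID -> one delivery attempt with recipient and status.
DELIVERY_RE = re.compile(
    r"postfix/(?:smtp|error)\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>"
    r".*status=(?P<status>\w+)")

def parse_maillog(text):
    """Return {account: {"clients": set, "domains": set, "deferred": int, "sent": int}}."""
    submitter = {}  # queue id -> (account, client)
    stats = defaultdict(lambda: {"clients": set(), "domains": set(), "deferred": 0, "sent": 0})
    for line in text.splitlines():
        m = SASL_RE.search(line)
        if m:
            submitter[m["qid"]] = (m["user"], m["client"])
            continue
        m = DELIVERY_RE.search(line)
        if m and m["qid"] in submitter:  # only mail that came in via SASL auth
            user, client = submitter[m["qid"]]
            entry = stats[user]
            entry["clients"].add(client)
            entry["domains"].add(m["rcpt"].rsplit("@", 1)[-1].lower())
            if m["status"] in ("deferred", "sent"):
                entry[m["status"]] += 1
    return dict(stats)

def suspicious_accounts(stats, max_deferred=2, max_clients=1):
    """Accounts with an abnormal deferred backlog or submissions from several client IPs."""
    return sorted(u for u, s in stats.items()
                  if s["deferred"] > max_deferred or len(s["clients"]) > max_clients)

if __name__ == "__main__":
    stats = parse_maillog(SAMPLE_LOG)
    for user in suspicious_accounts(stats):
        print(f"{user}: {stats[user]['deferred']} deferred, clients={sorted(stats[user]['clients'])}")
```

On a real box, feed it `/var/log/maillog` and raise the thresholds to fit normal traffic; an account whose backlog is thousands of never-seen recipients at one free-mail domain, submitted from addresses the owner does not use, is the one whose password to reset first.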

Hi, I did mean port 23, to ensure Telnet packets can be sent and received.
Port 25 is also another port that’s forwarded.

So, does anyone know how to fix this Virtualmin security flaw if my server is having hackers send random emails from my email?

Would paid support fix it or is it impossible?

Working on clean up now and testing port again to get emails working.

Thank you, I updated all email passwords and will monitor this.
I checked the maillogs, which seem to show which email account the hacker is using, so I should be able to notice any difference shortly.

Having thought about this, it could also be occurring from the website’s forum, which has Captcha security, however spam accounts still seem to be generated.

I have checked with the ISP, who has the ports open, and the router has the ports forwarded, so all I can think of is setting a static IP address.
I have a static WAN IP set up; however, if there are any suggestions on how to configure it, this would be helpful.

What would you need telnet for? It’s unencrypted and sends everything in clear text including passwords, you should definitely use SSH instead.

Okay, after much ado, the ISP says cable won’t be given a static IP.
I have setup a DDNS, however some German sites have still blacklisted the email server.
Still can’t get the email working on email clients, but the email does work on the local server?

Any suggestions on how to setup the static IP? or get the DDNS working?

If your ISP does not give you a static IP, there’s nothing you can do. If your dynamic IPs are on blacklists, there’s also nothing you can do.

You simply can NOT (reliably) use your home-hosted machine as an outgoing email server, you should accept that fact. All you can use it for is incoming email, provided the MX records are set properly, since that direction is not affected by blacklists.

Make sure you get a DynDNS service with a very low TTL (time to live) for its dynamic host entries. Otherwise, when your IP changes, mail to your server can get delivered to the wrong machine while the dynamic host is updated. That means, if the user who gets your old IP after you happens to also be running a mail server, he’ll receive the mail that’s meant to go to you. Also take note that there are DNS servers/relays that don’t accept very short TTLs and still cache entries for a while, so receiving email using that method on your home-hosted machine can be unreliable.

For outgoing mail, your best bet is using a smarthost, which means getting an email account on some external service and instructing your local Postfix to send all outgoing email via that service, authenticating itself with your credentials.

That has some implications of course. For one, the service you choose must allow you to use it for a local server as opposed to “private use”. And, you are potentially personally responsible for the email your users send, since it all goes through your email account.
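What the smarthost setup described above looks like in Postfix, as an added example (not from the thread): the relay host, port, account name and password are placeholders, and the TLS and SASL settings are what keep the credentials from crossing the ISP network in clear text.

```ini
# /etc/postfix/main.cf - route all outbound mail through the provider's
# submission port and authenticate with the credentials in sasl_passwd.
# Host, port and account are placeholders; adjust to the chosen provider.
relayhost = [smtp.provider.example]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt

# /etc/postfix/sasl_passwd - keep it mode 0600, then run
# "postmap /etc/postfix/sasl_passwd" and "postfix reload".
[smtp.provider.example]:587 smarthost-user@provider.example:PLACEHOLDER_PASSWORD
```

With `smtp_tls_security_level = encrypt` Postfix refuses to send to the relay without STARTTLS, and `noanonymous` stops it from falling back to an unauthenticated session if the provider offers one.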

All fixed.
All fixed, doesn’t work through email client, only webmail, but good enough for now until the ISP allow a static IP.