Spam being sent again from an email account

But I disabled every single server and they kept coming

Well, that should make checking the Apache logs even easier.

It may not be the answer, by the way. It’s just something I’d look at for lack of any better ideas coming to mind.

Richard

Is this the offending account? They are logging in. I believe this would be a system user in /etc/password?

Lots of hits on deleting them via command line. Random one.
www.cyberciti.biz/faq/delete-a-user-account-on-ubuntu-linux/

Yeah that’s the account.

I did not find it in /etc/passwd file. Virtualmin must’ve removed it when I deleted the account. And how would it become a system user in the first place? It was a mail account.

BTW, dovecot logins started failing after deleting the account

Apr 15 21:00:40 primary dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<sales@tooneywheels.in>, method=PLAIN, rip=178.88.160.58, lip=139.162.61.248, session=<nDx+o2H5KN6yWKA6>

These ones kept coming:

Apr 15 16:43:40 primary postfix/smtpd[2439029]: DD7C782225: client=ec2-35-87-94-65.us-west-2.compute.amazonaws.com[35.87.94.65], sasl_method=LOGIN, sasl_username=sales@tooneywheels.in

That’s just how they are created. I don’t know if user creation is logged but that would be worth a check.

I think Postfix needs to create an extra for Roundcube to work. Have you checked under the Postfix alias/virtual domain tabs to make sure it is also gone from there?

Or restart Postfix on the off chance it is cached somehow.

There are only system users.

Mail aliases and Virtual domains do not have that address.

It’s been quiet through the night. The storm has passed it seems. Unfortunately I didn’t learn anything from it. My server is only as secure as it was before.

Is there no log created when php’s mail function is called? I believe it’s crucial to know when a script requests postfix to send a mail. It should be there.

Depends on how it was called. If via a web request, the web request will be in the access or error log.

If called from the command line (i.e. by a local user, not via some remote exploit), then it is entirely up to the script that calls the function to decide whether to log something (and where).

Every mail sent through Postfix will be logged to the mail log. But, a local user does not have to send through Postfix. If every mail is accounted for in the Postfix log, and if you see an authentication happening and the mail sent as a user, that is your log! I don’t know what else you want to know. You have the user, you have the time, you have their source IP. (I don’t know if that’s what you have, but skimming through the thread, you seem to have identified the user and see them authenticating.)

I think the problem is that you’re misunderstanding what “flushing the queue” does.

When you flush the postfix queue, Postfix immediately attempts to send every message in the queue. It does not throw the mail away! And, since they are not being delivered, they are not being removed from the queue when you perform the flush; they just get resent the next time you issue a flush command or restart Postfix.

If you want to throw away the queue, you have to delete queued messages explicitly, which is non-trivial I think (throwing away mail is a drastic step). You probably want to selectively delete all messages from this one user. I don’t have a simple answer for how to do that; it’s not something I normally do. Googling returns this seemingly reasonable answer: https://serverfault.com/questions/1047113/how-to-clear-reset-a-postfix-queue

Note that deleting a user does not delete their messages from the queue. Every time you flush, you’re sending them all out again, either until they’re delivered or you stop doing that (they might eventually become permanent failures or something, I don’t know, but deleting the user means Postfix has nowhere to send notifications of permanent failures, so you might get some more messy queued up mail, but they’d be local, much less of a problem than sending spam over and over to major providers).
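Selecting one sender’s messages out of the queue, as described above, can be scripted. The POSIX shell below is an added example (not from this thread, Virtualmin, or Postfix): it parses the text that `postqueue -p` (or `mailq`) prints, counts queued messages per sender, and lists the queue IDs belonging to one sender so they can be fed to `postsuper`. The sample queue listing is constructed; only the `sales@tooneywheels.in` address comes from the thread, and the queue IDs, sizes and other addresses are made up.

```shell
#!/bin/sh
# Added example: pick queued messages by sender out of "postqueue -p" output.
# Format: a header line, then per message one line "QUEUEID[*|!]  size  arrival  sender"
# ("*" = active, "!" = on hold), an optional "(reason)" line, recipients indented,
# a blank line between messages, and a "-- N Kbytes in M Requests." footer.

# Constructed sample of "postqueue -p" output (IDs, sizes and the example.*
# addresses are made up; the sales@ address is the one from the thread).
SAMPLE_QUEUE='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
726CE8216C      2345 Fri Apr 15 14:25:09  sales@tooneywheels.in
(connect to mx.example.net[192.0.2.25]:25: Connection timed out)
                                         first@example.net
                                         second@example.net

C0FFEE1234*     1024 Fri Apr 15 15:10:33  info@example.com
                                         someone@example.org

DD7C782225!     4096 Fri Apr 15 16:43:40  sales@tooneywheels.in
                                         third@example.net

-- 7 Kbytes in 3 Requests.'

# queue_by_sender: postqueue -p output on stdin -> "count sender", largest first.
# Only message header lines start with a hex queue ID; recipients are indented.
queue_by_sender() {
    awk '/^[0-9A-F]+[*!]?[ \t]/ { c[$NF]++ }
         END { for (s in c) print c[s], s }' | sort -rn
}

# queue_ids_for_sender SENDER: postqueue -p output on stdin -> that sender's queue IDs
queue_ids_for_sender() {
    awk -v sender="$1" '
        /^[0-9A-F]+[*!]?[ \t]/ {
            id = $1; sub(/[*!]$/, "", id)        # strip the active/hold marker
            if ($NF == sender) print id
        }'
}

printf '%s\n' "$SAMPLE_QUEUE" | queue_by_sender
printf '%s\n' "$SAMPLE_QUEUE" | queue_ids_for_sender sales@tooneywheels.in
# On a live server the IDs feed postsuper, which reads queue IDs from stdin when
# given "-" (inspect a held message first with "postcat -q QUEUEID"):
#   postqueue -p | queue_ids_for_sender sales@tooneywheels.in | postsuper -h -   # put on hold
#   postqueue -p | queue_ids_for_sender sales@tooneywheels.in | postsuper -d -   # delete
```

Holding (`-h`) before deleting keeps a copy to inspect with `postcat -q` and stops the messages being resent on the next flush; deleting (`-d`) discards them for good. The parser assumes Postfix’s default short hexadecimal queue IDs; with `enable_long_queue_ids = yes` the ID pattern would need widening.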

Well I was using the “Clear Queue” option in Webmin not “Flush Queue”. I cleared the queue, the queue showed no messages then. After a few minutes messages would show up.

I don’t know how it kept happening hours after the account itself was deleted.

I also can’t find a resource that can explain postfix logs. Can someone explain this to me?

Apr 15 14:25:08 primary postfix/smtpd[2407914]: connect from ec2-35-89-81-116.us-west-2.compute.amazonaws.com[35.89.81.116]
Apr 15 14:25:09 primary postfix/smtpd[2407914]: 726CE8216C: client=ec2-35-89-81-116.us-west-2.compute.amazonaws.com[35.89.81.116], sasl_method=LOGIN, sasl_username=sales@tooneywheels.in
Apr 15 14:25:10 primary postfix/smtpd[2407914]: disconnect from ec2-35-89-81-116.us-west-2.compute.amazonaws.com[35.89.81.116] ehlo=1 auth=1 mail=1 rcpt=3 data=1 quit=1 commands=8

This is a SASL login from 35.89.81.116 for user sales@tooneywheels.in.

A SASL login would be to send mail via SMTP (retrieving mail via IMAP or POP3 does not authenticate with SASL).

You said you deleted this user. Are you sure about that? This appears to be a successful login. (And, is this a current log, from after you deleted the user?)

I don’t know what to tell you to do, if you’re certain this user is gone. There is no scenario where a user that doesn’t exist can login via SASL. (If this were an open relay, it wouldn’t need to login.)

Have you checked both /etc/passwd and /etc/shadow for this username? (It’s also possible there could be a user sales-tooneywheels.in or similar; usernames with @ in them are problematic for some non-Virtualmin software, so we generally create a second user with some other separator when you’re using usernames with @ in them, and SASL is configured to do some magic with domain names.)
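The three-line pattern explained above (connect, queue ID with `sasl_username`, disconnect with counters) is what to grep for across the whole mail log. The POSIX shell script below is an added example (not from this thread or from Virtualmin): it reads a Postfix log on stdin and reports how many authenticated submissions each `sasl_username` made from each client IP, and how many recipients authenticated sessions addressed in total (the `rcpt=` counter on the disconnect line). The sample log is constructed: the 14:25 and 16:43 submission lines mirror the ones posted in this thread, while the `AB12345678` entry and the 16:43:41 disconnect line are made up.

```shell
#!/bin/sh
# Added example: summarise SASL-authenticated SMTP submissions in a Postfix mail log.
# A "QUEUEID: client=host[ip], sasl_method=..., sasl_username=..." line is logged
# once per authenticated message; the matching "disconnect ... auth=1 ... rcpt=N"
# line carries the session counters (N = recipients the session addressed).

# Constructed sample log (see the lead-in for which lines come from the thread).
# The Dovecot IMAP line is included to show that it is ignored: only smtpd lines count.
SAMPLE_LOG='Apr 15 14:25:08 primary postfix/smtpd[2407914]: connect from ec2-35-89-81-116.us-west-2.compute.amazonaws.com[35.89.81.116]
Apr 15 14:25:09 primary postfix/smtpd[2407914]: 726CE8216C: client=ec2-35-89-81-116.us-west-2.compute.amazonaws.com[35.89.81.116], sasl_method=LOGIN, sasl_username=sales@tooneywheels.in
Apr 15 14:25:10 primary postfix/smtpd[2407914]: disconnect from ec2-35-89-81-116.us-west-2.compute.amazonaws.com[35.89.81.116] ehlo=1 auth=1 mail=1 rcpt=3 data=1 quit=1 commands=8
Apr 15 16:43:40 primary postfix/smtpd[2439029]: DD7C782225: client=ec2-35-87-94-65.us-west-2.compute.amazonaws.com[35.87.94.65], sasl_method=LOGIN, sasl_username=sales@tooneywheels.in
Apr 15 16:43:41 primary postfix/smtpd[2439029]: disconnect from ec2-35-87-94-65.us-west-2.compute.amazonaws.com[35.87.94.65] ehlo=1 auth=1 mail=1 rcpt=25 data=1 quit=1 commands=30
Apr 15 16:50:01 primary postfix/smtpd[2439030]: AB12345678: client=ec2-35-87-94-65.us-west-2.compute.amazonaws.com[35.87.94.65], sasl_method=LOGIN, sasl_username=sales@tooneywheels.in
Apr 15 21:00:40 primary dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<sales@tooneywheels.in>, method=PLAIN, rip=178.88.160.58, lip=139.162.61.248, session=<nDx+o2H5KN6yWKA6>'

# sasl_submissions: mail log on stdin -> "count user ip", busiest pair first.
# The sed expression captures the client IP in [...] and the sasl_username.
sasl_submissions() {
    sed -n 's/.*postfix\/smtpd\[[0-9]*\]: [0-9A-Za-z]*: client=[^[]*\[\([^]]*\)\], sasl_method=[^,]*, sasl_username=\([^ ,]*\).*/\2 \1/p' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2, $3 }'
}

# authed_rcpt_total: mail log on stdin -> sum of rcpt= over sessions with auth=1
authed_rcpt_total() {
    sed -n 's/.*postfix\/smtpd\[[0-9]*\]: disconnect from .* auth=1 .*rcpt=\([0-9]*\).*/\1/p' \
        | awk '{ s += $1 } END { print s + 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | sasl_submissions
printf 'recipients addressed by authenticated sessions: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | authed_rcpt_total)"
# Live use: sasl_submissions < /var/log/mail.log   (path varies by distribution)
```

A legitimate mailbox owner usually shows up from one or two client IPs with small `rcpt=` counts; many cloud-provider IPs and large recipient counts for one `sasl_username`, as in the thread, point at a compromised password for that account rather than at an open relay (an open relay would show `auth=0` sessions).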

This may be completely off

if that is happening look at the email headers in postfix, find out the account and disable it

then if they are all from sales@tooneywheels.io check the password is not “sales” LOL

There are files called /etc/passwd- and /etc/shadow- (dash at the end) and they have two lines, both sales@tooneywheels.in and sales-tooneywheels.in. Is this relevant?

/etc/passwd and /etc/shadow do not have either.

That’s a backup file.

What about just sales by itself?

Nope. Nothing else with “sales” in it

I had the same problem when I started with VirtualMin. Had to lock down senders and recipients as well as change from standard mail ports.

Add this to /etc/postfix/main.cf - Servers>Postfix Mail Server>Edit Config Files

/etc/postfix/main.cf

Sender restrictions:

smtpd_sender_restrictions =
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
permit

/etc/postfix/main.cf

HELO restrictions:

smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks,
reject_non_fqdn_helo_hostname,
reject_invalid_helo_hostname,
permit

/etc/postfix/main.cf

Recipient restrictions:

smtpd_recipient_restrictions =
reject_unauth_pipelining,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
reject_unauth_destination,
check_sender_access hash:/etc/postfix/sender_access,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net,
check_policy_service unix:postgrey/socket,
permit
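Before pasting restriction lists like the ones above into main.cf it helps to be able to read back exactly what Postfix will see. The POSIX shell below is an added example (not from this thread, Virtualmin, or Postfix): `main_cf_get` parses a main.cf following the rules in postconf(5) (`name = value`, a line beginning with whitespace continues the previous value, `#` lines are comments, the last assignment wins) and returns a normalised comma-separated list, and `relay_guarded` checks that `reject_unauth_destination` or `defer_unauth_destination` appears in `smtpd_recipient_restrictions` or `smtpd_relay_restrictions`. The sample file is the posted lists, constructed here with the continuation lines indented, which Postfix requires and which the forum copy above has lost.

```shell
#!/bin/sh
# Added example: read restriction lists out of a Postfix main.cf and check
# that the relay guard (reject_unauth_destination / defer_unauth_destination)
# is present. Parsing rules follow postconf(5): "name = value", a line that
# starts with whitespace continues the previous value, "#" starts a comment,
# and when a parameter is assigned twice the last assignment wins.

# Constructed main.cf fragment: the lists from the post above, indented as
# Postfix requires for continuation lines.
CF="$(mktemp)"
trap 'rm -f "$CF"' EXIT
cat > "$CF" <<'EOF'
# constructed sample main.cf
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit

smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit

smtpd_recipient_restrictions =
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    check_policy_service unix:postgrey/socket,
    permit
EOF

# main_cf_get PARAM FILE: print PARAM's value as a comma-separated list with
# whitespace collapsed ("" if PARAM is not set in FILE).
main_cf_get() {
    awk -v key="$1" '
        /^[ \t]/ { if (inkey) val = val " " $0; next }   # continuation line
        { inkey = 0 }                                     # any other line ends the value
        /^#/ || /^$/ { next }
        $0 ~ ("^" key "[ \t]*=") {                        # exact parameter name, last wins
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); inkey = 1
        }
        END {
            gsub(/[ \t]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val)
            gsub(/ ?, ?/, ",", val)
            print val
        }' "$2"
}

# relay_guarded FILE: exit 0 if a relay guard is listed in FILE's recipient or
# relay restrictions, 1 otherwise.
relay_guarded() {
    lists="$(main_cf_get smtpd_recipient_restrictions "$1"),$(main_cf_get smtpd_relay_restrictions "$1")"
    case ",$lists," in
        *,reject_unauth_destination,*|*,defer_unauth_destination,*) return 0 ;;
        *) return 1 ;;
    esac
}

main_cf_get smtpd_recipient_restrictions "$CF" | tr ',' '\n'
relay_guarded "$CF" && echo "relay guard present" || echo "NO relay guard in main.cf"
```

Two caveats a practitioner would add. First, this reads main.cf only; Postfix also has compiled-in defaults (`postconf -d`), and since Postfix 2.10 the default `smtpd_relay_restrictions` already carries `defer_unauth_destination`, so `postconf smtpd_relay_restrictions` is the authoritative check on a live server. Second, order matters in these lists: the posted `smtpd_recipient_restrictions` has no `permit_sasl_authenticated` ahead of `reject_unauth_destination`, so remote users who log in would be refused when sending to outside domains, and none of these restrictions does anything about a client that presents a valid password, which is the situation in this thread.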

What do you think @Joe, @stefan1959? Do you foresee any side effects of this?

I think you should read and understand the implications of any configuration you find suggested online. The Postfix docs cover all of these options. I will say I do not use a configuration like this. I mostly use a default Virtualmin configuration.

I believe you’re looking in all the wrong places for solutions. You have a user sending spam, or you have a web app that has been exploited and it is sending spam. Why are you fiddling around with minor changes to your Postfix configuration?


Well I did use smtpd_sender_restrictions = reject_unlisted_sender. It didn’t have any immediate effect. I was thinking maybe postfix is accepting the request from sales@too since even though the email doesn’t exist, the domain is valid and hosted on the server.

If I can send emails as an id info@example.com and I don’t even have that id on the server (example.com is part of the server), I feel like Virtualmin’s default config is too loose. What do you think?

But they need to authenticate to send; what email address they use doesn’t really matter.