Local users do not (by default) need to authenticate to send. From: address is arbitrary.
It is possible to configure Postfix to reject email from unauthenticated local users, but a local user does not need to use Postfix to send mail. You can send mail with anything: telnet, a shell script, a PHP script, Python, Perl, Ruby, etc. You can block all users other than Postfix from using port 25, too.
But I would much rather address the problem: You have an exploited user or web app! This is very alarming. The spam is merely a side effect.
@Joe I said it before, I disabled all the servers but the emails kept going. And you said it yourself, that the logs suggest that they are logging in to send emails.
On a side note, when you send mail through PHP (I'm not familiar with other options), the mail function ultimately calls on Postfix and you can see those in the logs. PHP itself doesn't send mails afaik.
@Gomez_Adams I have no WordPress sites on my server.
That assumes Postfix is installed, which in this case it is. But if you have a compromised server, there are other ways to circumvent Postfix. I would suggest a full review of what software is installed.
You said you also deleted this user, though, right? So, what you're describing (that user authenticating and sending mail) can't be what's happening. I don't understand what you're seeing, but there's no way to authenticate as a non-existent user. I mean, if you had an open relay (or an exploited local user), there would be no auth. The only explanations I can come up with are that you're looking at the wrong log entries (i.e., in the past) or the user actually still exists in some form.
It's possible to configure saslauthd to authenticate to a variety of sources (by default in a Virtualmin system, it auths to PAM, which is local users with passwords in /etc/shadow). Only root would have been able to alter that behavior, but it would be one possible explanation how you could have "deleted" a user but that user would still be able to login to send mail.
There's some fundamental disconnect in how the data is being interpreted, but I can't figure out what.
And, I just want to clarify (for the benefit of @readyserver) that Virtualmin is not a mail server. The MTA in a Virtualmin system is Postfix in an almost stock configuration, with a few minor configuration tweaks to improve security/convenience in a shared hosting system and to enable TLS (those tweaks are Open Source and can be viewed/audited by anyone). Authentication for mail is also not handled by Virtualmin; it is done via saslauthd (our one configuration change here is also public). Both are among the most popular services for their respective tasks. If Virtualmin has an exploit in its mail system, then the majority of mail servers in the world have a similar such exploit, because Virtualmin is using the same mail server as nearly everyone else. We don't even use a custom build of it. We use the packages provided by your OS.
Edit: In the vast majority of cases the problem is an exploited local user or web app. Local users do not need to authenticate (in the default configuration) to send mail via Postfix, and even if they did have to authenticate, if port 25 is open, they do not need Postfix to be able to send mail.
You can send mail in PHP without Postfix (or any other mail server, except the one on the receiving end), I assure you.
It can be done with any scripting language. It can be done with telnet, netcat, bash, zsh, Perl, Ruby, Python, expect, etc. Most people prefer to send via Postfix, and you generally should send via Postfix because then you get DKIM signature, requeueing, and other niceties that you'd have to implement in a more painful way in any other method.
CSF has what appear to be some useful features for dealing with outgoing spam, such as SMTP_BLOCK, among others. I say "appear to be" because I've never actually used them because I haven't had the need to.
I wonder if they might be useful for diagnostic purposes? If the mail is circumventing Postfix (which is my suspicion), then perhaps the CSF logs would more readily reveal the source.
As @Joe said, there are about 1.7 bazillion ways to send mail outside of Postfix. The compromised file could be anywhere, and pretending to be anything.
With that you could block port 25 traffic for all but the Postfix user, which would force all mail to go through Postfix. I am ambivalent about that being a good thing, since there are legitimate cases where you'd want to be able to send directly, but maybe the default should be to block and only add exceptions for cases where it is needed. But, if a user has been exploited they can also send out through Postfix without authentication. I keep repeating it, but if you have an exploited user the exploited user is the problem! The spam is just a side effect. An exploited user can do all manner of damage to your server and brand! The spam is smoke, the fire is the exploited user or web app!
Since you seem to be the only person with knowledge of this flaw, care to share? What in the Virtualmin code is allowing this? There are many packages on a server. How are you pinpointing this to the Virtualmin code???
My root user is fairly secure I believe. I have a firewall that only allows my IP to communicate on SSH ports. The login is only possible with keys, password login is disabled.
@Joe I am only smart enough to barely understand what you are saying. If this happens again, I'll immediately hire a professional. I was definitely not looking at past entries; it's possible /etc/shadow/ might not have cleared up the account immediately after it was deleted. I'll keep this in mind next time.
Whenever you see a user/email sending out tons of spam:
Change the email password.
Check clients with access for viruses, and re-change the email password after that.
Check the spammer's login IP: is it familiar or not? If not, immediately ban it in the firewall. If it is familiar, check what apps you have there, and malware-check those. Re-change the email password.
Remove queued spam emails to stop sending out more. There's a script to easily remove all queued email based on sender/recipient, instead of the slow deletion process from within Virtualmin/Webmin/Usermin.
Restart Dovecot + Postfix.
In general:
Use rate limiting on all email accounts. E.g. you don't want users sending out thousands of spam per hour. Limit that to a reasonable amount of outgoing email per user, so you don't get your reputation damaged in the long run...
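The queue clean-up step above, as an added example that is not from the original post or the script its author refers to: a small POSIX shell helper, following the awk pattern in the postsuper(1) man page, that turns `postqueue -p` output into the queue IDs of every message whose sender or any recipient is exactly the given address, so the deletion can be reviewed as a dry run before the IDs are piped to postsuper. The queue listing it runs against is constructed.

```shell
#!/bin/sh
# Added example: list Postfix queue IDs of every message whose envelope sender
# or any recipient is exactly ADDRESS, reading `postqueue -p` (mailq) output on
# stdin. Follows the awk pattern from the postsuper(1) man page. Queue-ID flags
# (* = active, ! = on hold) are stripped so `postsuper -d -` accepts the IDs.
queue_ids_for_address() {
    tail -n +2 | awk -v who="$1" '
        BEGIN { RS = "" }                       # paragraph mode: one queue entry per record
        $1 !~ /^[0-9A-Za-z]+[*!]?$/ { next }    # skip the "-- N Kbytes in M Requests." trailer
        {
            found = 0
            # Compare whole fields, so a hostname inside a "(connect to ...)" deferral
            # reason or a partial match such as spammer@example.com.au does not count.
            for (i = 1; i <= NF; i++) if ($i == who) found = 1
            if (found) { sub(/[*!]$/, "", $1); print $1 }
        }'
}

# Constructed sample of `postqueue -p` output (not captured from any real server).
SAMPLE_QUEUE='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*     1234 Mon Jan  1 10:00:00  spammer@example.com
                                         victim1@example.org
                                         victim2@example.org

F6G7H8I9J0      2345 Mon Jan  1 10:01:00  legit@example.com
(connect to mx.example.net[203.0.113.5]:25: Connection timed out)
                                         friend@example.net

B7C8D9E0F1!     3456 Mon Jan  1 10:02:00  other@example.com
                                         spammer@example.com

-- 7 Kbytes in 3 Requests.'

# Dry run against the sample: prints A1B2C3D4E5 and B7C8D9E0F1 (the address is
# the sender of the first and a recipient of the third); the legitimate message
# from legit@example.com is left alone.
printf '%s\n' "$SAMPLE_QUEUE" | queue_ids_for_address spammer@example.com

# On the live server, as root, review the dry run first, then delete:
#   postqueue -p | queue_ids_for_address spammer@example.com | postsuper -d -
```

Run it once without the postsuper stage and compare the IDs against the log entries for the abused account before deleting anything, since a queue ID cannot be recovered once removed.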
You don't seem to understand how rootkits get planted and used. An exploit bypasses all that. Rootkits have nothing to do with how secure you have made root logins.
If the problem has now stopped, don't worry about it at this point though.
Rootkits are what happen after a root exploit. They hide the exploit and whatever activities the attacker is doing from the system owner. They are not the exploit itself (though they may be bundled into the same payload, depending on how the exploit was delivered). A rootkit may not be findable with a rootkit search tool. In fact, most won't, unless they are run from read-only boot media, i.e., you boot from a live CD or USB stick, mount the suspect disk read-only from there, and run your scans on it.
Root access allows the attacker to almost completely hide themselves and their actions, including logs. If OP had been rooted, I think the spammer would hide the logs about their spamming. They could do so, anyway. Root can delete or modify logs.
I'm not saying OP is not rooted, nor am I saying it's a bad idea to run a rootkit search, like rkhunter, when you suspect any exploited users on the system. Just that if you don't find anything with a rootkit search tool, it does not mean you have not been rooted. Absence of evidence is not evidence of absence, in this case.
The day I install Virtualmin again on my server, maybe I'll answer that question. I don't have the time or money to spend hours and hours analyzing code and more code, to try to find vulnerabilities. Your cynical and idiotic question is not going to make my day any sadder, you can rest assured about that.
And yet you remain to make accusations you cannot back up. You never asked for help with the issue. You never provided any evidence you had a problem. Why? I thought you made it clear you were going to move on to commercial software you had faith in? You think someone else is going to prove your point and vindicate you? Is THAT worth your effort? Seriously?
As with most forums: if you can help, please do so. If not, please don't try to muddy up the issue.
Unfortunately there are many reasons for break-ins/mail exploits/hacks.
It has happened to me over the years (not in the last few years though!).
Virtualmin has been great for me managing the setup through the admin interface, rather than having to edit files. I definitely recommend using Virtualmin; it will make your life a lot easier.
The reasons for break-ins are bad code, incorrectly set up systems and not enough configuration on the mail server.
Unfortunately it has taken me some years to understand what needs to be looked at to track down any issues.
As previous posters say, you're better off asking questions to get advice.
I had a light bulb moment a few years ago, and now I track all HTTPS requests.
I'm not saying that this caused the issue, but just to make you aware that hackers try any way to get in.
For example, when you see these attempts, block them immediately (I ban their IP address on one attempt):