Suspicious process from postfix?

Hello. I received an email about a suspicious process from postfix. What should I do?

Subject lfd on myhostname: Suspicious process running under user postfix

Time: Wed May 15 20:49:08 2024 +0300
PID: 15819 (Parent PID:1855)
Account: postfix
Uptime: 83 seconds

Executable:
/usr/lib/postfix/sbin/smtpd

Command Line (often faked in exploits):
smtpd -n smtp -t inet -u -c -o stress= -s 2 -o smtpd_sasl_auth_enable=yes -o smtpd_tls_security_level=may

Network connections by the process (if any):
tcp: my-server-ip:25 → 69.70.146.98:65219

You received an email from what/where/whom?

From root@hostname
To root@hostname
Date 05/15/2024 08:49 PM
Subject lfd on hostname: Suspicious process running under user postfix

What do you think is suspicious about it?

Sorry, I don’t know English well, isn’t this suspicious? (Suspicious process running under user postfix)

It’s only suspicious if you don’t have Postfix installed and configured in that way.

What should I do to fix it?

I don’t know. What do you think needs to be fixed?

Do you have Postfix installed? If you installed Virtualmin, you have Postfix installed, and this is a normal process to have running. It does not look suspicious to me. Which is why I asked why you believe it looks suspicious. You have information I don’t have, like what software you have installed on your system.

If you don’t have Virtualmin installed, then I have no guesses about your system. LFD is not our software and it is not software I have ever used.

You should open the ConfigServer & Security Firewall configuration page and carefully read through the options’ descriptions. There’s also a link to the documentation on the module’s main page.

smtpd -n smtp -t inet -u -c -o stress= -s 2 -o smtpd_sasl_auth_enable=yes -o smtpd_tls_security_level=may

Though this command indeed looks incorrect.

Check the process details:

ps -p 15819 -o pid,ppid,cmd,etime

… or inspect network connection:

ss -anp | grep 69.70.146.98  # or use netstat -anp

You can always terminate the suspicious:

kill 15819

It does? What makes you think so?

This is silly. If the system has been compromised to the point where an attacker can run commands as the Postfix user, the system cannot be trusted and should be reinstalled. Killing the process is a laughable underreaction to the situation, if that is the situation (but I see no reason to believe that’s the situation…it looks like a normal Postfix process on a Virtualmin system).

I have a VPS server with Ubuntu 22.04 and I installed Virtualmin with the automatic procedure. Postfix was installed by Virtualmin during the installation. I did not make any settings in Postfix.

root@cp:~# ps -p 15819 -o pid,ppid,cmd,etime
PID PPID CMD ELAPSED
root@cp:~# ss -anp | grep 69.70.146.98 # or use netstat -anp
root@cp:~#

Well, for starters, it doesn’t look standard. The stress= option seems incomplete, and the -s 2 option is pretty uncommon.

But maybe I’m wrong. The OP should know. I wonder what they have in their Postfix config, i.e.:

grep 'smtpd' /etc/postfix/master.cf

Look at a newer system. I see pretty much exactly that on a recent install. -o stress= isn’t in master.cf, it seems to be automatically added by Postfix smtpd when starting the smtp sub-process. I dunno why, but I don’t see any reason to be alarmed by it.

But, yes, OP should know what software they have installed, and should spend some time reading documentation when adding stuff to the system (like CSF/LFD).
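Added example (Python, written for this page; it is not part of the thread, nor code from CSF/LFD, Postfix or Virtualmin): a small triage script that parses an lfd "Suspicious process" alert like the one quoted above and checks the points the replies raise. The leading arguments in the quoted command line (`-n smtp -t inet -u -c -o stress= -s 2`) are the ones master(8) itself passes when it spawns a master.cf service; `-o stress=` is empty in normal operation and becomes `-o stress=yes` when the server is overloaded, which is why it is not in master.cf but still appears on the command line. The script treats the quoted form as the expected shape (a heuristic modelled on that line, not a Postfix specification) and cross-checks it against what the alert reports as the real executable, the parent PID and the direction of the network connection. The first alert text is modelled on the quoted one with the remote IP replaced by a documentation address; the second is invented to show the "command line is often faked" case, where argv looks like smtpd but the binary lives in /tmp, the parent is PID 1 and the socket is an outbound connection rather than an accepted one on port 25.

```python
import re
from collections import namedtuple

# Constructed alert bodies in lfd's format. LEGIT_ALERT mirrors the one quoted
# in the thread (remote IP swapped for a documentation address); FAKED_ALERT is
# invented to show what a disguised process would look like in the same report.
LEGIT_ALERT = """\
PID: 15819 (Parent PID:1855)
Account: postfix
Uptime: 83 seconds

Executable:
/usr/lib/postfix/sbin/smtpd

Command Line (often faked in exploits):
smtpd -n smtp -t inet -u -c -o stress= -s 2 -o smtpd_sasl_auth_enable=yes -o smtpd_tls_security_level=may
Network connections by the process (if any):
tcp: 203.0.113.10:25 -> 198.51.100.7:65219
"""

FAKED_ALERT = """\
PID: 4242 (Parent PID:1)
Account: postfix
Uptime: 86400 seconds

Executable:
/tmp/.x/smtpd

Command Line (often faked in exploits):
smtpd -n smtp -t inet -u -c -o stress= -s 2
Network connections by the process (if any):
tcp: 203.0.113.10:39512 -> 198.51.100.99:4444
"""

# Assumption: Debian/Ubuntu packaging installs the Postfix daemons here.
POSTFIX_DAEMON_DIR = "/usr/lib/postfix/sbin/"
# Ports on which smtpd accepts connections (smtp, smtps, submission).
SMTP_PORTS = {25, 465, 587}
# Heuristic for the argument shape master(8) uses when spawning a service,
# modelled on the command line quoted in the thread, plus trailing -o overrides.
MASTER_ARGS = re.compile(
    r"^(?P<daemon>\w+) -n \S+ -t (inet|unix|fifo|pass)( -u)?( -c)?"
    r" -o stress=(yes)? -s \d+( -o \w+=\S*)*$"
)

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port")


def parse_alert(text):
    """Extract PID, parent, account, uptime, executable, argv and sockets from an lfd alert."""
    fields = {"connections": []}
    lines = [ln.rstrip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        m = re.match(r"PID:\s*(\d+)\s*\(Parent PID:\s*(\d+)\)", line)
        if m:
            fields["pid"], fields["ppid"] = int(m.group(1)), int(m.group(2))
            continue
        m = re.match(r"Account:\s*(\S+)", line)
        if m:
            fields["account"] = m.group(1)
            continue
        m = re.match(r"Uptime:\s*(\d+)", line)
        if m:
            fields["uptime"] = int(m.group(1))
            continue
        if line.startswith("Executable:"):
            fields["exe"] = lines[i + 1].strip()
            continue
        if line.startswith("Command Line"):
            fields["cmdline"] = lines[i + 1].strip()
            continue
        # lfd prints the arrow as "→"; accept "->" as well.
        m = re.match(r"(tcp|udp):\s*(\S+):(\d+)\s*(?:→|->)\s*(\S+):(\d+)", line)
        if m:
            fields["connections"].append(
                Conn(m.group(1), m.group(2), int(m.group(3)), m.group(4), int(m.group(5))))
    return fields


def triage(text):
    """Return a list of findings; an empty list means the alert matches a normal Postfix smtpd."""
    a = parse_alert(text)
    exe, cmd = a.get("exe", ""), a.get("cmdline", "")
    argv0 = cmd.split(" ", 1)[0]
    findings = []
    # The executable path comes from /proc/<pid>/exe; argv can be rewritten by the process.
    if not exe.startswith(POSTFIX_DAEMON_DIR):
        findings.append("executable %s is outside %s" % (exe, POSTFIX_DAEMON_DIR))
    if exe.rsplit("/", 1)[-1] != argv0:
        findings.append("argv[0] %r does not match executable %s" % (argv0, exe))
    if not MASTER_ARGS.match(cmd):
        findings.append("command line is not in the form master(8) uses to spawn a service")
    if a.get("ppid") == 1:
        findings.append("parent is PID 1; Postfix daemons are children of the postfix master")
    for c in a["connections"]:
        # smtpd only accepts connections, so the local side must be a listening SMTP port.
        if c.local_port not in SMTP_PORTS:
            findings.append("%s from local port %d to %s:%d looks outbound; smtpd does not dial out"
                            % (c.proto, c.local_port, c.remote_ip, c.remote_port))
    return findings


if __name__ == "__main__":
    for name, alert in (("quoted alert", LEGIT_ALERT), ("faked alert", FAKED_ALERT)):
        print(name, "->", triage(alert) or "looks like a normal Postfix smtpd")
```

The script only reads the alert text; confirming the verdict on a live box still means comparing `/proc/<pid>/exe` and `/proc/<pid>/status` yourself, since a process that has exited by the time you look (as in the empty `ps` output posted later in this thread) leaves nothing to inspect.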

https://www.abuseipdb.com/check/69.70.146.98
This IP was reported 8,462 times. Confidence of Abuse is 100%
:)

What’s the IP got to do with anything?

It’s a mail server, at any given time there will be some spammers connecting to it and trying to send spam. That’s not surprising or alarming.

Even root does not have to be compromised, just any mail account is enough.

But I say it is better to block this ip: 69.70.146.98
or the 69.70.146.0/24 or the 69.70.0.0/16
or the whole ASN: AS5769
[Screenshot: ConfigServer Security & Firewall — Webmin 2.111 (Ubuntu Linux 22.04.4)]

on CSF settings: see the picture

What is the solution? The installation is new.

This may be a spammer attempting ‘something’. Whatever ‘something’ is in this case. They probably didn’t succeed which is why the process was running so long. This message may have just triggered based on 83 seconds being a long time to send an email between servers.

Check your mail logs for any other instances of that IP address. Probably nothing of note happened. Your mail server will be under constant attack. Just life in the server world. :(
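Added example (Python, written for this page; it is not part of the thread and is not Postfix or CSF code) of the log check suggested in the last reply: tally what each remote IP did on the SMTP listener and decide whether it only probed, was allowed to deliver mail as an ordinary sender, or logged in with a mailbox password. The last case is the one that matters for the earlier point that "any mail account is enough": a successful SASL login shows up on the `client=` line as `sasl_username=`. The log excerpt below is constructed in the Debian/Ubuntu `/var/log/mail.log` format with documentation-range IPs, invented hostnames and invented queue IDs; on a real system you would feed the script `/var/log/mail.log` (or `journalctl -u postfix@-`) instead.

```python
import re
from collections import Counter, defaultdict

# Constructed /var/log/mail.log excerpt (Debian/Ubuntu Postfix format). IPs,
# hostnames, usernames and queue IDs are invented for the example.
SAMPLE_LOG = """\
May 15 20:47:45 cp postfix/smtpd[15819]: connect from unknown[198.51.100.7]
May 15 20:48:12 cp postfix/smtpd[15819]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 15 20:48:40 cp postfix/smtpd[15819]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 15 20:49:08 cp postfix/smtpd[15819]: disconnect from unknown[198.51.100.7] ehlo=1 auth=0/2 quit=1 commands=2/4
May 15 20:50:01 cp postfix/smtpd[15903]: connect from mail.example.net[192.0.2.25]
May 15 20:50:02 cp postfix/smtpd[15903]: 7F3A1B2C3D: client=mail.example.net[192.0.2.25]
May 15 20:50:02 cp postfix/smtpd[15903]: disconnect from mail.example.net[192.0.2.25] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
May 15 20:51:30 cp postfix/smtpd[15950]: connect from unknown[198.51.100.7]
May 15 20:51:31 cp postfix/smtpd[15950]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <relaytest@example.org>: Relay access denied; from=<x@example.com> to=<relaytest@example.org> proto=ESMTP helo=<x>
May 15 20:51:31 cp postfix/smtpd[15950]: disconnect from unknown[198.51.100.7] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
May 15 20:55:10 cp postfix/smtpd[16010]: connect from unknown[203.0.113.77]
May 15 20:55:11 cp postfix/smtpd[16010]: 8A9B0C1D2E: client=unknown[203.0.113.77], sasl_method=LOGIN, sasl_username=info@example.org
"""

# First bracketed IPv4 address on the line is the remote client.
CLIENT_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# A queue ID followed by "client=" means smtpd accepted a message from that client.
QUEUED = re.compile(r"\]: [0-9A-Za-z]{10,}: client=")
# Present on the client= line only when the sender authenticated via SASL.
SASL_USER = re.compile(r"sasl_username=(\S+)")


def summarize_by_ip(log_text):
    """Count connects, auth failures, rejects and accepted/authenticated messages per remote IP.

    Returns (stats, users): stats maps IP -> Counter, users maps IP -> set of SASL usernames
    that successfully logged in from it.
    """
    stats = defaultdict(Counter)
    users = defaultdict(set)
    for line in log_text.splitlines():
        if "postfix/smtpd" not in line:
            continue
        m = CLIENT_IP.search(line)
        if not m:
            continue
        ip = m.group(1)
        # "disconnect from" contains "connect from", so test it first.
        if "disconnect from" in line:
            stats[ip]["disconnects"] += 1
        elif "connect from" in line:
            stats[ip]["connects"] += 1
        elif "authentication failed" in line:
            stats[ip]["auth_failures"] += 1
        elif "NOQUEUE: reject" in line:
            stats[ip]["rejects"] += 1
        elif QUEUED.search(line):
            stats[ip]["accepted"] += 1
            u = SASL_USER.search(line)
            if u:
                stats[ip]["auth_success"] += 1
                users[ip].add(u.group(1))
    return stats, users


def verdict(ip, stats):
    """Classify one IP: 'no entries', 'probing', 'accepted' (plain delivery) or 'authenticated'."""
    c = stats.get(ip)
    if not c:
        return "no entries"
    if c["auth_success"]:
        return "authenticated"   # a mailbox password is in this client's hands
    if c["accepted"]:
        return "accepted"        # ordinary inbound delivery to a local recipient
    return "probing"             # only connects, failed logins or rejects


if __name__ == "__main__":
    stats, users = summarize_by_ip(SAMPLE_LOG)
    for ip in sorted(stats):
        print(ip, dict(stats[ip]), verdict(ip, stats), sorted(users.get(ip, ())))
```

An IP whose verdict is "probing" is the everyday background noise the reply describes and is a candidate for CSF's deny list at most; an "authenticated" verdict from an address that is not one of your users means that mailbox password has to be changed and its outbound queue inspected, regardless of what the process alert said.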