Hi,
I am fed up trying to locate the user/script which is sending out mail from our server. I am using Postfix as MTA. I am not able to locate who is sending out the emails or the scripts which are already compromised. I have scanned the whole server using clamscan and am unable to find any infected files.
[root@site]# postconfig -n
-bash: postconfig: command not found
[root@site postfix]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_percent_hack = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
milter_default_action = accept
milter_protocol = 2
mydestination = $myhostname, localhost.$mydomain, localhost, cl-t205-013cl.privatedns.com
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = local:/var/run/milter-greylist/milter-greylist.sock
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sender_bcc_maps = hash:/etc/postfix/bcc
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_milters = local:/var/run/milter-greylist/milter-greylist.sock
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
Hundreds of mails are being sent out from the server. I was checking the log /var/log/maillog. Currently I have stopped the Postfix service since the server has already been added to most of the blacklists. I am not familiar with Postfix, only with Exim, since I used it before. Following are the sample logs:
Feb 26 02:38:56 cl-t205-013cl postfix/smtp[7283]: 14DE3300741: to=, relay=mailscanner-pri.connect.com.fj[119.235.102.5]:25, delay=654, delays=650/0.45/3.7/0, dsn=4.0.0, status=deferred (host mailscanner-pri.connect.com.fj[119.235.102.5] refused to talk to me: 554-mailscanner-pri.connect.com.fj 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.)
Feb 26 02:38:56 cl-t205-013cl postfix/smtp[7232]: D355C300742: to=, relay=mailgate1.grindrod.com[196.216.172.111]:25, delay=657, delays=653/0.27/3.9/0, dsn=4.0.0, status=deferred (host mailgate1.grindrod.com[196.216.172.111] refused to talk to me: 554-mailgate1.grindrod.com 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.)
Feb 26 02:38:56 cl-t205-013cl postfix/smtp[7243]: 2C98830075C: to=, relay=mail02.bdi-online.de[139.1.144.9]:25, delay=619, delays=617/0.89/0.38/0, dsn=4.0.0, status=deferred (host mail02.bdi-online.de[139.1.144.9] refused to talk to me: 554-fraosmx003.os-srv.de 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.)
Feb 26 02:38:56 cl-t205-013cl postfix/smtp[7233]: D355C300742: to=, relay=spool.mail.gandi.net[217.70.184.6]:25, delay=657, delays=653/0.28/0.53/3.6, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1873A2A8065)
Feb 26 02:38:56 cl-t205-013cl postfix/smtp[7280]: 66C02300409: to=, relay=smtp2.iitd.ernet.in[103.27.10.44]:25, delay=4343, delays=4339/0.44/2.8/1.2, dsn=4.7.1, status=deferred (host smtp2.iitd.ernet.in[103.27.10.44] said: 450 4.7.1 Client host rejected: cannot find your hostname, [*.*.*.*.] (in reply to RCPT TO command))
Feb 26 02:38:56 cl-t205-013cl postfix/smtp[7298]: 8F2C83005DD: host hostrelay01.logix.in[115.112.214.41] refused to talk to me: 554-delta.logix.in 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.
Feb 26 02:38:56 cl-t205-013cl postfix/smtp[7212]: 9F110300645: to=, relay=hostrelay03.logix.in[115.112.241.70]:25, delay=4101, delays=4097/0.77/3.5/0, dsn=4.0.0, status=deferred (host hostrelay03.logix.in[115.112.241.70] refused to talk to me: 554-delta.logix.in 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.)
Feb 26 02:38:56 cl-t205-013cl postfix/smtp[7217]: 8F2C83005DD: to=, relay=hostrelay01.logix.in[115.112.214.41]:25, delay=4471, delays=4467/1.3/3/0, dsn=4.0.0, status=deferred (host hostrelay01.logix.in[115.112.214.41] refused to talk to me: 554-delta.logix.in 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.)
Feb 26 02:38:56 cl-t205-013cl postfix/smtp[7296]: BF61F300696: to=, relay=in.mx2.mailhostbox.com[115.114.58.15]:25, delay=1287, delays=1283/1.9/2.3/0.29, dsn=4.7.1, status=deferred (host in.mx2.mailhostbox.com[115.114.58.15] said: 450-4.7.1 Client host rejected: cannot find your reverse hostname, [*.*.*.*.] 450 4.7.1 Please see http://support.mailhostbox.com/email-administrators-guide/error-codes for explanation of the problem. (in reply to RCPT TO command))
Can I locate the actual user sending out the emails? I have checked whether the server is an open relay at:
http://mxtoolbox.com/diagnostic.aspx
SMTP Open Relay OK - Not an open relay.
I want to know if it is possible to set only one user who can send out emails from the server and block all others?
Thanks,
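The delivery lines quoted above (postfix/smtp, status=deferred/sent) only say where each queue ID was going, not where it came from. Each queue ID also has an earlier line that records how the message entered the queue: postfix/pickup logs "uid=N from=<user>" for anything submitted through the local sendmail command (a PHP script calling mail() lands here), and postfix/smtpd logs "client=host[ip]" plus, for authenticated clients, "sasl_username=...". Tallying those lines answers the first question. The script below is an added example, not part of the original post; the log lines in it are constructed for illustration (the pickup/smtpd lines for the queue IDs in the post are invented, not taken from the real server).

```shell
#!/bin/sh
# Added example, not from the original post. Tallies how messages entered
# Postfix using the pickup/smtpd lines that precede each delivery line.
# The log excerpt below is CONSTRUCTED for illustration.

SAMPLE_LOG='Feb 26 02:27:40 cl-t205-013cl postfix/pickup[1201]: 14DE3300741: uid=48 from=<apache>
Feb 26 02:27:40 cl-t205-013cl postfix/cleanup[1202]: 14DE3300741: message-id=<a1@cl-t205-013cl>
Feb 26 02:27:41 cl-t205-013cl postfix/qmgr[1100]: 14DE3300741: from=<apache@cl-t205-013cl.privatedns.com>, size=1234, nrcpt=1 (queue active)
Feb 26 02:27:42 cl-t205-013cl postfix/pickup[1201]: D355C300742: uid=48 from=<apache>
Feb 26 02:27:43 cl-t205-013cl postfix/pickup[1201]: 2C98830075C: uid=48 from=<apache>
Feb 26 02:28:01 cl-t205-013cl postfix/smtpd[1300]: 66C02300409: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=alice
Feb 26 02:28:05 cl-t205-013cl postfix/pickup[1201]: 8F2C83005DD: uid=0 from=<root>
Feb 26 02:38:56 cl-t205-013cl postfix/smtp[7283]: 14DE3300741: to=<x@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=654, status=deferred (host refused)'

# Read maillog text on stdin and print "<count> <source>" lines, busiest
# source first. Sources are:
#   "local uid=N from=<user>"          sendmail/postdrop submissions (pickup)
#   "smtp sasl_username=U"             authenticated SMTP submissions
#   "smtp unauthenticated client=..."  unauthenticated SMTP submissions
tally_sources() {
    awk '
        /postfix\/pickup\[/ && match($0, /uid=[0-9]+ from=<[^>]*>/) {
            src["local " substr($0, RSTART, RLENGTH)]++; next
        }
        /postfix\/smtpd\[/ && match($0, /sasl_username=[^, ]+/) {
            src["smtp " substr($0, RSTART, RLENGTH)]++; next
        }
        /postfix\/smtpd\[/ && match($0, /client=[^, ]+/) {
            src["smtp unauthenticated " substr($0, RSTART, RLENGTH)]++; next
        }
        END { for (k in src) printf "%d %s\n", src[k], k }
    ' | sort -rn
}

# Given one queue ID taken from a smtp/qmgr delivery line, print the line
# that shows how that message entered the queue (pickup or smtpd).
origin_of() {
    grep -E "postfix/(pickup|smtpd)\[[0-9]+\]: $1: "
}

# Demonstration on the constructed excerpt. On the real server replace the
# printf with:  tally_sources < /var/log/maillog
printf '%s\n' "$SAMPLE_LOG" | tally_sources
printf '%s\n' "$SAMPLE_LOG" | origin_of 14DE3300741
```

Once the busiest source is a local uid (uid 48 is the apache account on RHEL-family systems, which this box appears to be given the postfix-2.6.6 and /usr/libexec/postfix paths), the next step is the web server's access log and any php.ini mail.log / mail.add_x_header setting for the time window, not clamscan. Note that postconf -n above shows no smtpd_recipient_restrictions, so Postfix 2.6's default (permit_mynetworks, reject_unauth_destination) applies and SASL-authenticated clients cannot relay at all; that makes local pickup the more likely path, which also matches the "Not an open relay" result. For the second question, main.cf's authorized_submit_users parameter (Postfix 2.2 and later) limits which Unix accounts may submit through the sendmail command, e.g. authorized_submit_users = root, someuser, and reject_sender_login_mismatch with smtpd_sender_login_maps ties SMTP AUTH logins to the sender addresses they may use.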