Unknown Sender Spamming through Virtualmin platform

Hi Professional Guys,

I am newly installed Virtualmin on my vps, its was working very smoothly, but from last 15 days, i have noticed in my mail queue more than 15000 emails are stuck. when I opened these queued emails then I have noticed that these emails senders are unknown (means using any of the user from my server but from UNKNOWN sender) that using through my vps, and when I checked my IP reputation have been lost in many websites using these spamming, I delete all these emails from my queue, and then on Friday 22 Nov 2019 I received an email from my service provider that ur ip is used in spamming, and after checking I again noticed that more than 10000 emails stuck in queue and all like previous, so I activate the Configserver Firewall (Process Tracking etc) and meanwhile disabled my root user and activate ssh based login and changed my password for control panel. Now Configserver sent me alert about “Suspicious file/directory alert”, whats the mean of this alert.

Is any one facing the same problem in which sender account is unknown and using your server ip, thats mean someone using your server but through hacking etc or what else I am not able to understand. Can anyone help me in this regard. I have the pics of the spamming emails and emails headers etc. in which clearly shown my server ip but sender account is unknown and constantly shows 2 ips, so for security reason I have permanently block these 2 ips in my firewall.

Need experts help.

Regards.

Maybe an odd question - did you harden your VPS after installing the O\S but prior to installing Virtualmin?

all these things also happened after implementing the changing passwords and ssh based login, today i have also more than 15000 emails in sending queue, whats the solution? with thanks & regards

where I can check the sent emails in my webmin/virtualmin vps?

Hardening a VPS is more than just changing passwords and implementing SSH.

Check your mail logs.

I have disabled root user, create wheel user and ssh based login, Configserver firewall and comodo WAF is also installed earlier. is there anything else that can help me in this matter?

Dear, I have checked the Webmin Actions Logfile from last week, but cant find any activity, and all the actions of the each user is understandable, then how can it be possible that someone use your ip address and/or ur mailserver etc. for using sending spam emails, I can’t find any unknown or suspicious login or action in my webmin actions log file.

Check your mail logs - all incoming & outgoing emails (usually) will be logged in the mail log.

Hi Dibs, Thanks for suggestions, I have read my logs and found very dangerous things in my maillog, someone sends email externally using smtp port, then I will searched on internet and secure my mail rely/smtp using helo/ehlo command in /etc/postfix/main.cf.

the code have been added in main.cf as below:

smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated check_helo_access hash:/etc/postfix/helo_access reject_invalid_helo_hostname reject_non_fqdn_help_hostname reject_unknown_helo_hostname
smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated reject_unknown_sender_domain reject_unknown_reverse_client_hostname reject_unknown_client_hostname
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

after that code and attacker also used my port and able to sent and yesterday I have added one more line that is under:
disable_vrfy_command = yes

after that the attacker are not able to use my system, is these things are ok for my vps or I need more things regarding this.

but after those code my server are not able to received any email from internal email addresses although external. I am posting you the log sample of the error.

Dec 11 13:57:02 panel postfix/smtpd[19782]: error: open database /etc/postfix/helo_access.db: No such file or directory

Dec 11 13:57:02 panel postfix/smtpd[19782]: connect from localhost[127.0.0.1]

Dec 11 13:57:02 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port

Dec 11 13:57:02 panel milter-greylist: smfi_getsymval failed for {i}

Dec 11 13:57:02 panel milter-greylist: (unknown id): Sender IP 127.0.0.1 and address cs@mobilotalk.com are SPF-compliant, bypassing greylist

Dec 11 13:57:02 panel postfix/smtpd[19782]: D823C4560: client=localhost[127.0.0.1]

Dec 11 13:57:02 panel postfix/cleanup[19787]: D823C4560: message-id=1576069022.19781@mobilotalk.com

Dec 11 13:57:02 panel opendkim[1211]: D823C4560: DKIM-Signature field added (s=default, d=mobilotalk.com)

Dec 11 13:57:02 panel postfix/qmgr[1728]: D823C4560: from=cs@mobilotalk.com, size=728, nrcpt=1 (queue active)

Dec 11 13:57:02 panel postfix/smtpd[19782]: disconnect from localhost[127.0.0.1]

Dec 11 13:57:03 panel postfix/error[19788]: D823C4560: to=info-madnishuttle.com@msoftsys.com, orig_to=info@madnishuttle.com, relay=none, delay=0.16, delays=0.12/0.02/0/0.02, dsn=5.1.1, status=bounced (User unknown in virtual alias table)

Dec 11 13:57:03 panel postfix/cleanup[19787]: 07AD14562: message-id=20191211125703.07AD14562@panel.msoftsys.com

Dec 11 13:57:03 panel postfix/qmgr[1728]: 07AD14562: from=<>, size=3366, nrcpt=1 (queue active)

Dec 11 13:57:03 panel postfix/bounce[19789]: D823C4560: sender non-delivery notification: 07AD14562

Dec 11 13:57:03 panel postfix/qmgr[1728]: D823C4560: removed

Dec 11 13:57:03 panel postfix/error[19788]: 07AD14562: to=cs-mobilotalk.com@msoftsys.com, orig_to=cs@mobilotalk.com, relay=none, delay=0.01, delays=0.01/0/0/0, dsn=5.1.1, status=bounced (User unknown in virtual alias table)

Dec 11 13:57:03 panel postfix/qmgr[1728]: 07AD14562: removed

In this log I tried to send one email to another but those are hosted in my same vps.

Finding the solution, regarding the incoming email problem.

Thanks you in advance.

@Faisal

Dec 11 13:57:02 panel postfix/smtpd[19782]: error: open database /etc/postfix/helo_access.db: No such file or directory

Have you created the helo_access.db & hashed it? Suspect not.

You look to be enabling Greylisting and filters etc. My advice would be to strip such things out for the moment & get it working securely and simply.

Post up your entire master.cfg file and also check your MX records for your domain\s that are having the mail issues.

Thanks for your help,
I am not creating any helo_access.db nor hashed it.
please describe how can i working securely and simply because i am not known in depth, its my first time to handle these things in depths, i am very thankful to you for this act of kindness.

I am posting my master.cf file as under:

Postfix master process configuration file. For details on the format

of the file, see the master(5) manual page (command: “man 5 master”).

Do not forget to execute “postfix reload” after editing this file.

==========================================================================

service type private unpriv chroot wakeup maxproc command + args

(yes) (yes) (yes) (never) (100)

==========================================================================

smtp inet n - n - - smtpd -o smtpd_sasl_auth_enable=yes
#smtp inet n - n - 1 postscreen
#smtpd pass - - n - - smtpd
#dnsblog unix - - n - 0 dnsblog
#tlsproxy unix - - n - 0 tlsproxy
#submission inet n - n - - smtpd

-o syslog_name=postfix/submission

-o smtpd_tls_security_level=encrypt

-o smtpd_sasl_auth_enable=yes

-o smtpd_reject_unlisted_recipient=no

-o smtpd_client_restrictions=$mua_client_restrictions

-o smtpd_helo_restrictions=$mua_helo_restrictions

-o smtpd_sender_restrictions=$mua_sender_restrictions

-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

-o milter_macro_daemon_name=ORIGINATING

#smtps inet n - n - - smtpd

-o syslog_name=postfix/smtps

-o smtpd_tls_wrappermode=yes

-o smtpd_sasl_auth_enable=yes

-o smtpd_reject_unlisted_recipient=no

-o smtpd_client_restrictions=$mua_client_restrictions

-o smtpd_helo_restrictions=$mua_helo_restrictions

-o smtpd_sender_restrictions=$mua_sender_restrictions

-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

-o milter_macro_daemon_name=ORIGINATING

#628 inet n - n - - qmqpd
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp

-o smtp_helo_timeout=5 -o smtp_connect_timeout=5

showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache

====================================================================

Interfaces to non-Postfix software. Be sure to examine the manual

pages of the non-Postfix software to find out what options it wants.

Many of the following services use the Postfix pipe(8) delivery

agent. See the pipe(8) man page for information about ${recipient}

and other message envelope options.

====================================================================

maildrop. See the Postfix MAILDROP_README file for details.

Also specify in main.cf: maildrop_destination_recipient_limit=1

#maildrop unix - n n - - pipe

flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}

====================================================================

Recent Cyrus versions can use the existing “lmtp” master.cf entry.

Specify in cyrus.conf:

lmtp cmd=“lmtpd -a” listen=“localhost:lmtp” proto=tcp4

Specify in main.cf one or more of the following:

mailbox_transport = lmtp:inet:localhost

virtual_transport = lmtp:inet:localhost

====================================================================

Cyrus 2.1.5 (Amos Gouaux)

Also specify in main.cf: cyrus_destination_recipient_limit=1

#cyrus unix - n n - - pipe

user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}

====================================================================

Old example of delivery via Cyrus.

#old-cyrus unix - n n - - pipe

flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}

====================================================================

See the Postfix UUCP_README file for configuration details.

#uucp unix - n n - - pipe

flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)

====================================================================

Other external delivery methods.

#ifmail unix - n n - - pipe

flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)

#bsmtp unix - n n - - pipe

flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient

#scalemail-backend unix - n n - 2 pipe

flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store

${nexthop} ${user} ${extension}

#mailman unix - n n - - pipe

flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py

${nexthop} ${user}

submission inet n - n - - smtpd -o smtpd_sasl_auth_enable=yes

What’s in your main.cf?

main.cf

Global Postfix configuration file. This file lists only a subset

of all parameters. For the syntax, and for a complete parameter

list, see the postconf(5) manual page (command: “man 5 postconf”).

For common configuration examples, see BASIC_CONFIGURATION_README

and STANDARD_CONFIGURATION_README. To find these documents, use

the command “postconf html_directory readme_directory”, or go to

http://www.postfix.org/.

For best results, change no more than 2-3 parameters at a time,

and test if Postfix still works after every change.

SOFT BOUNCE

The soft_bounce parameter provides a limited safety net for

testing. When soft_bounce is enabled, mail will remain queued that

would otherwise bounce. This parameter disables locally-generated

bounces, and prevents the SMTP server from rejecting mail permanently

(by changing 5xx replies into 4xx replies). However, soft_bounce

is no cure for address rewriting mistakes or mail routing mistakes.

#soft_bounce = no

LOCAL PATHNAME INFORMATION

The queue_directory specifies the location of the Postfix queue.

This is also the root directory of Postfix daemons that run chrooted.

See the files in examples/chroot-setup for setting up Postfix chroot

environments on different UNIX systems.

The command_directory parameter specifies the location of all

postXXX commands.

command_directory = /usr/sbin

The daemon_directory parameter specifies the location of all Postfix

daemon programs (i.e. programs listed in the master.cf file). This

directory must be owned by root.

daemon_directory = /usr/libexec/postfix

The data_directory parameter specifies the location of Postfix-writable

data files (caches, random numbers). This directory must be owned

by the mail_owner account (see below).

data_directory = /var/lib/postfix

QUEUE AND PROCESS OWNERSHIP

The mail_owner parameter specifies the owner of the Postfix queue

and of most Postfix daemon processes. Specify the name of a user

account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS

AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In

particular, don’t specify nobody or daemon. PLEASE USE A DEDICATED

USER.

The default_privs parameter specifies the default rights used by

the local delivery agent for delivery to external file or command.

These rights are used in the absence of a recipient user context.

DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.

#default_privs = nobody

INTERNET HOST AND DOMAIN NAMES

The myhostname parameter specifies the internet hostname of this

mail system. The default is to use the fully-qualified domain name

from gethostname(). $myhostname is used as a default value for many

other configuration parameters.

#myhostname = host.domain.tld
#myhostname = virtual.domain.tld

The mydomain parameter specifies the local internet domain name.

The default is to use $myhostname minus the first component.

$mydomain is used as a default value for many other configuration

parameters.

#mydomain = domain.tld

SENDING MAIL

The myorigin parameter specifies the domain that locally-posted

mail appears to come from. The default is to append $myhostname,

which is fine for small sites. If you run a domain with multiple

machines, you should (1) change this to $mydomain and (2) set up

a domain-wide alias database that aliases each user to

user@that.users.mailhost.

For the sake of consistency between sender and recipient addresses,

myorigin also specifies the default domain name that is appended

to recipient addresses that have no @domain part.

#myorigin = $myhostname
#myorigin = $mydomain

RECEIVING MAIL

The inet_interfaces parameter specifies the network interface

addresses that this mail system receives mail on. By default,

the software claims all active interfaces on the machine. The

parameter also controls delivery of mail to user@[ip.address].

See also the proxy_interfaces parameter, for network addresses that

are forwarded to us via a proxy or network address translator.

Note: you need to stop/start Postfix when this parameter changes.

inet_interfaces = loopback-only
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost

Enable IPv4, and IPv6 if supported

inet_protocols = all

The proxy_interfaces parameter specifies the network interface

addresses that this mail system receives mail on by way of a

proxy or network address translation unit. This setting extends

the address list specified with the inet_interfaces parameter.

You must specify your proxy/NAT addresses when your system is a

backup MX host for other domains, otherwise mail delivery loops

will happen when the primary MX host is down.

#proxy_interfaces =
#proxy_interfaces = 1.2.3.4

The mydestination parameter specifies the list of domains that this

machine considers itself the final destination for.

These domains are routed to the delivery agent specified with the

local_transport parameter setting. By default, that is the UNIX

compatible delivery agent that lookups all recipients in /etc/passwd

and /etc/aliases or their equivalent.

The default is $myhostname + localhost.$mydomain. On a mail domain

gateway, you should also include $mydomain.

Do not specify the names of virtual domains - those domains are

specified elsewhere (see VIRTUAL_README).

Do not specify the names of domains that this machine is backup MX

host for. Specify those names via the relay_domains settings for

the SMTP server, or use permit_mx_backup if you are lazy (see

STANDARD_CONFIGURATION_README).

The local machine is always the final destination for mail addressed

to user@[the.net.work.address] of an interface that the mail system

receives mail on (see the inet_interfaces parameter).

Specify a list of host or domain names, /file/name or type:table

patterns, separated by commas and/or whitespace. A /file/name

pattern is replaced by its contents; a type:table is matched when

a name matches a lookup key (the right-hand side is ignored).

Continue long lines by starting the next line with whitespace.

See also below, section “REJECTING MAIL FOR UNKNOWN LOCAL USERS”.

mydestination = $myhostname, localhost.$mydomain, localhost, panel.msoftsys.com
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,

mail.$mydomain, www.$mydomain, ftp.$mydomain

REJECTING MAIL FOR UNKNOWN LOCAL USERS

The local_recipient_maps parameter specifies optional lookup tables

with all names or addresses of users that are local with respect

to $mydestination, $inet_interfaces or $proxy_interfaces.

If this parameter is defined, then the SMTP server will reject

mail for unknown local users. This parameter is defined by default.

To turn off local recipient checking in the SMTP server, specify

local_recipient_maps = (i.e. empty).

The default setting assumes that you use the default Postfix local

delivery agent for local delivery. You need to update the

local_recipient_maps setting if:

- You define $mydestination domain recipients in files other than

/etc/passwd, /etc/aliases, or the $virtual_alias_maps files.

For example, you define $mydestination domain recipients in

the $virtual_mailbox_maps files.

- You redefine the local delivery agent in master.cf.

- You redefine the “local_transport” setting in main.cf.

- You use the “luser_relay”, “mailbox_transport”, or “fallback_transport”

feature of the Postfix local delivery agent (see local(8)).

Details are described in the LOCAL_RECIPIENT_README file.

Beware: if the Postfix SMTP server runs chrooted, you probably have

to access the passwd file via the proxymap service, in order to

overcome chroot restrictions. The alternative, having a copy of

the system passwd file in the chroot jail is just not practical.

The right-hand side of the lookup tables is conveniently ignored.

In the left-hand side, specify a bare username, an @domain.tld

wild-card, or specify a user@domain.tld address.

#local_recipient_maps = unix:passwd.byname $alias_maps
#local_recipient_maps = proxy:unix:passwd.byname $alias_maps
#local_recipient_maps =

The unknown_local_recipient_reject_code specifies the SMTP server

response code when a recipient domain matches $mydestination or

${proxy,inet}_interfaces, while $local_recipient_maps is non-empty

and the recipient address or address local-part is not found.

The default setting is 550 (reject mail) but it is safer to start

with 450 (try again later) until you are certain that your

local_recipient_maps settings are OK.

unknown_local_recipient_reject_code = 550

TRUST AND RELAY CONTROL

The mynetworks parameter specifies the list of “trusted” SMTP

clients that have more privileges than “strangers”.

In particular, “trusted” SMTP clients are allowed to relay mail

through Postfix. See the smtpd_recipient_restrictions parameter

in postconf(5).

You can specify the list of “trusted” network addresses by hand

or you can let Postfix do it for you (which is the default).

By default (mynetworks_style = subnet), Postfix “trusts” SMTP

clients in the same IP subnetworks as the local machine.

On Linux, this does works correctly only with interfaces specified

with the “ifconfig” command.

Specify “mynetworks_style = class” when Postfix should “trust” SMTP

clients in the same IP class A/B/C networks as the local machine.

Don’t do this with a dialup site - it would cause Postfix to “trust”

your entire provider’s network. Instead, specify an explicit

mynetworks list by hand, as described below.

Specify “mynetworks_style = host” when Postfix should “trust”

only the local machine.

#mynetworks_style = class
#mynetworks_style = subnet
#mynetworks_style = host

Alternatively, you can specify the mynetworks list by hand, in

which case Postfix ignores the mynetworks_style setting.

Specify an explicit list of network/netmask patterns, where the

mask specifies the number of bits in the network part of a host

address.

You can also specify the absolute pathname of a pattern file instead

of listing the patterns here. Specify type:table for table-based lookups

(the value on the table right-hand side is not used).

#mynetworks = 168.100.189.0/28, 127.0.0.0/8
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table

The relay_domains parameter restricts what destinations this system will

relay mail to. See the smtpd_recipient_restrictions description in

postconf(5) for detailed information.

By default, Postfix relays mail

- from “trusted” clients (IP address matches $mynetworks) to any destination,

- from “untrusted” clients to destinations that match $relay_domains or

subdomains thereof, except addresses with sender-specified routing.

The default relay_domains value is $mydestination.

In addition to the above, the Postfix SMTP server by default accepts mail

that Postfix is final destination for:

- destinations that match $inet_interfaces or $proxy_interfaces,

- destinations that match $mydestination

- destinations that match $virtual_alias_domains,

- destinations that match $virtual_mailbox_domains.

These destinations do not need to be listed in $relay_domains.

Specify a list of hosts or domains, /file/name patterns or type:name

lookup tables, separated by commas and/or whitespace. Continue

long lines by starting the next line with whitespace. A file name

is replaced by its contents; a type:name table is matched when a

(parent) domain appears as lookup key.

NOTE: Postfix will not automatically forward mail for domains that

list this system as their primary or backup MX host. See the

permit_mx_backup restriction description in postconf(5).

#relay_domains = $mydestination

INTERNET OR INTRANET

The relayhost parameter specifies the default host to send mail to

when no entry is matched in the optional transport(5) table. When

no relayhost is given, mail is routed directly to the destination.

On an intranet, specify the organizational domain name. If your

internal DNS uses no MX records, specify the name of the intranet

gateway host instead.

In the case of SMTP, specify a domain, host, host:port, [host]:port,

[address] or [address]:port; the form [host] turns off MX lookups.

If you’re connected via UUCP, see also the default_transport parameter.

#relayhost = $mydomain
#relayhost = [gateway.my.domain]
#relayhost = [mailserver.isp.tld]
#relayhost = uucphost
#relayhost = [an.ip.add.ress]

REJECTING UNKNOWN RELAY USERS

The relay_recipient_maps parameter specifies optional lookup tables

with all addresses in the domains that match $relay_domains.

If this parameter is defined, then the SMTP server will reject

mail for unknown relay users. This feature is off by default.

The right-hand side of the lookup tables is conveniently ignored.

In the left-hand side, specify an @domain.tld wild-card, or specify

a user@domain.tld address.

#relay_recipient_maps = hash:/etc/postfix/relay_recipients

INPUT RATE CONTROL

The in_flow_delay configuration parameter implements mail input

flow control. This feature is turned on by default, although it

still needs further development (it’s disabled on SCO UNIX due

to an SCO bug).

A Postfix process will pause for $in_flow_delay seconds before

accepting a new message, when the message arrival rate exceeds the

message delivery rate. With the default 100 SMTP server process

limit, this limits the mail inflow to 100 messages a second more

than the number of messages delivered per second.

Specify 0 to disable the feature. Valid delays are 0…10.

#in_flow_delay = 1s

ADDRESS REWRITING

The ADDRESS_REWRITING_README document gives information about

address masquerading or other forms of address rewriting including

username->Firstname.Lastname mapping.

ADDRESS REDIRECTION (VIRTUAL DOMAIN)

The VIRTUAL_README document gives information about the many forms

of domain hosting that Postfix supports.

“USER HAS MOVED” BOUNCE MESSAGES

See the discussion in the ADDRESS_REWRITING_README document.

TRANSPORT MAP

See the discussion in the ADDRESS_REWRITING_README document.

ALIAS DATABASE

The alias_maps parameter specifies the list of alias databases used

by the local delivery agent. The default list is system dependent.

On systems with NIS, the default is to search the local alias

database, then the NIS alias database. See aliases(5) for syntax

details.

If you change the alias database, run “postalias /etc/aliases” (or

wherever your system stores the mail alias file), or simply run

“newaliases” to build the necessary DBM or DB file.

It will take a minute or so before changes become visible. Use

“postfix reload” to eliminate the delay.

#alias_maps = dbm:/etc/aliases
alias_maps = hash:/etc/aliases
#alias_maps = hash:/etc/aliases, nis:mail.aliases
#alias_maps = netinfo:/aliases

The alias_database parameter specifies the alias database(s) that

are built with “newaliases” or “sendmail -bi”. This is a separate

configuration parameter, because alias_maps (see above) may specify

tables that are not necessarily all under control by Postfix.

#alias_database = dbm:/etc/aliases
#alias_database = dbm:/etc/mail/aliases
#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases

ADDRESS EXTENSIONS (e.g., user+foo)

The recipient_delimiter parameter specifies the separator between

user names and address extensions (user+foo). See canonical(5),

local(8), relocated(5) and virtual(5) for the effects this has on

aliases, canonical, virtual, relocated and .forward file lookups.

Basically, the software tries user+foo and .forward+foo before

trying user and .forward.

#recipient_delimiter = +

DELIVERY TO MAILBOX

The home_mailbox parameter specifies the optional pathname of a

mailbox file relative to a user’s home directory. The default

mailbox file is /var/spool/mail/user or /var/mail/user. Specify

“Maildir/” for qmail-style delivery (the / is required).

#home_mailbox = Mailbox
#home_mailbox = Maildir/

The mail_spool_directory parameter specifies the directory where

UNIX-style mailboxes are kept. The default setting depends on the

system type.

#mail_spool_directory = /var/mail
#mail_spool_directory = /var/spool/mail

The mailbox_command parameter specifies the optional external

command to use instead of mailbox delivery. The command is run as

the recipient with proper HOME, SHELL and LOGNAME environment settings.

Exception: delivery for root is done as $default_user.

Other environment variables of interest: USER (recipient username),

EXTENSION (address extension), DOMAIN (domain part of address),

and LOCAL (the address localpart).

Unlike other Postfix configuration parameters, the mailbox_command

parameter is not subjected to $parameter substitutions. This is to

make it easier to specify shell syntax (see example below).

Avoid shell meta characters because they will force Postfix to run

an expensive shell process. Procmail alone is expensive enough.

IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN

ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.

#mailbox_command = /some/where/procmail
#mailbox_command = /some/where/procmail -a “$EXTENSION”

The mailbox_transport specifies the optional transport in master.cf

to use after processing aliases and .forward files. This parameter

has precedence over the mailbox_command, fallback_transport and

luser_relay parameters.

Specify a string of the form transport:nexthop, where transport is

the name of a mail delivery transport defined in master.cf. The

:nexthop part is optional. For more details see the sample transport

configuration file.

NOTE: if you use this feature for accounts not in the UNIX password

file, then you must update the “local_recipient_maps” setting in

the main.cf file, otherwise the SMTP server will reject mail for

non-UNIX accounts with “User unknown in local recipient table”.

Cyrus IMAP over LMTP. Specify ``lmtpunix cmd=“lmtpd”

listen="/var/imap/socket/lmtp" prefork=0’’ in cyrus.conf.

#mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp

If using the cyrus-imapd IMAP server deliver local mail to the IMAP

server using LMTP (Local Mail Transport Protocol), this is prefered

over the older cyrus deliver program by setting the

mailbox_transport as below:

mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp

The efficiency of LMTP delivery for cyrus-imapd can be enhanced via

these settings.

local_destination_recipient_limit = 300

local_destination_concurrency_limit = 5

Of course you should adjust these settings as appropriate for the

capacity of the hardware you are using. The recipient limit setting

can be used to take advantage of the single instance message store

capability of Cyrus. The concurrency limit can be used to control

how many simultaneous LMTP sessions will be permitted to the Cyrus

message store.

Cyrus IMAP via command line. Uncomment the “cyrus…pipe” and

subsequent line in master.cf.

#mailbox_transport = cyrus

The fallback_transport specifies the optional transport in master.cf

to use for recipients that are not found in the UNIX passwd database.

This parameter has precedence over the luser_relay parameter.

Specify a string of the form transport:nexthop, where transport is

the name of a mail delivery transport defined in master.cf. The

:nexthop part is optional. For more details see the sample transport

configuration file.

NOTE: if you use this feature for accounts not in the UNIX password

file, then you must update the “local_recipient_maps” setting in

the main.cf file, otherwise the SMTP server will reject mail for

non-UNIX accounts with “User unknown in local recipient table”.

#fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
#fallback_transport =

The luser_relay parameter specifies an optional destination address

for unknown recipients. By default, mail for unknown@$mydestination,

unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned

as undeliverable.

The following expansions are done on luser_relay: $user (recipient

username), $shell (recipient shell), $home (recipient home directory),

$recipient (full recipient address), $extension (recipient address

extension), $domain (recipient domain), $local (entire recipient

localpart), $recipient_delimiter. Specify ${name?value} or

${name:value} to expand value only when $name does (does not) exist.

luser_relay works only for the default Postfix local delivery agent.

NOTE: if you use this feature for accounts not in the UNIX password

file, then you must specify “local_recipient_maps =” (i.e. empty) in

the main.cf file, otherwise the SMTP server will reject mail for

non-UNIX accounts with “User unknown in local recipient table”.

#luser_relay = $user@other.host
#luser_relay = $local@other.host
#luser_relay = admin+$local

JUNK MAIL CONTROLS

The controls listed here are only a very small subset. The file

SMTPD_ACCESS_README provides an overview.

The header_checks parameter specifies an optional table with patterns

that each logical message header is matched against, including

headers that span multiple physical lines.

By default, these patterns also apply to MIME headers and to the

headers of attached messages. With older Postfix versions, MIME and

attached message headers were treated as body text.

For details, see “man header_checks”.

#header_checks = regexp:/etc/postfix/header_checks

FAST ETRN SERVICE

Postfix maintains per-destination logfiles with information about

deferred mail, so that mail can be flushed quickly with the SMTP

“ETRN domain.tld” command, or by executing “sendmail -qRdomain.tld”.

See the ETRN_README document for a detailed description.

The fast_flush_domains parameter controls what destinations are

eligible for this service. By default, they are all domains that

this server is willing to relay mail to.

#fast_flush_domains = $relay_domains

SHOW SOFTWARE VERSION OR NOT

The smtpd_banner parameter specifies the text that follows the 220

code in the SMTP server’s greeting banner. Some people like to see

the mail version advertised. By default, Postfix shows no version.

You MUST specify $myhostname at the start of the text. That is an

RFC requirement. Postfix itself does not care.

#smtpd_banner = $myhostname ESMTP $mail_name
#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)

PARALLEL DELIVERY TO THE SAME DESTINATION

How many parallel deliveries to the same user or domain? With local

delivery, it does not make sense to do massively parallel delivery

to the same user, because mailbox updates must happen sequentially,

and expensive pipelines in .forward files can cause disasters when

too many are run at the same time. With SMTP deliveries, 10

simultaneous connections to the same domain could be sufficient to

raise eyebrows.

Each message delivery transport has its XXX_destination_concurrency_limit

parameter. The default is $default_destination_concurrency_limit for

most delivery transports. For the local delivery agent the default is 2.

#local_destination_concurrency_limit = 2
#default_destination_concurrency_limit = 20

DEBUGGING CONTROL

The debug_peer_level parameter specifies the increment in verbose

logging level when an SMTP client or server host name or address

matches a pattern in the debug_peer_list parameter.

debug_peer_level = 2

The debug_peer_list parameter specifies an optional list of domain

or network patterns, /file/name patterns or type:name tables. When

an SMTP client or server host name or address matches a pattern,

increase the verbose logging level by the amount specified in the

debug_peer_level parameter.

#debug_peer_list = 127.0.0.1
#debug_peer_list = some.domain

The debugger_command specifies the external command that is executed

when a Postfix daemon program is run with the -D option.

Use “command … & sleep 5” so that the debugger can attach before

the process marches on. If you use an X-based debugger, be sure to

set up your XAUTHORITY environment variable before starting Postfix.

debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5

If you can’t use X, use this to capture the call stack when a

daemon crashes. The result is in a file in the configuration

directory, and is named after the process name and the process ID.

debugger_command =

PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;

echo where) | gdb $daemon_directory/$process_name $process_id 2>&1

>$config_directory/$process_name.$process_id.log & sleep 5

Another possibility is to run gdb under a detached screen session.

To attach to the screen sesssion, su root and run "screen -r

<id_string>" where <id_string> uniquely matches one of the detached

sessions (from “screen -list”).

debugger_command =

PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen

-dmS $process_name gdb $daemon_directory/$process_name

$process_id & sleep 1

INSTALL-TIME CONFIGURATION INFORMATION

The following parameters are used when installing a new Postfix version.

sendmail_path: The full pathname of the Postfix sendmail command.

This is the Sendmail-compatible mail posting interface.

sendmail_path = /usr/sbin/sendmail.postfix

newaliases_path: The full pathname of the Postfix newaliases command.

This is the Sendmail-compatible command to build alias databases.

newaliases_path = /usr/bin/newaliases.postfix

mailq_path: The full pathname of the Postfix mailq command. This

is the Sendmail-compatible mail queue listing command.

mailq_path = /usr/bin/mailq.postfix

setgid_group: The group for mail submission and queue management

commands. This must be a group name with a numerical group ID that

is not shared with other accounts, not even with the Postfix account.

setgid_group = postdrop

html_directory: The location of the Postfix HTML documentation.

html_directory = no

manpage_directory: The location of the Postfix on-line manual pages.

manpage_directory = /usr/share/man

sample_directory: The location of the Postfix sample configuration files.

This parameter is obsolete as of Postfix 2.1.

sample_directory = /usr/share/doc/postfix-2.10.1/samples

readme_directory: The location of the Postfix README files.

readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES

virtual_alias_maps = hash:/etc/postfix/virtual

sender_bcc_maps = hash:/etc/postfix/bcc

sender_dependent_default_transport_maps = hash:/etc/postfix/dependent

mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME

home_mailbox = Maildir/

smtpd_sasl_auth_enable = yes

smtpd_sasl_security_options = noanonymous

broken_sasl_auth_clients = yes

smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

smtp_tls_security_level = may

mailbox_size_limit = 0

allow_percent_hack = no

milter_default_action = accept

milter_protocol = 2

smtpd_milters = inet:localhost:8891,local:/run/milter-greylist/milter-greylist.sock

non_smtpd_milters = inet:localhost:8891,local:/run/milter-greylist/milter-greylist.sock

default_destination_recipient_limit = 5

default_destination_concurrency_limit = 10

myorigin = $mydomain

smtp_destination_recipient_limit = 5

smtp_destination_concurrency_limit = 5

smtpd_helo_required = yes

disable_vrfy_command = yes

smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated check_helo_access hash:/etc/postfix/helo_access reject_invalid_helo_hostname reject_non_fqdn_help_hostname reject_unknown_helo_hostname

smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated reject_unknown_sender_domain reject_unknown_reverse_client_hostname reject_unknown_client_hostname

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

Can you repost your main.cf file but wrap it in “code” tags? Before you post, read - Virtualmin Tips - that should explain how to post code snippets. That way the formatting doesn’t go all weird.

did you have the following setting in your postfix config?
smtp_sasl_security_options = noanonymous
(EDIT…oh i see it, yep you did)
Whilst i havent had email problems like this yet, my backup will be to implement what google cloud do, that is to eventually change all email configuration to non standard ports (completely blocking standard ones) and use a mail relay such as mailgun or sendgrid.

Obviously you may not be using google cloud compute VPS, however, the use of a relay as shown in tutorial below is still applicable.

https://cloud.google.com/compute/docs/tutorials/sending-mail/using-sendgrid

@Adam - without wanting to distract from the OP’s issues (when he posts up his main.cf in a code block - can pick it up then), why go down the road of mailgun\sendgrid as opposed to say another VPS that’s a backup (cold or hot standby)?

Dear
I am really upset regarding this issue, even i have made changes in postfix main.cf file, but the attacker somehow used my smtp port and again sent email flood through my vps, the changes that have made is as under:

‘’’
smtpd_helo_required = yes

disable_vrfy_command = yes

smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated check_helo_access hash:/etc/postfix/helo_access reject_invalid_helo_hostname reject_non_fqdn_help_hostname reject_unknown_helo_hostname

smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated reject_unknown_sender_domain reject_unknown_reverse_client_hostname reject_unknown_client_hostname

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
‘’’
What can i do to prevent these spamming. And smoothly run my vps.

Hoping a favorable response with bundle of thanks.

Dear, i tried my best to convert into code block but failed, can u copy paste the above text and convert into code block please.

@Faisal - I can’t cut and paste your content into a code block as the original formatting has been lost.

Perhaps wipe down your VPS and spin up a fresh one with a new O\S, harden it properly, limit root access, enable ssh and then install Virtualmin again? Bit brutal - but it should stop unauthorised access if you’ve done things correctly.

@Dibs,
But the attacker uses only smtp port not any other things, is virtualmin paid version is more secure?