Unknown Sender Spamming through Virtualmin platform

@Faisal - Virtualmin from a Postfix perspective is relatively secure out of the box. You need to post up your main.cf file in a code block properly for us to be able to help you. Moving to the paid version isn’t going to automatically fix anything.

Out of the box Virtualmin & Postfix should not allow anyone to use your server to send out emails. At best you might get a ton of spam and the associated bounces back to existent & non-existent email addresses, which causes other problems.

main.cf

```
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost

# Enable IPv4, and IPv6 if supported
inet_protocols = all

# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
mydestination = $myhostname, localhost.$mydomain, localhost, panel.msoftsys.com
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
#    mail.$mydomain, www.$mydomain, ftp.$mydomain

unknown_local_recipient_reject_code = 550

# TRUST AND RELAY CONTROL
#mynetworks_style = class
#mynetworks_style = subnet
#mynetworks_style = host

#mynetworks = 168.100.189.0/28, 127.0.0.0/8
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table

#relay_domains = $mydestination

# INTERNET OR INTRANET
#relayhost = $mydomain
#relayhost = [gateway.my.domain]
#relayhost = [mailserver.isp.tld]
#relayhost = uucphost
#relayhost = [an.ip.add.ress]

# REJECTING UNKNOWN RELAY USERS
#relay_recipient_maps = hash:/etc/postfix/relay_recipients

# INPUT RATE CONTROL
#in_flow_delay = 1s

# ALIAS DATABASE
#alias_maps = dbm:/etc/aliases
alias_maps = hash:/etc/aliases
#alias_maps = hash:/etc/aliases, nis:mail.aliases
#alias_maps = netinfo:/aliases

# DELIVERY TO MAILBOX
#home_mailbox = Mailbox
#home_mailbox = Maildir/

# The mail_spool_directory parameter specifies the directory where
# UNIX-style mailboxes are kept. The default setting depends on the
# system type.
#mail_spool_directory = /var/mail
#mail_spool_directory = /var/spool/mail

#mailbox_command = /some/where/procmail
#mailbox_command = /some/where/procmail -a "$EXTENSION"

local_destination_recipient_limit = 300
local_destination_concurrency_limit = 5
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.10.1/samples
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
sender_dependent_default_transport_maps = hash:/etc/postfix/dependent
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtp_tls_security_level = may
mailbox_size_limit = 0
allow_percent_hack = no
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891,local:/run/milter-greylist/milter-greylist.sock
non_smtpd_milters = inet:localhost:8891,local:/run/milter-greylist/milter-greylist.sock
default_destination_recipient_limit = 5
default_destination_concurrency_limit = 10
myorigin = $mydomain
smtp_destination_recipient_limit = 5
smtp_destination_concurrency_limit = 5
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated check_helo_access hash:/etc/postfix/helo_access reject_invalid_helo_hostname reject_non_fqdn_help_hostname reject_unknown_helo_hostname
smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated reject_unknown_sender_domain reject_unknown_reverse_client_hostname reject_unknown_client_hostname
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination.
```

Post a set of lines from your mail.log where you believe someone is using your server to send unauthorised emails?

```
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination.
```

The above is wrong - there should be no ‘.’ on the end.

Your smtpd restrictions would be better off as follows (although slightly heavy-handed):

```
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain, reject_unknown_reverse_client_hostname, reject_unknown_client_hostname
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
```

Also, you are missing:

```
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
```

BUT BEFORE you make any changes, it would be better to see the entries from your mail.log where you believe someone is sending unauthorized mail.
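One way to catch both defects the reply above points at before Postfix is restarted: the trailing '.' on `defer_unauth_destination`, and the misspelled `reject_non_fqdn_help_hostname` that the log posted later in this thread reports as "unknown smtpd restriction". This is an added example, not code from the thread or from Postfix; `KNOWN` and `WITH_ARG` are a hand-maintained subset of restriction names, and the two configs are constructed from the lines posted here.

```python
"""Lint the smtpd_*_restrictions lists in a Postfix main.cf before restarting.

Added example, not code from the thread or from Postfix. KNOWN/WITH_ARG are a
hand-maintained subset of restriction names (assumption: complete enough for
the lists on this page); the two configs are constructed from the lines
posted in the thread.
"""
import re

# Restrictions that stand alone (includes the older aliases the reply above uses).
KNOWN = {
    "permit", "reject", "defer", "defer_if_permit", "defer_if_reject",
    "permit_mynetworks", "permit_sasl_authenticated", "permit_auth_destination",
    "permit_inet_interfaces", "reject_unauth_destination",
    "defer_unauth_destination", "reject_unauth_pipelining",
    "reject_invalid_helo_hostname", "reject_non_fqdn_helo_hostname",
    "reject_unknown_helo_hostname", "reject_invalid_hostname",
    "reject_non_fqdn_hostname", "reject_unknown_hostname",
    "reject_unknown_sender_domain", "reject_non_fqdn_sender",
    "reject_unlisted_sender", "reject_unknown_recipient_domain",
    "reject_non_fqdn_recipient", "reject_unlisted_recipient",
    "reject_unknown_client_hostname", "reject_unknown_reverse_client_hostname",
    "reject_unverified_sender", "reject_unverified_recipient",
    "reject_sender_login_mismatch", "reject_plaintext_session",
}
# Restrictions whose next token is an argument (lookup table or DNSBL zone).
WITH_ARG = {
    "check_client_access", "check_helo_access", "check_sender_access",
    "check_recipient_access", "check_policy_service", "reject_rbl_client",
    "reject_rhsbl_client", "reject_rhsbl_helo", "reject_rhsbl_sender",
    "reject_rhsbl_recipient", "permit_dnswl_client",
}


def parse_main_cf(text):
    """Minimal main.cf reader: '#' comments, 'name = value', and
    continuation lines that start with whitespace."""
    cfg, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            cfg[last] += " " + raw.strip()
            continue
        if "=" not in raw:
            continue
        name, value = raw.split("=", 1)
        last = name.strip()
        cfg[last] = value.strip()
    return cfg


def lint_restrictions(cfg):
    """Return human-readable findings for every smtpd_*_restrictions list."""
    findings = []
    uses_mynetworks = False
    for param, value in cfg.items():
        if not (param.startswith("smtpd_") and param.endswith("_restrictions")):
            continue
        expect_arg = False
        for tok in re.split(r"[\s,]+", value):
            if not tok:
                continue
            if expect_arg:            # e.g. hash:/etc/postfix/helo_access
                expect_arg = False
                continue
            if tok in WITH_ARG:
                expect_arg = True
            elif tok == "permit_mynetworks":
                uses_mynetworks = True
            elif tok in KNOWN:
                pass
            elif tok.rstrip(".,;") in KNOWN:
                findings.append(f"{param}: '{tok}' has trailing punctuation")
            else:
                findings.append(
                    f"{param}: unknown restriction '{tok}' "
                    "(RCPT commands that reach it get '451 4.3.5 Server configuration error')")
    if uses_mynetworks and "mynetworks" not in cfg:
        findings.append("mynetworks is not set; permit_mynetworks falls back "
                        "to the mynetworks_style default")
    return findings


# Constructed from the restriction lines posted in the thread.
POSTED_MAIN_CF = """\
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated check_helo_access hash:/etc/postfix/helo_access
    reject_invalid_helo_hostname reject_non_fqdn_help_hostname reject_unknown_helo_hostname
smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated reject_unknown_sender_domain reject_unknown_reverse_client_hostname reject_unknown_client_hostname
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination.
"""

# The lists suggested in the reply, plus the mynetworks line it says is missing.
SUGGESTED_MAIN_CF = """\
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain, reject_unknown_reverse_client_hostname, reject_unknown_client_hostname
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
"""

if __name__ == "__main__":
    for label, text in (("posted", POSTED_MAIN_CF), ("suggested", SUGGESTED_MAIN_CF)):
        print(f"== {label} ==")
        for finding in lint_restrictions(parse_main_cf(text)) or ["no findings"]:
            print(" ", finding)
```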

I am posting a few log lines, but today’s log file actually consists of more than 150000 lines, so it’s not possible to send all of them.
The attacker started at approximately 5am; below is a few minutes of the log:

```
Dec 12 05:19:37 panel postfix/smtpd[26614]: connect from unknown[185.228.82.250]
Dec 12 05:19:37 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 05:19:38 panel postfix/smtpd[26614]: warning: unknown[185.228.82.250]: SASL LOGIN authentication failed: authentication failure
Dec 12 05:19:38 panel postfix/smtpd[26614]: lost connection after AUTH from unknown[185.228.82.250]
Dec 12 05:19:38 panel postfix/smtpd[26614]: disconnect from unknown[185.228.82.250]
Dec 12 05:19:38 panel postfix/smtpd[26602]: connect from unknown[185.228.82.250]
Dec 12 05:19:38 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 05:19:41 panel postfix/smtpd[26602]: warning: unknown[185.228.82.250]: SASL LOGIN authentication failed: authentication failure
Dec 12 05:19:41 panel postfix/smtpd[26602]: lost connection after AUTH from unknown[185.228.82.250]
Dec 12 05:19:41 panel postfix/smtpd[26602]: disconnect from unknown[185.228.82.250]
Dec 12 05:19:41 panel postfix/smtpd[26614]: connect from unknown[185.228.82.250]
Dec 12 05:19:41 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 05:19:42 panel postfix/smtpd[26614]: warning: unknown[185.228.82.250]: SASL LOGIN authentication failed: authentication failure
Dec 12 05:19:42 panel postfix/smtpd[26614]: lost connection after AUTH from unknown[185.228.82.250]
Dec 12 05:19:42 panel postfix/smtpd[26614]: disconnect from unknown[185.228.82.250]
Dec 12 05:19:42 panel postfix/smtpd[26602]: connect from unknown[185.228.82.250]
Dec 12 05:19:42 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 05:19:43 panel postfix/anvil[14616]: statistics: max connection rate 31/60s for (smtp:185.228.82.250) at Dec 12 05:12:44
Dec 12 05:19:43 panel postfix/anvil[14616]: statistics: max connection count 1 for (smtp:185.228.82.250) at Dec 12 05:09:43
Dec 12 05:19:43 panel postfix/anvil[14616]: statistics: max cache size 9 at Dec 12 05:17:57
Dec 12 05:19:44 panel postfix/smtpd[26602]: warning: unknown[185.228.82.250]: SASL LOGIN authentication failed: authentication failure
Dec 12 05:19:44 panel postfix/smtpd[26602]: lost connection after AUTH from unknown[185.228.82.250]
Dec 12 05:19:44 panel postfix/smtpd[26602]: disconnect from unknown[185.228.82.250]
Dec 12 05:19:44 panel postfix/smtpd[26614]: connect from unknown[185.228.82.250]
Dec 12 05:19:44 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 05:19:46 panel postfix/smtpd[26614]: warning: unknown[185.228.82.250]: SASL LOGIN authentication failed: authentication failure
Dec 12 05:19:46 panel postfix/smtpd[26614]: lost connection after AUTH from unknown[185.228.82.250]
Dec 12 05:19:46 panel postfix/smtpd[26614]: disconnect from unknown[185.228.82.250]
Dec 12 05:19:46 panel postfix/smtpd[26602]: connect from unknown[185.228.82.250]
Dec 12 05:19:46 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 05:19:48 panel postfix/smtpd[26602]: warning: unknown[185.228.82.250]: SASL LOGIN authentication failed: authentication failure
Dec 12 05:19:48 panel postfix/smtpd[26602]: lost connection after AUTH from unknown[185.228.82.250]
Dec 12 05:19:48 panel postfix/smtpd[26602]: disconnect from unknown[185.228.82.250]
Dec 12 05:19:48 panel postfix/smtpd[26617]: connect from unknown[185.228.82.250]
Dec 12 05:19:48 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 05:19:49 panel postfix/smtpd[26617]: warning: unknown[185.228.82.250]: SASL LOGIN authentication failed: authentication failure
Dec 12 05:19:49 panel postfix/smtpd[26617]: lost connection after AUTH from unknown[185.228.82.250]
Dec 12 05:19:49 panel postfix/smtpd[26617]: disconnect from unknown[185.228.82.250]
Dec 12 05:19:49 panel postfix/smtpd[26602]: connect from unknown[185.228.82.250]
Dec 12 05:19:49 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 05:19:52 panel postfix/smtpd[26602]: warning: unknown[185.228.82.250]: SASL LOGIN authentication failed: authentication failure
Dec 12 05:19:52 panel postfix/smtpd[26602]: lost connection after AUTH from unknown[185.228.82.250]
Dec 12 05:19:52 panel postfix/smtpd[26602]: disconnect from unknown[185.228.82.250]
Dec 12 05:19:52 panel postfix/smtpd[26617]: connect from unknown[185.228.82.250]
Dec 12 05:19:52 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 05:19:55 panel postfix/smtpd[26617]: warning: unknown[185.228.82.250]: SASL LOGIN authentication failed: authentication failure
Dec 12 05:19:55 panel postfix/smtpd[26617]: lost connection after AUTH from unknown[185.228.82.250]
Dec 12 05:19:55 panel postfix/smtpd[26617]: disconnect from unknown[185.228.82.250]
Dec 12 05:19:55 panel postfix/smtpd[26602]: connect from unknown[185.228.82.250]
Dec 12 05:19:55 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 05:19:56 panel postfix/smtpd[26617]: connect from mail-pf1-f187.google.com[209.85.210.187]
Dec 12 05:19:56 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 05:19:56 panel postfix/smtpd[26617]: warning: unknown smtpd restriction: "reject_non_fqdn_help_hostname"
Dec 12 05:19:56 panel postfix/smtpd[26617]: NOQUEUE: reject: RCPT from mail-pf1-f187.google.com[209.85.210.187]: 451 4.3.5 Server configuration error; from= to= proto=ESMTP helo=
Dec 12 05:19:56 panel postfix/cleanup[28392]: B5E19449C: message-id=<20191212041956.B5E19449C@panel.msoftsys.com>
Dec 12 05:19:56 panel postfix/smtpd[26617]: disconnect from mail-pf1-f187.google.com[209.85.210.187]
Dec 12 05:19:56 panel postfix/qmgr[14236]: B5E19449C: from=, size=1108, nrcpt=1 (queue active)
Dec 12 05:19:56 panel postfix/smtpd[26602]: warning: unknown[185.228.82.250]: SASL LOGIN authentication failed: authentication failure
Dec 12 05:19:56 panel postfix/error[25992]: B5E19449C: to=, orig_to=, relay=none, delay=0.01, delays=0/0/0/0, dsn=5.1.1, status=bounced (User unknown in virtual alias table)
Dec 12 05:19:56 panel postfix/bounce[25993]: warning: B5E19449C: undeliverable postmaster notification discarded
Dec 12 05:19:56 panel postfix/qmgr[14236]: B5E19449C: removed
Dec 12 05:19:56 panel postfix/smtpd[26602]: lost connection after AUTH from unknown[185.228.82.250]
Dec 12 05:19:56 panel postfix/smtpd[26602]: disconnect from unknown[185.228.82.250]
Dec 12 05:19:56 panel postfix/smtpd[26614]: connect from unknown[185.228.82.250]
Dec 12 05:19:56 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 05:19:58 panel postfix/smtpd[26614]: warning: unknown[185.228.82.250]: SASL LOGIN authentication failed: authentication failure
Dec 12 05:19:58 panel postfix/smtpd[26614]: lost connection after AUTH from unknown[185.228.82.250]
Dec 12 05:19:58 panel postfix/smtpd[26614]: disconnect from unknown[185.228.82.250]
Dec 12 05:19:58 panel postfix/smtpd[26602]: connect from unknown[185.228.82.250]
Dec 12 05:19:58 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 05:20:00 panel postfix/smtpd[26602]: warning: unknown[185.228.82.250]: SASL LOGIN authentication failed: authentication failure
Dec 12 05:20:00 panel postfix/smtpd[26602]: lost connection after AUTH from unknown[185.228.82.250]
Dec 12 05:20:00 panel postfix/smtpd[26602]: disconnect from unknown[185.228.82.250]
Dec 12 05:20:00 panel postfix/smtpd[26617]: connect from unknown[185.228.82.250]
Dec 12 05:20:00 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 05:20:01 panel postfix/smtpd[26617]: warning: unknown[185.228.82.250]: SASL LOGIN authentication failed: authentication failure
Dec 12 05:20:01 panel postfix/smtpd[26617]: lost connection after AUTH from unknown[185.228.82.250]
Dec 12 05:20:01 panel postfix/smtpd[26617]: disconnect from unknown[185.228.82.250]
Dec 12 05:20:01 panel postfix/smtpd[26602]: connect from unknown[185.228.82.250]
Dec 12 05:20:01 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 05:20:04 panel postfix/smtpd[26602]: warning: unknown[185.228.82.250]: SASL LOGIN authentication failed: authentication failure
Dec 12 05:20:04 panel postfix/smtpd[26602]: lost connection after AUTH from unknown[185.228.82.250]
Dec 12 05:20:04 panel postfix/smtpd[26602]: disconnect from unknown[185.228.82.250]
Dec 12 05:20:04 panel postfix/smtpd[26614]: connect from unknown[185.228.82.250]
Dec 12 05:20:04 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 05:20:06 panel postfix/smtpd[26614]: warning: unknown[185.228.82.250]: SASL LOGIN authentication failed: authentication failure
Dec 12 05:20:07 panel postfix/smtpd[26614]: lost connection after AUTH from unknown[185.228.82.250]
Dec 12 05:20:07 panel postfix/smtpd[26614]: disconnect from unknown[185.228.82.250]
Dec 12 05:20:07 panel postfix/smtpd[26617]: connect from unknown[185.228.82.250]
Dec 12 05:20:07 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 05:20:08 panel postfix/smtpd[26617]: warning: unknown[185.228.82.250]: SASL LOGIN authentication failed: authentication failure
Dec 12 05:20:08 panel postfix/smtpd[26617]: lost connection after AUTH from unknown[185.228.82.250]
Dec 12 05:20:08 panel postfix/smtpd[26617]: disconnect from unknown[185.228.82.250]
Dec 12 05:20:08 panel postfix/smtpd[26602]: connect from unknown[185.228.82.250]
Dec 12 05:20:08 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 05:20:10 panel postfix/smtpd[26602]: warning: unknown[185.228.82.250]: SASL LOGIN authentication failed: authentication failure
Dec 12 05:20:10 panel postfix/smtpd[26602]: lost connection after AUTH from unknown[185.228.82.250]
Dec 12 05:20:10 panel postfix/smtpd[26602]: disconnect from unknown[185.228.82.250]
Dec 12 05:20:10 panel postfix/smtpd[26614]: connect from unknown[185.228.82.250]
Dec 12 05:20:10 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 05:20:12 panel postfix/smtpd[26614]: warning: unknown[185.228.82.250]: SASL LOGIN authentication failed: authentication failure
Dec 12 05:20:12 panel postfix/smtpd[26614]: lost connection after AUTH from unknown[185.228.82.250]
Dec 12 05:20:12 panel postfix/smtpd[26614]: disconnect from unknown[185.228.82.250]
Dec 12 05:20:12 panel postfix/smtpd[26617]: connect from unknown[185.228.82.250]
Dec 12 05:20:12 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 05:20:14 panel postfix/smtpd[26617]: warning: unknown[185.228.82.250]: SASL LOGIN authentication failed: authentication failure
Dec 12 05:20:14 panel postfix/smtpd[26617]: lost connection after AUTH from unknown[185.228.82.250]
Dec 12 05:20:14 panel postfix/smtpd[26617]: disconnect from unknown[185.228.82.250]
Dec 12 05:20:14 panel postfix/smtpd[26602]: connect from unknown[185.228.82.250]
Dec 12 05:20:14 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 05:20:16 panel postfix/smtpd[26602]: warning: unknown[185.228.82.250]: SASL LOGIN authentication failed: authentication failure
Dec 12 05:20:16 panel postfix/smtpd[26602]: lost connection after AUTH from unknown[185.228.82.250]
Dec 12 05:20:16 panel postfix/smtpd[26602]: disconnect from unknown[185.228.82.250]
Dec 12 05:20:16 panel postfix/smtpd[26617]: connect from unknown[185.228.82.250]
Dec 12 05:20:16 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 05:20:18 panel postfix/smtpd[26602]: connect from mail3.faysalbank.com[103.85.152.240]
Dec 12 05:20:18 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 05:20:18 panel postfix/smtpd[26602]: warning: unknown smtpd restriction: "reject_non_fqdn_help_hostname"
Dec 12 05:20:18 panel postfix/smtpd[26602]: NOQUEUE: reject: RCPT from mail3.faysalbank.com[103.85.152.240]: 451 4.3.5 Server configuration error; from= to= proto=ESMTP helo=
Dec 12 05:20:19 panel postfix/smtpd[26617]: warning: unknown[185.228.82.250]: SASL LOGIN authentication failed: authentication failure
Dec 12 05:20:19 panel postfix/smtpd[26617]: lost connection after AUTH from unknown[185.228.82.250]
Dec 12 05:20:19 panel postfix/smtpd[26617]: disconnect from unknown[185.228.82.250]
Dec 12 05:20:19 panel postfix/smtpd[26614]: connect from unknown[185.228.82.250]
Dec 12 05:20:19 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 05:20:19 panel postfix/smtpd[26602]: warning: unknown smtpd restriction: "reject_non_fqdn_help_hostname"
Dec 12 05:20:19 panel postfix/smtpd[26602]: NOQUEUE: reject: RCPT from mail3.faysalbank.com[103.85.152.240]: 451 4.3.5 Server configuration error; from= to= proto=ESMTP helo=
Dec 12 05:20:19 panel postfix/cleanup[28392]: 2F71E41A6: message-id=<20191212042019.2F71E41A6@panel.msoftsys.com>
Dec 12 05:20:19 panel postfix/smtpd[26602]: disconnect from mail3.faysalbank.com[103.85.152.240]
Dec 12 05:20:19 panel postfix/qmgr[14236]: 2F71E41A6: from=, size=1182, nrcpt=1 (queue active)
Dec 12 05:20:19 panel postfix/error[25992]: 2F71E41A6: to=, orig_to=, relay=none, delay=0.01, delays=0.01/0/0/0, dsn=5.1.1, status=bounced (User unknown in virtual alias table)
Dec 12 05:20:19 panel postfix/bounce[25993]: warning: 2F71E41A6: undeliverable postmaster notification discarded
Dec 12 05:20:19 panel postfix/qmgr[14236]: 2F71E41A6: removed
Dec 12 05:20:20 panel postfix/smtpd[26614]: warning: unknown[185.228.82.250]: SASL LOGIN authentication failed: authentication failure
Dec 12 05:20:20 panel postfix/smtpd[26614]: lost connection after AUTH from unknown[185.228.82.250]
Dec 12 05:20:20 panel postfix/smtpd[26614]: disconnect from unknown[185.228.82.250]
Dec 12 05:20:20 panel postfix/smtpd[26617]: connect from unknown[185.228.82.250]
Dec 12 05:20:20 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 05:20:22 panel postfix/smtpd[26617]: warning: unknown[185.228.82.250]: SASL LOGIN authentication failed: authentication failure
Dec 12 05:20:22 panel postfix/smtpd[26617]: lost connection after AUTH from unknown[185.228.82.250]
Dec 12 05:20:22 panel postfix/smtpd[26617]: disconnect from unknown[185.228.82.250]
Dec 12 05:20:22 panel postfix/smtpd[26602]: connect from unknown[185.228.82.250]
Dec 12 05:20:22 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 05:20:24 panel postfix/smtpd[26602]: warning: unknown[185.228.82.250]: SASL LOGIN authentication failed: authentication failure
Dec 12 05:20:24 panel postfix/smtpd[26602]: lost connection after AUTH from unknown[185.228.82.250]
Dec 12 05:20:24 panel postfix/smtpd[26602]: disconnect from unknown[185.228.82.250]
Dec 12 05:20:24 panel postfix/smtpd[26617]: connect from unknown[185.228.82.250]
Dec 12 05:20:24 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 05:20:27 panel postfix/smtpd[26617]: warning: unknown[185.228.82.250]: SASL LOGIN authentication failed: authentication failure
Dec 12 05:20:27 panel postfix/smtpd[26617]: lost connection after AUTH from unknown[185.228.82.250]
Dec 12 05:20:27 panel postfix/smtpd[26617]: disconnect from unknown[185.228.82.250]
Dec 12 05:20:27 panel postfix/smtpd[26614]: connect from unknown[185.228.82.250]
Dec 12 05:20:27 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 05:20:29 panel postfix/smtpd[26614]: warning: unknown[185.228.82.250]: SASL LOGIN authentication failed: authentication failure
Dec 12 05:20:29 panel postfix/smtpd[26614]: lost connection after AUTH from unknown[185.228.82.250]
Dec 12 05:20:29 panel postfix/smtpd[26614]: disconnect from unknown[185.228.82.250]
Dec 12 05:20:29 panel postfix/smtpd[26617]: connect from unknown[185.228.82.250]
Dec 12 05:20:29 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 05:20:30 panel postfix/smtpd[26614]: connect from unknown[106.110.164.11]
Dec 12 05:20:30 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 05:20:31 panel postfix/smtpd[26617]: warning: unknown[185.228.82.250]: SASL LOGIN authentication failed: authentication failure
Dec 12 05:20:31 panel postfix/smtpd[26617]: lost connection after AUTH from unknown[185.228.82.250]
Dec 12 05:20:31 panel postfix/smtpd[26617]: disconnect from unknown[185.228.82.250]
Dec 12 05:20:31 panel postfix/smtpd[26617]: connect from unknown[185.228.82.250]
Dec 12 05:20:31 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 05:20:31 panel postfix/smtpd[26614]: warning: unknown smtpd restriction: "reject_non_fqdn_help_hostname"
Dec 12 05:20:31 panel postfix/smtpd[26614]: NOQUEUE: reject: RCPT from unknown[106.110.164.11]: 451 4.3.5 Server configuration error; from= to= proto=ESMTP helo=
Dec 12 05:20:31 panel postfix/cleanup[28392]: 6EAAF41A6: message-id=<20191212042031.6EAAF41A6@panel.msoftsys.com>
Dec 12 05:20:31 panel postfix/smtpd[26614]: disconnect from unknown[106.110.164.11]
Dec 12 05:20:31 panel postfix/qmgr[14236]: 6EAAF41A6: from=, size=955, nrcpt=1 (queue active)
Dec 12 05:20:31 panel postfix/error[25992]: 6EAAF41A6: to=, orig_to=, relay=none, delay=0.02, delays=0.01/0/0/0, dsn=5.1.1, status=bounced (User unknown in virtual alias table)
Dec 12 05:20:31 panel postfix/bounce[25993]: warning: 6EAAF41A6: undeliverable postmaster notification discarded
Dec 12 05:20:31 panel postfix/qmgr[14236]: 6EAAF41A6: removed
Dec 12 05:20:32 panel postfix/smtpd[26617]: warning: unknown[185.228.82.250]: SASL LOGIN authentication failed: authentication failure
Dec 12 05:20:32 panel postfix/smtpd[26617]: lost connection after AUTH from unknown[185.228.82.250]
Dec 12 05:20:32 panel postfix/smtpd[26617]: disconnect from unknown[185.228.82.250]
Dec 12 05:20:32 panel postfix/smtpd[26614]: connect from unknown[185.228.82.250]
Dec 12 05:20:32 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 05:20:34 panel postfix/smtpd[26614]: warning: unknown[185.228.82.250]: SASL LOGIN authentication failed: authentication failure
Dec 12 05:20:34 panel postfix/smtpd[26614]: lost connection after AUTH from unknown[185.228.82.250]
Dec 12 05:20:34 panel postfix/smtpd[26614]: disconnect from unknown[185.228.82.250]
```

At 7:48 he is able to start mailing, as per the log:

```
Dec 12 07:48:45 panel postfix/smtp[19850]: connect to gmail-smtp-in.l.google.com[2a00:1450:4013:c00::1b]:25: Network is unreachable
Dec 12 07:48:45 panel postfix/smtpd[19845]: disconnect from unknown[41.220.75.172]
Dec 12 07:48:45 panel postfix/smtpd[19767]: warning: unknown[185.228.82.250]: SASL LOGIN authentication failed: authentication failure
Dec 12 07:48:45 panel postfix/smtpd[19767]: lost connection after AUTH from unknown[185.228.82.250]
Dec 12 07:48:45 panel postfix/smtpd[19767]: disconnect from unknown[185.228.82.250]
Dec 12 07:48:46 panel postfix/smtpd[19178]: connect from unknown[185.228.82.250]
Dec 12 07:48:46 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 07:48:46 panel postfix/smtp[19850]: 46CE441A6: to=pesno.jak@gmail.com, relay=gmail-smtp-in.l.google.com[108.177.119.27]:25, delay=2, delays=0.79/0.02/0.2/0.99, dsn=2.0.0, status=sent (250 2.0.0 OK 1576133323 f4si3232074ejd.306 - gsmtp)
```

But he was able to send only 6 emails from 7:48am to 11:40am; after 11:40am he sent thousands of emails. The log of a few minutes is as under:

```
Dec 12 11:40:41 panel postfix/smtpd[25571]: connect from unknown[185.228.82.250]
Dec 12 11:40:41 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 11:40:44 panel postfix/smtpd[25571]: warning: unknown[185.228.82.250]: SASL LOGIN authentication failed: authentication failure
Dec 12 11:40:44 panel postfix/smtpd[25571]: lost connection after AUTH from unknown[185.228.82.250]
Dec 12 11:40:44 panel postfix/smtpd[25571]: disconnect from unknown[185.228.82.250]
Dec 12 11:40:44 panel postfix/smtpd[24746]: connect from unknown[185.228.82.250]
Dec 12 11:40:44 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 11:40:44 panel opendkim[1213]: 76575456C: no signing domain match for 'gmail.com'
Dec 12 11:40:44 panel opendkim[1213]: 76575456C: no signing subdomain match for 'gmail.com'
Dec 12 11:40:44 panel opendkim[1213]: 76575456C: no signature data
Dec 12 11:40:44 panel postfix/qmgr[14236]: 76575456C: from=anna.weiss@gmail.com, size=2269193, nrcpt=50 (queue active)
Dec 12 11:40:44 panel postfix/smtp[25684]: warning: no MX host for abiinternational.us has a valid address record
Dec 12 11:40:44 panel postfix/smtp[25684]: 76575456C: to=abinesh@abiinternational.us, relay=none, delay=130, delays=130/0.03/0.08/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=abiinternational-us.mail.protection.outlook.com type=AAAA: Host not found)
Dec 12 11:40:45 panel postfix/smtp[25684]: connect to aspmx.l.google.com[2a00:1450:4013:c08::1a]:25: Network is unreachable
Dec 12 11:40:45 panel postfix/smtp[25690]: connect to aspmx.l.google.com[2a00:1450:4013:c08::1a]:25: Network is unreachable
Dec 12 11:40:45 panel postfix/smtp[25704]: warning: numeric domain name in resource data of MX record for fedegan.org.com: 0.0.0.0
Dec 12 11:40:45 panel postfix/smtpd[24923]: connect from localhost[127.0.0.1]
Dec 12 11:40:45 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 11:40:45 panel postfix/smtp[25704]: warning: host 0.0.0.0[0.0.0.0]:25 greeted me with my own hostname panel.msoftsys.com
Dec 12 11:40:45 panel postfix/smtp[25704]: warning: host 0.0.0.0[0.0.0.0]:25 replied to HELO/EHLO with my own hostname panel.msoftsys.com
Dec 12 11:40:45 panel postfix/smtp[25704]: 76575456C: to=aborrero@fedegan.org.com, relay=0.0.0.0[0.0.0.0]:25, delay=130, delays=130/0.35/0.1/0, dsn=5.4.6, status=bounced (mail for fedegan.org.com loops back to myself)
Dec 12 11:40:45 panel postfix/smtpd[24923]: disconnect from localhost[127.0.0.1]
Dec 12 11:40:45 panel postfix/smtpd[25425]: disconnect from unknown[59.36.74.85]
Dec 12 11:40:45 panel postfix/smtp[25699]: 76575456C: to=abo@bva-bikemedia.de, relay=bvabikemedia-de0i.mail.protection.outlook.com[104.47.14.36]:25, delay=130, delays=130/0.27/0.28/0.12, dsn=5.4.1, status=bounced (host bvabikemedia-de0i.mail.protection.outlook.com[104.47.14.36] said: 550 5.4.1 Recipient address rejected: Access denied [VI1EUR04FT048.eop-eur04.prod.protection.outlook.com] (in reply to RCPT TO command))
Dec 12 11:40:45 panel postfix/smtp[25708]: connect to aspmx.l.google.com[2a00:1450:4013:c02::1a]:25: Network is unreachable
Dec 12 11:40:45 panel postfix/smtp[25701]: 76575456C: to=abigail.baker@data911.com, relay=aspmx.l.google.com[108.177.126.27]:25, delay=131, delays=130/0.3/0.23/0.29, dsn=5.7.0, status=bounced (host aspmx.l.google.com[108.177.126.27] said: 552-5.7.0 This message was blocked because its content presents a potential 552-5.7.0 security issue. Please visit 552-5.7.0 https://support.google.com/mail/?p=BlockedMessage to review our 552 5.7.0 message content and attachment content guidelines. cy26si3746815edb.7 - gsmtp (in reply to end of DATA command))
Dec 12 11:40:45 panel postfix/smtp[25697]: 76575456C: to=abhishek@brothersgas.ae, relay=brothersgas-ae.mail.protection.outlook.com[104.47.9.36]:25, delay=131, delays=130/0.23/0.41/0.18, dsn=5.4.1, status=bounced (host brothersgas-ae.mail.protection.outlook.com[104.47.9.36] said: 550 5.4.1 Recipient address rejected: Access denied [VE1EUR03FT019.eop-EUR03.prod.protection.outlook.com] (in reply to RCPT TO command))
Dec 12 11:40:45 panel postfix/smtp[25689]: connect to ASPMX.L.GOOGLE.COM[2a00:1450:4013:c08::1a]:25: Network is unreachable
Dec 12 11:40:45 panel postfix/smtp[25684]: 76575456C: to=abhishek.chopra@acma.in, relay=aspmx.l.google.com[108.177.126.27]:25, delay=131, delays=130/0.12/0.25/0.72, dsn=5.7.0, status=bounced (host aspmx.l.google.com[108.177.126.27] said: 552-5.7.0 This message was blocked because its content presents a potential 552-5.7.0 security issue. Please visit 552-5.7.0 https://support.google.com/mail/?p=BlockedMessage to review our 552 5.7.0 message content and attachment content guidelines. e3si3701945ejc.405 - gsmtp (in reply to end of DATA command))
Dec 12 11:40:45 panel postfix/smtp[25690]: 76575456C: to=abhishekshah@aceast.com, relay=aspmx.l.google.com[108.177.126.27]:25, delay=131, delays=130/0.12/0.33/0.72, dsn=5.7.0, status=bounced (host aspmx.l.google.com[108.177.126.27] said: 552-5.7.0 This message was blocked because its content presents a potential 552-5.7.0 security issue. Please visit 552-5.7.0 https://support.google.com/mail/?p=BlockedMessage to review our 552 5.7.0 message content and attachment content guidelines. o20si3543408ejx.211 - gsmtp (in reply to end of DATA command))
Dec 12 11:40:45 panel postfix/smtp[25715]: 76575456C: to=aboris@libero.it, relay=smtp-in.libero.it[213.209.1.129]:25, delay=131, delays=130/0.49/0.36/0.33, dsn=5.0.0, status=bounced (host smtp-in.libero.it[213.209.1.129] said: 552 Virus Found [smtp-10.iol.local; LIB_602] (in reply to end of DATA command))
Dec 12 11:40:46 panel postfix/smtp[25717]: connect to aspmx.l.google.com[2a00:1450:4013:c08::1a]:25: Network is unreachable
Dec 12 11:40:46 panel postfix/smtp[25685]: 76575456C: host kr1-aspmx1.worksmobile.com[125.209.209.251] refused to talk to me: 421 4.3.2 Your ip blocked from this server RDLrg-TKQs6vEznD71cDrw - nsmtp
Dec 12 11:40:46 panel postfix/smtp[25721]: 76575456C: to=abhishek@rawmets.net, relay=aspmx.l.google.com[108.177.126.27]:25, delay=131, delays=130/0.59/0.42/0.41, dsn=5.7.0, status=bounced (host aspmx.l.google.com[108.177.126.27] said: 552-5.7.0 This message was blocked because its content presents a potential 552-5.7.0 security issue. Please visit 552-5.7.0 https://support.google.com/mail/?p=BlockedMessage to review our 552 5.7.0 message content and attachment content guidelines. h12si3413923edn.221 - gsmtp (in reply to end of DATA command))
Dec 12 11:40:46 panel postfix/smtp[25703]: 76575456C: to=abmarine@emirates.net.ae, relay=dcmimail.emirates.net.ae[86.96.229.27]:25, delay=131, delays=130/0.33/0.76/0.36, dsn=5.0.0, status=bounced (host dcmimail.emirates.net.ae[86.96.229.27] said: 550 Invalid Recipient [609] (in reply to RCPT TO command))
Dec 12 11:40:46 panel postfix/smtp[25708]: 76575456C: to=abhishek@innovativeindia.com, relay=aspmx.l.google.com[108.177.126.27]:25, delay=131, delays=130/0.41/0.46/0.6, dsn=5.7.0, status=bounced (host aspmx.l.google.com[108.177.126.27] said: 552-5.7.0 This message was blocked because its content presents a potential 552-5.7.0 security issue. Please visit 552-5.7.0 https://support.google.com/mail/?p=BlockedMessage to review our 552 5.7.0 message content and attachment content guidelines. d3si3549235eds.75 - gsmtp (in reply to end of DATA command))
Dec 12 11:40:46 panel postfix/smtp[25689]: 76575456C: to=abhishek@abslogistics.in, relay=ASPMX.L.GOOGLE.COM[108.177.126.27]:25, delay=131, delays=130/0.1/0.88/0.51, dsn=5.7.0, status=bounced (host ASPMX.L.GOOGLE.COM[108.177.126.27] said: 552-5.7.0 This message was blocked because its content presents a potential 552-5.7.0 security issue. Please visit 552-5.7.0 https://support.google.com/mail/?p=BlockedMessage to review our 552 5.7.0 message content and attachment content guidelines. c14si3924816eds.9 - gsmtp (in reply to end of DATA command))
Dec 12 11:40:46 panel postfix/smtp[25703]: 76575456C: to=abmcdxb@emirates.net.ae, relay=dcmimail.emirates.net.ae[86.96.229.27]:25, delay=131, delays=130/0.33/0.76/0.48, dsn=5.0.0, status=bounced (host dcmimail.emirates.net.ae[86.96.229.27] said: 550 Invalid Recipient [609] (in reply to RCPT TO command))
Dec 12 11:40:46 panel postfix/smtp[25703]: 76575456C: to=abmotor@emirates.net.ae, relay=dcmimail.emirates.net.ae[86.96.229.27]:25, delay=132, delays=130/0.33/0.76/0.61, dsn=5.0.0, status=bounced (host dcmimail.emirates.net.ae[86.96.229.27] said: 550 Invalid Recipient [609] (in reply to RCPT TO command))
Dec 12 11:40:46 panel postfix/smtp[25717]: 76575456C: to=abhishek@panglobaltrading.com, relay=aspmx.l.google.com[108.177.126.27]:25, delay=132, delays=130/0.52/0.79/0.39, dsn=5.7.0, status=bounced (host aspmx.l.google.com[108.177.126.27] said: 552-5.7.0 This message was blocked because its content presents a potential 552-5.7.0 security issue. Please visit 552-5.7.0 https://support.google.com/mail/?p=BlockedMessage to review our 552 5.7.0 message content and attachment content guidelines. c10si3775473edv.360 - gsmtp (in reply to end of DATA command))
```
Dec 12 11:40:46 panel postfix/smtp[25694]: 76575456C: to=abid@beckonpk.com, relay=beckonpk.com[72.18.132.34]:25, delay=132, delays=130/0.18/1.6/0.22, dsn=5.0.0, status=bounced (host beckonpk.com[72.18.132.34] said: 550-“JunkMail rejected - panel.msoftsys.com [91.228.52.135]:60090 is in an RBL: 550 http://www.barracudanetworks.com/reputation/?pr=1&ip=91.228.52.135” (in reply to RCPT TO command))
Dec 12 11:40:46 panel postfix/smtp[25718]: 76575456C: host mx1.emailsrvr.com[184.106.54.1] said: 451 4.7.1 Received too many messages from a new or untrusted IP: 91.228.52.135 (Z27/32D0F70) (G28) (in reply to RCPT TO command)
Dec 12 11:40:46 panel postfix/smtp[25718]: 76575456C: lost connection with mx1.emailsrvr.com[184.106.54.1] while sending DATA command
Dec 12 11:40:46 panel postfix/smtp[25685]: 76575456C: to=ablue@ablue.kr, relay=kr1-aspmx2.worksmobile.com[125.209.209.251]:25, delay=132, delays=130/0.04/2.1/0, dsn=4.3.2, status=deferred (host kr1-aspmx2.worksmobile.com[125.209.209.251] refused to talk to me: 421 4.3.2 Your ip blocked from this server WNFe3TrsQ2i9oV0V1qETfg - nsmtp)
Dec 12 11:40:47 panel postfix/smtpd[24746]: warning: unknown[185.228.82.250]: SASL LOGIN authentication failed: authentication failure
Dec 12 11:40:47 panel postfix/smtpd[24746]: lost connection after AUTH from unknown[185.228.82.250]
Dec 12 11:40:47 panel postfix/smtpd[24746]: disconnect from unknown[185.228.82.250]
Dec 12 11:40:47 panel postfix/smtpd[24936]: connect from unknown[185.228.82.250]
Dec 12 11:40:47 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 11:40:47 panel postfix/smtp[25698]: 76575456C: to=abid@brunet.bn, relay=smtp.brunet.bn[61.6.254.106]:25, delay=133, delays=130/0.25/2.6/0.22, dsn=5.1.1, status=bounced (host smtp.brunet.bn[61.6.254.106] said: 550 5.1.1 abid@brunet.bn… User unknown (in reply to RCPT TO command))
Dec 12 11:40:48 panel postfix/smtp[25718]: 76575456C: to=abid@proline.com.pk, relay=mx2.emailsrvr.com[146.20.161.2]:25, delay=133, delays=130/0.54/2.5/0.17, dsn=4.7.1, status=deferred (host mx2.emailsrvr.com[146.20.161.2] said: 451 4.7.1 Received too many messages from a new or untrusted IP: 91.228.52.135 (Z27/32D0F70) (G28) (in reply to RCPT TO command))
Dec 12 11:40:48 panel postfix/smtp[25696]: 76575456C: host mx.zoho.com[136.143.190.121] said: 451 4.7.1 Greylisted, try again after some time (in reply to RCPT TO command)
Dec 12 11:40:48 panel postfix/smtp[25703]: 76575456C: to=abintrs@emirates.net.ae, relay=dcmimail.emirates.net.ae[86.96.229.27]:25, delay=133, delays=130/0.33/0.76/2.5, dsn=2.0.0, status=sent (250 cygh2100W2v1oUB01ygi9g mail accepted for delivery)
Dec 12 11:40:48 panel postfix/smtpd[24936]: warning: unknown[185.228.82.250]: SASL LOGIN authentication failed: authentication failure
Dec 12 11:40:48 panel postfix/smtpd[24936]: lost connection after AUTH from unknown[185.228.82.250]
Dec 12 11:40:48 panel postfix/smtpd[24936]: disconnect from unknown[185.228.82.250]
Dec 12 11:40:48 panel postfix/smtpd[24923]: connect from unknown[185.228.82.250]
Dec 12 11:40:48 panel milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Dec 12 11:40:48 panel postfix/smtp[25692]: 76575456C: to=abid.hussain@alkachemicals.com, relay=mx10.mailspamprotection.com[184.154.177.50]:25, delay=134, delays=130/0.15/1.6/2.1, dsn=2.0.0, status=sent (250 OK id=1ifLtj-00018e-8X)
Dec 12 11:40:48 panel postfix/smtp[25719]: 76575456C: host mx2.uc.cl[146.155.1.44] refused to talk to me: 554 mx2.uc.cl

There are tons of SASL login failures, which is better than successes. Do you not have something like IPTables and Fail2ban in place to block repeated failed attempts?

I would suggest you make the changes I suggested earlier and also include the following line

relayhost =

It’s blank. Then reload Postfix.

Probably more or as importantly - sort out Iptables & fail2ban!

At the risk of upsetting you or anyone else - what on earth are you doing setting up DKIM & Milter when it appears (and I apologise if I am wrong) that you can’t (currently) get a basic VPS running securely?

My advice (and free advice usually is ignored as no one pays for it) is to do things the following way (or something similar)

  1. Spin up a VPS
  2. restrict root access
  3. enable SSH access
  4. lock the shit out of it - so nothing can break in (easily). That means iptables (or similar) and fail2ban.
  5. Install Virtualmin & open the necessary ports using IPTables like 80, 443 & your admin port.
  6. Create a Virtual server (with only HTTP & SSL - no mail). Create a test page and verify things work (including PHP).
  7. Then enable mail. Open ports for SMTP & POP.
  8. Put the fail2ban jails in place for Postfix & test they work along with fail2ban blocking the IP.
  9. Then whitelist your own home IP (assuming it’s static).
  10. Ensure the server is working and secure - monitor your logs.

Then add things like milter, spam filters or DKIM or whatever you fancy.

Apologies - but you need to learn stuff, you can’t just do a Windows style, Next, Next & Finish & hope for the best.

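As an added example (not from the thread or from Virtualmin), here is a small Python triage script run over constructed log lines in the same shape as the mail log posted above: it counts SASL login failures per client IP (the signal a fail2ban postfix-sasl jail bans on, step 8), flags a single queue id fanning out to many recipients, and counts remote MX replies that mention RBL listing or content blocks. All IPs, addresses and the thresholds are constructed or assumed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (illustrative IPs/addresses, queue id reused from the thread)
SAMPLE_LOG = """\
Dec 12 11:40:45 panel postfix/smtp[25690]: 76575456C: to=<a@example.com>, relay=mx.example.com[192.0.2.10]:25, dsn=5.7.0, status=bounced (host mx.example.com said: 552-5.7.0 This message was blocked because its content presents a potential security issue)
Dec 12 11:40:46 panel postfix/smtp[25694]: 76575456C: to=<b@example.net>, relay=example.net[192.0.2.11]:25, dsn=5.0.0, status=bounced (host example.net said: 550 JunkMail rejected - sender is in an RBL)
Dec 12 11:40:46 panel postfix/smtp[25703]: 76575456C: to=<c@example.org>, relay=mx.example.org[192.0.2.12]:25, dsn=2.0.0, status=sent (250 accepted)
Dec 12 11:40:47 panel postfix/smtpd[24746]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Dec 12 11:40:48 panel postfix/smtpd[24936]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Dec 12 11:40:49 panel postfix/smtpd[24923]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Dec 12 11:40:50 panel postfix/smtpd[24950]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
"""

SASL_FAIL = re.compile(r"smtpd\[\d+\]: warning: \S+?\[([\d.]+)\]: SASL \w+ authentication failed")
# to=<addr> in real logs; the thread's copy lost the angle brackets, so both are accepted
DELIVERY = re.compile(r"postfix/smtp\[\d+\]: ([0-9A-F]+): to=<?([^>,\s]+)>?,.*status=(\w+)")
# Remote-MX reply fragments that say our server is already treated as a spam source
REPUTATION_HINTS = ("RBL", "untrusted IP", "blocked because its content", "Virus Found")

def sasl_failures_by_ip(log_text):
    """Failed SASL logins per client IP (what a fail2ban postfix-sasl jail keys on)."""
    return Counter(m.group(1) for m in SASL_FAIL.finditer(log_text))

def queue_fanout(log_text):
    """Per queue id: (sorted distinct recipients, {status: count})."""
    rcpts, statuses = defaultdict(set), defaultdict(Counter)
    for line in log_text.splitlines():
        m = DELIVERY.search(line)
        if m:
            qid, rcpt, status = m.groups()
            rcpts[qid].add(rcpt)
            statuses[qid][status] += 1
    return {q: (sorted(rcpts[q]), dict(statuses[q])) for q in rcpts}

def reputation_hits(log_text):
    """Lines where the receiving MX reported an RBL listing, content block or rate limit."""
    return [l for l in log_text.splitlines() if any(h in l for h in REPUTATION_HINTS)]

def triage(log_text, max_failures=3, max_recipients=2):
    """Assumed thresholds: ban an IP at max_failures SASL failures; flag a queue id
    delivered to more than max_recipients distinct addresses."""
    ban = sorted(ip for ip, n in sasl_failures_by_ip(log_text).items() if n >= max_failures)
    fanout = {q: len(r) for q, (r, _) in queue_fanout(log_text).items() if len(r) > max_recipients}
    return {"ban": ban, "fanout": fanout, "reputation": len(reputation_hits(log_text))}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On a live box the same checks run against /var/log/maillog (or mail.log); a non-empty "fanout" entry from a freshly accepted message is the point at which to stop Postfix and look at who authenticated.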

@Dibs, I already have ConfigServer Firewall, fail2ban and Comodo WAF installed as well, but have not installed SSL on the panel address. One thing you can see, looking in depth, is that each try comes from a new IP.

What changes recommended regarding relayhost =

I’m not familiar with either but a quick Google suggests that Configserver firewall & Comodo WAF appear to do the same or similar things.

Why?

@Dibs, everything is working now. I have found the solution without a new installation; now my server is sending and receiving emails, but the next step is to further secure Postfix, install SSL on the panel URL and also secure Apache. How can I send logs to my email on a daily basis?

What was your solution?

@faisalmnr bash script… easy peasy… you can even use emails outside of your server for sending them out… like from some@gmail.com to some-other@email-or-gmail.com

Hi @Dibs,
Firstly Happy & Blessed New Year.

I have removed this line from the main.cf “smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated reject_invalid_helo_hostname reject_non_fqdn_help_hostname reject_unknown_helo_hostname” and compared the main.cf file with my other Webmin server and then ran “re-check configuration” in Virtualmin -> System Settings.

Hi Faisalmnr

You appeared to be missing "permit" on the end of that line. By all means put the line back like

smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname permit

And see how it goes for you.