Mysterious SPAM

Hello,

Maybe it's only a mystery to me, but I can't figure out how this bastard managed to send mail.
At 1 a.m. Postfix still turns it away, but by 6 it's happily pouring out spam :(.
This afternoon I also saw it pretending to be smtp.customerdomain.hu and mail.customerdomain.hu.
I absolutely don't understand this, since when queried my DNS servers return the correct IP.
I haven't changed anything in the config, it's not an open relay, and it has (hopefully) every goodie that can exist in the postfix, dovecot, amavis triangle.
For now I've banned it by IP, but until I know what the problem was I'm not at ease.
If anyone has an idea, I'd gladly take it!
Thanks!


Nov 13 01:54:57 myhost postfix/smtpd[22307]: connect from rdns-09.meudns06.biz[198.20.69.2]
Nov 13 01:54:57 myhost postfix/smtpd[22487]: connect from rdns-09.meudns06.biz[198.20.69.2]
Nov 13 01:54:57 myhost postfix/smtpd[22490]: connect from rdns-09.meudns06.biz[198.20.69.2]
Nov 13 01:54:57 myhost postfix/smtpd[22491]: connect from rdns-09.meudns06.biz[198.20.69.2]
Nov 13 01:54:57 myhost postfix/smtpd[22488]: connect from rdns-09.meudns06.biz[198.20.69.2]
Nov 13 01:54:57 myhost postfix/smtpd[22489]: connect from rdns-09.meudns06.biz[198.20.69.2]
Nov 13 01:54:57 myhost postfix/smtpd[22492]: connect from unknown[190.237.40.53]
Nov 13 01:54:57 myhost postfix/smtpd[22492]: NOQUEUE: reject: CONNECT from unknown[190.237.40.53]: 554 5.7.1 : Client host rejected: Access denied; proto=SMTP
Nov 13 01:54:57 myhost postfix/smtpd[22492]: lost connection after CONNECT from unknown[190.237.40.53]
Nov 13 01:54:57 myhost postfix/smtpd[22492]: disconnect from unknown[190.237.40.53]
Nov 13 01:54:58 myhost postfix/smtpd[22307]: NOQUEUE: reject: RCPT from rdns-09.meudns06.biz[198.20.69.2]: 554 5.7.1 Service unavailable; Client host [198.20.69.2] blocked using sbl-xbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=
Nov 13 01:54:58 myhost postfix/smtpd[22489]: NOQUEUE: reject: RCPT from rdns-09.meudns06.biz[198.20.69.2]: 554 5.7.1 Service unavailable; Client host [198.20.69.2] blocked using sbl-xbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=
Nov 13 01:54:58 myhost postfix/smtpd[22488]: NOQUEUE: reject: RCPT from rdns-09.meudns06.biz[198.20.69.2]: 554 5.7.1 Service unavailable; Client host [198.20.69.2] blocked using sbl-xbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=
Nov 13 01:54:58 myhost postfix/smtpd[22490]: NOQUEUE: reject: RCPT from rdns-09.meudns06.biz[198.20.69.2]: 554 5.7.1 Service unavailable; Client host [198.20.69.2] blocked using sbl-xbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=
Nov 13 01:54:58 myhost postfix/smtpd[22491]: NOQUEUE: reject: RCPT from rdns-09.meudns06.biz[198.20.69.2]: 554 5.7.1 Service unavailable; Client host [198.20.69.2] blocked using sbl-xbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=
Nov 13 01:54:58 myhost postfix/smtpd[22487]: NOQUEUE: reject: RCPT from rdns-09.meudns06.biz[198.20.69.2]: 554 5.7.1 Service unavailable; Client host [198.20.69.2] blocked using sbl-xbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=
Nov 13 01:54:58 myhost postfix/smtpd[22489]: disconnect from rdns-09.meudns06.biz[198.20.69.2]
Nov 13 01:54:58 myhost postfix/smtpd[22307]: disconnect from rdns-09.meudns06.biz[198.20.69.2]
Nov 13 01:54:58 myhost postfix/smtpd[22488]: disconnect from rdns-09.meudns06.biz[198.20.69.2]
Nov 13 01:54:58 myhost postfix/smtpd[22491]: disconnect from rdns-09.meudns06.biz[198.20.69.2]
Nov 13 01:54:58 myhost postfix/smtpd[22490]: disconnect from rdns-09.meudns06.biz[198.20.69.2]
Nov 13 01:54:58 myhost postfix/smtpd[22487]: disconnect from rdns-09.meudns06.biz[198.20.69.2]

Nov 13 06:08:22 myhost postfix/smtpd[23056]: connect from rdns-09.meudns06.biz[198.20.69.2]
Nov 13 06:08:22 myhost postfix/smtpd[23653]: connect from rdns-09.meudns06.biz[198.20.69.2]
Nov 13 06:08:22 myhost postfix/smtpd[23652]: connect from rdns-09.meudns06.biz[198.20.69.2]
Nov 13 06:08:22 myhost postfix/smtpd[23650]: connect from rdns-09.meudns06.biz[198.20.69.2]
Nov 13 06:08:22 myhost postfix/smtpd[23654]: connect from rdns-09.meudns06.biz[198.20.69.2]
Nov 13 06:08:22 myhost postfix/smtpd[23651]: connect from rdns-09.meudns06.biz[198.20.69.2]
Nov 13 06:08:23 myhost postfix/smtpd[23056]: 284E3BF84: client=rdns-09.meudns06.biz[198.20.69.2]
Nov 13 06:08:23 myhost postfix/smtpd[23654]: 2D271BF90: client=rdns-09.meudns06.biz[198.20.69.2]
Nov 13 06:08:23 myhost postfix/smtpd[23653]: 315FFBF91: client=rdns-09.meudns06.biz[198.20.69.2]
Nov 13 06:08:23 myhost postfix/smtpd[23650]: 36652BF92: client=rdns-09.meudns06.biz[198.20.69.2]
Nov 13 06:08:23 myhost postfix/smtpd[23651]: 3A8BBBF93: client=rdns-09.meudns06.biz[198.20.69.2]
Nov 13 06:08:23 myhost postfix/cleanup[23507]: 284E3BF84: message-id=<20141113050823.284E3BF84@myhost.mydomain.hu>
Nov 13 06:08:23 myhost postfix/cleanup[23655]: 2D271BF90: message-id=<20141113050823.2D271BF90@myhost.mydomain.hu>
Nov 13 06:08:23 myhost postfix/cleanup[23656]: 315FFBF91: message-id=<20141113050823.315FFBF91@myhost.mydomain.hu>
Nov 13 06:08:23 myhost postfix/qmgr[25082]: 315FFBF91: from=, size=1089, nrcpt=1 (queue active)
Nov 13 06:08:23 myhost postfix/qmgr[25082]: 2D271BF90: from=<9gfhaqi@customerdomain.hu>, size=1090, nrcpt=1 (queue active)
Nov 13 06:08:23 myhost postfix/qmgr[25082]: 284E3BF84: from=, size=1090, nrcpt=1 (queue active)
Nov 13 06:08:24 myhost postfix/cleanup[23657]: 36652BF92: message-id=<20141113050823.36652BF92@myhost.mydomain.hu>
Nov 13 06:08:24 myhost postfix/cleanup[23658]: 3A8BBBF93: message-id=<20141113050823.3A8BBBF93@myhost.mydomain.hu>
Nov 13 06:08:24 myhost postfix/qmgr[25082]: 3A8BBBF93: from=, size=1088, nrcpt=1 (queue active)
Nov 13 06:08:24 myhost postfix/qmgr[25082]: 36652BF92: from=, size=1089, nrcpt=1 (queue active)
Nov 13 06:08:28 myhost postfix/smtpd[23663]: connect from localhost.localdomain[127.0.0.1]
Nov 13 06:08:28 myhost postfix/smtpd[23663]: 34E1CBF95: client=localhost.localdomain[127.0.0.1]
Nov 13 06:08:28 myhost postfix/cleanup[23507]: 34E1CBF95: message-id=<20141113050823.315FFBF91@myhost.mydomain.hu>
Nov 13 06:08:28 myhost postfix/smtpd[23663]: disconnect from localhost.localdomain[127.0.0.1]
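Added example, not the poster's code: a small Python scanner for Postfix smtpd log lines of the shape shown above. It flags client IPs that were rejected at one point and later had a message accepted into the queue (a queue ID assigned with client=), and bursts of parallel connections from one IP within the same log second. The log text inside it is a constructed sample modelled on the excerpt; the hostnames, IPs and queue IDs are taken from it, everything else (the regexes, thresholds and function names) is this example's own.

```python
"""Scan Postfix smtpd log lines for two things worth a second look:
clients that were rejected earlier and later got a queue ID (a message was
accepted), and bursts of parallel connections from one IP in the same second."""
import re
from collections import defaultdict

# Constructed sample modelled on the post's excerpt (not the original log file).
SAMPLE_LOG = """\
Nov 13 01:54:57 myhost postfix/smtpd[22307]: connect from rdns-09.meudns06.biz[198.20.69.2]
Nov 13 01:54:57 myhost postfix/smtpd[22492]: connect from unknown[190.237.40.53]
Nov 13 01:54:57 myhost postfix/smtpd[22492]: NOQUEUE: reject: CONNECT from unknown[190.237.40.53]: 554 5.7.1 : Client host rejected: Access denied; proto=SMTP
Nov 13 01:54:58 myhost postfix/smtpd[22307]: NOQUEUE: reject: RCPT from rdns-09.meudns06.biz[198.20.69.2]: 554 5.7.1 Service unavailable; Client host [198.20.69.2] blocked using sbl-xbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=
Nov 13 01:54:58 myhost postfix/smtpd[22307]: disconnect from rdns-09.meudns06.biz[198.20.69.2]
Nov 13 06:08:22 myhost postfix/smtpd[23056]: connect from rdns-09.meudns06.biz[198.20.69.2]
Nov 13 06:08:22 myhost postfix/smtpd[23653]: connect from rdns-09.meudns06.biz[198.20.69.2]
Nov 13 06:08:22 myhost postfix/smtpd[23652]: connect from rdns-09.meudns06.biz[198.20.69.2]
Nov 13 06:08:23 myhost postfix/smtpd[23056]: 284E3BF84: client=rdns-09.meudns06.biz[198.20.69.2]
Nov 13 06:08:23 myhost postfix/smtpd[23653]: 315FFBF91: client=rdns-09.meudns06.biz[198.20.69.2]
Nov 13 06:08:23 myhost postfix/qmgr[25082]: 315FFBF91: from=<9gfhaqi@customerdomain.hu>, size=1089, nrcpt=1 (queue active)
Nov 13 06:08:28 myhost postfix/smtpd[23663]: 34E1CBF95: client=localhost.localdomain[127.0.0.1]
"""

# Only smtpd lines carry the client decision; cleanup/qmgr lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: (?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"^connect from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]$")
REJECT_RE = re.compile(
    r"^NOQUEUE: reject: \w+ from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: (?P<reason>.*)$"
)
# A queue ID followed by client= means the message was taken into the queue.
ACCEPT_RE = re.compile(r"^(?P<qid>[0-9A-F]+): client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]$")


def parse_events(text):
    """Yield (timestamp, kind, ip, host, detail) for reject and accept lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        r = REJECT_RE.match(msg)
        if r:
            yield m.group("ts"), "reject", r.group("ip"), r.group("host"), r.group("reason")
            continue
        a = ACCEPT_RE.match(msg)
        if a:
            yield m.group("ts"), "accept", a.group("ip"), a.group("host"), a.group("qid")


def find_rejected_then_accepted(text):
    """Map IP -> {"rejects": [(ts, reason)], "accepted_qids": [(ts, qid)]} for
    clients that were rejected at least once and had a message accepted later."""
    history = defaultdict(lambda: {"rejects": [], "accepted_qids": []})
    for ts, kind, ip, _host, detail in parse_events(text):
        rec = history[ip]
        if kind == "reject":
            rec["rejects"].append((ts, detail))
        elif rec["rejects"]:  # accept that follows an earlier reject from this IP
            rec["accepted_qids"].append((ts, detail))
    return {ip: rec for ip, rec in history.items() if rec["accepted_qids"]}


def find_connection_bursts(text, threshold=5):
    """Return sorted [(timestamp, ip, count)] where one IP opened at least
    `threshold` connections within the same log second."""
    counts = defaultdict(int)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        c = CONNECT_RE.match(m.group("msg"))
        if c:
            counts[(m.group("ts"), c.group("ip"))] += 1
    return sorted((ts, ip, n) for (ts, ip), n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ip, rec in find_rejected_then_accepted(SAMPLE_LOG).items():
        qids = [q for _, q in rec["accepted_qids"]]
        print(f"{ip}: rejected {len(rec['rejects'])} time(s), later accepted {qids}")
    for ts, ip, n in find_connection_bursts(SAMPLE_LOG, threshold=3):
        print(f"{ts} {ip}: {n} parallel connections")
```

Run against a real mail.log the first function answers exactly the question in the post (which client got through after being turned away, and which queue IDs to look at), while the burst list is a cheap trigger for rate limiting or a fail2ban-style ban.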

Comments

Thanks for the replies. There's just one thing I don't get. How the hell could it send mail through me without authentication (they weren't backscatter messages)?
This is what my main.cf looks like. Would you take a look? Thanks!

--------


transport_maps = hash:/etc/postfix/transport
sender_based_routing = yes
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/ssl/private/myhost.mydomain.hu.nopass
smtpd_tls_cert_file = /etc/ssl/certs/myhost.mydomain.hu.crt
smtpd_tls_CAfile = /etc/postfix/ssl/CA.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_delay_reject = no
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
delay_warning_time = 4h
myhostname = myhost.mydomain.hu
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost,
                mx.mydomain.hu

mynetworks = 127.0.0.0/8, x.x.x.116,  x.x.x.114
mailbox_command = procmail -a "$EXTENSION"
recipient_delimiter = +
smtp_data_done_timeout = 1200s
smtp_data_init_timeout = 120s
smtp_data_xfer_timeout = 1200s
inet_interfaces = all
smtpd_sender_restrictions = permit_mynetworks,
                            permit_sasl_authenticated,
                            check_helo_access hash:/etc/postfix/helo_access,
                            reject_unknown_sender_domain,
                            reject_non_fqdn_sender,
                            reject_unauth_pipelining,
                            reject_unknown_client

smtpd_recipient_restrictions = permit_mynetworks,
                               permit_sasl_authenticated,
                               check_helo_access hash:/etc/postfix/helo_access,
                               reject_rbl_client sbl-xbl.spamhaus.org,                   
                               reject_unauth_destination,
                               reject_unknown_recipient_domain,
                               reject_unauth_pipelining

header_checks=pcre:/etc/postfix/regexp.header-checks
body_checks = pcre:/etc/postfix/body_checks
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
                          permit_sasl_authenticated,
                          check_helo_access hash:/etc/postfix/helo_access
smtpd_client_restrictions = permit_mynetworks,
                            permit_sasl_authenticated,
                            check_client_access pcre:/etc/postfix/sender.regexp,
                            check_client_access hash:/etc/postfix/client_checks,
                            reject_unknown_sender_domain
strict_rfc821_envelopes = no
parent_domain_matches_subdomains=
mailbox_size_limit = 0
message_size_limit = 30240000
content_filter=smtp-amavis:[127.0.0.1]:10024
alias_maps = hash:/etc/aliases, hash:/usr/share/dtc/etc/postfix_aliases
relay_domains = /usr/share/dtc/etc/postfix_relay_domains
relay_recipient_maps = hash:/usr/share/dtc/etc/postfix_relay_recipients
virtual_uid_maps = hash:/usr/share/dtc/etc/postfix_virtual_uid_mapping
virtual_mailbox_domains = hash:/usr/share/dtc/etc/postfix_virtual_mailbox_domains
virtual_mailbox_base = /
virtual_mailbox_maps = hash:/usr/share/dtc/etc/postfix_vmailbox,ldap:localrecipients, ldap:ldapgroups
virtual_minimum_uid = 100
virtual_uid_maps = static:65534
virtual_gid_maps = static:65534
virtual_alias_maps = hash:/usr/share/dtc/etc/postfix_virtual
local_recipient_maps =

localrecipients_server_host = localhost
localrecipients_version = 3
localrecipients_search_base = ou=Users,dc=office,dc=mydomain,dc=hu
localrecipients_server_port =389
localrecipients_query_filter = (&(mail=%s)(objectclass=mailUser))
localrecipients_result_attribute = mail
localrecipients_bind = no


ldapgroups_server_host = localhost
ldapgroups_server_port = 389
ldapgroups_version = 3
ldapgroups_search_base = ou=Groups,dc=office,dc=mydomain,dc=hu
ldapgroups_bind = no
ldapgroups_timeout = 30
ldapgroups_query_filter = (&(mail=%s)(objectclass=mailGroup))
ldapgroups_result_attribute = mail

recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
virtual_transport = maildrop
maildrop_destination_recipient_limit = 1

It's been a while since I did Postfix, but couldn't it be that a reject line is missing from the end of each restrictions line? It's another question that in theory unauth destination should catch it, but I don't know its exact behaviour.

Or option B: this isn't by any chance a Postfix in front of an Exchange? Because in that case the mail contacts created on the Exchange will also have an smtp: property, and in that case it's conceivable that it relays towards certain domains.

I had this too... I fired up fail2ban, haven't had it since :)

Got it. I punched a hole in the shield. I found a line like this in sender.regexp:

/\.hu/ OK

So if the sender pretends to be a .hu sender and otherwise meets the remaining conditions, it accepts the mail.
:((((.
Thanks everyone!
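Added example, not the poster's file: a Python evaluator and linter for a Postfix pcre: access map, using the semantics regexp and pcre tables have (rules tried top to bottom, first match wins, and a pattern matches anywhere inside the lookup key unless it is anchored). SAMPLE_MAP is a constructed three-line map built around the /\.hu/ OK rule found above; the partner and spammer hostnames in it are made up, and FIXED_MAP is the same map with the rule anchored. Only the i, m, s and x flags are honoured; other pcre_table flags are ignored.

```python
"""Evaluate and lint a Postfix pcre: access map (see access(5), pcre_table(5)).
Regexp/pcre tables are searched top to bottom, first match wins, and a pattern
matches anywhere in the lookup key unless it is anchored with ^ and/or $."""
import re

# Constructed sample map built around the line found in sender.regexp; the
# partner/spammer hostnames are made up for this example.
SAMPLE_MAP = r"""
# trusted relay with broken reverse DNS: anchored, matches one exact hostname
/^mx1\.partner\.example$/    OK
# the line that opened the hole: unanchored, fires on ".hu" anywhere in the key
/\.hu/                       OK
/^spammer\.example$/         REJECT
"""

# Same intent, anchored so that only keys ENDING in .hu match.
FIXED_MAP = r"""
/^mx1\.partner\.example$/    OK
/\.hu$/                      OK
/^spammer\.example$/         REJECT
"""

RULE_RE = re.compile(
    r"^(?P<neg>!?)/(?P<pat>(?:\\.|[^/\\])*)/(?P<flags>[A-Za-z]*)\s+(?P<result>\S+)$"
)
FLAG_BITS = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL, "x": re.VERBOSE}


def parse_pcre_map(text):
    """Parse '/pattern/flags result' lines; blank lines and # comments are skipped.
    Postfix pcre tables are case-insensitive by default and each flag letter
    toggles its option; flags other than i, m, s, x are ignored here."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a /pattern/ result rule: {raw!r}")
        on = {"i"}
        for f in m.group("flags"):
            if f in FLAG_BITS:
                on ^= {f}
        bits = 0
        for f in on:
            bits |= FLAG_BITS[f]
        rules.append({
            "lineno": lineno,
            "pattern": m.group("pat"),
            "negate": bool(m.group("neg")),
            "regex": re.compile(m.group("pat"), bits),
            "result": m.group("result"),
        })
    return rules


def lookup(rules, key):
    """Return the result of the first matching rule, or None if nothing matches
    (Postfix then goes on to the next lookup key or the next restriction)."""
    for r in rules:
        if (r["regex"].search(key) is not None) != r["negate"]:
            return r["result"]
    return None


def lint_permit_rules(rules):
    """Report OK/permit rules anchored at neither end: such a rule matches a
    substring and permits far more than the literal text suggests."""
    return [
        (r["lineno"], r["pattern"], r["result"])
        for r in rules
        if not r["negate"]
        and r["result"].upper() in ("OK", "PERMIT")
        and not (r["pattern"].startswith("^") or r["pattern"].endswith("$"))
    ]


if __name__ == "__main__":
    keys = ["mail.customer.hu", "mail.hunter.example", "evil.hu.example.biz",
            "rdns-09.meudns06.biz", "spammer.example"]
    for name, text in (("as found", SAMPLE_MAP), ("anchored", FIXED_MAP)):
        rules = parse_pcre_map(text)
        print(f"== {name}")
        for k in keys:
            print(f"  {k:24} -> {lookup(rules, k)}")
        for lineno, pat, res in lint_permit_rules(rules):
            print(f"  WARNING line {lineno}: unanchored permissive rule /{pat}/ {res}")
```

The unanchored rule returns OK for mail.hunter.example and evil.hu.example.biz as well as for a genuine .hu hostname, because \.hu only requires the three characters ".hu" somewhere in the key. Anchoring narrows the match; whether any client should be permitted by hostname at all is a separate decision, since the lookup keys check_client_access tries are the client's reverse DNS name and its IP address, not anything the sender claims in the envelope.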

smtpd_client_restrictions = permit_mynetworks,
permit_sasl_authenticated,
check_client_access pcre:/etc/postfix/sender.regexp,

So the clients listed here can send mail without a word? Doesn't OK mean more than just not rejecting, i.e. badly configured machines can also connect to you? I'd note that if that's the goal, SMTP auth should come before it, and then anything with SMTP auth, however clumsily it's set up, can send.
Coming back to it, after the client there are quite a few more rules, e.g. sender checking... why didn't that catch it, so that it isn't a quasi open relay?

permit_sasl_authenticated must catch it in any case.
And I tested for open relay, it isn't one.
In check_client_access pcre:/etc/postfix/sender.regexp the machines listed are the ones I put on a block list or that are trusted but have, for example, a bad reverse DNS setup, though they meet every other condition.