
Thread: How to set up Postfix security against external spammers?

  1. #1

    I noticed that thousands of spam messages were sent out from my zimbra server to my relay host (ISP) since yesterday. The messages were received by postfix as connected from 127.0.0.1 localhost.localdomain. However, I confirmed that they come from outside: once I disable port 25 forwarding on my router, there are no more spam messages sending out from the zimbra server. The spamming resumes once I re-enable the port 25 forwarding. Is it possible that some spammers masquerade their IP as 127.0.0.1 to get connected to my zimbra server? How to solve this problem? I have tried various configurations for postfix including rejecting unlisted sender, unlisted recipient, unauthorised sender etc., without success. Any suggestions?

  2. #2

    I'm in the same situation. You can check all my posts trying to solve this situation by tweaking, adding commands, installing MailScanner, etc., and no luck.

    But it is curious: if I close port 25 on my FW, Zimbra stops sending any mail! From my users and spammers and everything...

  3. #3

    Sounds like you have a compromised account. What I do in this circumstance is the following:
    grep "sasl_username=" /var/log/mail.log|more
    If you run that on your server, it will search that log file (/var/log/mail.log) for each instance when a user authenticated. If you see a bunch of repeating logins, that's most likely it. Usually you'll see dozens of lines over a short period of time and that'll be it.
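
    As an added example (not code from the post), here is the post's grep turned into a small Python script that groups the sasl_username= entries by account and client address and flags an account that authenticates in a burst, which is the pattern the post says to look for. The log lines are constructed for the example in Postfix's smtpd log format; the path /var/log/mail.log is the one the post names, and the burst thresholds are arbitrary assumptions you would tune for your own volume.

```python
"""Added example (not from the post): group Postfix SASL logins by account and
client address and flag accounts that authenticate in bursts.

The post's one-liner, grep "sasl_username=" /var/log/mail.log, lists every
authenticated session; this script does the counting the post does by eye.
"""
import re
import sys
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/mail.log lines in Postfix smtpd format
# (not real traffic; the addresses are documentation ranges).
SAMPLE_LOG = """\
Jun 20 03:01:02 mail postfix/smtpd[1201]: 4F1A2B: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.com
Jun 20 03:01:09 mail postfix/smtpd[1202]: 4F1A2C: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.com
Jun 20 03:01:31 mail postfix/smtpd[1203]: 4F1A2D: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.com
Jun 20 03:02:04 mail postfix/smtpd[1204]: 4F1A2E: client=unknown[203.0.113.44], sasl_method=LOGIN, sasl_username=bob@example.com
Jun 20 03:02:40 mail postfix/smtpd[1205]: 4F1A2F: client=unknown[203.0.113.44], sasl_method=LOGIN, sasl_username=bob@example.com
Jun 20 03:03:15 mail postfix/smtpd[1206]: 4F1A30: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.com
Jun 20 03:03:58 mail postfix/smtpd[1207]: 4F1A31: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.com
Jun 20 09:15:44 mail postfix/smtpd[1340]: 4F1B00: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Jun 20 17:40:02 mail postfix/smtpd[1502]: 4F1C77: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Jun 20 17:40:05 mail postfix/smtpd[1503]: 4F1C78: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Jun 20 17:41:10 mail postfix/smtpd[1504]: 4F1C79: client=localhost[127.0.0.1]
"""

# Matches the syslog prefix, the queue id, client=HOST[IP] and the two SASL
# fields Postfix logs for an authenticated session. Lines without SASL fields
# (the last sample line) are ignored.
AUTH_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"\w+: client=\S+?\[(?P<ip>[^\]]+)\], sasl_method=\S+, "
    r"sasl_username=(?P<user>\S+)"
)


def parse_auth_lines(log_text):
    """Return (timestamp, sasl_username, client_ip) for each authenticated session.

    Syslog stamps carry no year; strptime fills in 1900, which is fine for
    measuring gaps inside one log file.
    """
    events = []
    for line in log_text.splitlines():
        m = AUTH_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("ip")))
    return events


def logins_per_user(log_text):
    """Map each account to {client_ip: number_of_logins}."""
    per_user = defaultdict(lambda: defaultdict(int))
    for _, user, ip in parse_auth_lines(log_text):
        per_user[user][ip] += 1
    return {user: dict(ips) for user, ips in per_user.items()}


def burst_accounts(log_text, max_logins=5, window_seconds=600):
    """Accounts with more than max_logins sessions inside any sliding window.

    Returns {account: peak logins seen in one window}. Thresholds are
    assumptions for the example; set them from your own normal traffic.
    """
    stamps_by_user = defaultdict(list)
    for ts, user, _ in parse_auth_lines(log_text):
        stamps_by_user[user].append(ts)
    flagged = {}
    for user, stamps in stamps_by_user.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_logins:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    # Run against a real file with: python3 sasl_bursts.py /var/log/mail.log
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for user, ips in logins_per_user(text).items():
        print(user, ips)
    print("bursting accounts:", burst_accounts(text))
```

    On the sample, bob@example.com logs in seven times from two addresses inside three minutes and is flagged; alice@example.com's three sessions spread over the day are not. On a real server the same pattern usually comes with an IP the user has never used before, so the per-address breakdown is worth keeping alongside the count.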

  4. #4

    Quote Originally Posted by bstock:
        Sounds like you have a compromised account. What I do in this circumstance is the following:
        grep "sasl_username=" /var/log/mail.log|more
        If you run that on your server, it will search that log file (/var/log/mail.log) for each instance when a user authenticated. If you see a bunch of repeating logins, that's most likely it. Usually you'll see dozens of lines over a short period of time and that'll be it.
    My case probably is different. I cannot see any repeating logins in mail.log.

    Inspecting my router log, I can see IP addresses of incoming connection attempts to port 25. However, the corresponding mail.log entry showed connection from 127.0.0.1 localhost.localdomain. That makes postfix think that the connection comes from the loopback interface and allow relaying of messages to the relaying SMTP server (of my ISP). After closing port 25 overnight, it seems that the spamming has stopped. I am yet to find an effective way to block that kind of attack.

  5. #5

    I have seen similar attacks before. Not sure why it's showing up as localhost, though I have seen that before on my server.

    Unless someone can specify why the addresses are showing up as localhost source, the best option would be to block as many of those IP's as possible on your router. Hopefully someone will chime in and let you know why it's not showing the correct address as the source.

  6. #6

    The Postfix docs might be a useful reference in this case:

    Postfix SMTP relay and access control

    Basically, if a rule allowing mail from localhost to be forwarded is placed before the access check rules, someone can just HELO as localhost and send anything they want.

    I doubt that Zimbra would create such a screwy rule automatically, but it's certainly possible for it to happen inadvertently.
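
    To make the ordering point concrete, here is an added example (not from the post and not Postfix code): a small Python model of a Postfix recipient restriction list, following the documented rule that restrictions are tried left to right and the first one that answers permit or reject ends the evaluation, with an exhausted list permitting. The networks, the domain and the client records are assumptions chosen for the illustration; the "misreported loopback" client is the situation from posts #1 and #4, a connection that Postfix logs as 127.0.0.1 whatever its real origin.

```python
"""Added example (not from the post, not Postfix source): model how the order
of entries in smtpd_recipient_restrictions decides whether a client that
shows up as 127.0.0.1 may relay to an outside domain.
"""
import ipaddress

# Illustrative values (assumptions for the example).
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.0/24")]
MY_DOMAINS = {"example.com"}  # domains this server accepts mail for


def permit_mynetworks(client):
    """Permit when the client address Postfix *logged* is inside $mynetworks.
    The check sees only that address; if it reads 127.0.0.1, it is trusted."""
    ip = ipaddress.ip_address(client["ip"])
    return "permit" if any(ip in net for net in MYNETWORKS) else None


def permit_sasl_authenticated(client):
    return "permit" if client.get("sasl_username") else None


def reject_unauth_destination(client):
    """Reject relaying to a domain this server is not responsible for."""
    domain = client["rcpt"].rpartition("@")[2].lower()
    return None if domain in MY_DOMAINS else "reject"


def evaluate(restrictions, client):
    """First restriction returning permit/reject wins; an exhausted list
    permits, as Postfix documents for its access lists."""
    for rule in restrictions:
        verdict = rule(client)
        if verdict:
            return verdict, rule.__name__
    return "permit", "end-of-list"


# The Postfix default shape: trust the network first, then check destination.
DEFAULT_ORDER = [permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination]
# A stricter list that never trusts a client on its address alone.
AUTH_ONLY = [permit_sasl_authenticated, reject_unauth_destination]

OUTSIDE = "victim@other.example"
CLIENTS = {
    "misreported loopback": {"ip": "127.0.0.1", "rcpt": OUTSIDE},
    "authenticated user": {"ip": "203.0.113.9", "sasl_username": "bob@example.com", "rcpt": OUTSIDE},
    "random internet host": {"ip": "198.51.100.7", "rcpt": OUTSIDE},
    "inbound to us": {"ip": "198.51.100.7", "rcpt": "alice@example.com"},
}


def relay_matrix(restrictions):
    """Verdict for every sample client under one restriction list."""
    return {name: evaluate(restrictions, c)[0] for name, c in CLIENTS.items()}


if __name__ == "__main__":
    for label, rules in (("default order", DEFAULT_ORDER), ("auth only", AUTH_ONLY)):
        print(label)
        for name, client in CLIENTS.items():
            print(f"  {name:22s} -> {evaluate(rules, client)}")
```

    Under the default shape the misreported loopback client relays freely because permit_mynetworks answers before any destination check is reached, which is the failure post #4 describes. Dropping permit_mynetworks from the main listener stops that while still letting authenticated users relay and inbound mail for your own domain through, but on a content-filter setup the loopback reinjection path depends on being trusted: on stock Postfix that listener in master.cf normally carries its own -o smtpd_recipient_restrictions= override, so check how your installation defines it before tightening the main list, and remember that the model above cannot tell you why the connections are being logged as 127.0.0.1 in the first place.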
