Postfix configuration


For those of us running our own mail server: if you see a sequence of log entries similar to the following:

May  6 13:34:59 vps postfix/submission/smtpd[1294]: connect from unknown[1.2.3.4]
...
May  6 13:35:08 vps postfix/submission/smtpd[1294]: NOQUEUE: filter: RCPT from unknown[1.2.3.4]: <unknown-user@your-domain.com>: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=<unknown-user@your-domain.com> to=<remote-user@example.com> proto=ESMTP helo=<your-domain.com>
May  6 13:35:08 vps postfix/submission/smtpd[1294]: 6FE52C0FDA: client=unknown[1.2.3.4], sasl_method=PLAIN, sasl_username=valid-user@your-domain.com

then it is very likely that your users' credentials are being used fraudulently to send email through your server.
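As an added illustration, not part of the original post, the following Python script turns the pattern above into a repeatable check: it collects the sasl_username / client IP pairs from Postfix smtpd log lines and flags accounts that authenticate from an unusually large number of distinct addresses or send unusually many messages in the analysed window. The sample log lines, thresholds, addresses and queue IDs are constructed assumptions, not data from the post.

```python
import re
from collections import defaultdict

# Matches the smtpd line Postfix writes once a client has authenticated with SASL, e.g.
# "... 6FE52C0FDA: client=unknown[1.2.3.4], sasl_method=PLAIN, sasl_username=user@dom"
# The "submission/" prefix is optional so lines from the port-25 smtpd match too.
SASL_RE = re.compile(
    r"postfix/(?:submission/)?smtpd\[\d+\]: (?P<queue>[0-9A-Za-z]+): "
    r"client=(?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\], sasl_method=(?P<method>\S+), "
    r"sasl_username=(?P<user>\S+)"
)

def sasl_sessions(lines):
    """Return {sasl_username: {client_ip: message_count}} from Postfix log lines."""
    per_user = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = SASL_RE.search(line)
        if m:
            per_user[m["user"]][m["ip"]] += 1
    return per_user

def suspicious_accounts(lines, max_ips=3, max_msgs=50):
    """Flag accounts seen from more than max_ips distinct client IPs or with
    more than max_msgs authenticated messages; both thresholds are assumptions."""
    flagged = {}
    for user, ips in sasl_sessions(lines).items():
        total = sum(ips.values())
        if len(ips) > max_ips or total > max_msgs:
            flagged[user] = {"ips": sorted(ips), "messages": total}
    return flagged

def _line(ip, user, queue="6FE52C0FDA", pid=1294):
    """Build a constructed submission log line in the format shown above."""
    return (f"May  6 13:35:08 vps postfix/submission/smtpd[{pid}]: {queue}: "
            f"client=unknown[{ip}], sasl_method=PLAIN, sasl_username={user}")

# Constructed sample: one account used from four different hosts, one used normally.
SAMPLE_LOG = [
    "May  6 13:34:59 vps postfix/submission/smtpd[1294]: connect from unknown[198.51.100.10]",
    _line("198.51.100.10", "valid-user@your-domain.com"),
    _line("198.51.100.11", "valid-user@your-domain.com", queue="7A1B2C3D4E"),
    _line("203.0.113.5", "valid-user@your-domain.com", queue="8B2C3D4E5F"),
    _line("203.0.113.6", "valid-user@your-domain.com", queue="9C3D4E5F60"),
    _line("192.0.2.20", "alice@your-domain.com", queue="A1B2C3D4E5"),
    _line("192.0.2.20", "alice@your-domain.com", queue="B2C3D4E5F6"),
]

if __name__ == "__main__":
    for user, info in suspicious_accounts(SAMPLE_LOG).items():
        print(f"{user}: {info['messages']} messages from {len(info['ips'])} IPs {info['ips']}")
```

On a real server, feed it the relevant lines from /var/log/mail.log and tune the thresholds to your users' normal behaviour (roaming users legitimately appear from several addresses).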

The first thing to do is to change your email users' passwords as soon as possible.

The second thing is to check, and possibly change, your Postfix configuration.
The changes suggested below result in a more restricted environment, which may not suit your needs.
You should absolutely review these changes before applying them to your installation and make your own decision about whether to install them or not.
These settings work for me; they may not work for you. Proceed at your own risk!

Many sites will have you editing Postfix configuration files. Please don't; there is no need.
Use postconf to change the configuration, but remember that each setting must go entirely on one line.

The following commands should be run as root (possibly using sudo).

Note:

i. This entry includes a Spamhaus RBL check; note their usage policy.
ii. This entry is for an ISPConfig install, so it includes a MySQL recipient check.

# postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_invalid_hostname,reject_non_fqdn_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_sender_domain,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_unauth_destination,reject_rbl_client zen.spamhaus.org,check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf'

Note again the inclusion of the Spamhaus RBL check.

# postconf -e 'smtpd_helo_restrictions = permit_sasl_authenticated,permit_mynetworks,check_helo_access regexp:/etc/postfix/helo_access, reject_unauth_destination,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_non_fqdn_hostname,reject_invalid_hostname,reject_rbl_client zen.spamhaus.org,reject_unauth_pipelining,check_helo_access regexp:/etc/postfix/blacklist_helo'

This change will result in log messages similar to this:

May  8 08:10:25 vps postfix/smtpd[5583]: NOQUEUE: reject: RCPT from [1.2.3.4]: 554 5.7.1 Service unavailable; Client host [1.2.3.4] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/51.255.199.243 / https://www.spamhaus.org/sbl/query/SBLCSS; from=<user@hacked-domain.com> to=<valid-user@your-domain.com> proto=ESMTP helo=<user@hacked-domain.com>

Disable the VRFY command, which verifies email addresses; this helps prevent email address harvesting. The default is 'no'.

# postconf | grep disable_vrfy_command
disable_vrfy_command = no
# postconf -e 'disable_vrfy_command = yes'

Require that addresses received in SMTP MAIL FROM and RCPT TO commands are enclosed in <>, and that those addresses do not contain RFC 822 style comments or phrases. The default is 'no'.

# postconf -e 'strict_rfc821_envelopes = yes'

To apply the changes, Postfix must be restarted.

# systemctl restart postfix