Sending spam mail from my postfix SMTP server - email

Long-time user and first-time poster on Stack Overflow, but I'm a bit stumped.
A few months ago I bought and set up a virtual machine running CentOS 6 so that I could host a few websites and a mail server for myself and a few clients. I set the entire thing up myself from the Unix knowledge I already had, including the mail server, which was at the time something I had never done before.
The mail server is working as intended, dovecot enforces IMAP logins and everything was running smoothly, until recently when I noticed one of the domains has been sending mail from unregistered users.
To give you an extract from the log at /var/log/maillog:
```
s18646572 postfix/qmgr[3763]: 45A9520F2DF8A: from=<daisy_gibson#friendsdomain.uk>, size=1321, nrcpt=1 (queue active)
s18646572 postfix/qmgr[3763]: A98FC20F2D350: from=<regina_reeves#friendsdomain.uk>, size=1420, nrcpt=1 (queue active)
s18646572 postfix/qmgr[3763]: E45E820F2DD3A: from=<robyn_holland#friendsdomain.uk>, size=1334, nrcpt=1 (queue active)
s18646572 postfix/qmgr[3763]: AD06220F28246: from=<lorraine_murphy#friendsdomain.uk>, size=1393, nrcpt=1 (queue active)
s18646572 postfix/qmgr[3763]: DC00D1849D7CC: from=<kristine_gardner#friendsdomain.uk>, size=1401, nrcpt=1 (queue active)
s18646572 postfix/qmgr[3763]: 890EE20F28F2A: from=<mae_shaw#friendsdomain.uk>, size=1418, nrcpt=1 (queue active)
```
So from what I can gather somebody is using his domain "friendsdomain.uk" but also piggybacking on our SMTP server to send the mail, given that it's being deposited into our queue.
I found a tool online to help test SMTP relaying and managed to configure some rules to prevent SMTP relays, at least through this tool. Users now need to be SASL authenticated in order to send mail.
However, the mail is still going out - postfix doesn't seem to be stopping the spam at all which leads me to believe that whoever is using the server is already authenticated. I've changed the passwords of all users but that doesn't seem to have halted the problem - and the logs don't indicate which user is being used to send the mail.
Extract of my postfix config below:
```
### SMTP Setup ###
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination
broken_sasl_auth_clients = yes
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps
smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = permit_sasl_authenticated, reject_sender_login_mismatch, reject_unauthenticated_sender_login_mismatch, reject_unlisted_sender
```
I added the smtpd_sender_restrictions following some other answers I found on the site, which seemingly prevented the relaying at least.
I paused the SMTP server and inspected a few of the mail items in the queue, extract below.
```
Subject: 1 New SnapF#ck Alert
X-PHP-Originating-Script: 48:plugin.php(1959) : eval()'d code
Date: Wed, 9 Dec 2015 22:02:26 +0000
From: Kelly Fleming <kelly_fleming#friendsdomain.uk>
Message-ID: <64b6713d232e7a4f88e85344aac5cc9c#friendsdomain.uk>
X-Priority: 3
X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/)
```
The headers indicate that whoever is doing this is using a PHP mailer.
So the problem still remains: people are sending spam using my SMTP server. I need a way to either restrict the user logins or, if an account has been compromised, find out which one. I can't simply suspend the accounts as the genuine users still need access to their email; however, we're now receiving so many hits that the TCP sockets are preventing other services from running.
Any advice would be greatly appreciated.
Thanks.

Solved the mystery (somewhat)
The mail was coming internally from one of our hosted sites. Either the site has been configured to use SMTP with authentication, or it was not required to authenticate because it was on localhost.
The clue was in the sending error logs:
```
Dec 10 11:35:15 s18646572 postfix/pickup[6439]: 9A7BA20F29112: uid=48 from=<sally_weaver#friendomain.uk>
```
The user id of the sender, UID=48, indicated that it was a local user, and after checking the passwd file this was confirmed to be the apache user.
It is now evident that some part of the website hosted on frienddomain.uk is being exploited to send spam, and after suspending the website and restarting services the mail ceased.
The problem now is finding and removing the exploit, however if you wish you can disable the mail() function in your php.ini file.
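The attribution step the answer describes (pickup uid versus an authenticated smtpd submission, and the X-PHP-Originating-Script header PHP adds when mail.add_x_header is on) can be automated over the log. The following is an added example, not code from the original post; the log lines, the uid-to-name table and the example.invalid addresses are constructed, and a real run would read /var/log/maillog and /etc/passwd instead.

```python
"""Attribute queued Postfix mail to its origin from maillog lines (added example)."""
import re
from collections import Counter

# Constructed sample of /var/log/maillog lines (not real data); the field
# layout is the one Postfix pickup(8), smtpd(8) and qmgr(8) log.
SAMPLE_MAILLOG = """\
Dec 10 11:35:15 host postfix/pickup[6439]: 9A7BA20F29112: uid=48 from=<sally_weaver@example.invalid>
Dec 10 11:35:16 host postfix/pickup[6439]: 9B1C020F29113: uid=48 from=<mae_shaw@example.invalid>
Dec 10 11:35:20 host postfix/pickup[6439]: 9C2D120F29114: uid=0 from=<root@host.example.invalid>
Dec 10 11:36:02 host postfix/smtpd[6501]: A1E2F20F29120: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.invalid
Dec 10 11:36:03 host postfix/qmgr[3763]: 9A7BA20F29112: from=<sally_weaver@example.invalid>, size=1321, nrcpt=1 (queue active)
"""

# Constructed uid -> account name table standing in for /etc/passwd.
SAMPLE_PASSWD = {0: "root", 48: "apache"}

PICKUP_RE = re.compile(
    r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>\S+), "
    r"sasl_method=\S+, sasl_username=(?P<user>\S+)")
PHP_ORIGIN_RE = re.compile(r"^(?P<uid>\d+):(?P<script>.*)$")
EVAL_RE = re.compile(r"^(?P<file>.+?)\((?P<line>\d+)\) : eval\(\)'d code$")


def attribute_queue(log_text, uid_names):
    """Map each queue id to the origin Postfix recorded for it.

    pickup(8) lines carry the Unix uid of the local process that invoked
    sendmail(1) (PHP's mail() ends up here); smtpd(8) lines carry the SASL
    user name of an authenticated network submission.
    """
    origins = {}
    for line in log_text.splitlines():
        m = PICKUP_RE.search(line)
        if m:
            uid = int(m.group("uid"))
            origins[m.group("qid")] = f"local uid={uid} ({uid_names.get(uid, 'unknown')})"
            continue
        m = SMTPD_RE.search(line)
        if m:
            origins[m.group("qid")] = f"sasl user {m.group('user')} from {m.group('client')}"
    return origins


def count_by_origin(log_text, uid_names):
    """Count queued messages per origin so the noisiest source stands out."""
    return Counter(attribute_queue(log_text, uid_names).values())


def parse_php_origin(header_value):
    """Decode PHP's X-PHP-Originating-Script header (mail.add_x_header=On).

    The value is "<uid>:<script>"; for code run through eval() PHP appends
    "(<line>) : eval()'d code" to the script name, which is what the
    queued spam in the question showed.
    """
    m = PHP_ORIGIN_RE.match(header_value.strip())
    if not m:
        return None
    info = {"uid": int(m.group("uid")), "script": m.group("script").strip(),
            "line": None, "via_eval": False}
    e = EVAL_RE.match(info["script"])
    if e:
        info.update(script=e.group("file"), line=int(e.group("line")), via_eval=True)
    return info


if __name__ == "__main__":
    for origin, n in count_by_origin(SAMPLE_MAILLOG, SAMPLE_PASSWD).most_common():
        print(f"{n:4d}  {origin}")
    print(parse_php_origin("48:plugin.php(1959) : eval()'d code"))
```

A run against the real log would show the local uid with the highest count; if that uid is the web server's account, the volume comes from hosted site code rather than a stolen mailbox password, which is the distinction the question was struggling to make.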

Related

Mail delivery failed: returning message to sender (No such User here)

I have migrated my website and the email records to a new server (other provider). Everything was ok except that now, when I want to send a message from my email (my email direction is the same), one of my clients cannot receive my messages. I chatted with my client and his mails are ok; he is receiving mails without problems, as he said.
I reported the problem to my hosting provider and they changed the mail exchanger from remote to local, but that didn't fix the problem. Does anyone know what could be happening?
This is part of the message that appears:
"
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
peter#thisismyclientsdirection.com
No Such User Here
peter#thisismyclientsotherdirection.com
No Such User Here
Reporting-MTA: dns; cherry.theserversite.pro
Action: failed
Final-Recipient: rfc822;peter#thisismyclientsdirection.com
Status: 5.0.0
Action: failed
Final-Recipient: rfc822;peter#thisismyclientsotherdirection.com
Status: 5.0.0
Return-path: <comercial#mydomain.com>
Received: from [71.13.252.126] (port=58531 helo=[10.145.123.217])
by cherry.theserversite.pro with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
(Exim 4.93)
(envelope-from <comercial#mydomain.com>)
id 1UZ6w-00EaD5-0h; Mon, 19 Oct 2020 13:38:33 -0400
To: peter#thisismyclientsdirection.com, peter#thisismyclientsotherdirection.com
From: comercial#mydomain.com
Subject: =?UTF-8?Q?Reenv=c3=ado_-_cotizaciones_mantenimiento?=
MIME-Version: 1.0
Content-Type: multipart/mixed;
Content-Language: es-ES
X-Antivirus: Avast (VPS 201019-2, 19/10/2020), Outbound message
X-Antivirus-Status: Clean
X-Exim-DSN-Information: Due to administrative limits only headers are returned
"
Thanks,
I found the solution. The problem was that the other websites (the domains of my client) are inside my server, and in the Email Routing section (it is in cPanel) of those websites the domains were targeted as "Local server" or not targeted. Despite that, the email servers for those domains were not on my server, so the system was confused. I just changed the target to "Remote servers" for both domains (the domains of my client) and the problem disappeared.
I hope this explanation could be useful for other developers.
Anyway thank you,
TheJohnny

Postfix transport: deliver different domains via different relayhosts

Postfix version 2.11.0
What I'm trying to accomplish is to have mail destined for a particular domain relayed through SendGrid but all other outgoing mail sent from my local server directly. I have this configuration in /etc/postfix/transport:
```
example.com smtp:[smtp.sendgrid.net]:587
.example.com smtp:[smtp.sendgrid.net]:587
* :
```
My understanding from all the searches I've done and reading the Postfix docs is that this should work but if I send to any other domain, for example gmail.com it's still getting relayed through SendGrid.
An example from /var/log/mail.log:
```
Oct 26 16:15:46 myhost postfix/smtp[25783]: A75F0C04F9: to=<PRIVACY_MASKED#gmail.com>, relay=smtp.sendgrid.net[108.168.190.108]:587, delay=11, delays=11/0.02/0.22/0.03, dsn=2.0.0, status=sent (250 Ok: queued as iTwf5zmCQQSgz_I6sVpSSA)
```
Is there some other configuration I'm missing?
Ok, now I see the error of my ways. In sasl_passwd I had this:
```
smtp.sendgrid.net USERNAME:PASSWD
```
But in transport I had this:
```
example.com smtp:[smtp.sendgrid.com]:587
```
The difference is .net versus .com.
Changed it to .net and it works!
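To see why the transport table as written should not have sent gmail.com through SendGrid, here is an added example (not part of the question or answer) that emulates the lookup order Postfix documents for transport(5): full address, then the recipient domain, then each parent domain with a leading dot, then the `*` wildcard. The table is a copy of the one in the question; the addresses are constructed.

```python
"""Emulate Postfix transport_maps lookup order (added example)."""

# Copy of the question's /etc/postfix/transport as a dict. "*" is the
# catch-all entry; an empty right-hand side (":") means "use the default
# transport and next-hop", i.e. fall back to main.cf's default_transport
# and relayhost.
TRANSPORT_TABLE = {
    "example.com": "smtp:[smtp.sendgrid.net]:587",
    ".example.com": "smtp:[smtp.sendgrid.net]:587",
    "*": ":",
}


def lookup_keys(recipient):
    """Keys Postfix tries, in order, for one recipient in a transport table.

    Address extensions (user+ext@domain) are left out for brevity. Note that
    "example.com" itself never matches ".example.com", which is why the
    question's table lists both forms.
    """
    local, _, domain = recipient.rpartition("@")
    keys = [recipient] if local else []
    keys.append(domain)
    labels = domain.split(".")
    for i in range(1, len(labels)):
        keys.append("." + ".".join(labels[i:]))
    keys.append("*")
    return keys


def lookup_transport(table, recipient):
    """Return (matched_key, transport, nexthop), or None if nothing matched."""
    for key in lookup_keys(recipient):
        if key in table:
            transport, _, nexthop = table[key].partition(":")
            return key, transport, nexthop
    return None


if __name__ == "__main__":
    for rcpt in ("user@example.com", "user@mail.example.com", "user@gmail.com"):
        print(rcpt, "->", lookup_transport(TRANSPORT_TABLE, rcpt))
```

For user@gmail.com the lookup ends at `*` with an empty transport and next-hop, so the transport table itself routes that mail to the default. An empty next-hop is exactly the case in which a `relayhost` setting in main.cf still applies, so when mail for an unlisted domain goes through a relay, that setting is the next place to look rather than the transport table.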

Amazon EC2 Email can only send to Yahoo Mail, Not Gmail

I have had a small issue with my EC2 email capabilities. While I am able to send emails from EC2 to my Yahoo Mail account, Gmail stopped receiving my EC2 emails as of 23 hours ago (i.e., 23 hours ago, I could do the following and it would work):
```
mail("jetmail250#gmail.com", $subject, $message, $headers).
```
The code I use to send mail from my EC2 server is shown below. I checked all my spam box, filters, etc. in Gmail and have not seen any mail sent to my Gmail. In order to isolate the problem, I redirected all the messages sent from my EC2 from my Gmail to my Yahoo. And EC2 does successfully send emails to my Yahoo Mail account, with the modified code highlighted in orange below.
I use this email feature on my website (www.JethroChan.com/contact.php) to allow people to use my form to send me emails directly from my website. My Gmail is the sole receiver of these emails from my website's contact form.
```
<?php
//send email
$subject = $_REQUEST['subject'];
$headers = $_REQUEST['headers'];   // raw request data is passed through as mail headers
$message = $_REQUEST['message'];
// recipient was jetmail250#gmail.com (a valid Gmail account) earlier
mail("jetmail250#yahoo.com", $subject, $message, $headers);
//echo "Email Sent!";
?>
```
Please help me see why only Yahoo, and Not Google is capable of receiving my EC2 emails as of today :D
Generally speaking, it's not recommended that you send email directly from an EC2 instance. They have been used and abused by spammers since day one, and many, many email ISPs have taken the drastic step of blacklisting the entire range of IPs used by EC2 from sending them email, just assuming it is all spam.
Much better to use Amazon SES, which will cost next to nothing and is a very simple drop-in replacement for your SMTP. It needs to be set up/verified, but after that it is pretty seamless. For what you are doing, it will probably cost you less than 10 cents a month.
http://aws.amazon.com/ses/
In order to maintain the quality of EC2 addresses for sending email, we enforce default limits on the amount of email that can be sent from EC2 accounts. If you wish to send larger amounts of email from EC2, you can apply to have these limits removed from your account by filling out this form
You can test mail connectivity with a simple telnet application:
find the address of the GMAIL mail relay
```
$ dig gmail.com
; <<>> DiG 9.8.3-P1 <<>> gmail.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16340
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:
;gmail.com. IN A
;; ANSWER SECTION:
gmail.com. 300 IN A 173.194.65.83
gmail.com. 300 IN A 173.194.65.17
gmail.com. 300 IN A 173.194.65.18
gmail.com. 300 IN A 173.194.65.19
;; AUTHORITY SECTION:
gmail.com. 108850 IN NS ns1.google.com.
gmail.com. 108850 IN NS ns2.google.com.
gmail.com. 108850 IN NS ns4.google.com.
gmail.com. 108850 IN NS ns3.google.com.
;; ADDITIONAL SECTION:
ns1.google.com. 24566 IN A 216.239.32.10
ns2.google.com. 173323 IN A 216.239.34.10
ns3.google.com. 173323 IN A 216.239.36.10
ns4.google.com. 173323 IN A 216.239.38.10
;; Query time: 46 msec
;; SERVER: 77.241.230.245#53(77.241.230.245)
;; WHEN: Sat Mar 29 08:18:46 2014
;; MSG SIZE rcvd: 234
```
telnet on port 25 and issue the following sequence:
```
$ telnet 173.194.65.83 25
Trying 173.194.65.83...
Connected to ee-in-f83.1e100.net.
Escape character is '^]'.
220 waldorf.attingo.nl ESMTP Exim 4.74 (Debian) Sat, 29 Mar 2014 08:21:56 +0100
helo sst
250 waldorf.attingo.nl Hello sst [77.241.230.246]
mail from:<seb#example.com>
250 OK
rcpt to:<seb#myaddress.com>
250 Accepted
data
354 Enter message, ending with "." on a line by itself
From:Seb
To:Seb
Subject:Test
Hello SMTP
.
250 OK id=1WTnb2-0003N9-2g
quit
221 waldorf.attingo.nl closing connection
Connection closed by foreign host.
```
(be sure to substitute the Mail From and RcptTo: with valid email addresses)

fetchmail forwarding to gmail via procmail - what is happening?

I've set up fetchmail with the following configuration:
```
poll my.exchange.server protocol IMAP
user "my_name"
password "my_pass"
smtpname "my_gmail_account#gmail.com"
ssl
keep
no rewrite
mda "/usr/bin/procmail -f %F -d %T"
```
Everything seems to be working fine. No errors from fetchmail, and the procmail log contains the e-mails that I want to be forwarded to GMail (an example is pasted below). However, none of the mail ever shows up in my GMail inbox. I've checked the 'All Mail' section to ensure it wasn't being treated as spam. Any ideas what could be going wrong? I'm doing all this on OS X version 10.8.5
Example procmail log for an e-mail that I want to show up in my gmail inbox:
```
From my_exchange_email#my.exchange.server Mon Sep 30 11:03:55 2013
MIME-Version: 1.0
Received: from my.exchange.server [123.45.678.910]
by my_host_name with IMAP (fetchmail-6.3.26)
for <my_gmail_account#gmail.com> (single-drop); Mon, 30 Sep 2013 11:03:55 -0400 (EDT)
```
I figured out what I was missing. My procmail was configured incorrectly for forwarding. I fixed this by making the following procmailrc file:
```
:0:
! my_gmail_account#gmail.com
```
That was it!

Gmail rejects emails. Openspf.net fails the tests.

I've got a problem with Gmail.
It started after one of our trojan-infected PCs sent spam for one day from our IP address.
We've fixed the problem, but we got onto 3 blacklists. We've fixed that, too. But still, every time we send an email to Gmail the message is rejected:
So I've checked Google's Bulk Sender guide once again and found an error in our SPF record and fixed it. Google says everything should become fine after some time, but this doesn't happen. 3 weeks have already passed but we still can't send emails to Gmail.
Our mail setup is a bit complex, but not too much. We have a domain name delo-company.com; it has its own mail #delo-company.com (this one is fine, but the problems are with the sub-domain name corp.delo-company.com).
The delo-company.com domain has several DNS records for its subdomain:
```
corp A 82.209.198.147
corp MX 20 corp.delo-company.com
corp.delo-company.com TXT "v=spf1 ip4:82.209.198.147 ~all"
```
(I set ~all for testing purposes only, it was -all before that)
These records are for our corporate Exchange 2003 server at 82.209.198.147. Its LAN name is s2.corp.delo-company.com so its HELO/EHLO greetings are also s2.corp.delo-company.com.
To pass the EHLO check we've also created some records in delo-company.com's DNS:
```
s2.corp A 82.209.198.147
s2.corp.delo-company.com TXT "v=spf1 ip4:82.209.198.147 ~all"
```
As I understand it, SPF verification should be passed in this way:
Our server s2 connects to the MX of the recipient (Rcp.MX): EHLO s2.corp.delo-company.com
Rcp.MX says OK, and makes an SPF check of HELO/EHLO. It does an nslookup for s2.corp.delo-company.com and gets the above DNS records. The TXT record says that s2.corp.delo-company.com should only be from IP 82.209.198.147. So it should be passed.
Then our s2 server says RCPT FROM: <supruniuk-p#corp.delo-company.com>
The Rcp.MX server checks it, too. The values are the same so they should also be positive.
Maybe there is also an rDNS check, but I'm not sure whether HELO or RCPT FROM is checked.
Our PTR record for 82.209.198.147 is:
```
147.198.209.82.in-addr.arpa. 86400 IN PTR s2.corp.delo-company.com.
```
To me everything looks fine, but anyway all emails are rejected by Gmail.
So, I've checked MXtoolbox.com and it says everything is fine, I passed the http://www.kitterman.com/spf/validate.html Python check, and I did the port25.com email test. It's fine, too:
```
Return-Path: <supruniuk-p#corp.delo-company.com>
Received: from s2.corp.delo-company.com (82.209.198.147) by verifier.port25.com id ha45na11u9cs for <check-auth#verifier.port25.com>; Fri, 2 Mar 2012 13:03:21 -0500 (envelope-from <supruniuk-p#corp.delo-company.com>)
Authentication-Results: verifier.port25.com; spf=pass smtp.mailfrom=supruniuk-p#corp.delo-company.com
Authentication-Results: verifier.port25.com; domainkeys=neutral (message not signed) header.From=supruniuk-p#corp.delo-company.com
Authentication-Results: verifier.port25.com; dkim=neutral (message not signed)
Authentication-Results: verifier.port25.com; sender-id=pass header.From=supruniuk-p#corp.delo-company.com
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----_=_NextPart_001_01CCF89E.BE02A069"
Subject: test
Date: Fri, 2 Mar 2012 21:03:15 +0300
X-MimeOLE: Produced By Microsoft Exchange V6.5
Message-ID: <4C9EB1DB67831A428B2E14052F4A418707E1FF#s2.corp.delo-company.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: test
Thread-Index: Acz4jS34oznvbyFQR4S5rXsNQFvTdg==
From: =?koi8-r?B?89XQ0tXOwMsg8MHXxcw=?= <supruniuk-p#corp.delo-company.com>
To: <check-auth#verifier.port25.com>
```
I also checked with spf-test#openspf.net, but it FAILs all the time, no matter which SPF records I make:
```
<s2.corp.delo-company.com #5.7.1 smtp;550 5.7.1 <spf-test#openspf.net>: Recipient address rejected: SPF Tests: Mail-From Result="softfail": Mail From="supruniuk-p#corp.delo-company.com" HELO name="s2.corp.delo-company.com" HELO Result="softfail" Remote IP="82.209.198.147">
```
I've filled in the Gmail form twice, but nothing happens.
We do not send spam, only emails for our clients. 2 or 3 times we did mass emails (like New Year greetings and sales promos) from corp.delo-company.com addresses, but they were all compliant with Gmail's Bulk Sender guide (I mean SPF, open relays, Precedence: Bulk and Unsubscribe tags). So, this should not be a problem.
Please, help me. What am I doing wrong?
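The HELO check, the MAIL FROM check and the reverse-DNS check the question walks through can be reproduced offline. The following is an added example, not code from the question or any answer: a small SPF evaluator for the `ip4`, `a`, `mx` and `all` mechanisms (the records quoted above only use `ip4` and `~all`; `include`, `redirect` and `exists` are not modelled), run against a constructed DNS table built from the records the question lists rather than live DNS.

```python
"""Evaluate SPF for the HELO and MAIL FROM identities (added example)."""
import ipaddress

# Constructed DNS table built from the records quoted in the question.
# Lookups go to this dict, not to real resolvers.
DNS = {
    ("corp.delo-company.com", "TXT"): ['"v=spf1 ip4:82.209.198.147 ~all"'],
    ("s2.corp.delo-company.com", "TXT"): ['"v=spf1 ip4:82.209.198.147 ~all"'],
    ("corp.delo-company.com", "MX"): ["corp.delo-company.com"],
    ("corp.delo-company.com", "A"): ["82.209.198.147"],
    ("s2.corp.delo-company.com", "A"): ["82.209.198.147"],
    ("82.209.198.147", "PTR"): ["s2.corp.delo-company.com"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def with_record(dns, domain, record):
    """Return a copy of the table with one domain's SPF TXT record replaced."""
    copy = dict(dns)
    copy[(domain, "TXT")] = ['"%s"' % record]
    return copy


def spf_record(domain, dns):
    """The single v=spf1 TXT record for a domain, or None (none/permerror)."""
    txts = [t.strip('"') for t in dns.get((domain, "TXT"), [])]
    spf = [t for t in txts if t.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def check_host(ip, domain, dns):
    """RFC 7208 check_host() reduced to the ip4/a/mx/all mechanisms.

    Mechanisms are tried left to right; the first match yields its
    qualifier's result, and a record that matches nothing is neutral.
    """
    record = spf_record(domain, dns)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in dns.get((arg or domain, "A"), [])
        elif name == "mx":
            hosts = dns.get((arg or domain, "MX"), [])
            matched = any(ip in dns.get((h, "A"), []) for h in hosts)
        else:
            return "permerror"  # include/redirect/exists are not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def verify_session(ip, helo, mail_from, dns):
    """The three checks the question describes for one SMTP session:
    SPF on the HELO name, SPF on the MAIL FROM domain, and whether the
    PTR name for the IP resolves back to that IP (forward-confirmed rDNS)."""
    ptr_names = dns.get((ip, "PTR"), [])
    return {
        "helo": check_host(ip, helo, dns),
        "mailfrom": check_host(ip, mail_from.rpartition("@")[2], dns),
        "fcrdns": any(ip in dns.get((n, "A"), []) for n in ptr_names),
    }


if __name__ == "__main__":
    print(verify_session("82.209.198.147", "s2.corp.delo-company.com",
                         "supruniuk-p@corp.delo-company.com", DNS))
    print(check_host("198.51.100.9", "corp.delo-company.com", DNS))
```

With the records as quoted, both identities evaluate to pass from 82.209.198.147 and the PTR round-trips, which is the result the question expects; a connection from any other address reaches `~all` and gets softfail, or fail once the record is switched back to `-all`. The difference between those two tails matters to receivers that treat softfail as advisory and fail as a rejection.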
I've been having serious problems with gmail rejecting legitimate mail. Somewhere I read a suggestion to delete URLs from your signature file. To my amazement, this worked. (My mail client is Eudora, which some of you may dimly remember.)
Hope it helps.
Gmail now has a postmaster tool where you can check your domain/IP reputation and spam rate, and in the "Authentication" area you can check that DKIM/SPF/DMARC work correctly.
https://gmail.com/postmaster/
I recommend using the CNAME record for authentication; if you are using the default TXT record, this entry is also returned on an SPF query.