detox1978

asked on

CentOS: is my server spamming people?

Hi All,


Recently my CentOS 6.5 VPS server stopped sending emails via postfix.

A sample from the mail log is below (tail -f /var/log/maillog):


Mar  4 22:14:53 www postfix/smtpd[11994]: connect from bl13-209-184.dsl.telepac.pt[85.246.209.184]
Mar  4 22:14:54 www postfix/smtpd[11994]: NOQUEUE: reject: RCPT from bl13-209-184.dsl.telepac.pt[85.246.209.184]: 554 5.7.1 <1fb4024bf@mydomain.com>: Relay access denied; from=<1fb4024bf@speedtouch.lan> to=<1fb4024bf@mydomain.com> proto=ESMTP helo=<speedtouch.lan>
Mar  4 22:14:54 www postfix/smtpd[11994]: disconnect from bl13-209-184.dsl.telepac.pt[85.246.209.184]
Mar  4 22:15:02 www postfix/smtpd[11969]: connect from 178235250213.sejny.vectranet.pl[178.235.250.213]
Mar  4 22:15:02 www postfix/smtpd[11969]: NOQUEUE: reject: RCPT from 178235250213.sejny.vectranet.pl[178.235.250.213]: 554 5.7.1 <79e366e7@mydomain.com>: Relay access denied; from=<79e366e7@sejny.vectranet.pl> to=<79e366e7@mydomain.com> proto=ESMTP helo=<178235250213.sejny.vectranet.pl>
Mar  4 22:15:02 www postfix/smtpd[11969]: disconnect from 178235250213.sejny.vectranet.pl[178.235.250.213]
Mar  4 22:15:02 www postfix/smtpd[11996]: connect from 190-20-119-31.baf.movistar.cl[190.20.119.31]
Mar  4 22:15:02 www postfix/smtpd[11996]: NOQUEUE: reject: RCPT from 190-20-119-31.baf.movistar.cl[190.20.119.31]: 554 5.7.1 <AEXFwKtxTE@mydomain.com>: Relay access denied; from=<AEXFwKtxTE@movistar.cl> to=<AEXFwKtxTE@mydomain.com> proto=ESMTP helo=<190-20-119-31.baf.movistar.cl>
Mar  4 22:15:03 www postfix/smtpd[11996]: disconnect from 190-20-119-31.baf.movistar.cl[190.20.119.31]
Mar  4 22:15:03 www postfix/smtp[12110]: connect to comcastbusiness.net[165.160.15.20]:25: Connection timed out
Mar  4 22:15:04 www postfix/smtp[12108]: connect to comcastbusiness.net[165.160.15.20]:25: Connection timed out
Mar  4 22:15:04 www postfix/smtp[12108]: 04CBBA2AAA: to=<bb363695@comcastbusiness.net>, relay=none, delay=430996, delays=430966/0/30/0, dsn=4.4.1, status=deferred (connect to comcastbusiness.net[165.160.15.20]:25: Connection timed out)
Mar  4 22:15:05 www postfix/smtpd[11994]: connect from fl-71-52-173-29.dhcp.embarqhsd.net[71.52.173.29]
Mar  4 22:15:05 www postfix/smtpd[11994]: NOQUEUE: reject: RCPT from fl-71-52-173-29.dhcp.embarqhsd.net[71.52.173.29]: 554 5.7.1 <oP@mydomain.com>: Relay access denied; from=<oP@dhcp.embarqhsd.net> to=<oP@mydomain.com> proto=ESMTP helo=<fl-71-52-173-29.dhcp.embarqhsd.net>
Mar  4 22:15:05 www postfix/smtpd[11994]: disconnect from fl-71-52-173-29.dhcp.embarqhsd.net[71.52.173.29]
Mar  4 22:15:07 www postfix/smtp[12111]: connect to comcastbusiness.net[165.160.15.20]:25: Connection timed out
Mar  4 22:15:08 www postfix/smtp[12114]: connect to comcastbusiness.net[165.160.13.20]:25: Connection timed out



Any idea what is going on and how I can fix it?
SOLUTION
Kimputer

SOLUTION
detox1978

ASKER

Thanks for the feedback. My server shouldn't be sending any emails; I don't use the email address AEXFwKtxTE@mydomain.com on that domain.

I'm a Linux novice so you may need to walk me through any info you need using SSH.

I tried to install fail2ban, but nothing happened.
Install CSF firewall and restrict access on port 25 by number of connections per second per IP.

TY/SA
I'm a novice so you will have to walk me through that
I've made quite a few ad-hoc changes now:

added an iptables rule (twice by accident)
Installed fail2ban, which appears to now be updating iptables


[root@www ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-SMTP  tcp  --  anywhere             anywhere            tcp dpt:smtp
DROP       tcp  --  anywhere             anywhere            tcp dpt:smtp state NEW recent: UPDATE seconds: 60 hit_count: 10 name: DEFAULT side: source
           tcp  --  anywhere             anywhere            tcp dpt:smtp state NEW recent: SET name: DEFAULT side: source
           tcp  --  anywhere             anywhere            tcp dpt:smtp state NEW recent: SET name: DEFAULT side: source
DROP       tcp  --  anywhere             anywhere            tcp dpt:smtp state NEW recent: UPDATE seconds: 60 hit_count: 10 name: DEFAULT side: source

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-SMTP (1 references)
target     prot opt source               destination
DROP       all  --  LPuteaux-156-15-29-140.w82-127.abo.wanadoo.fr  anywhere
DROP       all  --  LNantes-156-76-35-66.w82-127.abo.wanadoo.fr  anywhere
DROP       all  --  193.0.200.134        anywhere
DROP       all  --  181-24-13-176.speedy.com.ar  anywhere
DROP       all  --  LRouen-151-72-8-125.w80-13.abo.wanadoo.fr  anywhere
DROP       all  --  cliente-76873.iberbanda.es  anywhere
DROP       all  --  host86-177-102-152.range86-177.btcentralplus.com  anywhere
DROP       all  --  87.241.3.250         anywhere
RETURN     all  --  anywhere             anywhere




Here's a minute's excerpt from the maillog (tail -f /var/log/maillog):
Mar  5 09:10:31 www postfix/smtpd[14857]: lost connection after CONNECT from 74.86.158.107-static.reverse.softlayer.com[74.86.158.107]
Mar  5 09:10:31 www postfix/smtpd[14857]: disconnect from 74.86.158.107-static.reverse.softlayer.com[74.86.158.107]
Mar  5 09:10:33 www postfix/smtpd[14820]: warning: 181.40.44.134: address not listed for hostname pool-134-44-40-181.telecel.com.py
Mar  5 09:10:33 www postfix/smtpd[14820]: connect from unknown[181.40.44.134]
Mar  5 09:10:33 www postfix/smtpd[15092]: connect from 015927474Z004.rain.fr[217.167.214.220]
Mar  5 09:10:33 www postfix/smtpd[14820]: NOQUEUE: reject: RCPT from unknown[181.40.44.134]: 554 5.7.1 <b7306cf@mydomain.co.uk>: Relay access denied; from=<b7306cf@telecel.com.py> to=<b7306cf@mydomain.co.uk> proto=ESMTP helo=<pool-134-44-40-181.telecel.com.py>
Mar  5 09:10:33 www postfix/smtpd[14820]: disconnect from unknown[181.40.44.134]
Mar  5 09:10:34 www postfix/smtpd[15092]: disconnect from 015927474Z004.rain.fr[217.167.214.220]
Mar  5 09:10:41 www postfix/smtpd[14857]: connect from pd95cf548.dip0.t-ipconnect.de[217.92.245.72]
Mar  5 09:10:41 www postfix/smtpd[14857]: NOQUEUE: reject: RCPT from pd95cf548.dip0.t-ipconnect.de[217.92.245.72]: 554 5.7.1 <0c3097a01@mydomain2.co.uk>: Relay access denied; from=<0c3097a01@jonfreyr.com> to=<0c3097a01@mydomain2.co.uk> proto=ESMTP helo=<pd95cf548.dip0.t-ipconnect.de>
Mar  5 09:10:42 www postfix/smtpd[14857]: disconnect from pd95cf548.dip0.t-ipconnect.de[217.92.245.72]
Mar  5 09:10:42 www postfix/smtpd[14854]: connect from unknown[82.114.91.214]
Mar  5 09:10:42 www postfix/smtpd[14854]: NOQUEUE: reject: RCPT from unknown[82.114.91.214]: 554 5.7.1 <fa28f3e0@mydomain.co.uk>: Relay access denied; from=<fa28f3e0@andersonlawfirm.net> to=<fa28f3e0@mydomain.co.uk> proto=ESMTP helo=<[82.114.91.214]>
Mar  5 09:10:42 www postfix/smtpd[14820]: connect from mail.viaminasltda.com.br[189.22.208.68]
Mar  5 09:10:42 www postfix/smtpd[14854]: disconnect from unknown[82.114.91.214]
Mar  5 09:10:43 www postfix/smtpd[14820]: NOQUEUE: reject: RCPT from mail.viaminasltda.com.br[189.22.208.68]: 550 5.1.1 <aphrodite@nufc.net>: Recipient address rejected: User unknown in local recipient table; from=<postmaster@imsva.trendmicro.com> to=<aphrodite@nufc.net> proto=ESMTP helo=<UDIMSS.aliardistribuidora.com.br>
Mar  5 09:10:43 www postfix/smtpd[14820]: disconnect from mail.viaminasltda.com.br[189.22.208.68]
Mar  5 09:10:43 www postfix/smtpd[14857]: connect from 93-57-94-158.ip163.fastwebnet.it[93.57.94.158]
Mar  5 09:10:43 www postfix/smtpd[14857]: NOQUEUE: reject: RCPT from 93-57-94-158.ip163.fastwebnet.it[93.57.94.158]: 554 5.7.1 <1381dc8@mydomain.co.uk>: Relay access denied; from=<1381dc8@techtrainassoc.com> to=<1381dc8@mydomain.co.uk> proto=ESMTP helo=<93-57-94-158.ip163.fastwebnet.it>
Mar  5 09:10:44 www postfix/smtpd[14857]: disconnect from 93-57-94-158.ip163.fastwebnet.it[93.57.94.158]
Mar  5 09:10:46 www postfix/smtpd[15092]: connect from unknown[210.176.78.35]
Mar  5 09:10:47 www postfix/smtpd[14854]: connect from unknown[124.80.150.175]
Mar  5 09:10:47 www postfix/smtpd[15092]: NOQUEUE: reject: RCPT from unknown[210.176.78.35]: 554 5.7.1 <f164298de6c32105@mydomain.co.uk>: Relay access denied; from=<ee.alert@ee.co.uk> to=<f164298de6c32105@mydomain.co.uk> proto=ESMTP helo=<[210.176.78.35]>
Mar  5 09:10:47 www postfix/smtpd[14820]: connect from unknown[78.97.237.213]
Mar  5 09:10:47 www postfix/smtpd[15092]: disconnect from unknown[210.176.78.35]
Mar  5 09:10:47 www postfix/smtpd[14854]: NOQUEUE: reject: RCPT from unknown[124.80.150.175]: 554 5.7.1 <558c2281@mydomain.co.uk>: Relay access denied; from=<ee.alert@ee.co.uk> to=<558c2281@mydomain.co.uk> proto=ESMTP helo=<TG-PC.tbroad>
Mar  5 09:10:47 www postfix/smtpd[14820]: NOQUEUE: reject: RCPT from unknown[78.97.237.213]: 554 5.7.1 <e8c7975@mydomain.co.uk>: Relay access denied; from=<ee.alert@ee.co.uk> to=<e8c7975@mydomain.co.uk> proto=ESMTP helo=<URSU-PC>
Mar  5 09:10:47 www postfix/smtpd[14820]: disconnect from unknown[78.97.237.213]
Mar  5 09:10:47 www postfix/smtpd[14854]: disconnect from unknown[124.80.150.175]
Mar  5 09:10:48 www postfix/smtpd[14857]: connect from unknown[188.245.82.93]
Mar  5 09:10:48 www postfix/smtpd[14857]: NOQUEUE: reject: RCPT from unknown[188.245.82.93]: 554 5.7.1 <360797f@mydomain.co.uk>: Relay access denied; from=<ee.alert@ee.co.uk> to=<360797f@mydomain.co.uk> proto=ESMTP helo=<91.99.231.197.parsonline.net>
Mar  5 09:10:49 www postfix/smtpd[14857]: disconnect from unknown[188.245.82.93]
Mar  5 09:10:52 www postfix/smtpd[15092]: warning: 78.189.233.12: address not listed for hostname 78.189.233.12.static.ttnet.com.tr
Mar  5 09:10:52 www postfix/smtpd[15092]: connect from unknown[78.189.233.12]
Mar  5 09:10:52 www postfix/smtpd[15092]: NOQUEUE: reject: RCPT from unknown[78.189.233.12]: 554 5.7.1 <tsXJIxckl@mydomain2.co.uk>: Relay access denied; from=<tsXJIxckl@ttnet.com.tr> to=<tsXJIxckl@mydomain2.co.uk> proto=ESMTP helo=<78.189.233.12.static.ttnet.com.tr>
Mar  5 09:10:52 www postfix/smtpd[15092]: disconnect from unknown[78.189.233.12]
Mar  5 09:10:55 www postfix/smtpd[14820]: warning: 113.167.172.10: address not listed for hostname localhost
Mar  5 09:10:55 www postfix/smtpd[14820]: connect from unknown[113.167.172.10]
Mar  5 09:10:55 www postfix/smtpd[14857]: connect from unknown[212.92.217.148]
Mar  5 09:10:55 www postfix/smtpd[14857]: NOQUEUE: reject: RCPT from unknown[212.92.217.148]: 554 5.7.1 <c1be0491@mydomain2.co.uk>: Relay access denied; from=<c1be0491@mysunvalleyhome.com> to=<c1be0491@mydomain2.co.uk> proto=ESMTP helo=<[212.92.217.148]>
Mar  5 09:10:56 www postfix/smtpd[14857]: disconnect from unknown[212.92.217.148]
Mar  5 09:10:56 www postfix/smtpd[14820]: NOQUEUE: reject: RCPT from unknown[113.167.172.10]: 554 5.7.1 <nrvjhyfle@mydomain.co.uk>: Relay access denied; from=<nrvjhyfle@falconhi.com> to=<nrvjhyfle@mydomain.co.uk> proto=ESMTP helo=<localhost>
Mar  5 09:10:56 www postfix/smtpd[14820]: disconnect from unknown[113.167.172.10]
Mar  5 09:10:57 www postfix/smtpd[14857]: connect from dslb-088-065-084-019.pools.arcor-ip.net[88.65.84.19]
Mar  5 09:10:57 www postfix/smtpd[15092]: warning: 66.94.72.130: address not listed for hostname net-66-94-72-130.arpa.fidelityaccess.net
Mar  5 09:10:57 www postfix/smtpd[15092]: connect from unknown[66.94.72.130]
Mar  5 09:10:57 www postfix/smtpd[15092]: NOQUEUE: reject: RCPT from unknown[66.94.72.130]: 554 5.7.1 <494e7f74@mydomain.co.uk>: Relay access denied; from=<494e7f74@fidelityaccess.net> to=<494e7f74@mydomain.co.uk> proto=ESMTP helo=<net-66-94-72-130.arpa.fidelityaccess.net>
Mar  5 09:10:57 www postfix/smtpd[14857]: NOQUEUE: reject: RCPT from dslb-088-065-084-019.pools.arcor-ip.net[88.65.84.19]: 554 5.7.1 <b80009e6@mydomain2.co.uk>: Relay access denied; from=<b80009e6@ourjewelryclub.com> to=<b80009e6@mydomain2.co.uk> proto=ESMTP helo=<dslb-088-065-084-019.pools.arcor-ip.net>
Mar  5 09:10:57 www postfix/smtpd[15092]: disconnect from unknown[66.94.72.130]
Mar  5 09:10:57 www postfix/smtpd[14857]: disconnect from dslb-088-065-084-019.pools.arcor-ip.net[88.65.84.19]
Mar  5 09:10:59 www postfix/scache[14956]: statistics: start interval Mar  5 09:06:50
Mar  5 09:10:59 www postfix/scache[14956]: statistics: domain lookup hits=0 miss=1 success=0%
Mar  5 09:10:59 www postfix/scache[14956]: statistics: address lookup hits=0 miss=1 success=0%
Mar  5 09:10:59 www postfix/scache[14956]: statistics: max simultaneous domains=1 addresses=1 connection=1
Mar  5 09:11:00 www postfix/smtpd[14820]: connect from 93-45-121-76.ip102.fastwebnet.it[93.45.121.76]
Mar  5 09:11:00 www postfix/smtpd[14820]: NOQUEUE: reject: RCPT from 93-45-121-76.ip102.fastwebnet.it[93.45.121.76]: 554 5.7.1 <6a2ca74@mydomain.co.uk>: Relay access denied; from=<6a2ca74@antraki.com> to=<6a2ca74@mydomain.co.uk> proto=ESMTP helo=<93-45-121-76.ip102.fastwebnet.it>
Mar  5 09:11:00 www postfix/smtpd[14820]: disconnect from 93-45-121-76.ip102.fastwebnet.it[93.45.121.76]
Mar  5 09:11:00 www postfix/smtpd[15092]: connect from unknown[78.136.97.139]
Mar  5 09:11:00 www postfix/smtpd[15092]: NOQUEUE: reject: RCPT from unknown[78.136.97.139]: 554 5.7.1 <c1e830b8@mydomain.co.uk>: Relay access denied; from=<ee.alert@ee.co.uk> to=<c1e830b8@mydomain.co.uk> proto=ESMTP helo=<GABOS-PC>
Mar  5 09:11:00 www postfix/smtpd[15092]: disconnect from unknown[78.136.97.139]
Mar  5 09:11:01 www postfix/smtpd[14854]: connect from unknown[24.138.216.238]
Mar  5 09:11:01 www postfix/smtpd[14854]: NOQUEUE: reject: RCPT from unknown[24.138.216.238]: 554 5.7.1 <a64aaded@mydomain2.co.uk>: Relay access denied; from=<a64aaded@gsconnect.nl> to=<a64aaded@mydomain2.co.uk> proto=ESMTP helo=<JORGERIVERA-PC>
M

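The question the thread opens with, whether the server is sending spam or only receiving attempts, can be read off the maillog format quoted in both excerpts above: `postfix/smtpd ... NOQUEUE: reject` lines are connections the server refused at RCPT TO time before accepting anything, while `postfix/smtp ... status=sent` or `status=deferred` lines are the server's own delivery attempts for mail it has already queued, and only those show it sending. The script below is an added example, not the asker's or any expert's code; it applies that split to a few constructed log lines in the same layout as the excerpts (documentation IPs and example domains), and its regular expressions assume the stock Postfix log format.

```python
"""Triage a Postfix maillog: separate inbound attempts the server refused
from deliveries the server itself made or tried to make (the only lines
that show it sending mail). Added example for this thread, not the
asker's or any expert's code. The sample lines are constructed to follow
the maillog format quoted in the thread, using documentation addresses."""
import re
import sys
from collections import Counter

# Constructed sample (not the asker's real log).
SAMPLE_LOG = """\
Mar  5 09:10:33 www postfix/smtpd[14820]: connect from unknown[192.0.2.10]
Mar  5 09:10:33 www postfix/smtpd[14820]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <b7306cf@example.co.uk>: Relay access denied; from=<b7306cf@example.net> to=<b7306cf@example.co.uk> proto=ESMTP helo=<pool.example.net>
Mar  5 09:10:33 www postfix/smtpd[14820]: disconnect from unknown[192.0.2.10]
Mar  5 09:10:41 www postfix/smtpd[14857]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <0c3097a01@example.co.uk>: Relay access denied; from=<0c3097a01@example.org> to=<0c3097a01@example.co.uk> proto=ESMTP helo=<pc.example.org>
Mar  5 09:10:43 www postfix/smtpd[14820]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.7]: 550 5.1.1 <nobody@example.co.uk>: Recipient address rejected: User unknown in local recipient table; from=<postmaster@example.com> to=<nobody@example.co.uk> proto=ESMTP helo=<mail.example.com>
Mar  5 09:11:04 www postfix/smtp[12108]: 04CBBA2AAA: to=<bb363695@example.biz>, relay=none, delay=430996, delays=430966/0/30/0, dsn=4.4.1, status=deferred (connect to example.biz[203.0.113.20]:25: Connection timed out)
Mar  5 09:11:09 www postfix/smtp[12120]: 1A2B3C4D5E: to=<user@example.biz>, relay=mx.example.biz[203.0.113.25]:25, delay=1.2, delays=0.1/0/0.6/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# "Mar  5 09:10:33 www postfix/smtpd[14820]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# smtpd refusing a recipient at RCPT TO time: no queue ID, nothing accepted.
REJECT_RE = re.compile(
    r"^NOQUEUE: reject: RCPT from (?P<client>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) \S+ <(?P<rcpt>[^>]*)>: (?P<reason>[^;]+);")
# smtp (the client side of Postfix) reporting on a queued message: outbound mail.
DELIVERY_RE = re.compile(
    r"^(?P<qid>[0-9A-Za-z]{8,}): to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>\S+?), "
    r".*status=(?P<status>\w+)")


def classify(line):
    """Map one maillog line to an event dict, or None for non-Postfix lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    proc, msg = m["proc"], m["msg"]
    if proc == "smtpd":
        r = REJECT_RE.match(msg)
        if r:
            return {"kind": "inbound_rejected", "ip": r["ip"],
                    "reason": r["reason"], "rcpt": r["rcpt"]}
        return {"kind": "inbound_session"}          # connect/disconnect/warnings
    if proc == "smtp":
        d = DELIVERY_RE.match(msg)
        if d:
            return {"kind": "outbound_" + d["status"], "qid": d["qid"],
                    "rcpt": d["rcpt"], "relay": d["relay"]}
        return {"kind": "outbound_other"}           # e.g. connection timeouts
    return {"kind": "other_" + proc}


def triage(log_text):
    """Count event kinds, reject reasons and rejecting clients; collect the
    queue IDs of mail the server itself tried to deliver."""
    summary = {"kinds": Counter(), "reject_reasons": Counter(),
               "rejecting_ips": Counter(), "outbound_qids": set()}
    for line in log_text.splitlines():
        ev = classify(line)
        if ev is None:
            continue
        summary["kinds"][ev["kind"]] += 1
        if ev["kind"] == "inbound_rejected":
            summary["reject_reasons"][ev["reason"]] += 1
            summary["rejecting_ips"][ev["ip"]] += 1
        elif "qid" in ev:
            summary["outbound_qids"].add(ev["qid"])
    return summary


def is_sending_outbound(summary):
    """True only if the log shows queued messages the server tried to deliver."""
    return bool(summary["outbound_qids"])


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    s = triage(text)
    for kind, n in s["kinds"].most_common():
        print("%-20s %d" % (kind, n))
    print("top rejected clients:", s["rejecting_ips"].most_common(5))
    print("queue IDs of outbound mail:", sorted(s["outbound_qids"]))
```

Run it with a log file as the only argument. The relay-denied rejects are noise from other people's machines and cost nothing beyond connection slots; the lines to investigate are the `outbound_*` ones, because each queue ID there is a message the server accepted (on a forwarding MX, typically through a catch-all that then relays the spam onwards) and is now trying to deliver under its own IP reputation. `postqueue -p` lists what is still waiting.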

SOLUTION
skullnobrains

I assume this server is not the MX of any domain

what are the clients that are actually allowed to connect to this system over port 25?

first thing is to only allow these, either in the firewall or in postfix. it looks like you allowed relay to a list of domains through your server regardless of the origin of the connection.
if the server should not be sending any emails at all, why have postfix running?
The server is an MX for receiving and forwarding mail.  It looks like a couple of my postfix catch-all rules have been getting abused.

I've no idea why someone would want to spam a domain a million times.  But that's what's been happening.
Hackers and spammers search the web for open relays and try every trick in the book to attempt to get their message out to the real world. If your system is seen as an open relay, then if an attacker is able to use your system for said relay, it would be you that gets blamed for allowing the message to be sent out, even if your system is deemed compromised.
SOLUTION
a couple of my postfix catch all rules

what are you talking about?
ASKER CERTIFIED SOLUTION
Dear,
Can you send ALL smtpd_*_restrictions from the main.cf file?
Master.cf does little for access control. Probably you can remove it. Reinstall postfix and the defaults will suit you well.
@gheist : restrictions can be set in either file.
actually, I consider it best practice to enforce these restrictions in master when you have multiple smtpd services possibly linked with multiple cleanup services, which is the case when you run content filters such as amavis(d-new)
can you let me know what the commands are to get the info you need?
less /etc/postfix/main.cf

/_restrictions[=\ ]

copy-paste the whole variable...
# list restrictions in main
postconf | grep restrictions
# list restrictions in master
postconf -M | grep restrictions


[root@www ~]# postconf | grep restrictions
smtpd_client_restrictions =
smtpd_data_restrictions =
smtpd_end_of_data_restrictions =
smtpd_etrn_restrictions =
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_sender_restrictions =




There are no restrictions set:
[root@www ~]# postconf -m | grep restrictions
[root@www ~]#


I've had a play around with fail2ban and it's got the spam issue under control.  However, looking in my iptables list, all the IP addresses it's blocked (and there are now hundreds) are on DNSBL.

This question was originally aimed at finding out if my server was spamming people.  It looks like it's not.  So I should really close the question and open a new one for setting up DNSBL

https://www.experts-exchange.com/questions/28379551/CentOS-Block-spammer.html


Many thanks for your time
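The `postconf` output pasted above is the evidence that settles the open-relay part of the question, and it can be checked mechanically: relaying for an untrusted client is stopped only when `reject_unauth_destination` (or `defer_unauth_destination`) is reached, so what matters is whether that restriction is present and whether anything evaluated before it can answer OK for a stranger. The script below is an added example, not the asker's or any expert's code. It parses the asker's pasted output as-is, and contrasts it with a constructed weak configuration in which a policy service sits ahead of the relay check, which is exactly the ordering mistake that turns a greylisting daemon into a relay permit once it knows a sender. One note on the commands above: `postconf -M`, which lists master.cf overrides, exists only in Postfix 2.9 and later, and `postconf -m` lists lookup table types, so on a CentOS 6 system (Postfix 2.6) master.cf has to be read directly for `-o smtpd_*_restrictions=` lines, which this script does not do.

```python
"""Audit Postfix smtpd restrictions, as pasted from `postconf`, for the
open-relay question raised in this thread: is there a rule that stops
relaying for untrusted clients, and can anything ahead of it answer OK
for a stranger? Added example for this thread, not the asker's or any
expert's code. The first sample is the asker's pasted output; the second
is a constructed weak configuration for contrast."""

ASKER_POSTCONF = """\
smtpd_client_restrictions =
smtpd_data_restrictions =
smtpd_end_of_data_restrictions =
smtpd_etrn_restrictions =
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_sender_restrictions =
"""

# Constructed: a policy service consulted before the relay check. A policy
# daemon that answers OK (a greylist does, once it knows a triplet) ends the
# evaluation with a permit, and reject_unauth_destination is never reached.
WEAK_POSTCONF = """\
smtpd_recipient_restrictions = permit_mynetworks, check_policy_service unix:private/policy, reject_unauth_destination
"""

# Restrictions that stop relaying for clients nothing earlier has permitted.
RELAY_STOPPERS = {"reject_unauth_destination", "defer_unauth_destination",
                  "reject", "defer"}


def parse_postconf(text):
    """Turn 'name = value' lines into a dict (empty values included)."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and not name.startswith("#"):
            params[name.strip()] = value.strip()
    return params


def restriction_names(value):
    """Restriction names in evaluation order. Arguments (a lookup table such
    as unix:private/policy, a DNSBL such as zen.spamhaus.org) are dropped;
    restriction names never contain ':' or '.'."""
    return [t for t in value.replace(",", " ").split()
            if ":" not in t and "." not in t]


def may_permit_stranger(name):
    """Restrictions that can return OK for a client we have not trusted:
    a bare 'permit', any check_* table or policy lookup, DNS whitelists."""
    return (name == "permit" or name.startswith("check_")
            or name.startswith("permit_dnswl") or name == "permit_mx_backup")


def audit_relay_policy(params):
    findings = []
    # Postfix 2.10+ moved the relay policy to smtpd_relay_restrictions; each
    # list is evaluated on its own, so that list (when present) decides relaying.
    param = "smtpd_relay_restrictions"
    names = restriction_names(params.get(param, ""))
    if not names:
        param = "smtpd_recipient_restrictions"
        names = restriction_names(params.get(param, ""))
    if not names:
        findings.append("OPEN RELAY RISK: no smtpd relay policy found in this postconf output")
    else:
        for n in names:
            if n in RELAY_STOPPERS:
                break                     # relaying stops here for untrusted clients
            if may_permit_stranger(n):
                findings.append("WARNING: %s: '%s' is evaluated before the relay "
                                "check; an OK result there lets that client relay" % (param, n))
        else:
            findings.append("OPEN RELAY RISK: %s never rejects unauthorized destinations" % param)
    mynetworks = params.get("mynetworks", "")
    if "0.0.0.0/0" in mynetworks or "::/0" in mynetworks:
        findings.append("OPEN RELAY RISK: mynetworks trusts the whole Internet, so permit_mynetworks permits everyone")
    if params.get("luser_relay"):
        findings.append("NOTE: luser_relay is set, so mail to any unknown local part "
                        "is accepted and forwarded (a catch-all)")
    return findings


if __name__ == "__main__":
    for label, text in (("asker", ASKER_POSTCONF), ("constructed weak", WEAK_POSTCONF)):
        print(label, "->", audit_relay_policy(parse_postconf(text)) or ["no relay findings"])
```

For the asker's output the audit returns nothing: `permit_mynetworks` only trusts the configured networks and `reject_unauth_destination` follows immediately, which matches the `Relay access denied` rejects in the log. The pasted output therefore supports the later conclusion that the server is not an open relay; what a catch-all forwarder still does is accept and re-send mail for the domains it is authorized for, which is a separate problem from relaying.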
DNSBL product for postfix is called postgrey.

Your problem is that you accept all mail and don't filter it much, so you still have an open relay with fail2ban and greylisting in place
postgrey is a greylisting product that happens to also do dnsbl. applying aggressive greylisting to blacklisted ips is quite a good way to handle spam while limiting false positive rates

postfix also has built-in support for dnsbl by adding the following to your *_restrictions
reject_rbl_client sbl.spamhaus.org



I'd recommend the combination of postscreen and either policyd-weight or postgrey

postscreen information can be found here (quite a lot to read)
http://www.postfix.org/POSTSCREEN_README.html

configure either of the above policy services (or yet another one) like this:

in /etc/postfix/master.cf:

add a line to spawn your filter when postfix needs it (always)
policy  unix  -       n       n       -       0       spawn
  user=nobody argv=/some/where/policy-server



modify your smtpd line by adding the following arguments:
  -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination,check_policy_service,unix:private/policy
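The `check_policy_service unix:private/policy` entry above hands each RCPT TO decision to the program that the `spawn` line starts, over a simple line-based protocol: Postfix writes `name=value` attribute lines terminated by an empty line, and the policy server answers `action=...` followed by an empty line. The program below is an added example, not the thread's or postgrey's code, showing both sides of that exchange with a greylisting decision of the kind postgrey makes. The `Greylist` class, its in-memory triplet table and the 300-second delay are constructed for illustration; because `spawn` starts a fresh process per connection, a real deployment keeps the triplet state in shared storage (postgrey uses a database), and the injected clock exists so the delay can be exercised without waiting.

```python
#!/usr/bin/env python3
"""A minimal Postfix SMTP access policy server speaking the protocol that
check_policy_service uses, in the greylisting style of postgrey. Added
example for this thread, not the thread's or postgrey's code: the
Greylist class, its in-memory state and the 300-second delay are
constructed for illustration; under master.cf 'spawn' each connection
gets a fresh process, so real deployments persist the triplet state."""
import io
import sys
import time


def parse_policy_request(text):
    """Postfix sends 'name=value' lines terminated by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def format_response(action):
    """The reply is a single 'action=' line followed by an empty line."""
    return "action=%s\n\n" % action


class Greylist:
    """Defer the first delivery attempt of an unseen (client, sender, recipient)
    triplet; spam cannons rarely retry, real MTAs do."""

    def __init__(self, delay_seconds=300, clock=time.time):
        self.delay = delay_seconds
        self.clock = clock
        self.first_seen = {}   # triplet -> time of first attempt (constructed, in-memory)

    def decide(self, attrs):
        if (attrs.get("request") != "smtpd_access_policy"
                or attrs.get("protocol_state") != "RCPT"):
            return "DUNNO"     # not our decision; later restrictions still apply
        triplet = (attrs.get("client_address", ""),
                   attrs.get("sender", "").lower(),
                   attrs.get("recipient", "").lower())
        now = self.clock()
        first = self.first_seen.setdefault(triplet, now)
        if now - first < self.delay:
            # DEFER_IF_PERMIT: a 450 only if no later restriction rejects outright,
            # so a reject_unauth_destination placed after us still wins.
            return "DEFER_IF_PERMIT Greylisted, please retry later"
        return "DUNNO"


def serve(instream, outstream, policy):
    """Answer requests until EOF; returns how many were answered."""
    pending, answered = [], 0
    for raw in instream:
        line = raw.rstrip("\n")
        if line:
            pending.append(line)
            continue
        if pending:                      # empty line: one request is complete
            attrs = parse_policy_request("\n".join(pending))
            pending = []
            outstream.write(format_response(policy.decide(attrs)))
            outstream.flush()
            answered += 1
    return answered


def run_script(requests_text, policy):
    """Feed a captured request stream to the policy and return the reply stream."""
    out = io.StringIO()
    serve(io.StringIO(requests_text), out, policy)
    return out.getvalue()


# Constructed request, in the attribute format Postfix sends at RCPT time.
SAMPLE_REQUEST = ("request=smtpd_access_policy\n"
                  "protocol_state=RCPT\n"
                  "protocol_name=ESMTP\n"
                  "client_address=192.0.2.10\n"
                  "client_name=unknown\n"
                  "helo_name=pc.example.org\n"
                  "sender=b7306cf@example.net\n"
                  "recipient=b7306cf@example.co.uk\n"
                  "\n")

if __name__ == "__main__":
    # Under master.cf 'spawn', Postfix talks to us over stdin/stdout.
    serve(sys.stdin, sys.stdout, Greylist())
```

The answer for an unknown triplet is `DEFER_IF_PERMIT` rather than a hard `450` or `REJECT` on purpose: it only turns into a temporary failure if nothing later in the restriction list rejects the recipient, so the relay check keeps the final word over anything the policy service says, and the ordering shown in the `-o` line above (relay check first, policy service after) is what prevents a permissive policy answer from ever being taken as permission to relay.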
