AceT
asked on
postfix: How to create a hash for authorized_submit_users? (blocking spam from hacked account)
Hi,
A Wordpress site of a client got hacked and abused the server for spamming.
To prevent this in the future I created a script scanning for (an abundance of):
Oct 24 01:32:54 s01 postfix/pickup[23536]: ABC123: uid=1234 from=<different.mail@address.es>
The trigger is the UID. When there are too many I want to block that account from sending mail. I searched the internet and thought it is best to use the postfix authorized_submit_users setting.
I have found that this should work:
authorized_submit_users = !1234, static:all
But I want to automate this and don't want to dynamically alter the main.cf, for that I could use a hash:
after:
- creating file: /etc/postfix/sendmailAllowedUsers
- adding to main.cf: authorized_submit_users = hash:/etc/postfix/sendmailAllowedUsers
- executing command: postfix reload
- executing command: postmap /etc/postfix/sendmailAllowedUsers
It all should work.. BUT what to put inside that hash file?
I don't have the luxury to fumble around as it is a live server and don't have a comparable test server
I am guessing something like this:
# blocked users
1234
# allowed users
static:all
.. but if someone could tell me the right answer that would be great!
Also, can I append the "static:all" to the hash (that way I only have to enter the UIDs in the hash file)? Like so:
authorized_submit_users = hash:/etc/postfix/sendmailAllowedUsers, static:all
ASKER
@arnold,
OK, so if I understand you correctly the file should contain:
1234:deny
5678:deny
And can I do?:
authorized_submit_users = hash:/etc/postfix/sendmailAllowedUsers, static:all
(I have read that the "static:all" means "accept the rest")
That way, if something goes wrong in that file the rest will still work (that's the idea)
What could go wrong with the file? Do you need to dynamically update the list of authorized submitters?
You need to test whether it is deny or reject.
And whether it will work with a hash and ..........
ASKER
I have tried to use this file (and "postmapped" it of course):
# BLOCKED
3129:block # hacked client
# The rest is OK
static:anyone # rest OK
Resulting in not able to use sendmail for any client:
Nov 16 17:19:16 s01 postfix/sendmail[5449]: fatal: User userabc(1234) is not allowed to submit mail
I have tried (with and without comment # ):
static:all
static:anyone
static all
static anyone
None of them work, suggestions are welcome
ASKER
I have read that 'user OK' is the format for the hash. I have tried
Authorized_submit_user=!hash:/etc/postfix/disallowed_user,static:all
with "user" and "user OK"
Also:
Authorized_submit_user=hash:/etc/postfix/disallowed_user,static:all
with "user FAIL" and "user REJECT" "user !OK"
But all with no success. Everything goes through, no exceptions.
I'd really like to use a small list for rejecting and a default "static:all" for the rest.
I am now fearing that I will need to generate a (large) list of everyone that is OK and failing the rest.. can you see a solution?
ASKER
Arnold pointed me in the right direction, but I entered the complete solution for future reference (I gave all the points to arnold)
Ref http://www.postfix.org/postconf.5.html for the variable.
User:allow
User2:deny
Some !pattern
You should run postmap before reloading postfix.
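
The log scan described in the question, as an added example (not the asker's script and not part of the thread): it counts postfix/pickup submissions per UID in the quoted line format and renders lookup-table rows for accounts over a threshold. The sample log, the threshold, the `blocked` value and the UID-to-name mapping are constructed; rows are keyed by login name on the assumption, taken from postconf(5), that authorized_submit_users matches user names and ignores the lookup result.

```python
import re
from collections import Counter

# Constructed sample in the pickup format quoted in the question (not real data).
SAMPLE_LOG = """\
Oct 24 01:32:54 s01 postfix/pickup[23536]: ABC123: uid=1234 from=<one@example.es>
Oct 24 01:32:55 s01 postfix/pickup[23536]: ABC124: uid=1234 from=<two@example.es>
Oct 24 01:32:55 s01 postfix/smtp[23540]: ABC123: to=<x@example.org>, status=sent
Oct 24 01:32:56 s01 postfix/pickup[23536]: ABC125: uid=1234 from=<three@example.es>
Oct 24 01:32:57 s01 postfix/pickup[23536]: ABC126: uid=5678 from=<shop@example.es>
Oct 24 01:32:58 s01 postfix/pickup[23536]: ABC127: uid=1234 from=<four@example.es>
"""

PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: \w+: uid=(\d+) from=<([^>]*)>")


def count_submissions(lines):
    """Return (messages per UID, distinct envelope senders per UID)."""
    counts, senders = Counter(), {}
    for line in lines:
        m = PICKUP_RE.search(line)
        if m:
            uid = int(m.group(1))
            counts[uid] += 1
            senders.setdefault(uid, set()).add(m.group(2).lower())
    return counts, senders


def flag_uids(counts, threshold, exempt=frozenset({0})):
    """UIDs with more than `threshold` local submissions, skipping exempt ones."""
    return sorted(u for u, n in counts.items() if n > threshold and u not in exempt)


def render_table(uids, resolve):
    """Lookup-table text, one 'login-name value' pair per flagged account.

    `resolve` maps a UID to a login name or None; on a live host
    something like `lambda u: pwd.getpwuid(u).pw_name` (assumption).
    """
    rows = []
    for uid in uids:
        name = resolve(uid)
        if name:  # a UID with no passwd entry has no login name to key on
            rows.append(f"{name}\tblocked\n")
    return "".join(rows)


if __name__ == "__main__":
    counts, _ = count_submissions(SAMPLE_LOG.splitlines())
    print(render_table(flag_uids(counts, threshold=3), {1234: "userabc"}.get), end="")
```

The rendered text is what would be written to the table file before running postmap on it.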