postfix: How to create a hash for authorized_submit_users? (blocking spam from hacked account)

Hi,

A WordPress site of a client got hacked and abused the server for spamming.

To prevent this in the future I created a script scanning for (an abundance of):

Oct 24 01:32:54 s01 postfix/pickup[23536]: ABC123: uid=1234 from=<different.mail@address.es>

The trigger is the UID. When there are too many I want to block that account from sending mail. I searched the internet and thought it is best to use the postfix authorized_submit_users setting.

I have found that this should work:

authorized_submit_users = !1234, static:all

But I want to automate this and don't want to dynamically alter the main.cf, for that I could use a hash:

after:
- creating file: /etc/postfix/sendmailAllowedUsers
- adding to main.cf: authorized_submit_users = hash:/etc/postfix/sendmailAllowedUsers
- executing command: postfix reload
- executing command: postmap /etc/postfix/sendmailAllowedUsers

It all should work... BUT what to put inside that hash file?

I don't have the luxury to fumble around as it is a live server and don't have a comparable test server

I am guessing something like this:

# blocked users
1234
# allowed users
static:all

.. but if someone could tell me the right answer that would be great!

Also, can I append the "static:all" to the hash (that way I only have to enter the UIDs to the hash file)? Like so?

authorized_submit_users = hash:/etc/postfix/sendmailAllowedUsers, static:all
AceT Asked:

arnold Commented:
Sendmailauthorizedusers you need only add the users authorized.

Ref http://www.postfix.org/postconf.5.html
for the variable.
User:allow
User2:deny
Some !pattern
You should run postmap before reloading postfix.
AceT Author Commented:
@arnold,

OK, so if I understand you correctly the file should contain:
1234:deny
5678:deny

And Can I do?:
authorized_submit_users = hash:/etc/postfix/sendmailAllowedUsers, static:all

(I have read that the "static:all" means "accept the rest")

That way, if something goes wrong in that file the rest will still work (that's the idea)
arnold Commented:
What could go wrong with the file? Do you need to dynamically update the list of authorized submitters?

You need to test whether it is deny or reject.

And whether it will work with a hash and ..........
AceT Author Commented:
I have tried to use this file (and "postmapped" it of course):
# BLOCKED
3129:block	# hacked client
# The rest is OK
static:anyone	# rest OK


Resulting in not able to use sendmail for any client:
Nov 16 17:19:16 s01 postfix/sendmail[5449]: fatal: User userabc(1234) is not allowed to submit mail

I have tried (with and without comment # ):
static:all
static:anyone
static all
static anyone

None of them work, suggestions are welcome
arnold Commented:
Try the following allow user1 deny user2 allow all others.
User1
!user2
Static:all

Testing using a query test on the hash might reveal whether it would work.

Another possible option is to use two hash
authorized_submit_users = !hash:/etc/postfix/disallowed_users, hash:/etc/postfix/allowedusers, static:all

Each list will have the username per line
The distinction will be based on the list in which the user is in.
AceT Author Commented:
I have read that 'user OK' is the format for the hash. I have tried

authorized_submit_users = !hash:/etc/postfix/disallowed_user, static:all
with "user" and "user OK"

Also:
authorized_submit_users = hash:/etc/postfix/disallowed_user, static:all
with "user FAIL" and "user REJECT" "user !OK"

But all with no success. Everything goes through, no exceptions

I'd really like to use a small list for rejecting and a default "static:all" for the rest.

I am now fearing that I will need to generate a (large) list of everyone that is OK and failing the rest.. can you see a solution?
AceT Author Commented:
GOT IT!

solution:

authorized_submit_users = !hash:/etc/postfix/disallowed_users, static:all

With, in the file /etc/postfix/disallowed_users:
username1 # domain
username2 # domain

The comment is handy to prevent remarks from the postmap command (it expects key[space/tab]value)

I used the userID  (which is a number) and not the username!

AceT Author Commented:
Arnold pointed me in the right direction, but I entered the complete solution for future reference (I gave all the points to arnold)
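
The automation the thread is after, as an added example that is not code from either poster: it counts postfix/pickup lines per uid and, for each uid over a threshold, prints a key/value line for /etc/postfix/disallowed_users. The function names, the sample log, the passwd-file lookup and the log path are assumptions; the key written is the login name for the uid, which is what postconf(5) says the list is matched against.

```shell
#!/bin/sh
# Constructed sample in the log format quoted in the question (not real data).
SAMPLE_LOG='Oct 24 01:32:54 s01 postfix/pickup[23536]: ABC123: uid=1234 from=<a@example.es>
Oct 24 01:32:55 s01 postfix/pickup[23536]: ABC124: uid=1234 from=<b@example.es>
Oct 24 01:32:56 s01 postfix/pickup[23536]: ABC125: uid=1234 from=<c@example.es>
Oct 24 01:32:57 s01 postfix/pickup[23536]: ABC126: uid=1234 from=<d@example.es>
Oct 24 01:40:00 s01 postfix/pickup[23536]: ABC127: uid=5678 from=<info@example.org>
Oct 24 01:40:01 s01 postfix/qmgr[801]: ABC127: removed'

# count_pickup_uids THRESHOLD  (log on stdin)
# Prints "uid count" for each uid with more than THRESHOLD pickup lines.
count_pickup_uids() {
    awk -v max="$1" '
        $5 ~ /^postfix\/pickup\[/ {
            for (i = 6; i <= NF; i++)
                if ($i ~ /^uid=[0-9]+$/) { n[substr($i, 5)]++; break }
        }
        END { for (u in n) if (n[u] > max) print u, n[u] }
    ' | sort -n
}

# login_for_uid UID [PASSWD_FILE]
# Local passwd lookup only; with LDAP/NSS accounts use "getent passwd" instead.
login_for_uid() {
    awk -F: -v u="$1" '$3 == u { print $1; exit }' "${2:-/etc/passwd}"
}

# blocklist_from_log THRESHOLD [PASSWD_FILE]  (log on stdin)
# Prints key<TAB>value lines for the table; the value is only a note.
blocklist_from_log() {
    count_pickup_uids "$1" | while read -r uid count; do
        name=$(login_for_uid "$uid" "$2")
        if [ -n "$name" ]; then
            printf '%s\tblocked uid=%s msgs=%s\n' "$name" "$uid" "$count"
        else
            echo "uid $uid has no passwd entry, skipped" >&2
        fi
    done
}

# Typical use (log path is an assumption, table path is from the thread):
#   blocklist_from_log 100 < /var/log/mail.log > /etc/postfix/disallowed_users
#   postmap /etc/postfix/disallowed_users && postfix reload
```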