I am running a Postfix mailserver on Ubuntu 19.10 and have mynetworks set to localhost so any attempts to relay email are blocked - i.e.:
telnet emailserver.com 25
helo testing.com
mail from:<>
rcpt to:<>
554 5.7.1 <>: Relay access deniedHowever the email server has just been added to a blacklist and looking through the mail log around that time and I see lines like this:
postfix/qmgr[1887]: 9B5D41BAA34: from=<>, size=2536, nrcpt=20 (queue active)
postfix/smtp[6764]: 53FA21B94EE: to=<>, relay=mx00.kundenserver.de[212.227.15.41]:25, delay=41155, delays=41154/0.96/0.1/0, dsn=4.0.0, status=deferred (host mx00.kundenserver.de[212.227.15.41] refused to talk to me: 554-kundenserver.de (mxeue011) Nemesis ESMTP Service not available 554-No SMTP service 554-Bad DNS PTR resource record. 554
postfix/error[6700]: 9B5D41BAA34: to=<>, relay=none, delay=30007, delays=30007/0.02/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx-ha02.web.de[212.227.17.8] refused to talk to me: 554-web.de (mxweb113) Nemesis ESMTP Service not available 554-No SMTP service 554-Bad DNS PTR resource record. 554The from addresses are all different and not users that exist on the server so I can't work out what could be wrong. The mail log has been filling up with messages like the ones above since 10:29 on the 23rd December and looks normal prior to this.
So it would appear my server is sending spam but according to tests I have done relaying is denied and as the from email doesn't match any user I don't know who's login may have been compromised, if this is the issue?
Here are the relevant sections from my configuration:
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
# Restrictions
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unlisted_recipient, reject_unauth_destination
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
mydestination = localhostLooking at the mail log some more it looks like the emails may be getting relayed through my server:
Dec 23 10:56:06 rwshosting1810 postfix/qmgr[1887]: E99061B9FB8: from=<>, size=1911, nrcpt=20 (queue active)
Dec 23 10:56:07 rwshosting1810 postfix/qmgr[1887]: BDF221B9FC3: from=<>, size=2754, nrcpt=20 (queue active)
Dec 23 10:56:07 rwshosting1810 amavis[14683]: (14683-12) Passed CLEAN {RelayedInbound}, [188.162.43.235]:38411 [188.162.43.235] <> -> <>,<>,<>,<>,<>,<>,<>,<>,<>,<>,<>,<>,<>,<>,<>,<>,<>,<>,<>,<>, Queue-ID: E99061B9FB8, Message-ID: <>, mail_id: LkGzeR7_Yuv4, Hits: 1.885, size: 1911, queued_as: BDF221B9FC3, 1112 ms
Dec 23 10:57:40 rwshosting1810 postfix/smtp[12908]: C1F771B9FC6: to=<>, relay=mta.21cn.com[183.61.185.83]:25, delay=1.8, delays=0.01/0.01/1.6/0.22, dsn=5.0.0, status=bounced (host mta.21cn.com[183.61.185.83] said: 501 Syntax: MAIL FROM: <address> zm-as1 (in reply to MAIL FROM command))Looking at more of the logs it would seem that uses a range of different IP addresses in different subnets. If I then search on the IP address in the logs then I see entries like this:
Dec 23 12:52:58 rwshosting1810 postfix/submission/smtpd[16065]: connect from unknown[188.162.199.142]
Dec 23 12:52:58 rwshosting1810 postfix/submission/smtpd[16065]: lost connection after CONNECT from unknown[188.162.199.142]
Dec 23 12:52:58 rwshosting1810 postfix/submission/smtpd[16065]: disconnect from unknown[188.162.199.142] commands=0/0
Dec 23 12:52:59 rwshosting1810 amavis[21295]: (21295-07) Passed CLEAN {RelayedInbound}, [188.162.199.142]:11962 [188.162.199.142] <> -> <>,<>,<>,<>,<>,<>,<>,<>,<>,<>,<>,<>,<>,<>,<>,<>,<>,<>,<>,<>, Queue-ID: D80F51BA7EC, Message-ID: <>, mail_id: w5hrPYA4CZZC, Hits: 5.681, size: 1964, queued_as: 58BA61BA7ED, 1377 ms
Dec 23 12:53:00 rwshosting1810 postfix/submission/smtpd[14803]: warning: hostname client.yota.ru does not resolve to address 188.162.199.142: Name or service not knownThanks Robin
61 Answer
I have had the same output. Although I use SASL with saslauthd -a shadow my host was used as a spam relay. I noticed that the realm of SASL did not not comply with my real realm, that's because I had used a different hostname for my server before I took it into production. After syncing the SASL realm with the real hostname of the server, the authorization is working now.