need some urgent help
Apr 21 22:28:07 wiggins postfix/smtp[26636]: BFF6CF2401: to=<
Apr 21 22:28:07 wiggins postfix/smtp[26667]: connect to mindspring.net[209.86.62.44]:25: Connection timed out
Apr 21 22:28:07 wiggins postfix/smtp[26667]: 83C6CF263B: to=<
Apr 21 22:28:08 wiggins postfix/smtp[26679]: connect to mail.homelite.com[64.213.55.3]:25: Connection timed out
Apr 21 22:28:08 wiggins postfix/smtp[26679]: 4A150F263F: to=<
Apr 21 22:28:08 wiggins postfix/smtp[26678]: connect to forgreer.com[82.98.86.167]:25: Connection timed out
Apr 21 22:28:08 wiggins postfix/smtp[26678]: D7732F2828: to=<
Apr 21 22:28:08 wiggins postfix/smtp[26290]: connect to netants.net[70.39.99.88]:25: No route to host
Apr 21 22:28:08 wiggins postfix/smtp[26290]: 88274F281D: to=<
Apr 21 22:28:08 wiggins postfix/smtp[26694]: connect to mx3.pt.lu[195.46.255.249]:25: Connection timed out
Apr 21 22:28:08 wiggins postfix/smtp[26694]: 87C1FF2431: to=<
Apr 21 22:28:09 wiggins postfix/smtp[26652]: connect to postoffice03.mail-hub.dodo.com.au[202.136.40.236]:25: Connection timed out
I have no idea how to stop this. Is anyone willing to help me out if I pay you?
I'm sure it's a simple config thing, but I don't know enough to be able to sort it out. As you can see, my linode is getting blacklisted by everyone.
10 Replies
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = /usr/share/doc/postfix
# TLS parameters
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = synthgear.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = synthgear.com, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
message_size_limit = 30720000
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
virtual_create_maildirsize = yes
virtual_maildir_extended = yes
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
IP address is: 173.230.149.162
grep sasl /var/log/mail.log
and post the output (if any); that will show whether these are being sent remotely or locally. They look local from what you've posted so far.
Apr 22 07:06:38 wiggins postfix/smtpd[9975]: E219BD2BC: client=unknown[92.47.76.39], sasl_method=LOGIN, sasl_username=paul@xxxxxxxxxxxx
Apr 22 07:06:48 wiggins postfix/smtpd[9952]: 5CD25D2BE: client=unknown[151.16.147.99], sasl_method=LOGIN, sasl_username=paul@xxxxxxxxxxx
Apr 22 07:06:51 wiggins postfix/smtpd[9966]: C9FE8D2BF: client=m90-131-123-167.cust.tele2.se[90.131.123.167], sasl_method=LOGIN, sasl_username=paul@xxxxxxxxxxx
Apr 22 07:06:55 wiggins postfix/smtpd[10287]: 1C1DED2C0: client=unknown[112.134.219.100], sasl_method=LOGIN, sasl_username=paul@xxxxxxxxxxxxxx
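The grep above is the manual version of a check worth automating. The script below is an added example (not from the thread or from Postfix): it parses postfix/smtpd lines in the same format as the output above, counts how many distinct client addresses each sasl_username authenticates from, and flags accounts that exceed a threshold, which is the pattern visible in the posted lines. The log lines, addresses and usernames inside it are constructed for the example; the `max_distinct_ips` threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample lines in the postfix/smtpd SASL format seen in the thread.
# Addresses and usernames are documentation/example values, not real ones.
SAMPLE_LOG = """\
Apr 22 07:06:38 wiggins postfix/smtpd[9975]: E219BD2BC: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=paul@example.com
Apr 22 07:06:48 wiggins postfix/smtpd[9952]: 5CD25D2BE: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=paul@example.com
Apr 22 07:06:51 wiggins postfix/smtpd[9966]: C9FE8D2BF: client=host.example.net[203.0.113.5], sasl_method=LOGIN, sasl_username=paul@example.com
Apr 22 07:06:55 wiggins postfix/smtpd[10287]: 1C1DED2C0: client=unknown[192.0.2.99], sasl_method=LOGIN, sasl_username=paul@example.com
Apr 22 07:07:02 wiggins postfix/smtpd[10290]: 2D3EED2C1: client=laptop.example.org[203.0.113.77], sasl_method=PLAIN, sasl_username=alice@example.com
Apr 22 07:08:10 wiggins postfix/smtpd[10301]: 3E4FFD2C2: client=unknown[203.0.113.77], sasl_method=PLAIN, sasl_username=alice@example.com
"""

# One regex for a SASL-authenticated submission line; anything else is ignored.
SASL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"client=(?P<host>\S+)\[(?P<ip>[^\]]+)\], sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+)$"
)


def parse_sasl_logins(text):
    """Yield (username, client_ip, method, queue_id) for each authenticated submission."""
    for line in text.splitlines():
        m = SASL_RE.match(line)
        if m:
            yield m["user"], m["ip"], m["method"], m["qid"]


def summarize(text):
    """Map username -> {'ips': set of client addresses, 'messages': submission count}."""
    stats = defaultdict(lambda: {"ips": set(), "messages": 0})
    for user, ip, _method, _qid in parse_sasl_logins(text):
        stats[user]["ips"].add(ip)
        stats[user]["messages"] += 1
    return stats


def flag_suspicious(text, max_distinct_ips=2):
    """Usernames authenticating from more than max_distinct_ips source addresses (assumed threshold)."""
    return sorted(u for u, s in summarize(text).items() if len(s["ips"]) > max_distinct_ips)


if __name__ == "__main__":
    for user, s in summarize(SAMPLE_LOG).items():
        print(f"{user}: {s['messages']} messages from {len(s['ips'])} distinct client IPs")
    print("suspicious accounts:", flag_suspicious(SAMPLE_LOG))
```

On a real server, read /var/log/mail.log instead of SAMPLE_LOG and run it from cron; a legitimate user rarely submits mail from many unrelated networks within a minute.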
So do this:
1) Reset the password for the user paul
2) Purge your mail queue (this will delete anything pending) using sudo postsuper -d ALL
3) See if it stops
4) Find out how they got the password for the account.
This is what I tried yesterday. I use postfix/mysql, so I did this:
update users set password=encrypt("xxxxxxxx") where email="paul@xxxxxxxxxx";
then deleted the queue
it didn't seem to help. I just tried it again, perhaps I did something wrong last time.
So, as far as how this password was compromised, there really aren't too many ways this can happen, are there?
It seems unlikely that this particular password could have been brute-forced, and I've never actually logged in with this account (it automatically forwards to another email address), so I cannot imagine how someone would have found the password out, as it never gets typed in.
Does this leave a compromised VPS? Yuk.
That leaves you with things such as:
Brute force
Software bug in postfix/sasl (unlikely especially if your software's up to date)
Compromised database (someone reset the password)
Compromised VPS (worst case)
You don't allow any web scripts on your server to connect to MySQL as root, do you? That would be a great way to get in.