Debian

Why is my server (Postfix) "relaying" mail / has my server been hacked?

  • April 23, 2015

Something strange is happening on my mail server. I was sending an email to a friend, but my mail bounced because my server's IP has been blacklisted.

It looks like my server is being used to relay spam. (See the log excerpt below.)

I have checked my settings and they should not allow relaying (see below). I have also checked several online test services (all clear / they say relaying is not allowed).

Is there something I'm missing?

**Edit:** Why are non-existent users allowed to relay email (and how do I stop it)?

**Edit 2:** I tried to stop all mail, but it keeps going (I also emptied the queue):

smtpd_sender_restrictions = reject
smtpd_helo_restrictions = reject
smtpd_client_restrictions=reject
smtpd_recipient_restrictions = reject

I can't send mail, I can't receive mail, but the spam keeps going!

(I have installed all available updates)

OS: Debian 7

Software: Postfix 2.9.6-2 / 2.7.1-1+squeeze1

main.cf:

myhostname = hus42.se
myorigin = /etc/mailname
mydestination = localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

smtpd_tls_cert_file=/etc/ssl/certs/mailcert.pem
smtpd_tls_key_file=/etc/ssl/private/mail.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_security_level=may
smtpd_tls_protocols = !SSLv2, !SSLv3

local_recipient_maps = proxy:unix:passwd.byname $alias_maps

home_mailbox = Maildir/
virtual_mailbox_domains = /etc/postfix/vhosts
virtual_mailbox_base = /var/email
virtual_mailbox_maps = hash:/etc/postfix/vmaps

virtual_minimum_uid = 1000
virtual_uid_maps = hash:/etc/postfix/vuids
virtual_gid_maps = hash:/etc/postfix/vuids

master.cf: http://pastebin.com/navLmxw3

Log:

Apr 22 21:11:20 u0903576-01 postfix/qmgr[11974]: 28940B84981: from=<angela_joseph@chris.hindefjord.se>, size=1105, nrcpt=1 (queue active)
Apr 22 21:11:20 u0903576-01 postfix/pickup[11973]: 4C6D3B84970: uid=33 from=<rita_robertson@chris.hindefjord.se>
Apr 22 21:11:20 u0903576-01 postfix/qmgr[11974]: 1C241C388D2: from=<audrey_wallace@chris.hindefjord.se>, size=1045, nrcpt=1 (queue active)
Apr 22 21:11:20 u0903576-01 postfix/cleanup[11975]: 4C6D3B84970: message-id=<718f45a9d35b948e57f3c522547b3124@chris.hindefjord.se>
Apr 22 21:11:20 u0903576-01 postfix/qmgr[11974]: 1AC87C3924C: from=<lena_sutton@chris.hindefjord.se>, size=1092, nrcpt=1 (queue active)
Apr 22 21:11:20 u0903576-01 postfix/qmgr[11974]: 1326EC3945C: from=<marianne_warren@chris.hindefjord.se>, size=1107, nrcpt=1 (queue active)
Apr 22 21:11:20 u0903576-01 postfix/smtp[12089]: 1E1ADB848F8: host mailin-04.mx.aol.com[64.12.88.131] refused to talk to me: 421 4.7.1 : (DNS:NR) http://postmaster.info.aol.com/errors/421dnsnr.html
Apr 22 21:11:20 u0903576-01 postfix/smtp[12003]: 1A7EAB845C8: host mailin-04.mx.aol.com[64.12.88.131] refused to talk to me: 421 4.7.1 : (DNS:NR) http://postmaster.info.aol.com/errors/421dnsnr.html
Apr 22 21:11:20 u0903576-01 postfix/qmgr[11974]: 1952EC38CA3: from=<maryann_vega@chris.hindefjord.se>, size=1161, nrcpt=1 (queue active)
Apr 22 21:11:20 u0903576-01 postfix/smtp[12109]: 15FA3C381AC: to=<empire1012@netzero.com>, relay=mx.dca.untd.com[64.136.44.37]:25, delay=86030, delays=86029/0.18/0.68/0, dsn=4.0.0, status=deferred (host mx.dca.untd.com[64.136.44.37] refused to talk to me: 550 Access denied...1fd94df0f070717104fd505175246524d094fd5411b50525c19d09b5c121c445d4eddddd40217d5dc41930...)
Apr 22 21:11:20 u0903576-01 postfix/qmgr[11974]: 1229FC38479: from=<claire_mendoza@chris.hindefjord.se>, size=1078, nrcpt=1 (queue active)
Apr 22 21:11:20 u0903576-01 postfix/smtp[12102]: 1AB62C380D1: host mx-ha02.web.de[212.227.17.8] refused to talk to me: 554-web.de (mxweb104) Nemesis ESMTP Service not available 554-No SMTP service 554 invalid DNS PTR resource record, IP=89.221.255.50
Apr 22 21:11:20 u0903576-01 postfix/smtp[12030]: 13DDDC38032: host mx-ha02.web.de[212.227.17.8] refused to talk to me: 554-web.de (mxweb108) Nemesis ESMTP Service not available 554-No SMTP service 554 invalid DNS PTR resource record, IP=89.221.255.50
Apr 22 21:11:20 u0903576-01 postfix/qmgr[11974]: 10717C38AA0: from=<erika_jordan@chris.hindefjord.se>, size=1105, nrcpt=1 (queue active)
Apr 22 21:11:20 u0903576-01 postfix/smtp[12005]: 106F8C38229: host mailin-02.mx.aol.com[64.12.88.164] refused to talk to me: 421 4.7.1 : (DNS:NR) http://postmaster.info.aol.com/errors/421dnsnr.html
Apr 22 21:11:20 u0903576-01 postfix/qmgr[11974]: 17F2FC39469: from=<marlene_roberson@chris.hindefjord.se>, size=1136, nrcpt=1 (queue active)
Apr 22 21:11:20 u0903576-01 postfix/qmgr[11974]: 1E71DB8462E: from=<rochelle_allen@chris.hindefjord.se>, size=1100, nrcpt=1 (queue active)
Apr 22 21:11:20 u0903576-01 postfix/smtp[12002]: 008B1B84986: to=<harriet_crawford@chris.hindefjord.se>, relay=none, delay=0.33, delays=0.17/0.14/0.01/0, dsn=5.4.6, status=bounced (mail for chris.hindefjord.se loops back to myself)
Apr 22 21:11:20 u0903576-01 postfix/error[12111]: 28940B84981: to=<kuale84@yahoo.com>, relay=none, delay=422, delays=422/0.02/0/0.15, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.138.112.33] while sending RCPT TO)
Apr 22 21:11:20 u0903576-01 postfix/error[12138]: 1C241C388D2: to=<fredrahdar@yahoo.com>, relay=none, delay=60498, delays=60498/0.02/0/0.15, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.138.112.33] while sending RCPT TO)
Apr 22 21:11:20 u0903576-01 postfix/qmgr[11974]: 10D90C38F0C: from=<piotr_nowak@chris.hindefjord.se>, size=2892, nrcpt=1 (queue active)
Apr 22 21:11:20 u0903576-01 postfix/smtp[12104]: 841E6B84976: to=<keith.corona@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.71.27]:25, delay=1985, delays=1984/0.07/0.16/0.71, dsn=2.0.0, status=sent (250 2.0.0 OK 1429737080 l3si4550344lbc.147 - gsmtp)
Apr 22 21:11:20 u0903576-01 postfix/pickup[11973]: 77A24B84960: uid=33 from=<rita_robertson@chris.hindefjord.se>
Apr 22 21:11:20 u0903576-01 postfix/cleanup[12216]: 77A24B84960: message-id=<8c2ad1168a2562aaf04f0eff7cda77c4@chris.hindefjord.se>
Apr 22 21:11:20 u0903576-01 postfix/qmgr[11974]: 4C6D3B84970: from=<rita_robertson@chris.hindefjord.se>, size=1129, nrcpt=1 (queue active)
Apr 22 21:11:20 u0903576-01 postfix/smtp[12078]: 1F84FC391C6: to=<karanbatta@rediffmail.com>, relay=mx.rediffmail.rediff.akadns.net[119.252.147.10]:25, delay=18938, delays=18937/0.02/1.1/0, dsn=4.0.0, status=deferred (host mx.rediffmail.rediff.akadns.net[119.252.147.10] refused to talk to me: 553 delivery from 89.221.255.50 is rejected. The connecting IP is blocked by REDIFF, if any concerns kindly contact the system administrator at ipreputation@rediff.co.in )
Apr 22 21:11:20 u0903576-01 postfix/error[12141]: 10717C38AA0: to=<titi_boss78@yahoo.com>, relay=none, delay=56161, delays=56160/0.02/0/0.05, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.138.112.33] while sending RCPT TO)

> Something strange is happening on my mail server. I was sending an email to a friend, but my mail bounced because my server's IP has been blacklisted.

> It looks like my server is being used to relay spam. (See the log excerpt below.)

Yes.

> I have checked my settings and they should not allow relaying (see below). I have also checked several online test services (all clear / they say relaying is not allowed).

Your Postfix configuration, especially the Postfix SMTP relay and access control part, is the default. Fortunately, the default Postfix configuration is **secure enough** that you don't have to worry about being an open relay.

As joeqwerty said in his answer, your server is not an open relay. Your online tests confirm this.

> Is there something I'm missing?

When your server is sending spam, you may be swamped by a huge mail.log, because spammers tend to send email to thousands of recipients in a short time. At first you will be confused, because with that much data you don't know where the spam is coming from.

One trick for isolating a Postfix spam problem is to use `grep` to narrow things down to a single Postfix queue ID. For example, on your mail.log I would run this command:

$ grep 4C6D3B84970 mail.log
Apr 22 21:11:20 u0903576-01 postfix/pickup[11973]: 4C6D3B84970: uid=33 from=<rita_robertson@chris.hindefjord.se>
Apr 22 21:11:20 u0903576-01 postfix/cleanup[11975]: 4C6D3B84970: message-id=<718f45a9d35b948e57f3c522547b3124@chris.hindefjord.se>
Apr 22 21:11:20 u0903576-01 postfix/qmgr[11974]: 4C6D3B84970: from=<rita_robertson@chris.hindefjord.se>, size=1129, nrcpt=1 (queue active)

There you can see where the spam comes from. Clearly the user with uid 33 is the culprit. On many systems, `uid=33` is the `www-data` user. That user sends email via `sendmail`, not via `smtpd`, so your `smtpd_*_restrictions` have no effect at all. By default, Postfix trusts (allows relaying of) email submitted through the `sendmail` command.

But why would my `www-data` user be sending spam?

In many cases it is your web application that caused the spam outbreak: it tells a script to send email to thousands of recipients.

To stop the spam completely, you have to find the script and remove it. But that is not the complete solution. The correct and complete solution is to rebuild the system and restore from a known-good backup. See our canonical question How do I deal with a compromised server?

Source: https://serverfault.com/questions/684819
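The answer's point is that the two entry paths into Postfix leave different log signatures: mail submitted locally through the `sendmail` binary is logged by `postfix/pickup` with a `uid=`, while mail accepted over SMTP is logged by `postfix/smtpd` with a `client=`; only the second path is governed by `smtpd_*_restrictions`. The script below is an added example (not from the question, the answer, or the Postfix project) that generalises the single `grep` above: it counts submissions per uid on the pickup path, counts submissions per client on the smtpd path, and wraps the per-queue-ID trace. The sample log is constructed for the example, with hostnames, addresses and queue IDs that are assumptions rather than values from the page.

```shell
#!/bin/sh
# Added example: attribute queued Postfix messages to their submission path.

# Constructed sample mail.log excerpt (modelled on the question's log, not copied from it).
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Apr 22 21:11:20 host postfix/pickup[11973]: 4C6D3B84970: uid=33 from=<rita_robertson@example.test>
Apr 22 21:11:20 host postfix/cleanup[11975]: 4C6D3B84970: message-id=<aaa@example.test>
Apr 22 21:11:20 host postfix/qmgr[11974]: 4C6D3B84970: from=<rita_robertson@example.test>, size=1129, nrcpt=1 (queue active)
Apr 22 21:11:21 host postfix/pickup[11973]: 77A24B84960: uid=33 from=<rita_robertson@example.test>
Apr 22 21:11:22 host postfix/smtpd[12300]: 9A1B2C3D4E5: client=mail.example.test[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Apr 22 21:11:22 host postfix/qmgr[11974]: 9A1B2C3D4E5: from=<alice@example.test>, size=800, nrcpt=1 (queue active)
Apr 22 21:11:23 host postfix/pickup[11973]: 1B2C3D4E5F6: uid=0 from=<root@example.test>
EOF

# Messages injected via the local sendmail/pickup path, counted per uid.
# These bypass smtpd entirely, so smtpd_*_restrictions never see them.
# Output: "<uid> <count>" lines, busiest uid first.
pickup_uids() {
    grep -E 'postfix/pickup\[[0-9]+\]: [0-9A-F]+: uid=' "$1" \
      | sed -E 's/.* uid=([0-9]+) .*/\1/' \
      | sort | uniq -c \
      | sort -rn \
      | awk '{ print $2, $1 }'
}

# Messages accepted over SMTP, counted per connecting client.
# This is the path that smtpd_*_restrictions and mynetworks govern.
smtpd_clients() {
    grep -E 'postfix/smtpd\[[0-9]+\]: [0-9A-F]+: client=' "$1" \
      | sed -E 's/.*client=([^,]+).*/\1/' \
      | sort | uniq -c \
      | sort -rn \
      | awk '{ print $2, $1 }'
}

# Every log line for one queue ID: the answer's grep, wrapped as a function.
# Usage: queue_trace mail.log 4C6D3B84970
queue_trace() {
    grep -F "$2" "$1"
}

# Run stand-alone: summarise the sample log.
echo "== local submissions per uid (pickup) =="
pickup_uids "$SAMPLE_LOG"
echo "== SMTP submissions per client (smtpd) =="
smtpd_clients "$SAMPLE_LOG"
```

On the sample log the pickup summary puts uid 33 first with two submissions, which on Debian is the `www-data` account, while the only smtpd submission is an authenticated client. A real mail.log will have the same shape; once a uid dominates the pickup path, the next step is the one the answer gives, finding which web script invoked `sendmail`, and the restriction settings in the question's Edit 2 can be reverted because they were never the path in use.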