Postfix
How to prevent unauthorized mail relaying in Postfix
Our mail server appears to be being used to send spam.
- The sender of the e-mails is a real account on our server, used fraudulently.
- There are no e-mails in that account's sent history.
I would like to know if there is any way to prevent this. Any suggestions are welcome.
Postfix log:
```
May 9 22:12:21 mx postfix/submission/smtpd[1885206]: warning: hostname 201-91-101-26.customer.tdatabrasil.net.br does not resolve to address 201.91.101.26: Name or service not known
May 9 22:12:21 mx postfix/submission/smtpd[1885206]: connect from unknown[201.91.101.26]
May 9 22:12:27 mx postfix/submission/smtpd[1885206]: Anonymous TLS connection established from unknown[201.91.101.26]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
May 9 22:12:29 mx postfix/submission/smtpd[1885206]: 984BB13B35D: client=unknown[201.91.101.26], sasl_method=PLAIN, sasl_username=user@my-domain.net
May 9 22:12:31 mx postfix/sender-cleanup/cleanup[1892316]: 984BB13B35D: replace: header MIME-Version: 1.0 from unknown[201.91.101.26]; from=<user@my-domain.net> to=<****@yahoo.com.br> proto=ESMTP helo=<EHZDDZCUEY0FN7B75U0HKZOH1JP2P2UI>: Mime-Version: 1.0
May 9 22:12:32 mx postfix/qmgr[944]: 984BB13B35D: from=<user@my-domain.net>, size=18836, nrcpt=1 (queue active)
May 9 22:12:32 mx postfix/smtp[1892491]: 984BB13B35D: to=<****@yahoo.com.br>, relay=smtp.****.****.com[192.***.***.***]:587, delay=3.9, delays=3.6/0.01/0.13/0.13, dsn=2.0.0, status=sent (250 Ok)
May 9 22:12:32 mx postfix/qmgr[944]: 984BB13B35D: removed
May 9 22:12:35 mx postfix/submission/smtpd[1885206]: E344C13B35D: client=unknown[201.91.101.26], sasl_method=PLAIN, sasl_username=user@my-domain.net
```
```
# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_min_user = yes
anvil_rate_time_unit = 60s
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 7200s
compatibility_level = 2
default_process_limit = 5000
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/maps/header_checks.pcre
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 20000000000
maximal_backoff_time = 7200s
maximal_queue_lifetime = 7200s
message_size_limit = 52428800
milter_default_action = accept
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_protocol = 6
minimal_backoff_time = 1600s
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = my-domain.net
myhostname = mx.my-domain.net
mynetworks = 127.0.0.0/8 [::1]/128 [fe80::]/64 192.168.18.0/24 10.102.0.0/16 172.18.0.0/16 10.102.0.0/16
non_smtpd_milters = inet:127.0.0.1:11332
policyd-spf_time_limit = 3600
postscreen_bare_newline_action = enforce
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*3 bl.mailspike.net b.barracudacentral.org*2 bl.spameatingmonkey.net dnsbl.sorbs.net psbl.surriel.com list.dnswl.org=127.0.[0..255].0*-2 list.dnswl.org=127.0.[0..255].1*-3 list.dnswl.org=127.0.[0..255].[2..3]*-4
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = enforce
queue_run_delay = 200s
readme_directory = no
recipient_delimiter = +
relayhost = [smtp.****.****.com]:587
sender_dependent_relayhost_maps = texthash:/etc/postfix/relayhost_map
smtp_destination_concurrency_limit = 10
smtp_discard_ehlo_keywords = size
smtp_header_checks = pcre:/etc/postfix/maps/sender_header_filter.pcre
smtp_initial_destination_concurrency = 2
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = texthash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sender_dependent_authentication = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP
smtpd_client_message_rate_limit = 100
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/etc/postfix/client_access.map, reject_unknown_reverse_client_hostname
smtpd_delay_reject = yes
smtpd_error_sleep_time = 1s
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_helo_restrictions = check_helo_access pcre:/etc/postfix/helo_access.map permit_mynetworks permit_sasl_authenticated reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_milters = inet:127.0.0.1:11332
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, check_policy_service inet:localhost:65265, reject_rbl_client zen.spamhaus.org
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf mysql:/etc/postfix/mysql-virtual-alias-maps.cf mysql:/etc/postfix/mysql-virtual-sender-maps.cf
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch, check_sender_access hash:/etc/postfix/sender_access.map, reject_non_fqdn_sender, reject_sender_login_mismatch
smtpd_soft_error_limit = 10
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_auth_only = yes
smtpd_tls_chain_files = /etc/postfix/ssl/key /etc/postfix/ssl/cert
smtpd_tls_dh1024_param_file = /etc/postfix/dhparams.pem
smtpd_tls_exclude_ciphers = aNULL, SEED, CAMELLIA, RSA+AES
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_security_level = may
smtputf8_enable = no
strict_mailbox_ownership = no
tls_high_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_preempt_cipherlist = yes
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
tls_ssl_options = NO_COMPRESSION, NO_RENEGOTIATION
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_limit = 20000000000
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = lmtp:inet:localhost:24
```
```
# postconf -M
smtp       inet  n       -       n       -       1       postscreen
smtpd      pass  -       -       n       -       -       smtpd
tlsproxy   unix  -       -       n       -       0       tlsproxy
dnsblog    unix  -       -       n       -       0       dnsblog
submission inet  n       -       -       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o smtpd_reject_unlisted_recipient=no
    -o smtpd_sasl_authenticated_header=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unknown_reverse_client_hostname,reject
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
    -o cleanup_service_name=sender-cleanup
smtps      inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o smtpd_reject_unlisted_recipient=no
    -o smtpd_sasl_authenticated_header=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unknown_reverse_client_hostname,reject
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
    -o cleanup_service_name=sender-cleanup
pickup     fifo  n       -       y       60      1       pickup
    -o content_filter=
    -o receive_override_options=no_header_body_checks
cleanup    unix  n       -       y       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       y       1000?   1       tlsmgr
rewrite    unix  -       -       y       -       -       trivial-rewrite
bounce     unix  -       -       y       -       0       bounce
defer      unix  -       -       y       -       0       bounce
trace      unix  -       -       y       -       0       bounce
verify     unix  -       -       y       -       1       verify
flush      unix  n       -       y       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       y       -       -       smtp
relay      unix  -       -       y       -       -       smtp
showq      unix  n       -       y       -       -       showq
error      unix  -       -       y       -       -       error
retry      unix  -       -       y       -       -       error
discard    unix  -       -       y       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       y       -       1       anvil
scache     unix  -       -       y       -       1       scache
maildrop   unix  -       n       n       -       -       pipe
    flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp       unix  -       n       n       -       -       pipe
    flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail     unix  -       n       n       -       -       pipe
    flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp      unix  -       n       n       -       -       pipe
    flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n       n       -       2       pipe
    flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman    unix  -       n       n       -       -       pipe
    flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
sender-cleanup unix n    -       -       -       0       cleanup
    -o syslog_name=postfix/sender-cleanup
    -o header_checks=pcre:/etc/postfix/maps/sender_header_filter.pcre
policyd-spf unix -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf
smtp-amavis unix -       -       n       -       2       smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
    -o smtp_tls_security_level=none
127.0.0.1:10025 inet n   -       n       -       -       smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
    -o smtp_tls_security_level=none
slowrelay  unix  -       -       n       -       2       smtp
    -o smtp_mx_session_limit=5
gmail-smtp unix  -       -       n       -       1       smtp
    -o syslog_name=postfix/gmail
    -o smtp_destination_concurrency_limit=1
    -o smtp_destination_recipient_limit=1
    -o anvil_rate_time_unit=60s
    -o smtpd_client_message_rate_limit=100
docomo-smtp unix -       -       n       -       1       smtp
    -o smtp_destination_concurrency_limit=1
    -o smtp_destination_recipient_limit=1
    -o anvil_rate_time_unit=60s
    -o smtpd_client_message_rate_limit=100
au-smtp    unix  -       -       n       -       1       smtp
    -o smtp_destination_concurrency_limit=1
    -o smtp_destination_recipient_limit=1
    -o anvil_rate_time_unit=60s
    -o smtpd_client_message_rate_limit=100
softbank-smtp unix -     -       n       -       1       smtp
    -o smtp_destination_concurrency_limit=1
    -o smtp_destination_recipient_limit=1
    -o anvil_rate_time_unit=60s
    -o smtpd_client_message_rate_limit=100
ymobile-smtp unix -      -       n       -       1       smtp
    -o smtp_destination_concurrency_limit=1
    -o smtp_destination_recipient_limit=1
    -o anvil_rate_time_unit=60s
    -o smtpd_client_message_rate_limit=100
icloud-smtp unix -       -       n       -       1       smtp
    -o smtp_destination_concurrency_limit=1
    -o smtp_destination_recipient_limit=1
    -o anvil_rate_time_unit=30s
    -o smtpd_client_message_rate_limit=5
ms-smtp    unix  -       -       n       -       1       smtp
    -o smtp_destination_concurrency_limit=1
    -o smtp_destination_recipient_limit=1
    -o anvil_rate_time_unit=30s
    -o smtpd_client_message_rate_limit=5
```
As another answer has already correctly concluded, a malicious party obtained the password of an account on your server. Presumably it was too weak. Or the user of that account picked up malware that stole the saved password from their e-mail client's storage.

I strongly recommend doing the following to counter this:

- Use fail2ban to monitor the Postfix logs and block brute-force attempts. That way you reduce the chance of a dictionary-like password being cracked.
- Use postfwd2 or any other capable Postfix policy daemon to limit the number of messages each user can send. For example, if a typical user sends no more than 200 messages per day and no more than 50 per hour, set those as the limits, and the scope for abusing your service will be bounded. Even if an account is hacked, they cannot exceed those limits. As a bonus, you will be notified of a problem early, because users will complain that they suddenly hit the limit, or because you will be able to watch the policy daemon's log file.

And an additional suggestion.

```
mynetworks = 127.0.0.0/8 [::1]/128 [fe80::]/64 192.168.18.0/24 10.102.0.0/16 172.18.0.0/16 10.102.0.0/16
```

This is bad. The best mynetworks is just localhost, and even that is debatable. It would be best to remove everything, keep only 127.0.0.1 and [::1], and force everyone else to authenticate. That will make things much more manageable.
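The per-user volume check the answer recommends (a policy daemon such as postfwd2 enforcing something like 50 messages/hour and 200/day) can be rehearsed offline against the exact `client=... sasl_method=PLAIN, sasl_username=...` lines the question's `postfix/submission/smtpd` logs produce, both to pick sane limits from historical logs and to find the account that is currently being abused. The script below is an added example and is not code from the question, the answer, Postfix or postfwd2; it performs a retrospective audit over log text rather than live SMTP-time enforcement. The sample log is constructed from the question's line format (the 203.0.113.7 and 198.51.100.4 clients, the queue IDs and the `alice@` account are made up), and `audit`, `parse_submissions` and `peak_in_window` are illustrative names.

```python
"""Spot authenticated-submission volume spikes in Postfix logs (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log, modelled on the question's submission/smtpd lines.
# The "connect from" line is there to show that non-submission lines are skipped.
SAMPLE_LOG = """\
May 9 22:12:21 mx postfix/submission/smtpd[1885206]: connect from unknown[201.91.101.26]
May 9 22:12:29 mx postfix/submission/smtpd[1885206]: 984BB13B35D: client=unknown[201.91.101.26], sasl_method=PLAIN, sasl_username=user@my-domain.net
May 9 22:12:35 mx postfix/submission/smtpd[1885206]: E344C13B35D: client=unknown[201.91.101.26], sasl_method=PLAIN, sasl_username=user@my-domain.net
May 9 22:13:02 mx postfix/submission/smtpd[1885206]: 1A2B3C4D5E6: client=unknown[201.91.101.26], sasl_method=PLAIN, sasl_username=user@my-domain.net
May 9 22:40:11 mx postfix/submission/smtpd[1885301]: 0F1E2D3C4B5: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=user@my-domain.net
May 9 22:41:50 mx postfix/submission/smtpd[1885302]: 5F6E7D8C9B0: client=host.example.net[198.51.100.4], sasl_method=PLAIN, sasl_username=alice@my-domain.net
"""

# smtpd logs exactly one line per accepted message that carries both the queue ID
# and the SASL username; that is the line worth counting. The syslog_name may or
# may not contain a service component (postfix/submission/smtpd vs postfix/smtpd).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"postfix/(?:\S+/)?smtpd\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\], "
    r"sasl_method=\S+, sasl_username=(?P<user>\S+)$"
)


@dataclass(frozen=True)
class Submission:
    ts: datetime
    qid: str
    ip: str
    user: str


def parse_submissions(log_text: str, year: int) -> list[Submission]:
    """Extract accepted SASL submissions. Syslog lines carry no year, so one is supplied."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append(Submission(ts, m["qid"], m["ip"], m["user"]))
    return out


def peak_in_window(times: list[datetime], window: timedelta) -> int:
    """Largest number of events inside any interval of length `window` (times must be sorted)."""
    peak = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:  # slide the left edge forward
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def audit(log_text: str, hourly_limit: int = 50, daily_limit: int = 200,
          year: int = 2024) -> dict[str, dict]:
    """Per-user submission statistics plus an over_limit flag (limits as the answer suggests)."""
    by_user: dict[str, list[Submission]] = defaultdict(list)
    for sub in parse_submissions(log_text, year):
        by_user[sub.user].append(sub)
    report = {}
    for user, subs in by_user.items():
        times = sorted(s.ts for s in subs)
        per_hour = peak_in_window(times, timedelta(hours=1))
        per_day = peak_in_window(times, timedelta(days=1))
        report[user] = {
            "messages": len(subs),
            # One account authenticating from several unrelated client IPs is a red flag
            # of its own, independent of volume.
            "client_ips": sorted({s.ip for s in subs}),
            "peak_per_hour": per_hour,
            "peak_per_day": per_day,
            "over_limit": per_hour > hourly_limit or per_day > daily_limit,
        }
    return report


if __name__ == "__main__":
    # Tight limits so the small constructed sample trips the check; in production
    # use the site's observed normal (the answer's 50/hour, 200/day are a starting point).
    for user, stats in audit(SAMPLE_LOG, hourly_limit=2, daily_limit=200).items():
        flag = "OVER LIMIT" if stats["over_limit"] else "ok"
        print(f"{user}: {stats['messages']} msgs, peak {stats['peak_per_hour']}/h "
              f"from {len(stats['client_ips'])} client IP(s) -> {flag}")
```

Run it against the real `mail.log` (with the right year) and the per-user hourly and daily peaks tell you where to set the policy daemon's limits so that legitimate users never notice them while a compromised account, which typically sends hundreds of messages in minutes from a stranger's IP, is cut off almost immediately.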