Postfix

如何防止 Postfix 中未經授權的郵件中繼

  • May 12, 2022

我們的郵件伺服器似乎被用來發送垃圾郵件。

  • 電子郵件的發件人是我們伺服器上的虛假真實賬戶。
  • 該帳戶的發送歷史記錄中沒有電子郵件。

我想知道是否有任何方法可以防止這種情況。歡迎任何建議。

後綴日誌:

May  9 22:12:21 mx postfix/submission/smtpd[1885206]: warning: hostname 201-91-101-26.customer.tdatabrasil.net.br does not resolve to address 201.91.101.26: Name or service not known
May  9 22:12:21 mx postfix/submission/smtpd[1885206]: connect from unknown[201.91.101.26]
May  9 22:12:27 mx postfix/submission/smtpd[1885206]: Anonymous TLS connection established from unknown[201.91.101.26]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
May  9 22:12:29 mx postfix/submission/smtpd[1885206]: 984BB13B35D: client=unknown[201.91.101.26], sasl_method=PLAIN, sasl_username=user@my-domain.net
May  9 22:12:31 mx postfix/sender-cleanup/cleanup[1892316]: 984BB13B35D: replace: header MIME-Version: 1.0 from unknown[201.91.101.26]; from=<user@my-domain.net> to=<****@yahoo.com.br> proto=ESMTP helo=<EHZDDZCUEY0FN7B75U0HKZOH1JP2P2UI>: Mime-Version: 1.0
May  9 22:12:32 mx postfix/qmgr[944]: 984BB13B35D: from=<user@my-domain.net>, size=18836, nrcpt=1 (queue active)
May  9 22:12:32 mx postfix/smtp[1892491]: 984BB13B35D: to=<****@yahoo.com.br>, relay=smtp.****.****.com[192.***.***.***]:587, delay=3.9, delays=3.6/0.01/0.13/0.13, dsn=2.0.0, status=sent (250 Ok)
May  9 22:12:32 mx postfix/qmgr[944]: 984BB13B35D: removed
May  9 22:12:35 mx postfix/submission/smtpd[1885206]: E344C13B35D: client=unknown[201.91.101.26], sasl_method=PLAIN, sasl_username=user@my-domain.net
# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_min_user = yes
anvil_rate_time_unit = 60s
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 7200s
compatibility_level = 2
default_process_limit = 5000
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/maps/header_checks.pcre
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 20000000000
maximal_backoff_time = 7200s
maximal_queue_lifetime = 7200s
message_size_limit = 52428800
milter_default_action = accept
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_protocol = 6
minimal_backoff_time = 1600s
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = my-domain.net
myhostname = mx.my-domain.net
mynetworks = 127.0.0.0/8 [::1]/128 [fe80::]/64 192.168.18.0/24 10.102.0.0/16 172.18.0.0/16 10.102.0.0/16
non_smtpd_milters = inet:127.0.0.1:11332
policyd-spf_time_limit = 3600
postscreen_bare_newline_action = enforce
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*3 bl.mailspike.net b.barracudacentral.org*2 bl.spameatingmonkey.net dnsbl.sorbs.net psbl.surriel.com list.dnswl.org=127.0.[0..255].0*-2 list.dnswl.org=127.0.[0..255].1*-3 list.dnswl.org=127.0.[0..255].[2..3]*-4
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = enforce
queue_run_delay = 200s
readme_directory = no
recipient_delimiter = +
relayhost = [smtp.****.****.com]:587
sender_dependent_relayhost_maps = texthash:/etc/postfix/relayhost_map
smtp_destination_concurrency_limit = 10
smtp_discard_ehlo_keywords = size
smtp_header_checks = pcre:/etc/postfix/maps/sender_header_filter.pcre
smtp_initial_destination_concurrency = 2
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = texthash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sender_dependent_authentication = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP
smtpd_client_message_rate_limit = 100
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/etc/postfix/client_access.map, reject_unknown_reverse_client_hostname
smtpd_delay_reject = yes
smtpd_error_sleep_time = 1s
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_helo_restrictions = check_helo_access pcre:/etc/postfix/helo_access.map permit_mynetworks permit_sasl_authenticated reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_milters = inet:127.0.0.1:11332
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, check_policy_service inet:localhost:65265, reject_rbl_client zen.spamhaus.org
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf mysql:/etc/postfix/mysql-virtual-alias-maps.cf mysql:/etc/postfix/mysql-virtual-sender-maps.cf
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch, check_sender_access hash:/etc/postfix/sender_access.map, reject_non_fqdn_sender, reject_sender_login_mismatch
smtpd_soft_error_limit = 10
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_auth_only = yes
smtpd_tls_chain_files = /etc/postfix/ssl/key /etc/postfix/ssl/cert
smtpd_tls_dh1024_param_file = /etc/postfix/dhparams.pem
smtpd_tls_exclude_ciphers = aNULL, SEED, CAMELLIA, RSA+AES
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_security_level = may
smtputf8_enable = no
strict_mailbox_ownership = no
tls_high_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_preempt_cipherlist = yes
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
tls_ssl_options = NO_COMPRESSION, NO_RENEGOTIATION
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_limit = 20000000000
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = lmtp:inet:localhost:24
# postconf -M
smtp       inet  n       -       n       -       1       postscreen
smtpd      pass  -       -       n       -       -       smtpd
tlsproxy   unix  -       -       n       -       0       tlsproxy
dnsblog    unix  -       -       n       -       0       dnsblog
submission inet  n       -       -       -       -       smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth -o smtpd_reject_unlisted_recipient=no -o smtpd_sasl_authenticated_header=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unknown_reverse_client_hostname,reject -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING -o cleanup_service_name=sender-cleanup
smtps      inet  n       -       n       -       -       smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth -o smtpd_reject_unlisted_recipient=no -o smtpd_sasl_authenticated_header=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unknown_reverse_client_hostname,reject -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING -o cleanup_service_name=sender-cleanup
pickup     fifo  n       -       y       60      1       pickup -o content_filter= -o receive_override_options=no_header_body_checks
cleanup    unix  n       -       y       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       y       1000?   1       tlsmgr
rewrite    unix  -       -       y       -       -       trivial-rewrite
bounce     unix  -       -       y       -       0       bounce
defer      unix  -       -       y       -       0       bounce
trace      unix  -       -       y       -       0       bounce
verify     unix  -       -       y       -       1       verify
flush      unix  n       -       y       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       y       -       -       smtp
relay      unix  -       -       y       -       -       smtp
showq      unix  n       -       y       -       -       showq
error      unix  -       -       y       -       -       error
retry      unix  -       -       y       -       -       error
discard    unix  -       -       y       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       y       -       1       anvil
scache     unix  -       -       y       -       1       scache
maildrop   unix  -       n       n       -       -       pipe flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp       unix  -       n       n       -       -       pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail     unix  -       n       n       -       -       pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp      unix  -       n       n       -       -       pipe flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n       n       -       2       pipe flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman    unix  -       n       n       -       -       pipe flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
sender-cleanup unix n    -       -       -       0       cleanup -o syslog_name=postfix/sender-cleanup -o header_checks=pcre:/etc/postfix/maps/sender_header_filter.pcre
policyd-spf unix -       n       n       -       0       spawn user=policyd-spf argv=/usr/bin/policyd-spf
smtp-amavis unix -       -       n       -       2       smtp -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes -o disable_dns_lookups=yes -o max_use=20 -o smtp_tls_security_level=none
127.0.0.1:10025 inet n   -       n       -       -       smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_delay_reject=no -o smtpd_client_restrictions=permit_mynetworks,reject -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o smtpd_data_restrictions=reject_unauth_pipelining -o smtpd_end_of_data_restrictions= -o mynetworks=127.0.0.0/8 -o smtpd_error_sleep_time=0 -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000 -o smtpd_client_connection_count_limit=0 -o smtpd_client_connection_rate_limit=0 -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters -o smtp_tls_security_level=none
slowrelay  unix  -       -       n       -       2       smtp -o smtp_mx_session_limit=5
gmail-smtp unix  -       -       n       -       1       smtp -o syslog_name=postfix/gmail -o smtp_destination_concurrency_limit=1 -o smtp_destination_recipient_limit=1 -o anvil_rate_time_unit=60s -o smtpd_client_message_rate_limit=100
docomo-smtp unix -       -       n       -       1       smtp -o smtp_destination_concurrency_limit=1 -o smtp_destination_recipient_limit=1 -o anvil_rate_time_unit=60s -o smtpd_client_message_rate_limit=100
au-smtp    unix  -       -       n       -       1       smtp -o smtp_destination_concurrency_limit=1 -o smtp_destination_recipient_limit=1 -o anvil_rate_time_unit=60s -o smtpd_client_message_rate_limit=100
softbank-smtp unix -     -       n       -       1       smtp -o smtp_destination_concurrency_limit=1 -o smtp_destination_recipient_limit=1 -o anvil_rate_time_unit=60s -o smtpd_client_message_rate_limit=100
ymobile-smtp unix -      -       n       -       1       smtp -o smtp_destination_concurrency_limit=1 -o smtp_destination_recipient_limit=1 -o anvil_rate_time_unit=60s -o smtpd_client_message_rate_limit=100
icloud-smtp unix -       -       n       -       1       smtp -o smtp_destination_concurrency_limit=1 -o smtp_destination_recipient_limit=1 -o anvil_rate_time_unit=30s -o smtpd_client_message_rate_limit=5
ms-smtp    unix  -       -       n       -       1       smtp -o smtp_destination_concurrency_limit=1 -o smtp_destination_recipient_limit=1 -o anvil_rate_time_unit=30s -o smtpd_client_message_rate_limit=5

正如另一個答案已經正確得出的結論,惡意方獲得了您伺服器上某個帳戶的密碼。大概,太弱了。或者該帳戶的使用者擷取了從其電子郵件客戶端儲存中竊取已保存密碼的惡意軟體。

我強烈建議你做以下事情來抵消:

  1. 用於fail2ban監控 Postfix 日誌以阻止暴力破解。這樣您就可以減少破解類似字典的密碼的機會。
  2. 使用postfwd2或任何其他有能力的 Postfix 策略守護程序來限制每個使用者可以發送的郵件數量。例如,如果通常使用者每天發送的郵件不超過 200 封,每小時不超過 50 封,則將其設置為限制,並且濫用您的服務的可能性將受到限制。即使帳戶被黑客入侵,他們也無法超越這些限制。作為獎勵,您將儘早收到有關問題的通知,因為使用者會抱怨他們突然達到限制,或者因為您將能夠監視策略守護程序的日誌文件。

以及額外的建議。

mynetworks = 127.0.0.0/8 [::1]/128 [fe80::]/64 192.168.18.0/24 10.102.0.0/16 172.18.0.0/16 10.102.0.0/16

這很糟糕。最好的 mynetworks 只是 localhost,即使這樣也是有爭議的。最好刪除所有內容,僅保留 127.0.0.1 和

$$ ::1 $$並強制其他所有人進行身份驗證。這將使事情變得更加可控。

引用自:https://serverfault.com/questions/1100721