Postfix users receive spam pretending to be sent from their accounts avoiding reject_sender_login_mismatch
Postfix users receive spam pretending to be sent from their accounts.
In main.cf I have put:
smtpd_sender_login_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf,
mysql:/etc/postfix/mysql_virtual_alias_maps.cf
smtpd_sender_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_sender_login_mismatch,
I also have extensive RBL and other spam checks in main.cf which work, but this slips through them anyway (see the message source below).
If I test it from my other server:
root@othermail:~# mail -s test1 -a "From: user1@mydomain.tld" user1@mydomain.tld < /dev/null
the message gets rejected, with this in the log:
NOQUEUE: reject: RCPT from myother.server.tld[192.168.7.229]: 553 5.7.1 <user1@mydomain.tld>: Sender address rejected: not logged in; from=<user1@mydomain.tld> to=<user1@mydomain.tld>
I have DKIM, which works and validates. In main.cf:
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = local:opendkim/opendkim.sock
But the spammers somehow trick it, by using DKIM or other means?
Somehow, after the OpenDKIM milter, there are no sender_login_mismatch checks. Should I install amavis? It seems so trivial to block spam that pretends to be a spoofed message from oneself, yet I can't block it. Any suggestions? Thanks.
The message source looks like this:
Return-Path: <seisi@kousaikan.com>
X-Original-To: user1@mydomain.tld
Delivered-To: user1@mydomain.tld
Received: from mail.mydomain.tld (localhost [127.0.0.1])
by mail.mydomain.tld (Postfix) with ESMTP id 73A553008B0
for <user1@mydomain.tld>; Fri, 5 Apr 2019 17:16:49 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=mydomain.tld; s=201902;
t=1554473809; bh=MjZrE+ZNsa79fhqHRgjB41LtBj2nZeIT/I8ZyQz4lvI=;
h=Date:Subject:To:From:List-Help:From;
b=ajW/fpbQ9R/wu2ztE6OJecLpcUqvqENooIo6PW1V5GU0oAc/VqhvxuGPIc89t9n49
6pcXOw4knfTpp9lwoaHqUJ8lM2KpesQTSgLHzvfC74u8wi9CB6+cHpS42rT35bW5wx
LvdO7mLT9GEhrPAVeoI21yk2pCAEhBQaXLAFDsmY=
Received: from orange-leopard-671e4d6e5ce74ab6.znlc.jp (orange-leopard-671e4d6e5ce74ab6.znlc.jp [154.34.23.45])
by mail.mydomain.tld (Postfix) with ESMTPS id 36A99300704
for <user1@mydomain.tld>; Fri, 5 Apr 2019 17:16:47 +0300 (EEST)
Received: from [corporativo.static.gvt.net.br] (170.83.215.114-static.host.megalink.net.br [170.83.215.114])
by orange-leopard-671e4d6e5ce74ab6.znlc.jp (Postfix) with ESMTPSA id 1C8A2BDEE
for <user1@mydomain.tld>; Fri, 5 Apr 2019 22:12:20 +0900 (JST)
Date: Fri, 5 Apr 2019 15:12:18 +0200
Abuse-Reports-To: <abuse@mail.kousaikan.com>
X-Complaints-To: abuse@mail.kousaikan.com
Subject: [SPAM] user1
Message-ID: <j2w06zpo-msrn-unjm-z17p-4ld3vmq62lf7@mlcp.tzzu>
To: user1@mydomain.tld
Content-Type: multipart/related;
boundary="--_com.android.email_86436944273605"
MIME-Version: 1.0
X-Mailer: Summer Cart 4.0
From: <user1@mydomain.tld>
User-Agent: Roundcube Webmail/0.6
List-Help:
<http://www.kousaikan.com/lists/?p=preferences&uid=7oivc5xd99g9y6j9mcp0iztxw78pnnhu>
X-Antivirus: Dr.Web (R) for Unix mail servers drweb plugin ver.6.0.2.8
X-Antivirus-Code: 0x100000
X-Drweb-SpamState: yes
X-Drweb-SpamScore: 315
X-DrWeb-SpamReason: gggruggvucftvghtrhhoucdtuddrgeduuddrtdeiucetufdoteggodetrfcurfhrohhfihhlvgemuceonhhonhgvqeenuceurghilhhouhhtmecupfdsteenucgoteeftdduqddtudculdduhedmnegoufhprghmsghotheuvfevqdfggedutddqvdekucdlfedttddm
X-AV-Checked: ClamAV using ClamSMTP
Log file:
Apr 5 17:16:45 mydomain.tld postfix/smtpd[11659]: connect from orange-leopard-671e4d6e5ce74ab6.znlc.jp[154.34.23.45]
Apr 5 17:16:46 mydomain.tld postfix/smtpd[11659]: Anonymous TLS connection established from orange-leopard-671e4d6e5ce74ab6.znlc.jp[154.34.23.45]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Apr 5 17:16:47 mydomain.tld postfix/smtpd[11659]: 36A99300704: client=orange-leopard-671e4d6e5ce74ab6.znlc.jp[154.34.23.45]
Apr 5 17:16:47 mydomain.tld postfix/cleanup[11826]: 36A99300704: message-id=<j2w06zpo-msrn-unjm-z17p-4ld3vmq62lf7@mlcp.tzzu>
Apr 5 17:16:49 mydomain.tld opendkim[539]: 36A99300704: orange-leopard-671e4d6e5ce74ab6.znlc.jp [154.34.23.45] not internal
Apr 5 17:16:49 mydomain.tld opendkim[539]: 36A99300704: not authenticated
Apr 5 17:16:49 mydomain.tld opendkim[539]: 36A99300704: no signature data
Apr 5 17:16:49 mydomain.tld postfix/qmgr[11471]: 36A99300704: from=<seisi@kousaikan.com>, size=257396, nrcpt=1 (queue active)
Apr 5 17:16:49 mydomain.tld clamsmtpd: 1009A6: accepted connection from: 127.0.0.1
Apr 5 17:16:49 mydomain.tld postfix/smtpd[11829]: connect from localhost[127.0.0.1]
Apr 5 17:16:49 mydomain.tld postfix/smtpd[11829]: 73A553008B0: client=localhost[127.0.0.1], orig_queue_id=36A99300704, orig_client=orange-leopard-671e4d6e5ce74ab6.znlc.jp[154.34.23.45]
Apr 5 17:16:49 mydomain.tld postfix/smtpd[11659]: disconnect from orange-leopard-671e4d6e5ce74ab6.znlc.jp[154.34.23.45] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Apr 5 17:16:49 mydomain.tld postfix/cleanup[11826]: 73A553008B0: message-id=<j2w06zpo-msrn-unjm-z17p-4ld3vmq62lf7@mlcp.tzzu>
Apr 5 17:16:49 mydomain.tld postfix/qmgr[11471]: 73A553008B0: from=<seisi@kousaikan.com>, size=257617, nrcpt=1 (queue active)
Apr 5 17:16:49 mydomain.tld postfix/smtp[11827]: 36A99300704: to=<user1@mydomain.tld>, relay=127.0.0.1[127.0.0.1]:10026, delay=2.9, delays=2.3/0.01/0.06/0.51, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 73A553008B0)
Apr 5 17:16:49 mydomain.tld postfix/qmgr[11471]: 36A99300704: removed
Apr 5 17:16:49 mydomain.tld clamsmtpd: 1009A6: from=seisi@kousaikan.com, to=user1@mydomain.tld, status=CLEAN
Apr 5 17:16:49 mydomain.tld postfix/smtpd[11829]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=2 mail=1 rcpt=1 data=1 quit=1 commands=7
Apr 5 17:16:50 mydomain.tld postfix/virtual[11832]: 73A553008B0: to=<user1@mydomain.tld>, relay=virtual, delay=0.58, delays=0.51/0.01/0/0.06, dsn=2.0.0, status=sent (delivered to maildir)
Apr 5 17:16:50 mydomain.tld postfix/qmgr[11471]: 73A553008B0: removed
Tags: postfix, spam, opendkim, milter
asked Apr 8 at 14:45 by Janis
edited Apr 8 at 18:05 by Esa Jokinen
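Why the configured check never fires: reject_sender_login_mismatch runs in smtpd_sender_restrictions, that is against the SMTP envelope sender (MAIL FROM, later visible as Return-Path), while the spoofed address in the message above appears only in the From: header, which those restrictions do not inspect. The Python script below is an added example, not part of the question or of Postfix; it parses a constructed, shortened copy of the quoted headers and reports the envelope/header mismatch, the unauthenticated ESMTPS border hop, and the d=mydomain.tld signature that sits above the border Received: header (added locally on the clamsmtp re-injection, consistent with the log's "no signature data" on the first pass). LOCAL_DOMAINS and LOCAL_HOSTS are assumed values.

```python
import email
import re
from email.utils import parseaddr

# Assumed values (not in the question): domains this Postfix hosts and the
# hostname it writes into its own Received: headers.
LOCAL_DOMAINS = {"mydomain.tld"}
LOCAL_HOSTS = {"mail.mydomain.tld"}

# Constructed sample: the headers quoted in the question, shortened.
SPOOFED = """\
Return-Path: <seisi@kousaikan.com>
Received: from mail.mydomain.tld (localhost [127.0.0.1])
\tby mail.mydomain.tld (Postfix) with ESMTP id 73A553008B0
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=mydomain.tld; s=201902;
\tt=1554473809; h=Date:Subject:To:From:List-Help:From; b=ajW/...
Received: from orange-leopard-671e4d6e5ce74ab6.znlc.jp (orange-leopard-671e4d6e5ce74ab6.znlc.jp [154.34.23.45])
\tby mail.mydomain.tld (Postfix) with ESMTPS id 36A99300704
Subject: [SPAM] user1
To: user1@mydomain.tld
From: <user1@mydomain.tld>

"""

# Constructed sample of a genuine submission by the same user: SASL login
# (ESMTPSA) and an envelope sender that matches the From: header.
GENUINE = """\
Return-Path: <user1@mydomain.tld>
Received: from [10.0.0.5] (client.example [203.0.113.7])
\tby mail.mydomain.tld (Postfix) with ESMTPSA id 0000000001
To: user1@mydomain.tld
From: <user1@mydomain.tld>

"""

RECEIVED_RE = re.compile(r"^from\s+(?P<helo>\S+)\s*(?:\((?P<peer>[^)]*)\))?"
                         r".*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>\S+)", re.DOTALL)


def parse_received(value):
    # Unfold the header, then pull out client name, peer info, receiving host, protocol.
    m = RECEIVED_RE.match(re.sub(r"\s+", " ", str(value)).strip())
    if not m:
        return None
    peer, proto = m.group("peer") or "", m.group("proto")
    return {
        "client": m.group("helo"),
        "by": m.group("by"),
        "protocol": proto,
        # Postfix appends "A" (ESMTPA, ESMTPSA) only after a successful SASL login.
        "authenticated": proto.upper().endswith("A"),
        "loopback": "127.0.0.1" in peer or "::1" in peer or "localhost" in peer.lower(),
    }


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def analyze(raw, local_domains=LOCAL_DOMAINS, local_hosts=LOCAL_HOSTS):
    """Compare envelope sender, From: header and border hop; return the findings."""
    msg = email.message_from_string(raw)
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    border = border_idx = local_sig_idx = None
    for i, (name, value) in enumerate(msg.items()):
        n = name.lower()
        if n == "received" and border is None:
            hop = parse_received(value)
            # Border hop: first Received: our MTA wrote for a non-loopback client
            # (the loopback one is the clamsmtp re-injection seen in the log).
            if hop and hop["by"].lower() in local_hosts and not hop["loopback"]:
                border, border_idx = hop, i
        elif n == "dkim-signature" and local_sig_idx is None:
            d = re.search(r"\bd=([^;\s]+)", str(value))
            if d and d.group(1).lower() in local_domains:
                local_sig_idx = i
    # A local-domain signature above the border Received: was added by this server
    # after acceptance (the log said "no signature data" on the first pass).
    dkim_added_locally = local_sig_idx is not None and (
        border_idx is None or local_sig_idx < border_idx)
    header_local = domain_of(header_from) in local_domains
    envelope_local = domain_of(envelope) in local_domains
    findings = []
    if header_local and not envelope_local:
        findings.append("From: claims %s but MAIL FROM was %s; smtpd_sender_restrictions "
                        "(hence reject_sender_login_mismatch) only see the envelope"
                        % (header_from, envelope))
    if header_local and border and not border["authenticated"]:
        findings.append("border hop from %s used %s (no SASL login), yet From: is local"
                        % (border["client"], border["protocol"]))
    if dkim_added_locally:
        findings.append("local DKIM-Signature sits above the border Received: header, "
                        "so it was added on re-injection, not by the sender")
    return {"envelope_from": envelope, "header_from": header_from, "border": border,
            "dkim_added_locally": dkim_added_locally, "findings": findings}
```

The usual remedies therefore work on the header side instead: a From: header_checks rule applied only to unauthenticated inbound mail, or publishing a DMARC policy for the domain and verifying it with OpenDMARC.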