Postfix users receive spam pretending to be sent from their accounts avoiding reject_sender_login_mismatch



Postfix users receive spam pretending to be sent from their accounts.



In main.cf I have put:



smtpd_sender_login_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf,
    mysql:/etc/postfix/mysql_virtual_alias_maps.cf

smtpd_sender_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_sender_login_mismatch,


I also have extensive RBL and other spam checks in main.cf which work, but this slips through it anyway (see msg source).
If I test it from my other server:



root@othermail:~# mail -s test1 -a "From: user1@mydomain.tld" user1@mydomain.tld < /dev/null


The message gets rejected in the log with:



NOQUEUE: reject: RCPT from myother.server.tld[192.168.7.229]: 553 5.7.1 <user1@mydomain.tld>: Sender address rejected: not logged in; from=<user1@mydomain.tld> to=<user1@mydomain.tld>


I have DKIM which works and validates. In main.cf:



milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = local:opendkim/opendkim.sock


But the spammers somehow trick it by using DKIM? Or other means.
Somehow after the OpenDKIM milter there are no sender_login_mismatch checks. Should I install amavis? It seems so trivial to block spam which pretends to be sent as a spoofed message from oneself, but yet I can't block it. Any suggestions? Thanks.



Message source looks like this:



Return-Path: <seisi@kousaikan.com>
X-Original-To: user1@mydomain.tld
Delivered-To: user1@mydomain.tld
Received: from mail.mydomain.tld (localhost [127.0.0.1])
    by mail.mydomain.tld (Postfix) with ESMTP id 73A553008B0
    for <user1@mydomain.tld>; Fri, 5 Apr 2019 17:16:49 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=mydomain.tld; s=201902;
    t=1554473809; bh=MjZrE+ZNsa79fhqHRgjB41LtBj2nZeIT/I8ZyQz4lvI=;
    h=Date:Subject:To:From:List-Help:From;
    b=ajW/fpbQ9R/wu2ztE6OJecLpcUqvqENooIo6PW1V5GU0oAc/VqhvxuGPIc89t9n49
    6pcXOw4knfTpp9lwoaHqUJ8lM2KpesQTSgLHzvfC74u8wi9CB6+cHpS42rT35bW5wx
    LvdO7mLT9GEhrPAVeoI21yk2pCAEhBQaXLAFDsmY=
Received: from orange-leopard-671e4d6e5ce74ab6.znlc.jp (orange-leopard-671e4d6e5ce74ab6.znlc.jp [154.34.23.45])
    by mail.mydomain.tld (Postfix) with ESMTPS id 36A99300704
    for <user1@mydomain.tld>; Fri, 5 Apr 2019 17:16:47 +0300 (EEST)
Received: from [corporativo.static.gvt.net.br] (170.83.215.114-static.host.megalink.net.br [170.83.215.114])
    by orange-leopard-671e4d6e5ce74ab6.znlc.jp (Postfix) with ESMTPSA id 1C8A2BDEE
    for <user1@mydomain.tld>; Fri, 5 Apr 2019 22:12:20 +0900 (JST)
Date: Fri, 5 Apr 2019 15:12:18 +0200
Abuse-Reports-To: <abuse@mail.kousaikan.com>
X-Complaints-To: abuse@mail.kousaikan.com
Subject: [SPAM] user1
Message-ID: <j2w06zpo-msrn-unjm-z17p-4ld3vmq62lf7@mlcp.tzzu>
To: user1@mydomain.tld
Content-Type: multipart/related;
    boundary="--_com.android.email_86436944273605"
MIME-Version: 1.0
X-Mailer: Summer Cart 4.0
From: <user1@mydomain.tld>
User-Agent: Roundcube Webmail/0.6
List-Help:
    <http://www.kousaikan.com/lists/?p=preferences&uid=7oivc5xd99g9y6j9mcp0iztxw78pnnhu>
X-Antivirus: Dr.Web (R) for Unix mail servers drweb plugin ver.6.0.2.8
X-Antivirus-Code: 0x100000
X-Drweb-SpamState: yes
X-Drweb-SpamScore: 315
X-DrWeb-SpamReason: gggruggvucftvghtrhhoucdtuddrgeduuddrtdeiucetufdoteggodetrfcurfhrohhfihhlvgemuceonhhonhgvqeenuceurghilhhouhhtmecupfdsteenucgoteeftdduqddtudculdduhedmnegoufhprghmsghotheuvfevqdfggedutddqvdekucdlfedttddm
X-AV-Checked: ClamAV using ClamSMTP


Log file:



Apr 5 17:16:45 mydomain.tld postfix/smtpd[11659]: connect from orange-leopard-671e4d6e5ce74ab6.znlc.jp[154.34.23.45]
Apr 5 17:16:46 mydomain.tld postfix/smtpd[11659]: Anonymous TLS connection established from orange-leopard-671e4d6e5ce74ab6.znlc.jp[154.34.23.45]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Apr 5 17:16:47 mydomain.tld postfix/smtpd[11659]: 36A99300704: client=orange-leopard-671e4d6e5ce74ab6.znlc.jp[154.34.23.45]
Apr 5 17:16:47 mydomain.tld postfix/cleanup[11826]: 36A99300704: message-id=<j2w06zpo-msrn-unjm-z17p-4ld3vmq62lf7@mlcp.tzzu>
Apr 5 17:16:49 mydomain.tld opendkim[539]: 36A99300704: orange-leopard-671e4d6e5ce74ab6.znlc.jp [154.34.23.45] not internal
Apr 5 17:16:49 mydomain.tld opendkim[539]: 36A99300704: not authenticated
Apr 5 17:16:49 mydomain.tld opendkim[539]: 36A99300704: no signature data
Apr 5 17:16:49 mydomain.tld postfix/qmgr[11471]: 36A99300704: from=<seisi@kousaikan.com>, size=257396, nrcpt=1 (queue active)
Apr 5 17:16:49 mydomain.tld clamsmtpd: 1009A6: accepted connection from: 127.0.0.1
Apr 5 17:16:49 mydomain.tld postfix/smtpd[11829]: connect from localhost[127.0.0.1]
Apr 5 17:16:49 mydomain.tld postfix/smtpd[11829]: 73A553008B0: client=localhost[127.0.0.1], orig_queue_id=36A99300704, orig_client=orange-leopard-671e4d6e5ce74ab6.znlc.jp[154.34.23.45]
Apr 5 17:16:49 mydomain.tld postfix/smtpd[11659]: disconnect from orange-leopard-671e4d6e5ce74ab6.znlc.jp[154.34.23.45] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Apr 5 17:16:49 mydomain.tld postfix/cleanup[11826]: 73A553008B0: message-id=<j2w06zpo-msrn-unjm-z17p-4ld3vmq62lf7@mlcp.tzzu>
Apr 5 17:16:49 mydomain.tld postfix/qmgr[11471]: 73A553008B0: from=<seisi@kousaikan.com>, size=257617, nrcpt=1 (queue active)
Apr 5 17:16:49 mydomain.tld postfix/smtp[11827]: 36A99300704: to=<user1@mydomain.tld>, relay=127.0.0.1[127.0.0.1]:10026, delay=2.9, delays=2.3/0.01/0.06/0.51, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 73A553008B0)
Apr 5 17:16:49 mydomain.tld postfix/qmgr[11471]: 36A99300704: removed
Apr 5 17:16:49 mydomain.tld clamsmtpd: 1009A6: from=seisi@kousaikan.com, to=user1@mydomain.tld, status=CLEAN
Apr 5 17:16:49 mydomain.tld postfix/smtpd[11829]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=2 mail=1 rcpt=1 data=1 quit=1 commands=7
Apr 5 17:16:50 mydomain.tld postfix/virtual[11832]: 73A553008B0: to=<user1@mydomain.tld>, relay=virtual, delay=0.58, delays=0.51/0.01/0/0.06, dsn=2.0.0, status=sent (delivered to maildir)
Apr 5 17:16:50 mydomain.tld postfix/qmgr[11471]: 73A553008B0: removed









Tags: postfix spam opendkim milter






asked Apr 8 at 14:45 by Janis
edited Apr 8 at 18:05 by Esa Jokinen
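
Added example, not part of the original question: reject_sender_login_mismatch is evaluated against the envelope sender (MAIL FROM), which the log above records as seisi@kousaikan.com, while the address the user sees is the From: header. The Python below flags that gap from a delivered message's headers and reports whether the message also carries a DKIM-Signature for the local domain, as the one in the question does; `analyze`, `ingress_hop` and the abridged sample are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# RFC 3848 "with" keywords that mean the client used SMTP AUTH.
AUTH_PROTOCOLS = {"ESMTPA", "ESMTPSA"}

RECEIVED_RE = re.compile(
    r"from\s+\S+\s+\((?P<client>[^)]*)\)\s+by\s+(?P<by>\S+).*?\swith\s+(?P<proto>\S+)",
    re.S,
)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
DKIM_D_RE = re.compile(r"(?:^|;)\s*d=([^;\s]+)")

# Constructed sample: abridged from the message source in the question,
# with the signature data replaced by placeholders.
SAMPLE = """\
Return-Path: <seisi@kousaikan.com>
Delivered-To: user1@mydomain.tld
Received: from mail.mydomain.tld (localhost [127.0.0.1])
\tby mail.mydomain.tld (Postfix) with ESMTP id 73A553008B0
\tfor <user1@mydomain.tld>; Fri, 5 Apr 2019 17:16:49 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=mydomain.tld; s=201902;
\th=Date:Subject:To:From:List-Help:From; bh=PLACEHOLDER; b=PLACEHOLDER
Received: from orange-leopard-671e4d6e5ce74ab6.znlc.jp (orange-leopard-671e4d6e5ce74ab6.znlc.jp [154.34.23.45])
\tby mail.mydomain.tld (Postfix) with ESMTPS id 36A99300704
\tfor <user1@mydomain.tld>; Fri, 5 Apr 2019 17:16:47 +0300 (EEST)
Date: Fri, 5 Apr 2019 15:12:18 +0200
Subject: [SPAM] user1
To: user1@mydomain.tld
From: <user1@mydomain.tld>

body
"""


def domain_of(address):
    """Return the lower-cased domain part of an address ('' if none)."""
    return address.rpartition("@")[2].lower()


def ingress_hop(msg, mta_hostname):
    """Find the hop where the message entered our MTA from a non-loopback client.

    Received headers are read top-down (newest first). Only the topmost
    matching line is trusted, because everything below it was supplied by
    the sending side. Returns (client_ip, protocol) or (None, None).
    """
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if not m or m.group("by").lower() != mta_hostname:
            continue
        ip = IP_RE.search(m.group("client"))
        if not ip:
            continue
        try:
            if ipaddress.ip_address(ip.group(1)).is_loopback:
                continue  # content-filter re-injection, not the real client
        except ValueError:
            continue
        return ip.group(1), m.group("proto").upper()
    return None, None


def analyze(raw, local_domains, mta_hostname):
    """Compare envelope sender, header From and authentication state."""
    msg = message_from_string(raw)
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    client_ip, proto = ingress_hop(msg, mta_hostname.lower())
    authenticated = proto in AUTH_PROTOCOLS

    dkim_domains = set()
    for value in msg.get_all("DKIM-Signature", []):
        m = DKIM_D_RE.search(value)
        if m:
            dkim_domains.add(m.group(1).lower())

    # The gap: From: claims a local address, but the envelope sender is
    # foreign, so a MAIL FROM based restriction has nothing to reject.
    spoofed = (
        domain_of(header_from) in local_domains
        and domain_of(envelope) not in local_domains
        and not authenticated
    )
    return {
        "envelope_sender": envelope,
        "header_from": header_from,
        "ingress_client_ip": client_ip,
        "ingress_authenticated": authenticated,
        "spoofed_local_from": spoofed,
        "signed_by_local_dkim": bool(dkim_domains & set(local_domains)),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE, {"mydomain.tld"}, "mail.mydomain.tld")
    for key, value in report.items():
        print(f"{key}: {value}")
```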

          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f962039%2fpostfix-users-receive-spam-pretending-to-be-sent-from-their-accounts-avoiding-re%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          YSAHHz,2QqJYR unWiQykATgk MH3HRNIbs7M
          O G,tSfrygv87hnct4txxx907hpVvIHF tFl939,g0NZ,YmnfPg2wuFUBeUUh

          Popular posts from this blog

          RemoteApp sporadic failureWindows 2008 RemoteAPP client disconnects within a matter of minutesWhat is the minimum version of RDP supported by Server 2012 RDS?How to configure a Remoteapp server to increase stabilityMicrosoft RemoteApp Active SessionRDWeb TS connection broken for some users post RemoteApp certificate changeRemote Desktop Licensing, RemoteAPPRDS 2012 R2 some users are not able to logon after changed date and time on Connection BrokersWhat happens during Remote Desktop logon, and is there any logging?After installing RDS on WinServer 2016 I still can only connect with two users?RD Connection via RDGW to Session host is not connecting

          Vilaño, A Laracha Índice Patrimonio | Lugares e parroquias | Véxase tamén | Menú de navegación43°14′52″N 8°36′03″O / 43.24775, -8.60070

          Cegueira Índice Epidemioloxía | Deficiencia visual | Tipos de cegueira | Principais causas de cegueira | Tratamento | Técnicas de adaptación e axudas | Vida dos cegos | Primeiros auxilios | Crenzas respecto das persoas cegas | Crenzas das persoas cegas | O neno deficiente visual | Aspectos psicolóxicos da cegueira | Notas | Véxase tamén | Menú de navegación54.054.154.436928256blindnessDicionario da Real Academia GalegaPortal das Palabras"International Standards: Visual Standards — Aspects and Ranges of Vision Loss with Emphasis on Population Surveys.""Visual impairment and blindness""Presentan un plan para previr a cegueira"o orixinalACCDV Associació Catalana de Cecs i Disminuïts Visuals - PMFTrachoma"Effect of gene therapy on visual function in Leber's congenital amaurosis"1844137110.1056/NEJMoa0802268Cans guía - os mellores amigos dos cegosArquivadoEscola de cans guía para cegos en Mortágua, PortugalArquivado"Tecnología para ciegos y deficientes visuales. Recopilación de recursos gratuitos en la Red""Colorino""‘COL.diesis’, escuchar los sonidos del color""COL.diesis: Transforming Colour into Melody and Implementing the Result in a Colour Sensor Device"o orixinal"Sistema de desarrollo de sinestesia color-sonido para invidentes utilizando un protocolo de audio""Enseñanza táctil - geometría y color. Juegos didácticos para niños ciegos y videntes""Sistema Constanz"L'ocupació laboral dels cecs a l'Estat espanyol està pràcticament equiparada a la de les persones amb visió, entrevista amb Pedro ZuritaONCE (Organización Nacional de Cegos de España)Prevención da cegueiraDescrición de deficiencias visuais (Disc@pnet)Braillín, un boneco atractivo para calquera neno, con ou sen discapacidade, que permite familiarizarse co sistema de escritura e lectura brailleAxudas Técnicas36838ID00897494007150-90057129528256DOID:1432HP:0000618D001766C10.597.751.941.162C97109C0155020