Postfix, Dovecot problem, root logins from unknown IPs


I have a problem with my Postfix configuration, my Dovecot configuration, or both.
Everything works fine, but looking at the logs I found that several different IPs are sending mail using the root account. [email address] [email address]
I am using Debian 9, and I removed the root login with the following command:

sudo passwd -d root

and disabled the account:

sudo passwd -l root

There is one other account on the server, and I noticed that it has been accessed as well. I checked auth.log and there were no brute-force attacks. I run ssh on a different port with keys, and that port has iptables with a hit count set up.

My Postfix version is 3.1.12 and Dovecot is 2.2.27. Sample log from mail.log:

Jan 20 18:37:50 vps22525 postfix/submission/smtpd[5026]: connect from unknown[122.228.19.79]
Jan 20 18:37:50 vps22525 postfix/submission/smtpd[5029]: connect from unknown[122.228.19.79]
Jan 20 18:37:50 vps22525 postfix/submission/smtpd[5026]: lost connection after CONNECT from unknown[122.228.19.79]
Jan 20 18:37:50 vps22525 postfix/submission/smtpd[5026]: disconnect from unknown[122.228.19.79] commands=0/0
Jan 20 18:37:51 vps22525 postfix/submission/smtpd[5029]: lost connection after UNKNOWN from unknown[122.228.19.79]
Jan 20 18:37:51 vps22525 postfix/submission/smtpd[5029]: disconnect from unknown[122.228.19.79] ehlo=1 unknown=0/1 commands=1/2
Jan 20 18:41:11 vps22525 postfix/anvil[5028]: statistics: max connection rate 2/60s for (submission:122.228.19.79) at Jan 20 18:37:50
Jan 20 18:41:11 vps22525 postfix/anvil[5028]: statistics: max connection count 2 for (submission:122.228.19.79) at Jan 20 18:37:50
Jan 20 18:41:11 vps22525 postfix/anvil[5028]: statistics: max cache size 1 at Jan 20 18:37:50
Jan 20 19:54:48 vps22525 postfix/smtpd[5172]: warning: hostname ip-38-56.ZervDNS does not resolve to address 92.118.38.56: Name or service not known
Jan 20 19:54:48 vps22525 postfix/smtpd[5172]: connect from unknown[92.118.38.56]
Jan 20 19:54:52 vps22525 postfix/smtpd[5172]: disconnect from unknown[92.118.38.56] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jan 20 19:58:12 vps22525 postfix/anvil[5174]: statistics: max connection rate 1/60s for (smtp:92.118.38.56) at Jan 20 19:54:48
Jan 20 19:58:12 vps22525 postfix/anvil[5174]: statistics: max connection count 1 for (smtp:92.118.38.56) at Jan 20 19:54:48
Jan 20 19:58:12 vps22525 postfix/anvil[5174]: statistics: max cache size 1 at Jan 20 19:54:48
Jan 20 21:24:32 vps22525 postfix/submission/smtpd[5303]: warning: hostname ip-178-112-68-164.static.contabo.net does not resolve to address 164.68.112.178: Name or service not known
Jan 20 21:24:32 vps22525 postfix/submission/smtpd[5303]: connect from unknown[164.68.112.178]
Jan 20 21:24:33 vps22525 postfix/submission/smtpd[5303]: SSL_accept error from unknown[164.68.112.178]: lost connection
Jan 20 21:24:33 vps22525 postfix/submission/smtpd[5303]: lost connection after STARTTLS from unknown[164.68.112.178]
Jan 20 21:24:33 vps22525 postfix/submission/smtpd[5303]: disconnect from unknown[164.68.112.178] ehlo=1 starttls=0/1 commands=1/2
Jan 20 21:25:08 vps22525 dovecot: imap-login: Aborted login (no auth attempts in 1 secs): user=<>, rip=122.228.19.79, lip=127.127.127.127, TLS, session=<NdzXP5ech3d65BNP>
Jan 20 21:27:53 vps22525 postfix/anvil[5305]: statistics: max connection rate 1/60s for (submission:164.68.112.178) at Jan 20 21:24:32
Jan 20 21:27:53 vps22525 postfix/anvil[5305]: statistics: max connection count 1 for (submission:164.68.112.178) at Jan 20 21:24:32
Jan 20 21:27:53 vps22525 postfix/anvil[5305]: statistics: max cache size 1 at Jan 20 21:24:32
Jan 21 00:00:03 vps22525 postfix/pickup[5421]: 2771B209A0: uid=0 from=<root>
Jan 21 00:00:03 vps22525 postfix/cleanup[5533]: 2771B209A0: message-id=<[email protected]>
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2771B209A0: from=<[email protected]>, size=1906, nrcpt=1 (queue active)
Jan 21 00:00:03 vps22525 postfix/local[5535]: 2771B209A0: to=<[email protected]>, orig_to=<root>, relay=local, delay=0.04, delays=0.02/0.01/0/0.01, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file /root/Mail$
Jan 21 00:00:03 vps22525 postfix/cleanup[5533]: 2DED5209A5: message-id=<[email protected]>
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2DED5209A5: from=<>, size=4037, nrcpt=1 (queue active)
Jan 21 00:00:03 vps22525 postfix/bounce[5536]: 2771B209A0: sender non-delivery notification: 2DED5209A5
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2771B209A0: removed
Jan 21 00:00:03 vps22525 postfix/local[5535]: 2DED5209A5: to=<[email protected]>, relay=local, delay=0, delays=0/0/0/0, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file /root/Maildir/tmp/1579557603.P5535.vps$
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2DED5209A5: removed
Jan 21 00:33:07 vps22525 postfix/submission/smtpd[5582]: warning: hostname zg-0911b-52.stretchoid.com does not resolve to address 159.203.193.36: Name or service not known
Jan 21 00:33:07 vps22525 postfix/submission/smtpd[5582]: connect from unknown[159.203.193.36]
Jan 21 00:33:07 vps22525 postfix/submission/smtpd[5582]: disconnect from unknown[159.203.193.36] ehlo=1 quit=1 commands=2
Jan 21 00:36:27 vps22525 postfix/anvil[5584]: statistics: max connection rate 1/60s for (submission:159.203.193.36) at Jan 21 00:33:07
Jan 21 00:36:27 vps22525 postfix/anvil[5584]: statistics: max connection count 1 for (submission:159.203.193.36) at Jan 21 00:33:07
Jan 21 00:36:27 vps22525 postfix/anvil[5584]: statistics: max cache size 1 at Jan 21 00:33:07
Jan 21 03:09:01 vps22525 postfix/pickup[5713]: 557E6201DE: uid=0 from=<root>
Jan 21 03:09:01 vps22525 postfix/cleanup[5847]: 557E6201DE: message-id=<[email protected]>
Jan 21 03:09:01 vps22525 postfix/qmgr[1453]: 557E6201DE: from=<[email protected]>, size=1048, nrcpt=1 (queue active)
Jan 21 03:09:01 vps22525 postfix/local[5849]: 557E6201DE: to=<[email protected]>, orig_to=<root>, relay=local, delay=0.05, delays=0.02/0.01/0/0.02, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file /root/Mail$
Jan 21 03:09:01 vps22525 postfix/cleanup[5847]: 5F945209B4: message-id=<[email protected]>
Jan 21 03:09:01 vps22525 postfix/qmgr[1453]: 5F945209B4: from=<>, size=3179, nrcpt=1 (queue active)
Jan 21 03:09:01 vps22525 postfix/bounce[5850]: 557E6201DE: sender non-delivery notification: 5F945209B4
Jan 21 03:09:01 vps22525 postfix/qmgr[1453]: 557E6201DE: removed
Jan 21 03:09:01 vps22525 postfix/local[5849]: 5F945209B4: to=<[email protected]>, relay=local, delay=0, delays=0/0/0/0, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file /root/Maildir/tmp/1579568941.P5849.vps$
Jan 21 03:09:01 vps22525 postfix/qmgr[1453]: 5F945209B4: removed

Postfix main.cf

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.mydomain.com/privkey.pem
smtpd_use_tls=yes
smtpd_tls_auth_only=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.mydomain.com
mydomain = mydomain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = $mydomain
masquerade_domains = $mydomain
mydestination = localhost.$mydomain, localhost, $mydomain
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
#mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
home_mailbox = Maildir/
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = check_recipient_access  hash:/etc/postfix/recipient_access reject_unknown_recipient_domain permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,reject_invalid_hostname,reject_non_fqdn_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_sender_domain,reject_rbl_client sbl.spamhaus.org,reject_rbl_client cbl.abuseat.org
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
virtual_alias_maps = hash:/etc/postfix/virtual
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_non_fqdn_helo_hostname,reject_invalid_helo_hostname,reject_unknown_helo_hostname
disable_vrfy_command = yes
smtpd_delay_reject = yes
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 5
smtpd_hard_error_limit = 10
smtpd_restriction_classes = mua_sender_restrictions,
    mua_client_restrictions,
    mua_helo_restrictions
mua_sender_restrictions = permit_sasl_authenticated, reject
mua_client_restrictions = permit_sasl_authenticated, reject
mua_helo_restrictions = permit_mynetworks,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    permit

How can I prevent this? What is missing in my configuration?

Edit

Thanks everyone for your help. As @Piotr P. Karwasz said, it was the cron daemon...

Answer 1

Someone is trying to send mail through your mail system. But judging from the logs you provided, the mail is not being sent, which is a good thing.
Normally you do not want to relay mail for other domains; this is mostly used by spammers and gets your mail server blacklisted. See https://en.wikipedia.org/wiki/Open_mail_relay for details.

In the end, you can just ignore this. Or, if you really need to, you can block it; search Google for details.

Answer 2

These messages are generated locally, by a process running on the server itself, as shown here:

Jan 21 00:00:03 vps22525 postfix/pickup[5421]: 2771B209A0: uid=0 from=<root>
Jan 21 00:00:03 vps22525 postfix/cleanup[5533]: 2771B209A0: message-id=<[email protected]>
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2771B209A0: from=<[email protected]>, size=1906, nrcpt=1 (queue active)
Jan 21 00:00:03 vps22525 postfix/local[5535]: 2771B209A0: to=<[email protected]>, orig_to=<root>, relay=local, delay=0.04, delays=0.02/0.01/0/0.01, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file /root/Mail$
Jan 21 00:00:03 vps22525 postfix/cleanup[5533]: 2DED5209A5: message-id=<[email protected]>
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2DED5209A5: from=<>, size=4037, nrcpt=1 (queue active)
Jan 21 00:00:03 vps22525 postfix/bounce[5536]: 2771B209A0: sender non-delivery notification: 2DED5209A5
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2771B209A0: removed
Jan 21 00:00:03 vps22525 postfix/local[5535]: 2DED5209A5: to=<[email protected]>, relay=local, delay=0, delays=0/0/0/0, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file /root/Maildir/tmp/1579557603.P5535.vps$
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2DED5209A5: removed

It is probably the CRON daemon. The messages and the bounce messages cannot be delivered because there is no mailbox. To be able to receive these emails, you need to add an alias in /etc/aliases from root to your account.
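As an added illustration of the distinction this answer draws (example code written for this page, not from the answerer or from Postfix), the following Python parses mail.log lines in the format shown above and separates messages that entered through postfix/pickup (local sendmail submission; uid=0 is root) from remote smtpd sessions, whose auth=ok/tried counter shows whether any SASL login actually succeeded. The sample log is constructed from the question's excerpt.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the mail.log excerpt above: one remote smtpd session that
# tried AUTH once and failed, and one locally submitted root message (uid=0) that bounced
# because /root/Maildir could not be created. "[email protected]" is the page's own redaction.
SAMPLE_LOG = """\
Jan 20 19:54:52 vps22525 postfix/smtpd[5172]: disconnect from unknown[92.118.38.56] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jan 21 00:00:03 vps22525 postfix/pickup[5421]: 2771B209A0: uid=0 from=<root>
Jan 21 00:00:03 vps22525 postfix/local[5535]: 2771B209A0: to=<[email protected]>, orig_to=<root>, relay=local, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file /root/Maildir/tmp/x)
Jan 21 00:00:03 vps22525 postfix/bounce[5536]: 2771B209A0: sender non-delivery notification: 2DED5209A5
"""

LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ postfix/(?P<proc>[\w/]+)\[\d+\]: (?P<rest>.*)$")
QID_RE = re.compile(r"^(?P<qid>[0-9A-F]{8,}): (?P<msg>.*)$")

def field(msg, name):
    """Value of name=... (angle brackets stripped) in a postfix log message, or None."""
    m = re.search(rf"\b{name}=<?([^<>,\s]+)>?", msg)
    return m.group(1) if m else None

def triage(log_text):
    """Group queue-ID lines per message and list remote smtpd sessions' AUTH counters."""
    msgs, remote = defaultdict(dict), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proc, rest = m.group("proc"), m.group("rest")
        q = QID_RE.match(rest)
        if q is None:  # session-level line without a queue ID
            if proc.endswith("smtpd") and rest.startswith("disconnect from"):
                ip = re.search(r"\[([^\]]+)\]", rest).group(1)
                ok, tried = (field(rest, "auth") or "0/0").split("/")
                remote.append((ip, int(tried), int(ok)))  # (client, AUTH attempts, AUTH successes)
            continue
        rec, msg = msgs[q.group("qid")], q.group("msg")
        if proc == "pickup":  # handed in via sendmail(1) on this host, never via the network
            rec.update(origin="local", uid=int(field(msg, "uid")), sender=field(msg, "from"))
        elif proc.endswith("smtpd"):  # accepted from a network client
            rec.update(origin="remote", client=field(msg, "client"))
        elif proc in ("local", "virtual", "smtp"):  # delivery agents report the final status
            rec.update(status=field(msg, "status"), dsn=field(msg, "dsn"))
        elif proc == "bounce":
            rec["bounce_id"] = msg.rsplit(": ", 1)[-1]
    return dict(msgs), remote

def root_bounces(log_text):
    """Queue IDs of locally submitted root mail that bounced, i.e. the cron symptom."""
    msgs, _ = triage(log_text)
    return sorted(q for q, r in msgs.items()
                  if r.get("origin") == "local" and r.get("uid") == 0 and r.get("status") == "bounced")
```

On the real log, a non-empty root_bounces() result with no remote session showing auth=1/... confirms the mail is generated on the box, not relayed by an outside client.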
