I have a big problem with my Debian Stretch installation. Out of nowhere, one of my clients' email addresses started sending huge amounts of spam.
My server uses a standard setup. I installed it with ISPConfig, Postfix, Dovecot, Amavisd, SpamAssassin and ClamAV, following the 'Perfect Server' tutorial from https://www.howtoforge.com/tutorial/perfect-server-debian-9-stretch-apache-bind-dovecot-ispconfig-3-1/.
I host a lot of email domains and mailboxes and many websites, and for most of them I am forced to run old PHP versions (5.3.3 is the oldest). All the spam is sent from a single address and, as far as I can tell, it originates on my local server. I immediately changed the account password and disabled SMTP, but it keeps sending spam as if nothing had happened.
I tried a recursive maldet scan of /; it detected a few potentially malicious PHP scripts in /var/www, but after deleting them spam is still being sent, so that didn't help.
Enough talk, here are the logs and the configuration.
/etc/postfix/main.cf
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
readme_directory = /usr/share/doc/postfix
compatibility_level = 2
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = nibbler.manena.cz
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
myorigin = /etc/mailname
mydestination = nibbler.manena.cz, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains =
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtu$
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cf
virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cf
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_restriction_classes = greylisting
greylisting = check_policy_service inet:127.0.0.1:10023
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, check_recipient_$
smtpd_tls_security_level = may
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_do$
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostname, reject_n$
smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re , permit_mynetworks, permit_sasl_authenticated, check_sender_acces$
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_client_message_rate_limit = 10
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = dovecot
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
owner_request_special = no
smtp_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_exclude_ciphers = RC4, aNULL
smtp_tls_exclude_ciphers = RC4, aNULL
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
message_size_limit = 0
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
unknown_address_reject_code = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code = 554
/var/log/mail.info | grep [one of the spam mail IDs]
Mar 14 06:26:38 nibbler postfix/smtpd[4982]: 23D6036D28F: client=localhost[127.0.0.1]
Mar 14 06:26:38 nibbler postfix/cleanup[9381]: 23D6036D28F: message-id=<[email protected]>
Mar 14 06:26:38 nibbler postfix/qmgr[25904]: 23D6036D28F: from=<[email protected]>, size=1958, nrcpt=23 (queue active)
Mar 14 06:26:38 nibbler amavis[9276]: (09276-16) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [178.156.44.57]:3446 [178.156.44.57] <[email protected]> -> <[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>, Queue-ID: BB16D36D28E, Message-ID: <[email protected]>, mail_id: I8YkwYIYG_PS, Hits: -0.999, size: 908, queued_as: 23D6036D28F, dkim_new=default:client.com, 370 ms
Mar 14 06:26:38 nibbler postfix/smtp[8926]: BB16D36D28E: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10026, delay=5.6, delays=5.2/0/0/0.37, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10027): 250 2.0.0 Ok: queued as 23D6036D28F)
Mar 14 06:26:38 nibbler postfix/smtp[8926]: BB16D36D28E: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10026, delay=5.6, delays=5.2/0/0/0.37, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10027): 250 2.0.0 Ok: queued as 23D6036D28F)
(...)
Do you have any idea what to do now? Any suggestion is greatly appreciated.
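One thing the log excerpt above shows is why a single grep on the spam's queue ID is misleading: with content_filter = amavis, every message passes through Postfix twice, and the second smtpd line (client=localhost[127.0.0.1], queue ID 23D6036D28F) only records the reinjection from amavis. The pre-filter queue ID, the one amavis logs as "Queue-ID: BB16D36D28E", is where the real client address and any sasl_username (or, for mail submitted through sendmail/PHP mail(), the pickup line with the injecting uid) live. The script below is an added example, not part of the original post or of ISPConfig: it parses constructed mail.log lines, follows the amavis "queued_as" links back to the first queue ID, and classifies the origin as SASL-authenticated SMTP, unauthenticated SMTP from mynetworks, or local sendmail pickup. The sample lines, IP addresses, user names and domains are all made up for the example; it assumes Postfix's default short hexadecimal queue IDs and amavis's standard "Queue-ID: ... queued_as: ..." log format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines for this example (not from the original post).
# IPs, users and domains are placeholders; the queue-ID format matches Postfix defaults.
SAMPLE_LOG = """\
Mar 14 06:26:32 nibbler postfix/smtpd[4711]: BB16D36D28E: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=user@example.com
Mar 14 06:26:32 nibbler postfix/qmgr[25904]: BB16D36D28E: from=<user@example.com>, size=908, nrcpt=23 (queue active)
Mar 14 06:26:38 nibbler postfix/smtpd[4982]: 23D6036D28F: client=localhost[127.0.0.1]
Mar 14 06:26:38 nibbler amavis[9276]: (09276-16) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [203.0.113.45]:3446 [203.0.113.45] <user@example.com> -> <a@example.net>, Queue-ID: BB16D36D28E, Message-ID: <x@example.com>, mail_id: I8YkwYIYG_PS, Hits: -0.999, size: 908, queued_as: 23D6036D28F, 370 ms
Mar 14 06:26:38 nibbler postfix/qmgr[25904]: 23D6036D28F: from=<user@example.com>, size=1958, nrcpt=23 (queue active)
Mar 14 06:30:01 nibbler postfix/pickup[1201]: 7A1C536D2A0: uid=33 from=<www-data>
Mar 14 06:30:01 nibbler postfix/qmgr[25904]: 7A1C536D2A0: from=<www-data@nibbler.example>, size=702, nrcpt=5 (queue active)
Mar 14 06:30:02 nibbler postfix/smtpd[4990]: 9C2D136D2A1: client=localhost[127.0.0.1]
Mar 14 06:30:02 nibbler amavis[9277]: (09277-03) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [127.0.0.1]:40000 [127.0.0.1] <www-data@nibbler.example> -> <b@example.net>, Queue-ID: 7A1C536D2A0, Message-ID: <y@nibbler.example>, mail_id: Jk2abcdEfGhi, Hits: -0.5, size: 702, queued_as: 9C2D136D2A1, 210 ms
Mar 14 06:31:10 nibbler postfix/smtpd[5001]: 1F00236D2B0: client=localhost[127.0.0.1]
Mar 14 06:31:10 nibbler postfix/qmgr[25904]: 1F00236D2B0: from=<user@example.com>, size=880, nrcpt=9 (queue active)
Mar 14 06:31:11 nibbler postfix/smtpd[5003]: 3D41936D2B1: client=localhost[127.0.0.1]
Mar 14 06:31:11 nibbler amavis[9278]: (09278-07) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [127.0.0.1]:40010 [127.0.0.1] <user@example.com> -> <c@example.net>, Queue-ID: 1F00236D2B0, Message-ID: <z@example.com>, mail_id: Lm3nopQrStUv, Hits: -0.3, size: 880, queued_as: 3D41936D2B1, 190 ms
"""

# "postfix/<program>[pid]: <QUEUEID>: <rest>"  (default short hex queue IDs)
POSTFIX_RE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]{6,}): (.*)$")
# amavis links the pre-filter queue ID to the ID Postfix assigned on reinjection
AMAVIS_RE = re.compile(r"amavis\[\d+\]: .*Queue-ID: ([0-9A-F]+), .*queued_as: ([0-9A-F]+)")
CLIENT_RE = re.compile(r"client=(\S+?)\[([^\]]+)\]")
SASL_RE = re.compile(r"sasl_username=([^,\s]+)")
UID_RE = re.compile(r"uid=(\d+)")


def parse_log(text):
    """Return (events, reinjected_from): per-queue-ID event list and the map
    post-filter queue ID -> pre-filter queue ID taken from amavis lines."""
    events = defaultdict(list)
    reinjected_from = {}
    for line in text.splitlines():
        m = POSTFIX_RE.search(line)
        if m:
            events[m.group(2)].append((m.group(1), m.group(3)))
        m = AMAVIS_RE.search(line)
        if m:
            # Caveat: amavis may log "queued_as: A/B" when it splits a message;
            # this regex only captures the first ID.
            reinjected_from[m.group(2)] = m.group(1)
    return events, reinjected_from


def trace_origin(events, reinjected_from, queue_id):
    """Walk back through content_filter reinjections to the first queue ID and
    report how that message entered Postfix."""
    chain = [queue_id]
    while chain[-1] in reinjected_from:
        chain.append(reinjected_from[chain[-1]])
    origin = {"chain": chain, "kind": "unknown", "client": None,
              "sasl_username": None, "uid": None}
    for prog, rest in events.get(chain[-1], []):
        if prog == "smtpd":
            m = CLIENT_RE.search(rest)
            origin["client"] = m.group(2) if m else None
            s = SASL_RE.search(rest)
            if s:
                # stolen/abused credentials: the SASL login, not the From, is the lead
                origin["sasl_username"] = s.group(1)
                origin["kind"] = "authenticated_smtp"
            else:
                # e.g. a script talking to 127.0.0.1:25, relayed by permit_mynetworks
                origin["kind"] = "unauthenticated_smtp"
        elif prog == "pickup":
            # sendmail(1) submission, e.g. PHP mail(); uid 33 is www-data on Debian
            u = UID_RE.search(rest)
            origin["uid"] = int(u.group(1)) if u else None
            origin["kind"] = "local_sendmail"
    return origin


def count_by_origin(text):
    """Count first-hop messages per (kind, identity); reinjected copies are skipped."""
    events, reinjected_from = parse_log(text)
    counts = Counter()
    for qid in events:
        if qid in reinjected_from:
            continue
        o = trace_origin(events, reinjected_from, qid)
        identity = o["sasl_username"] or (f"uid={o['uid']}" if o["uid"] is not None else o["client"])
        counts[(o["kind"], identity)] += 1
    return counts


if __name__ == "__main__":
    ev, re_from = parse_log(SAMPLE_LOG)
    print(trace_origin(ev, re_from, "23D6036D28F"))
    for (kind, who), n in count_by_origin(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {kind:22s} {who}")
```

Run it against the real file with `python3 trace.py` after replacing SAMPLE_LOG with the contents of /var/log/mail.info (or pipe the file in). The useful output is the breakdown: a burst under one sasl_username means the mailbox credential is still being used (check where the logins come from and whether Dovecot's auth log agrees), a burst under uid=33 points at a web script on the box, and unauthenticated submissions from 127.0.0.1 point at something connecting straight to port 25, which permit_mynetworks lets through without a password.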