Postfix, problemas de Dovecot, inicios de sesión de root desde IP desconocidas

I have a problem with my Postfix configuration, my Dovecot configuration, or both.
Everything works as it should, but in the logs I noticed that several different IP addresses are sending mail using the root account; they are trying to send from [email protected] to [email protected].
I am on Debian 9. I removed my root login with:

sudo passwd -d root

And I disabled the account:

sudo passwd -l root

There is one more account on the server, and I noticed it was accessed too! When I checked auth.log there were no brute-force attempts. I am running ssh on a different port, using keys, and iptables is configured on that port with hitcount.

My Postfix version is 3.1.12, Dovecot: 2.2.27
Sample log from mail.log

Jan 20 18:37:50 vps22525 postfix/submission/smtpd[5026]: connect from unknown[122.228.19.79]
Jan 20 18:37:50 vps22525 postfix/submission/smtpd[5029]: connect from unknown[122.228.19.79]
Jan 20 18:37:50 vps22525 postfix/submission/smtpd[5026]: lost connection after CONNECT from unknown[122.228.19.79]
Jan 20 18:37:50 vps22525 postfix/submission/smtpd[5026]: disconnect from unknown[122.228.19.79] commands=0/0
Jan 20 18:37:51 vps22525 postfix/submission/smtpd[5029]: lost connection after UNKNOWN from unknown[122.228.19.79]
Jan 20 18:37:51 vps22525 postfix/submission/smtpd[5029]: disconnect from unknown[122.228.19.79] ehlo=1 unknown=0/1 commands=1/2
Jan 20 18:41:11 vps22525 postfix/anvil[5028]: statistics: max connection rate 2/60s for (submission:122.228.19.79) at Jan 20 18:37:50
Jan 20 18:41:11 vps22525 postfix/anvil[5028]: statistics: max connection count 2 for (submission:122.228.19.79) at Jan 20 18:37:50
Jan 20 18:41:11 vps22525 postfix/anvil[5028]: statistics: max cache size 1 at Jan 20 18:37:50
Jan 20 19:54:48 vps22525 postfix/smtpd[5172]: warning: hostname ip-38-56.ZervDNS does not resolve to address 92.118.38.56: Name or service not known
Jan 20 19:54:48 vps22525 postfix/smtpd[5172]: connect from unknown[92.118.38.56]
Jan 20 19:54:52 vps22525 postfix/smtpd[5172]: disconnect from unknown[92.118.38.56] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jan 20 19:58:12 vps22525 postfix/anvil[5174]: statistics: max connection rate 1/60s for (smtp:92.118.38.56) at Jan 20 19:54:48
Jan 20 19:58:12 vps22525 postfix/anvil[5174]: statistics: max connection count 1 for (smtp:92.118.38.56) at Jan 20 19:54:48
Jan 20 19:58:12 vps22525 postfix/anvil[5174]: statistics: max cache size 1 at Jan 20 19:54:48
Jan 20 21:24:32 vps22525 postfix/submission/smtpd[5303]: warning: hostname ip-178-112-68-164.static.contabo.net does not resolve to address 164.68.112.178: Name or service not known
Jan 20 21:24:32 vps22525 postfix/submission/smtpd[5303]: connect from unknown[164.68.112.178]
Jan 20 21:24:33 vps22525 postfix/submission/smtpd[5303]: SSL_accept error from unknown[164.68.112.178]: lost connection
Jan 20 21:24:33 vps22525 postfix/submission/smtpd[5303]: lost connection after STARTTLS from unknown[164.68.112.178]
Jan 20 21:24:33 vps22525 postfix/submission/smtpd[5303]: disconnect from unknown[164.68.112.178] ehlo=1 starttls=0/1 commands=1/2
Jan 20 21:25:08 vps22525 dovecot: imap-login: Aborted login (no auth attempts in 1 secs): user=<>, rip=122.228.19.79, lip=127.127.127.127, TLS, session=<NdzXP5ech3d65BNP>
Jan 20 21:27:53 vps22525 postfix/anvil[5305]: statistics: max connection rate 1/60s for (submission:164.68.112.178) at Jan 20 21:24:32
Jan 20 21:27:53 vps22525 postfix/anvil[5305]: statistics: max connection count 1 for (submission:164.68.112.178) at Jan 20 21:24:32
Jan 20 21:27:53 vps22525 postfix/anvil[5305]: statistics: max cache size 1 at Jan 20 21:24:32
Jan 21 00:00:03 vps22525 postfix/pickup[5421]: 2771B209A0: uid=0 from=<root>
Jan 21 00:00:03 vps22525 postfix/cleanup[5533]: 2771B209A0: message-id=<[email protected]>
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2771B209A0: from=<[email protected]>, size=1906, nrcpt=1 (queue active)
Jan 21 00:00:03 vps22525 postfix/local[5535]: 2771B209A0: to=<[email protected]>, orig_to=<root>, relay=local, delay=0.04, delays=0.02/0.01/0/0.01, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file /root/Mail$
Jan 21 00:00:03 vps22525 postfix/cleanup[5533]: 2DED5209A5: message-id=<[email protected]>
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2DED5209A5: from=<>, size=4037, nrcpt=1 (queue active)
Jan 21 00:00:03 vps22525 postfix/bounce[5536]: 2771B209A0: sender non-delivery notification: 2DED5209A5
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2771B209A0: removed
Jan 21 00:00:03 vps22525 postfix/local[5535]: 2DED5209A5: to=<[email protected]>, relay=local, delay=0, delays=0/0/0/0, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file /root/Maildir/tmp/1579557603.P5535.vps$
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2DED5209A5: removed
Jan 21 00:33:07 vps22525 postfix/submission/smtpd[5582]: warning: hostname zg-0911b-52.stretchoid.com does not resolve to address 159.203.193.36: Name or service not known
Jan 21 00:33:07 vps22525 postfix/submission/smtpd[5582]: connect from unknown[159.203.193.36]
Jan 21 00:33:07 vps22525 postfix/submission/smtpd[5582]: disconnect from unknown[159.203.193.36] ehlo=1 quit=1 commands=2
Jan 21 00:36:27 vps22525 postfix/anvil[5584]: statistics: max connection rate 1/60s for (submission:159.203.193.36) at Jan 21 00:33:07
Jan 21 00:36:27 vps22525 postfix/anvil[5584]: statistics: max connection count 1 for (submission:159.203.193.36) at Jan 21 00:33:07
Jan 21 00:36:27 vps22525 postfix/anvil[5584]: statistics: max cache size 1 at Jan 21 00:33:07
Jan 21 03:09:01 vps22525 postfix/pickup[5713]: 557E6201DE: uid=0 from=<root>
Jan 21 03:09:01 vps22525 postfix/cleanup[5847]: 557E6201DE: message-id=<[email protected]>
Jan 21 03:09:01 vps22525 postfix/qmgr[1453]: 557E6201DE: from=<[email protected]>, size=1048, nrcpt=1 (queue active)
Jan 21 03:09:01 vps22525 postfix/local[5849]: 557E6201DE: to=<[email protected]>, orig_to=<root>, relay=local, delay=0.05, delays=0.02/0.01/0/0.02, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file /root/Mail$
Jan 21 03:09:01 vps22525 postfix/cleanup[5847]: 5F945209B4: message-id=<[email protected]>
Jan 21 03:09:01 vps22525 postfix/qmgr[1453]: 5F945209B4: from=<>, size=3179, nrcpt=1 (queue active)
Jan 21 03:09:01 vps22525 postfix/bounce[5850]: 557E6201DE: sender non-delivery notification: 5F945209B4
Jan 21 03:09:01 vps22525 postfix/qmgr[1453]: 557E6201DE: removed
Jan 21 03:09:01 vps22525 postfix/local[5849]: 5F945209B4: to=<[email protected]>, relay=local, delay=0, delays=0/0/0/0, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file /root/Maildir/tmp/1579568941.P5849.vps$
Jan 21 03:09:01 vps22525 postfix/qmgr[1453]: 5F945209B4: removed

Postfix main.cf

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.mydomain.com/privkey.pem
smtpd_use_tls=yes
smtpd_tls_auth_only=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.mydomain.com
mydomain = mydomain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = $mydomain
masquerade_domains = $mydomain
mydestination = localhost.$mydomain, localhost, $mydomain
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
#mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
home_mailbox = Maildir/
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = check_recipient_access  hash:/etc/postfix/recipient_access reject_unknown_recipient_domain permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,reject_invalid_hostname,reject_non_fqdn_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_sender_domain,reject_rbl_client sbl.spamhaus.org,reject_rbl_client cbl.abuseat.org
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
virtual_alias_maps = hash:/etc/postfix/virtual
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_non_fqdn_helo_hostname,reject_invalid_helo_hostname,reject_unknown_helo_hostname
disable_vrfy_command = yes
smtpd_delay_reject = yes
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 5
smtpd_hard_error_limit = 10
smtpd_restriction_classes = mua_sender_restrictions,
    mua_client_restrictions,
    mua_helo_restrictions
mua_sender_restrictions = permit_sasl_authenticated, reject
mua_client_restrictions = permit_sasl_authenticated, reject
mua_helo_restrictions = permit_mynetworks,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    permit

How do I stop this from happening? What did I miss in my configuration?

EDIT

Thanks everyone for the help. As @Piotr P. Karwasz mentions, it was a cron daemon...

Answer 1

They are trying to send mail through your mail system. But judging by the logs you provided, the mail is not getting through. Which is a good thing!
Generally you do not want to relay mail for other domains, since spammers are the main ones who use that and your mail server will usually end up blacklisted. See https://en.wikipedia.org/wiki/Open_mail_relay for more information.

All in all, you can ignore this. Or if you really want to, you can block them. Consult Google for more information on that.

Answer 2

These messages are generated locally by a process running as root:

Jan 21 00:00:03 vps22525 postfix/pickup[5421]: 2771B209A0: uid=0 from=<root>
Jan 21 00:00:03 vps22525 postfix/cleanup[5533]: 2771B209A0: message-id=<[email protected]>
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2771B209A0: from=<[email protected]>, size=1906, nrcpt=1 (queue active)
Jan 21 00:00:03 vps22525 postfix/local[5535]: 2771B209A0: to=<[email protected]>, orig_to=<root>, relay=local, delay=0.04, delays=0.02/0.01/0/0.01, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file /root/Mail$
Jan 21 00:00:03 vps22525 postfix/cleanup[5533]: 2DED5209A5: message-id=<[email protected]>
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2DED5209A5: from=<>, size=4037, nrcpt=1 (queue active)
Jan 21 00:00:03 vps22525 postfix/bounce[5536]: 2771B209A0: sender non-delivery notification: 2DED5209A5
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2771B209A0: removed
Jan 21 00:00:03 vps22525 postfix/local[5535]: 2DED5209A5: to=<[email protected]>, relay=local, delay=0, delays=0/0/0/0, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file /root/Maildir/tmp/1579557603.P5535.vps$
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2DED5209A5: removed

It is probably the CRON daemon. The message and the bounce are not delivered because root has no mailbox. Add an alias from root to your account in /etc/aliases so you can receive these emails.
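The distinction this answer draws (mail handed to Postfix by a local root process versus anything a remote client did) can be checked mechanically. The following is an added example, not code from the question or either answer: it classifies mail.log lines into local pickup submissions with uid=0, remote smtpd connections, failed SASL attempts taken from the disconnect summary, successful SASL logins, and Dovecot aborted logins. The sample lines are constructed from the shape of the excerpt above; the recipient address is a placeholder.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the mail.log excerpt in the question
# (the recipient address is a placeholder, not the poster's value).
SAMPLE_LOG = """\
Jan 20 19:54:48 vps22525 postfix/smtpd[5172]: connect from unknown[92.118.38.56]
Jan 20 19:54:52 vps22525 postfix/smtpd[5172]: disconnect from unknown[92.118.38.56] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jan 20 21:24:32 vps22525 postfix/submission/smtpd[5303]: connect from unknown[164.68.112.178]
Jan 20 21:24:33 vps22525 postfix/submission/smtpd[5303]: disconnect from unknown[164.68.112.178] ehlo=1 starttls=0/1 commands=1/2
Jan 20 21:25:08 vps22525 dovecot: imap-login: Aborted login (no auth attempts in 1 secs): user=<>, rip=122.228.19.79, lip=127.127.127.127, TLS, session=<NdzXP5ech3d65BNP>
Jan 21 00:00:03 vps22525 postfix/pickup[5421]: 2771B209A0: uid=0 from=<root>
Jan 21 00:00:03 vps22525 postfix/local[5535]: 2771B209A0: to=<root@mail.example.invalid>, orig_to=<root>, relay=local, dsn=5.2.0, status=bounced (maildir delivery failed)
Jan 21 03:09:01 vps22525 postfix/pickup[5713]: 557E6201DE: uid=0 from=<root>
"""

PICKUP = re.compile(r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
CONNECT = re.compile(r"postfix/(?:submission/)?smtpd\[\d+\]: connect from \S+\[(?P<ip>[^\]]+)\]")
DISCONNECT = re.compile(r"postfix/(?:submission/)?smtpd\[\d+\]: disconnect from \S+\[(?P<ip>[^\]]+)\](?P<summary>.*)")
# A successful SASL login is logged on the "client=" line together with sasl_username=.
SASL_OK = re.compile(r"smtpd\[\d+\]: [0-9A-F]+: client=\S+\[(?P<ip>[^\]]+)\].*sasl_username=(?P<user>\S+)")
IMAP_ABORT = re.compile(r"dovecot: imap-login: Aborted login \((?P<reason>[^)]*)\): user=<[^>]*>, rip=(?P<ip>[\d.]+)")

def failed_auths(summary):
    """Read auth=succeeded/attempted from an smtpd disconnect summary; return the failures."""
    m = re.search(r"\bauth=(\d+)/(\d+)", summary)
    return int(m.group(2)) - int(m.group(1)) if m else 0

def classify(log_text):
    """Separate locally submitted mail (pickup, uid=0) from remote SMTP/IMAP activity."""
    report = {"local_root_submissions": [], "remote_connections": Counter(),
              "failed_smtp_auth": Counter(), "authenticated_remote": Counter(),
              "imap_aborted": Counter()}
    for line in log_text.splitlines():
        if (m := PICKUP.search(line)) and m["uid"] == "0":
            # uid=0 means a root-owned local process (cron, a script) used sendmail(1);
            # no network client is involved, so no remote IP can appear on this line.
            report["local_root_submissions"].append(m["qid"])
        elif m := CONNECT.search(line):
            report["remote_connections"][m["ip"]] += 1
        elif m := DISCONNECT.search(line):
            report["failed_smtp_auth"][m["ip"]] += failed_auths(m["summary"])
        elif m := SASL_OK.search(line):
            report["authenticated_remote"][m["ip"]] += 1
        elif m := IMAP_ABORT.search(line):
            report["imap_aborted"][m["ip"]] += 1
    return report
```

On the sample, both root messages come from pickup with no remote IP, while every remote IP shows only failed or aborted attempts and no authenticated session, which is the pattern the answer describes.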
