Postfix, проблемы Dovecot, вход в систему root с неизвестных IP-адресов

Postfix, проблемы Dovecot, вход в систему root с неизвестных IP-адресов

У меня проблема с конфигурацией Postfix, Dovecot или обоих.
Все работает как надо, но в логах я заметил, что несколько разных ip-адресов отправляют почту с учетной записью root, они пытаются отправить с[email protected]к[email protected].
Я использую Debian 9, удалил свой вход в систему как root с помощью:

sudo passwd -d root

И отключил аккаунт:

sudo passwd -l root

На сервере есть еще одна учетная запись, и я заметил, что к ней тоже был доступ! Когда я проверил auth.log, попыток перебора не было. Я запускаю ssh на другом порту, использую ключи, плюс iptables настроен на этот порт с hitcount.

Моя версия Postfix: 3.1.12, Dovecot: 2.2.27
Пример журнала из mail.log

Jan 20 18:37:50 vps22525 postfix/submission/smtpd[5026]: connect from unknown[122.228.19.79]
Jan 20 18:37:50 vps22525 postfix/submission/smtpd[5029]: connect from unknown[122.228.19.79]
Jan 20 18:37:50 vps22525 postfix/submission/smtpd[5026]: lost connection after CONNECT from unknown[122.228.19.79]
Jan 20 18:37:50 vps22525 postfix/submission/smtpd[5026]: disconnect from unknown[122.228.19.79] commands=0/0
Jan 20 18:37:51 vps22525 postfix/submission/smtpd[5029]: lost connection after UNKNOWN from unknown[122.228.19.79]
Jan 20 18:37:51 vps22525 postfix/submission/smtpd[5029]: disconnect from unknown[122.228.19.79] ehlo=1 unknown=0/1 commands=1/2
Jan 20 18:41:11 vps22525 postfix/anvil[5028]: statistics: max connection rate 2/60s for (submission:122.228.19.79) at Jan 20 18:37:50
Jan 20 18:41:11 vps22525 postfix/anvil[5028]: statistics: max connection count 2 for (submission:122.228.19.79) at Jan 20 18:37:50
Jan 20 18:41:11 vps22525 postfix/anvil[5028]: statistics: max cache size 1 at Jan 20 18:37:50
Jan 20 19:54:48 vps22525 postfix/smtpd[5172]: warning: hostname ip-38-56.ZervDNS does not resolve to address 92.118.38.56: Name or service not known
Jan 20 19:54:48 vps22525 postfix/smtpd[5172]: connect from unknown[92.118.38.56]
Jan 20 19:54:52 vps22525 postfix/smtpd[5172]: disconnect from unknown[92.118.38.56] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jan 20 19:58:12 vps22525 postfix/anvil[5174]: statistics: max connection rate 1/60s for (smtp:92.118.38.56) at Jan 20 19:54:48
Jan 20 19:58:12 vps22525 postfix/anvil[5174]: statistics: max connection count 1 for (smtp:92.118.38.56) at Jan 20 19:54:48
Jan 20 19:58:12 vps22525 postfix/anvil[5174]: statistics: max cache size 1 at Jan 20 19:54:48
Jan 20 21:24:32 vps22525 postfix/submission/smtpd[5303]: warning: hostname ip-178-112-68-164.static.contabo.net does not resolve to address 164.68.112.178: Name or service not known
Jan 20 21:24:32 vps22525 postfix/submission/smtpd[5303]: connect from unknown[164.68.112.178]
Jan 20 21:24:33 vps22525 postfix/submission/smtpd[5303]: SSL_accept error from unknown[164.68.112.178]: lost connection
Jan 20 21:24:33 vps22525 postfix/submission/smtpd[5303]: lost connection after STARTTLS from unknown[164.68.112.178]
Jan 20 21:24:33 vps22525 postfix/submission/smtpd[5303]: disconnect from unknown[164.68.112.178] ehlo=1 starttls=0/1 commands=1/2
Jan 20 21:25:08 vps22525 dovecot: imap-login: Aborted login (no auth attempts in 1 secs): user=<>, rip=122.228.19.79, lip=127.127.127.127, TLS, session=<NdzXP5ech3d65BNP>
Jan 20 21:27:53 vps22525 postfix/anvil[5305]: statistics: max connection rate 1/60s for (submission:164.68.112.178) at Jan 20 21:24:32
Jan 20 21:27:53 vps22525 postfix/anvil[5305]: statistics: max connection count 1 for (submission:164.68.112.178) at Jan 20 21:24:32
Jan 20 21:27:53 vps22525 postfix/anvil[5305]: statistics: max cache size 1 at Jan 20 21:24:32
Jan 21 00:00:03 vps22525 postfix/pickup[5421]: 2771B209A0: uid=0 from=<root>
Jan 21 00:00:03 vps22525 postfix/cleanup[5533]: 2771B209A0: message-id=<[email protected]>
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2771B209A0: from=<[email protected]>, size=1906, nrcpt=1 (queue active)
Jan 21 00:00:03 vps22525 postfix/local[5535]: 2771B209A0: to=<[email protected]>, orig_to=<root>, relay=local, delay=0.04, delays=0.02/0.01/0/0.01, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file /root/Mail$
Jan 21 00:00:03 vps22525 postfix/cleanup[5533]: 2DED5209A5: message-id=<[email protected]>
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2DED5209A5: from=<>, size=4037, nrcpt=1 (queue active)
Jan 21 00:00:03 vps22525 postfix/bounce[5536]: 2771B209A0: sender non-delivery notification: 2DED5209A5
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2771B209A0: removed
Jan 21 00:00:03 vps22525 postfix/local[5535]: 2DED5209A5: to=<[email protected]>, relay=local, delay=0, delays=0/0/0/0, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file /root/Maildir/tmp/1579557603.P5535.vps$
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2DED5209A5: removed
Jan 21 00:33:07 vps22525 postfix/submission/smtpd[5582]: warning: hostname zg-0911b-52.stretchoid.com does not resolve to address 159.203.193.36: Name or service not known
Jan 21 00:33:07 vps22525 postfix/submission/smtpd[5582]: connect from unknown[159.203.193.36]
Jan 21 00:33:07 vps22525 postfix/submission/smtpd[5582]: disconnect from unknown[159.203.193.36] ehlo=1 quit=1 commands=2
Jan 21 00:36:27 vps22525 postfix/anvil[5584]: statistics: max connection rate 1/60s for (submission:159.203.193.36) at Jan 21 00:33:07
Jan 21 00:36:27 vps22525 postfix/anvil[5584]: statistics: max connection count 1 for (submission:159.203.193.36) at Jan 21 00:33:07
Jan 21 00:36:27 vps22525 postfix/anvil[5584]: statistics: max cache size 1 at Jan 21 00:33:07
Jan 21 03:09:01 vps22525 postfix/pickup[5713]: 557E6201DE: uid=0 from=<root>
Jan 21 03:09:01 vps22525 postfix/cleanup[5847]: 557E6201DE: message-id=<[email protected]>
Jan 21 03:09:01 vps22525 postfix/qmgr[1453]: 557E6201DE: from=<[email protected]>, size=1048, nrcpt=1 (queue active)
Jan 21 03:09:01 vps22525 postfix/local[5849]: 557E6201DE: to=<[email protected]>, orig_to=<root>, relay=local, delay=0.05, delays=0.02/0.01/0/0.02, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file /root/Mail$
Jan 21 03:09:01 vps22525 postfix/cleanup[5847]: 5F945209B4: message-id=<[email protected]>
Jan 21 03:09:01 vps22525 postfix/qmgr[1453]: 5F945209B4: from=<>, size=3179, nrcpt=1 (queue active)
Jan 21 03:09:01 vps22525 postfix/bounce[5850]: 557E6201DE: sender non-delivery notification: 5F945209B4
Jan 21 03:09:01 vps22525 postfix/qmgr[1453]: 557E6201DE: removed
Jan 21 03:09:01 vps22525 postfix/local[5849]: 5F945209B4: to=<[email protected]>, relay=local, delay=0, delays=0/0/0/0, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file /root/Maildir/tmp/1579568941.P5849.vps$
Jan 21 03:09:01 vps22525 postfix/qmgr[1453]: 5F945209B4: removed

Постфикс main.cf

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.mydomain.com/privkey.pem
smtpd_use_tls=yes
smtpd_tls_auth_only=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.mydomain.com
mydomain = mydomain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = $mydomain
masquerade_domains = $mydomain
mydestination = localhost.$mydomain, localhost, $mydomain
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
#mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
home_mailbox = Maildir/
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = check_recipient_access  hash:/etc/postfix/recipient_access reject_unknown_recipient_domain permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,reject_invalid_hostname,reject_non_fqdn_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_sender_domain,reject_rbl_client sbl.spamhaus.org,reject_rbl_client cbl.abuseat.org
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
virtual_alias_maps = hash:/etc/postfix/virtual
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_non_fqdn_helo_hostname,reject_invalid_helo_hostname,reject_unknown_helo_hostname
disable_vrfy_command = yes
smtpd_delay_reject = yes
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 5
smtpd_hard_error_limit = 10
smtpd_restriction_classes = mua_sender_restrictions,
    mua_client_restrictions,
    mua_helo_restrictions
mua_sender_restrictions = permit_sasl_authenticated, reject
mua_client_restrictions = permit_sasl_authenticated, reject
mua_helo_restrictions = permit_mynetworks,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    permit

Как мне предотвратить это? Что я упустил в своей конфигурации?

РЕДАКТИРОВАТЬ

Спасибо всем за помощь. Как сказал @Piotr P. Karwasz, это был демон cron...

решение1

Они пытаются отправить почту через вашу почтовую систему. Но судя по предоставленным журналам, почта не проходит. И это хорошо!
Обычно вы не хотите ретранслировать почту для других доменов, так как они используются в основном спамерами, и это, как правило, приведет к попаданию вашего почтового сервера в черный список. Смотритеhttps://en.wikipedia.org/wiki/Open_mail_relayдля получения дополнительной информации.

В общем, вы можете это игнорировать. Или, если вы действительно хотите, вы можете заблокировать их. Обратитесь к Google за дополнительной информацией по этому вопросу.

решение2

Эти сообщения генерируются локально процессом, работающим каккорень:

Jan 21 00:00:03 vps22525 postfix/pickup[5421]: 2771B209A0: uid=0 from=<root>
Jan 21 00:00:03 vps22525 postfix/cleanup[5533]: 2771B209A0: message-id=<[email protected]>
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2771B209A0: from=<[email protected]>, size=1906, nrcpt=1 (queue active)
Jan 21 00:00:03 vps22525 postfix/local[5535]: 2771B209A0: to=<[email protected]>, orig_to=<root>, relay=local, delay=0.04, delays=0.02/0.01/0/0.01, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file /root/Mail$
Jan 21 00:00:03 vps22525 postfix/cleanup[5533]: 2DED5209A5: message-id=<[email protected]>
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2DED5209A5: from=<>, size=4037, nrcpt=1 (queue active)
Jan 21 00:00:03 vps22525 postfix/bounce[5536]: 2771B209A0: sender non-delivery notification: 2DED5209A5
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2771B209A0: removed
Jan 21 00:00:03 vps22525 postfix/local[5535]: 2DED5209A5: to=<[email protected]>, relay=local, delay=0, delays=0/0/0/0, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file /root/Maildir/tmp/1579557603.P5535.vps$
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2DED5209A5: removed

Вероятно, это CRONдемон. Сообщение и сообщение об отказе не доставляются, потому чтокореньнет почтового ящика. Добавитьпсевдонимот root к вашей учетной записи, чтобы /etc/aliasesиметь возможность получать эти электронные письма.

Связанный контент