9 Replies Latest reply: Aug 19, 2013 2:06 PM by energo
Ricardo Luz Level 1 Level 1 (15 points)

I have recently migrated a server from 10.6.8 to 10.8.2.

Previously the mail server had been running smoothly without any spam being sent or anything like that. I remember there being a setting that disallowed SMTP relay for all connections but those listed, and as such I promptly put in my subnet and another exception. I also required authentication and only accepted one type of authentication. This seemed to do the trick for the better part of 2 years.

However, after the upgrade there was no longer a setting for the SMTP relay (I assumed Apple just set it to no relay, which I thought was the default in a Postfix server anyway). I set the authentication to Open Directory users only, and I only have the mail service allowed for the users that need it. About two months after the upgrade it started sending spam.

Some users had very weak passwords for accounts that were listed on the company website, so I also implemented 16-character randomly generated passwords for the users. This seemed to be the end of the spam; I wasn't sure if this was a coincidence or if someone's account had actually been compromised.

Yesterday the spam started again. I wanted to test if the SMTP relay was on but wasn't so sure how to do that, so I tried sending mail from home through the server without authentication. It didn't work, good I thought, but if I turn on outgoing mail server authentication and type in a username WITHOUT a password, the mail server sends happily. So this is potentially what is happening.

I have two questions: where and what do I look for to see if SMTP relay is on? How do I make sure that the email server will only send fully authenticated emails?


Mac Pro, OS X Server
  • 1. Re: 10.8 Server Sending Spam, how to force authentication
    philippergo Level 1 Level 1 (5 points)

    I always use

    http://mxtoolbox.com/

    to check our mail server.

    There you can check if your server is an open relay or not.

  • 2. Re: 10.8 Server Sending Spam, how to force authentication
    Ricardo Luz Level 1 Level 1 (15 points)

    Thanks Phillip,

    so at least I know it's not an open relay, so either a user account has been compromised or the server is not correctly locked down to send only fully authenticated requests.

    So now I just need someone to help me lock it down completely.

  • 3. Re: 10.8 Server Sending Spam, how to force authentication
    philippergo Level 1 Level 1 (5 points)

    If you execute:

    serveradmin settings mail

    does it look like:

    ...
    mail:postfix:mynetworks:_array_index:0 = "127.0.0.0/8"
    ...

    This makes sure your Postfix only accepts mail that comes from the server itself!

    Please check this.

  • 4. Re: 10.8 Server Sending Spam, how to force authentication
    Ricardo Luz Level 1 Level 1 (15 points)

    Here is the result of that command with the domain etc taken out:

     

    mail:postfix:smtpd_pw_server_security_options:_array_index:0 = "cram-md5"

    mail:postfix:smtpd_pw_server_security_options:_array_index:1 = "digest-md5"

    mail:postfix:smtpd_pw_server_security_options:_array_index:2 = "gssapi"

    mail:postfix:spam_quarantine = "junk-quarantine@example.com"

    mail:postfix:smtp_reject_list_enabled = no

    mail:postfix:bayes_path = "/Library/Server/Mail/Data/scanner/amavis/.spamassassin/bayes"

    mail:postfix:smtp_sasl_auth_enable = no

    mail:postfix:whitelist_from = _empty_array

    mail:postfix:submit_cred:<mydomain>:username = "submit"

    mail:postfix:submit_cred:<mydomain>:password = "BJd3CcFFAVGpyMmgE7Jz3x"

    mail:postfix:smtp_auth_relay_dict:smtp_auth_relay_userid = ""

    mail:postfix:smtp_auth_relay_dict:smtp_auth_relay_pwd = ""

    mail:postfix:smtp_auth_relay_dict:smtp_auth_relay_host = "000.000.000.000"

    mail:postfix:client_permit_mynetworks = yes

    mail:postfix:smtpd_tls_cert_file = "/etc/certificates/xserver.piccolo.net.au.13B6821CEC7E404DFFE23E9D53617CA5712EA4BD.cert.pem"

    mail:postfix:maps_rbl_domains_enabled = yes

    mail:postfix:spam_subject_tag = "***JUNK MAIL*** "

    mail:postfix:smtpd_tls_CAfile = "/etc/certificates/xserver.piccolo.net.au.13B6821CEC7E404DFFE23E9D53617CA5712EA4BD.chain.pem"

    mail:postfix:message_size_limit_enabled = yes

    mail:postfix:virus_db_last_update = "2013-03-27 17:30:01 +0000"

    mail:postfix:mail_enabled_groups = _empty_array

    mail:postfix:add_whitelist_domain:_array_index:0 = "<mydomain>"

    mail:postfix:add_whitelist_domain:_array_index:1 = "<mydomain>"

    mail:postfix:virus_scan_enabled = yes

    mail:postfix:spam_ok_locales = "en"

    mail:postfix:spam_notify_admin_email = "junk-admin@example.com"

    mail:postfix:black_hole_domains:_array_index:0 = "zen.spamhaus.org"

    mail:postfix:virus_db_log_level = "info"

    mail:postfix:spam_scan_enabled = no

    mail:postfix:virus_quarantine = "virus-quarantine@example.com"

    mail:postfix:reject_unauth_piplining_enabled = no

    mail:postfix:blacklist_from = _empty_array

    mail:postfix:spam_rewrite_subject = yes

    mail:postfix:message_size_limit = 68485760

    mail:postfix:greylist_disable = no

    mail:postfix:mynetworks:_array_index:0 = "127.0.0.0/8"

    mail:postfix:mynetworks:_array_index:1 = "192.168.4.0/24"

    mail:postfix:mynetworks:_array_index:2 = "192.168.1.0/24"

    mail:postfix:virus_log_level = "info"

    mail:postfix:host_whitelist:_array_index:0 = "<mydomain>"

    mail:postfix:host_whitelist:_array_index:1 = "<mydomain>"

    mail:postfix:host_whitelist:_array_index:2 = "<mydomain>"

    mail:postfix:rbl_override_list = _empty_array

    mail:postfix:group_expansion:start_interval = 10

    mail:postfix:group_expansion:enable_group_expansion = no

    mail:postfix:virus_notify_recipients = no

    mail:postfix:luser_relay_enabled = no

    mail:postfix:mydomain = "piccolo.net.au"

    mail:postfix:mydestination:_array_index:0 = "localhost"

    mail:postfix:mydestination:_array_index:1 = "<mydomain>"

    mail:postfix:mydestination:_array_index:2 = "<mydomain>"

    mail:postfix:mydestination:_array_index:3 = "$mydomain"

    mail:postfix:virus_notify_admin_email = "virus-admin@example.com"

    mail:postfix:enable_virtual_domains = no

    mail:postfix:spam_notify_admin = no

    mail:postfix:required_hits = 40

    mail:postfix:add_whitelist_host:_array_index:0 = "<mydomain>"

    mail:postfix:add_whitelist_host:_array_index:1 = "<mydomain>"

    mail:postfix:add_whitelist_host:_array_index:2 = "<mydomain>"

    mail:postfix:always_bcc_enabled = no

    mail:postfix:enable_var_mail = no

    mail:postfix:junk_mail_userid = "junkmail"

    mail:postfix:smtpd_tls_key_file = "/etc/certificates/xserver.piccolo.net.au.13B6821CEC7E404DFFE23E9D53617CA5712EA4BD.key.pem"

    mail:postfix:enable_smtp = yes

    mail:postfix:relayhost = "mail.internode.on.net"

    mail:postfix:not_junk_mail_userid = "notjunkmail"

    mail:postfix:mynetworks_enabled = yes

    mail:postfix:spam_ok_languages = "en fr de ja"

    mail:postfix:virtual_domains = _empty_array

    mail:postfix:rbl_override_enabled = no

    mail:postfix:log_rolling_days = 1

    mail:postfix:enable_smtp_in = yes

    mail:postfix:tls_server_options = "use"

    mail:postfix:spam_action = "deliver"

    mail:postfix:log_rolling_days_enabled = yes

    mail:postfix:spam_log_level = "info"

    mail:postfix:smtp_uce_controlls = 0

    mail:postfix:relayhost_enabled = yes

    mail:postfix:virus_action = "delete"

    mail:postfix:virus_db_update_days = 12

    mail:postfix:virus_notify_admin = no

    mail:postfix:domain_whitelist:_array_index:0 = "<mydomain>"

    mail:postfix:domain_whitelist:_array_index:1 = "<mydomain>"

    mail:postfix:enable_smtp_out = yes

    mail:postfix:text_only_attachments = no

    mail:postfix:reject_unknown_client_enabled = no

    mail:postfix:log_level = "info"

    mail:postfix:myhostname = "<mydomain>"

    mail:global:auto_auth = no

    mail:global:service_data_path = "/Library/Server/Mail"

    mail:imap:imap_auth_cram_md5 = yes

    mail:imap:srvtab = "/etc/srvtab"

    mail:imap:imap_auth_clear = no

    mail:imap:loginuseacl = no

    mail:imap:popexpiretime = 0

    mail:imap:notifysocket = "/var/imap/socket/notify"

    mail:imap:timeout = 30

    mail:imap:max_imap_connections = 1000

    mail:imap:sieve_maxscripts = 5

    mail:imap:logtimestamps = no

    mail:imap:quota_enforce_restrictions = no

    mail:imap:tls_imap_key_file = ""

    mail:imap:mupdate_authname = ""

    mail:imap:newsprefix = ""

    mail:imap:proxyservers = _empty_array

    mail:imap:junk_mail_userid = ""

    mail:imap:singleinstancestore = yes

    mail:imap:mupdate_password = ""

    mail:imap:imap_auth_digest_md5 = yes

    mail:imap:tls_cert_file = "/etc/certificates/<mydomain>.13B6821CEC7E404DFFE23E9D53617CA5712EA4BD.cert.pem"

    mail:imap:lmtp_admins = _empty_array

    mail:imap:poptimeout = 10

    mail:imap:postuser = ""

    mail:imap:imap_auth_plain = no

    mail:imap:quota_custom_error = _empty_dictionary

    mail:imap:tls_imap_cert_file = ""

    mail:imap:aps_topic = " "

    mail:imap:sieve_proxyservers = _empty_array

    mail:imap:request_enable_webmail = no

    mail:imap:lmtp_luser_relay_enabled = no

    mail:imap:unixhierarchysep = no

    mail:imap:urlauth_hostport = ""

    mail:imap:imap_auth_gssapi = yes

    mail:imap:partition-default = "/Library/Server/Mail/Data/mail"

    mail:imap:allowanonymouslogin = no

    mail:imap:quota_custom_warning_message_path = ""

    mail:imap:imapidlepoll = 60

    mail:imap:quota_custom_error_message_path = ""

    mail:imap:enable_pop = yes

    mail:imap:tls_session_timeout = 1440

    mail:imap:mupdate_server = ""

    mail:imap:mupdate_realm = ""

    mail:imap:auth_gssapi_hostname = ""$ALL""

    mail:imap:enable_sieve = yes

    mail:imap:lmtpsocket = "/var/imap/socket/lmtp"

    mail:imap:enable_quota_warnings = no

    mail:imap:mupdate_port = ""

    mail:imap:postmaster = "postmaster"

    mail:imap:pop_auth_gssapi = yes

    mail:imap:pop_auth_apop = no

    mail:imap:deleteright = "c"

    mail:imap:proxyd_allow_status_referral = no

    mail:imap:sharedprefix = "Shared Folders"

    mail:imap:sasl_auto_transition = no

    mail:imap:tls_ca_file = "/etc/certificates/<mydomain>.13B6821CEC7E404DFFE23E9D53617CA5712EA4BD.chain.pem"

    mail:imap:sasl_minimum_layer = 0

    mail:imap:sievedir = ""

    mail:imap:debug_command = ""

    mail:imap:duplicatesuppression = yes

    mail:imap:tls_lmtp_key_file = ""

    mail:imap:servername = "<mydomain>"

    mail:imap:quota_full_tempfail = yes

    mail:imap:partitions = _empty_array

    mail:imap:tls_imap_require_cert = no

    mail:imap:sieve_admins = _empty_array

    mail:imap:global_quota = 0

    mail:imap:mupdate_retry_delay = 20

    mail:imap:not_junk_mail_userid = ""

    mail:imap:quota_custom_warning = _empty_dictionary

    mail:imap:enable_imap = yes

    mail:imap:popminpoll = 0

    mail:imap:tls_pop3_key_file = ""

    mail:imap:sendmail = "/usr/lib/sendmail"

    mail:imap:tls_lmtp_cert_file = ""

    mail:imap:tls_require_cert = no

    mail:imap:notification_server_enabled = no

    mail:imap:tls_sieve_require_cert = no

    mail:imap:defaultpartition = "default"

    mail:imap:pop_auth_clear = no

    mail:imap:allowallsubscribe = no

    mail:imap:sasl_pwcheck_method = "auxprop"

    mail:imap:sieve_maxscriptsize = 32

    mail:imap:tls_sieve_key_file = ""

    mail:imap:tls_ca_path = ""

    mail:imap:defaultacl = "anyone lrs"

    mail:imap:reject8bit = no

    mail:imap:tls_key_file = "/etc/certificates/<mydomain>.13B6821CEC7E404DFFE23E9D53617CA5712EA4BD.key.pem"

    mail:imap:tls_pop3_require_cert = no

    mail:imap:sasl_maximum_layer = 256

    mail:imap:autocreatequota = 0

    mail:imap:tls_sieve_cert_file = ""

    mail:imap:userprefix = "Other Users"

    mail:imap:mupdate_admins = _empty_array

    mail:imap:postmaster_address = "postmaster@<mydomain>"

    mail:imap:mupdate_username = ""

    mail:imap:quota_warn_frequency_days = 0

    mail:imap:tls_pop3_cert_file = ""

    mail:imap:aps_topic_enabled = no

    mail:imap:quotawarn = 80

    mail:imap:plaintextloginpause = 0

    mail:imap:enforce_quotas = no

    mail:imap:tls_server_options = "use"

    mail:imap:allowplaintext = yes

    mail:imap:loginrealms = _empty_array

    mail:imap:lmtp_luser_relay = ""

    mail:imap:imapidresponse = yes

    mail:imap:tls_cipher_list:_array_index:0 = "DEFAULT"

    mail:imap:imap_auth_login = no

    mail:imap:admins = _empty_array

    mail:imap:altnamespace = no

    mail:imap:sieveusehomedir = no

    mail:imap:tls_lmtp_require_cert = no

    mail:imap:log_level = "info"

    mail:imap:umask = "077"

    mail:imap:hashimapspool = no

    mail:imap:imap_proxyservers = _empty_array

    Of note, I did notice this

    mail:postfix:smtp_sasl_auth_enable = no

    as well as there being a setting for an authorised relay ID and password, which are blank, but this doesn't matter as only internal relays are accepted.

    I would be happy enough to go to the config file and change things around, but I am not certain about the syntax for more settings and whether it might break anything.

    I am also aware of a "smtpd_recipient_restrictions" setting that can be added, but I am not sure what restrictions I should be including and if they require any other settings tinkering to work properly.

  • 5. Re: 10.8 Server Sending Spam, how to force authentication
    philippergo Level 1 Level 1 (5 points)

    mail:postfix:mynetworks:_array_index:0 = "127.0.0.0/8"
    mail:postfix:mynetworks:_array_index:1 = "192.168.4.0/24"
    mail:postfix:mynetworks:_array_index:2 = "192.168.1.0/24"

    It accepts mail from other networks, which it shouldn't.

    Did you upgrade from a previous Server version? In 10.8 Apple cut a lot of options from the GUI. You've got to use the terminal to delete the two 192.168.*.* networks:

    serveradmin stop mail

    sudo serveradmin settings mail:postfix:mynetworks:_array_index:1 = "delete"
    sudo serveradmin settings mail:postfix:mynetworks:_array_index:2 = "delete"

    serveradmin start mail

    Please try this!

  • 6. Re: 10.8 Server Sending Spam, how to force authentication
    philippergo Level 1 Level 1 (5 points)

    Of note, I did notice this

    mail:postfix:smtp_sasl_auth_enable = no

    This is correct. "Yes" would enforce SMTP connections using SSL with other servers, but not all SMTP servers support this. This would make it impossible for a lot of people to send mails to your server.

  • 7. Re: 10.8 Server Sending Spam, how to force authentication
    Ricardo Luz Level 1 Level 1 (15 points)

    Yes, I did upgrade from 10.6.8.

    I will delete those entries (which I was going to do anyway), but they shouldn't really be what is wrong, as they will only send from those subnets, which is what is used internally, and the person was sending from an IP address which started with 21.x.x.x.

    The thing that's concerning me is that after testing this vigorously, it won't let anyone send without authentication, but to authenticate they ONLY need a valid username and they are able to leave the password blank and it will send. I have never seen this before. I am not sure if this means the problem is with the mail config or if it's an Open Directory issue (I have mail set to only accept Open Directory users and not local users).

    I will make a backup of the mail configuration files as they stand now and change some settings that I think should be different and delete some that have clearly been carried forward from the migration that I know are not needed.

    But like I said above, I need to fix the fact it allows external users to send with only a username and a blank password.

    My guess is that I would need to include these settings:

    smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

    and

    smtpd_tls_auth_only = yes
    smtpd_sender_restrictions = reject_unknown_sender_domain
    smtpd_tls_auth_only = yes

    but before adding these settings, I want to make sure that I don't need to make sure I have any other settings turned on or configured to get these to work.
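Added example (Python, written for this thread, not code from Apple's Server tools or from any poster): it parses lines in the serveradmin settings mail format quoted in reply 4, lists the mynetworks entries whose clients relay without any credentials, and walks the permit_mynetworks / permit_sasl_authenticated / reject_unauth_destination order from the smtpd_recipient_restrictions proposed above for a few constructed clients. The DNS-based checks (reject_unknown_sender_domain, reject_unknown_recipient_domain) and reject_unauth_pipelining are left out, and the sample dump and addresses are made up.

```python
import ipaddress
import re

# Constructed sample in the `serveradmin settings mail` format (not a real host's dump).
SAMPLE_DUMP = """\
mail:postfix:mynetworks:_array_index:0 = "127.0.0.0/8"
mail:postfix:mynetworks:_array_index:1 = "192.168.4.0/24"
mail:postfix:mynetworks:_array_index:2 = "192.168.1.0/24"
mail:postfix:mydestination:_array_index:0 = "localhost"
mail:postfix:mydestination:_array_index:1 = "example.com"
mail:postfix:mynetworks_enabled = yes
"""

# key, optional :_array_index:N suffix, " = ", value (quoted or bare)
LINE_RE = re.compile(r"^(?P<key>[\w:-]+?)(?::_array_index:(?P<idx>\d+))? = (?P<val>.*)$")

def parse_settings(text):
    """Turn serveradmin key = value lines into a dict; _array_index keys become lists."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        val = m.group("val").strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        if m.group("idx") is not None:
            settings.setdefault(m.group("key"), []).append(val)
        else:
            settings[m.group("key")] = val
    return settings

def unauthenticated_relay_networks(settings):
    """Every mynetworks entry other than loopback: clients there relay with no credentials."""
    return [n for n in settings.get("mail:postfix:mynetworks", [])
            if not ipaddress.ip_network(n).is_loopback]

def relay_decision(settings, client_ip, sasl_user, rcpt_domain):
    """Walk permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination in order."""
    ip = ipaddress.ip_address(client_ip)
    for net in settings.get("mail:postfix:mynetworks", []):
        if ip in ipaddress.ip_network(net):
            return "permit_mynetworks"
    if sasl_user:
        return "permit_sasl_authenticated"
    # reject_unauth_destination only rejects mail for domains this server does not host
    if rcpt_domain in settings.get("mail:postfix:mydestination", []):
        return "accept_for_local_domain"
    return "reject_unauth_destination"

if __name__ == "__main__":
    cfg = parse_settings(SAMPLE_DUMP)
    print("relay without credentials from:", unauthenticated_relay_networks(cfg))
    print("external, no SASL ->", relay_decision(cfg, "203.0.113.5", None, "remote.example"))
```

Note that a client that passes SASL is permitted before reject_unauth_destination is ever reached, so an account that authenticates with an empty password relays exactly like a legitimate user; the restriction list cannot catch that, only the authentication backend can.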

  • 8. Re: 10.8 Server Sending Spam, how to force authentication
    Ricardo Luz Level 1 Level 1 (15 points)

    philippergo wrote:

    mail:postfix:mynetworks:_array_index:0 = "127.0.0.0/8"
    mail:postfix:mynetworks:_array_index:1 = "192.168.4.0/24"
    mail:postfix:mynetworks:_array_index:2 = "192.168.1.0/24"

    It accepts mail from other networks, which it shouldn't.

    Did you upgrade from a previous Server version? In 10.8 Apple cut a lot of options from the GUI. You've got to use the terminal to delete the two 192.168.*.* networks:

    serveradmin stop mail

    sudo serveradmin settings mail:postfix:mynetworks:_array_index:1 = "delete"
    sudo serveradmin settings mail:postfix:mynetworks:_array_index:2 = "delete"

    serveradmin start mail

    Please try this!

    When I try to run the commands to delete the relay entries, I get this error:

    Invalid index "1", must specifiy array elements in order
    Index = 1, count = 0, currentArray = (
    )
    for key: "mail:postfix:mynetworks:_array_index:1"

  • 9. Re: 10.8 Server Sending Spam, how to force authentication
    energo Level 1 Level 1 (0 points)

    I have the same problem: I cannot delete these items:

    mail:postfix:host_whitelist:_array_index:4 = "{"
    mail:postfix:host_whitelist:_array_index:5 = "127.0.0.1"
    mail:postfix:host_whitelist:_array_index:6 = "delete"

    root# serveradmin settings mail:postfix:host_whitelist:_array_index:6 = delete
    Invalid index "6", must specifiy array elements in order
    Index = 6, count = 0, currentArray = (
    )
    for key: "mail:postfix:host_whitelist:_array_index:6"

    How do I do it? What did I do wrong?