-
by ephraimephraim, Jan 29, 2016 4:10 PM, in response to Chakravarthy Cuddapah
I have a similar situation though I'm running El Capitan (10.11.3). My guess is that somebody's found a way around the mail relay restrictions, though I don't know how. What I'd like to do is restrict outgoing mail to known accounts. The spam all has made-up usernames.
-
by pterobyte, Feb 5, 2016 2:46 AM, in response to Chakravarthy Cuddapah
Usually (most of the time), this is due to a compromised user rather than an actually compromised server.
Make sure your logging level for SMTP is at least at "info"; if not, set it first:
sudo serveradmin settings mail:postfix:log_level = "info"
Then, wait for a while for the mail log to populate. Might take some time if the rogue sender only sends during certain timeframes. Next, issue:
grep -i "sasl_username=" /var/log/mail.log
If you see the same username over and over again in short succession, you have the culprit and can change the user's password. If in doubt about your password policy in general, change all users' passwords and make sure only strong passwords are allowed.
HTH,
Alex
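Worked example of the check above, added here for this thread (it is not pterobyte's or Apple's code). With SMTP logging at "info", Postfix smtpd logs each authenticated submission as "QUEUEID: client=host[ip], sasl_method=..., sasl_username=user", so instead of eyeballing the grep output the script below parses those lines, counts submissions per sasl_username, and flags any account whose submissions cluster in a short window. It also tallies the "Relay access denied" rejects so they can be separated from real outbound mail. The sample log is constructed, modelled on the excerpts in this thread; the threshold (5 messages) and window (60 seconds) are assumed starting points, not Postfix settings.

```python
"""Flag a compromised SMTP AUTH account from Postfix mail.log (added example)."""
import re
import sys
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on this thread's log excerpts: "alice" submits at
# a normal rate, "bob" bursts from two client addresses, two relays are refused.
SAMPLE_LOG = """\
Feb  5 17:48:40 mmls01.mydomain.net postfix/postscreen[13203]: CONNECT from [127.0.0.1]:56890 to [127.0.0.1]:25
Feb  5 17:48:40 mmls01.mydomain.net postfix/smtpd[52383]: connect from localhost[127.0.0.1]
Feb  5 17:48:40 mmls01.mydomain.net postfix/smtpd[52383]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <print@pitstopprint.com>: Relay access denied; from=<opal_murray@mydomain1.net> to=<print@pitstopprint.com> proto=ESMTP helo=<mydomain1.net>
Feb  5 22:07:18 mmls01.mydomain.net postfix/smtpd[64511]: NOQUEUE: reject: RCPT from srhs-mail-mbx4.mysrhs.com[68.17.50.219]: 454 4.7.1 <mildred_reyes@mydomain1.net>: Relay access denied; from=<> to=<mildred_reyes@mydomain1.net> proto=ESMTP helo=<EXCHANGE.MYSRHS.COM>
Feb  5 22:10:01 mmls01.mydomain.net postfix/smtpd[64520]: 3C496225B101: client=unknown[203.0.113.10], sasl_method=PLAIN, sasl_username=alice
Feb  5 22:31:45 mmls01.mydomain.net postfix/smtpd[64520]: 3C496225B102: client=unknown[203.0.113.10], sasl_method=PLAIN, sasl_username=alice
Feb  5 22:40:00 mmls01.mydomain.net postfix/smtpd[64530]: 3C496225B110: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob
Feb  5 22:40:02 mmls01.mydomain.net postfix/smtpd[64530]: 3C496225B111: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob
Feb  5 22:40:03 mmls01.mydomain.net postfix/smtpd[64531]: 3C496225B112: client=unknown[198.51.100.8], sasl_method=LOGIN, sasl_username=bob
Feb  5 22:40:05 mmls01.mydomain.net postfix/smtpd[64530]: 3C496225B113: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob
Feb  5 22:40:06 mmls01.mydomain.net postfix/smtpd[64531]: 3C496225B114: client=unknown[198.51.100.8], sasl_method=LOGIN, sasl_username=bob
Feb  5 22:40:09 mmls01.mydomain.net postfix/smtpd[64530]: 3C496225B115: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob
"""

# syslog stamp, host, then only the smtpd process; other daemons are skipped
SMTPD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: (?P<rest>.*)$")
# authenticated submission: "QUEUEID: client=host[ip], sasl_method=X, sasl_username=U"
AUTH_RE = re.compile(r"^(?P<qid>[0-9A-F]+): client=(?P<client>\S+), .*sasl_username=(?P<user>\S+)")
# refused recipient: "NOQUEUE: reject: RCPT from host[ip]: 5xx x.x.x <rcpt>: reason; from=<sender> ..."
REJECT_RE = re.compile(
    r"^NOQUEUE: reject: RCPT from (?P<client>\S+): (?P<code>\d{3} \d\.\d\.\d) .*?: "
    r"(?P<reason>[^;]+); from=<(?P<sender>[^>]*)>")


def parse_log(text):
    """Return smtpd events: authenticated submissions ('auth') and rejects ('reject')."""
    events = []
    for line in text.splitlines():
        m = SMTPD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less syslog stamp
        rest = m.group("rest")
        a = AUTH_RE.match(rest)
        if a:
            events.append({"ts": ts, "kind": "auth", "qid": a["qid"],
                           "client": a["client"], "user": a["user"]})
            continue
        r = REJECT_RE.match(rest)
        if r:
            # An empty sender ("from=<>") is the SMTP null sender used for bounces;
            # it is normal on inbound connections, not a malformed log line.
            events.append({"ts": ts, "kind": "reject", "client": r["client"], "code": r["code"],
                           "reason": r["reason"], "sender": r["sender"]})
    return events


def suspicious_users(events, threshold=5, window_seconds=60):
    """Flag sasl_usernames with >= threshold submissions inside any window_seconds span.

    threshold and window_seconds are assumed defaults to tune for your own traffic.
    Also reports the distinct client addresses each flagged account was used from.
    """
    stamps_by_user = defaultdict(list)
    clients_by_user = defaultdict(set)
    for e in events:
        if e["kind"] == "auth":
            stamps_by_user[e["user"]].append(e["ts"])
            clients_by_user[e["user"]].add(e["client"])
    flagged = {}
    for user, stamps in stamps_by_user.items():
        stamps.sort()
        peak, j = 0, 0
        for i, start in enumerate(stamps):  # two-pointer sliding window
            while j < len(stamps) and (stamps[j] - start).total_seconds() <= window_seconds:
                j += 1
            peak = max(peak, j - i)
        if peak >= threshold:
            flagged[user] = {"total": len(stamps), "peak_in_window": peak,
                             "clients": sorted(clients_by_user[user])}
    return flagged


def reject_summary(events):
    """Count refused relay attempts per (client, reason); these never left the server."""
    counts = defaultdict(int)
    for e in events:
        if e["kind"] == "reject":
            counts[(e["client"], e["reason"])] += 1
    return dict(counts)


if __name__ == "__main__":
    # Usage: python3 find_auth_abuse.py < /var/log/mail.log   (falls back to the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    evs = parse_log(text)
    for user, info in suspicious_users(evs).items():
        print(f"{user}: {info['total']} submissions, {info['peak_in_window']} within 60s, "
              f"from {', '.join(info['clients'])}")
    for (client, reason), n in reject_summary(evs).items():
        print(f"rejected {n}x from {client}: {reason}")
```

On the sample, only "bob" is flagged (six submissions in nine seconds, from two different client addresses), which is the "same username over and over again in short succession" pattern described above; the two rejects are listed separately because they were refused and are not the outbound spam.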
-
by ephraimephraim, Feb 5, 2016 4:35 AM, in response to pterobyte
Pterobyte, I think that's good advice. My case included mail going out under a variety of made-up names. Once I restricted the mail settings to allow outbound mail only from real account names, the remaining spam was from a single account. That one happened to exist only for forwarding. I replaced the forwarding with a rule in /etc/postfix/virtual, deleted the entire account, and the spamming stopped.
-
by Chakravarthy Cuddapah, Feb 5, 2016 7:18 PM, in response to pterobyte
Thanks for your response. I tried these commands and grep -i "sasl_username=" /var/log/mail.log outputs nothing.
These are the entries for mail.log:
Feb 5 22:07:18 mmls01.mydomain.net postfix/postscreen[64334]: CONNECT from [68.17.50.219]:20392 to [my_server_IP_Address]:25
Feb 5 22:07:18 mmls01.mydomain.net postfix/postscreen[64334]: PASS OLD [68.17.50.219]:20392
Feb 5 22:07:18 mmls01.mydomain.net postfix/smtpd[64511]: connect from srhs-mail-mbx4.mysrhs.com[68.17.50.219]
Feb 5 22:07:18 mmls01.mydomain.net postfix/smtpd[64511]: NOQUEUE: reject: RCPT from srhs-mail-mbx4.mysrhs.com[68.17.50.219]: 454 4.7.1 <mildred_reyes@mydomain1.net>: Relay access denied; from=<> to=<mildred_reyes@mydomain1.net> proto=ESMTP helo=<EXCHANGE.MYSRHS.COM>
I don't understand how it can be from=<>. Also, the domain/website the server is hosting doesn't have any email addresses, and I didn't set up an MX record either.
Another set of entries from mail.log:
Feb 5 17:48:40 mmls01.mydomain.net postfix/postscreen[13203]: CONNECT from [127.0.0.1]:56890 to [127.0.0.1]:25
Feb 5 17:48:40 mmls01.mydomain.net postfix/postscreen[13203]: WHITELISTED [127.0.0.1]:56890
Feb 5 17:48:40 mmls01.mydomain.net postfix/smtpd[52383]: connect from localhost[127.0.0.1]
Feb 5 17:48:40 mmls01.mydomain.net postfix/smtpd[52383]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <print@pitstopprint.com>: Relay access denied; from=<opal_murray@mydomain1.net> to=<print@pitstopprint.com> proto=ESMTP helo=<mydomain1.net>
Feb 5 17:48:40 mmls01.mydomain.net postfix/smtpd[52383]: disconnect from localhost[127.0.0.1]
I disabled webmail. So I don't understand how 127.0.0.1 can attempt to send out email from a non-existing email address @mydomain1.net
I couldn't find manual for Server Admin command line commands like (sudo serveradmin settings mail:postfix). Can you please give me a link to where I can find the manual. I tried man serveradmin which didn't list options that can be used for mail.
Appreciate your help.
-
by UptimeJeff, Feb 5, 2016 7:57 PM, in response to Chakravarthy Cuddapah
Hi Chakravarthy Cuddapah
You should have sasl entries in your mail.log even when not having a spammer issue.
Did you adjust the postfix log level as Pterobyte suggested?
sudo serveradmin settings mail:postfix:log_level = "info"
What do you get with this command:
mailq
The output of mailq looks something like this
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
3C496225B169 14533 Fri Feb 5 16:50:17 spammer@mydomain.com
If you have a lot of mysterious messages listed, let's gather the details on a few.
Each message has a Queue ID; run the following command on a few of the suspicious messages.
# assuming a Queue ID of: 3C496225B169
/Applications/Server.app/Contents/ServerRoot/usr/sbin/postcat -q 3C496225B169
The output should reveal clues.
Jeff
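Added example for the queue-triage step above (not UptimeJeff's or Apple's code): rather than reading a long mailq listing by hand, parse it, rank senders by how many messages they have queued, and print the postcat commands for the top sender's Queue IDs. The mailq text below is constructed in the format postqueue -p prints (header line, one entry per message with its recipients indented beneath it, an optional parenthesised deferral reason, and a trailer), including the "Mail queue is empty" case from later in this thread. The postcat path is the Server.app one quoted above; the limit of three commands is an assumption.

```python
"""Rank queued senders from mailq output and emit postcat commands (added example)."""
import re
import sys
from collections import defaultdict

# Constructed mailq listing: two messages from one sender, one of them deferred,
# and one active (trailing '*') message from another account.
SAMPLE_MAILQ = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
3C496225B169    14533 Fri Feb  5 16:50:17  spammer@mydomain.com
                                         victim1@example.com
                                         victim2@example.org

4D5E6F7A8B9C*    2048 Fri Feb  5 16:51:02  alice@mydomain.com
                                         bob@example.com

7A8B9C0D1E2F     1200 Fri Feb  5 16:52:30  spammer@mydomain.com
(connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         victim3@example.net

-- 17 Kbytes in 3 Requests.
"""

POSTCAT = "/Applications/Server.app/Contents/ServerRoot/usr/sbin/postcat"

# Queue ID, optional status flag ('*' active, '!' on hold), size, arrival, sender.
ENTRY_RE = re.compile(
    r"^(?P<qid>[0-9A-Fa-f]+)(?P<flag>[*!]?)\s+(?P<size>\d+)\s+"
    r"(?P<arrival>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d)\s+(?P<sender>\S+)$")


def parse_mailq(text):
    """Return one dict per queued message; [] for an empty queue."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-Queue ID-") or line.startswith("--"):
            current = None  # blank line or header/trailer ends the current entry
            continue
        m = ENTRY_RE.match(line)
        if m:
            current = {"qid": m["qid"], "flag": m["flag"], "size": int(m["size"]),
                       "arrival": m["arrival"], "sender": m["sender"],
                       "recipients": [], "reason": ""}
            entries.append(current)
        elif current is None:
            continue  # e.g. "Mail queue is empty"
        elif line.startswith("("):
            current["reason"] = line[1:-1] if line.endswith(")") else line[1:]
        else:
            current["recipients"].append(line)
    return entries


def rank_senders(entries):
    """List (sender, message_count, queue_ids), most queued messages first."""
    qids = defaultdict(list)
    for e in entries:
        qids[e["sender"]].append(e["qid"])
    return sorted(((s, len(q), q) for s, q in qids.items()), key=lambda t: (-t[1], t[0]))


def postcat_commands(entries, sender, limit=3, postcat=POSTCAT):
    """postcat -q commands for up to `limit` of this sender's queued messages."""
    ids = [e["qid"] for e in entries if e["sender"] == sender][:limit]
    return [f"{postcat} -q {qid}" for qid in ids]


if __name__ == "__main__":
    # Usage: mailq | python3 mailq_triage.py   (falls back to the sample when no pipe)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_MAILQ
    queued = parse_mailq(text)
    if not queued:
        print("Mail queue is empty; leave log_level at info and re-check when mail starts flowing")
    else:
        for sender, count, _ in rank_senders(queued):
            print(f"{count:4d} queued  {sender}")
        top = rank_senders(queued)[0][0]
        print("Inspect with:")
        for cmd in postcat_commands(queued, top):
            print("  " + cmd)
```

Run it as mailq | python3 mailq_triage.py on the server; the sender with the most queued messages is the first one worth a postcat -q, and the recipient lists and deferral reasons it collects per message show at a glance whether a queue is full of unrelated external addresses, which is what outbound spam from a hijacked account looks like.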
-
by Chakravarthy Cuddapah, Feb 6, 2016 5:27 AM, in response to UptimeJeff
Hi Jeff,
Here's what I did:
bash-3.2# sudo serveradmin settings mail:postfix:log_level = "info"
mail:postfix:log_level = "info"
bash-3.2# /Applications/Server.app/Contents/ServerRoot/usr/sbin//postfix reload
postfix/postfix-script: refreshing the Postfix mail system
bash-3.2# mailq
Mail queue is empty
I guess since the queue is empty now, we can't do much to debug. I will leave log_level at info and check again. I noticed that emails start going out from localhost in the evening. I will post back here.
BTW, Apple's support section for manuals doesn't have command line manual anymore. Can you please point me to where I can find manual for command line administration. Thanks !