Confusion about SMTP with ISPConfig

DrSheep

New Member
Evening,

I hope someone has a tip, maybe it's a small thing. But for some time now my mail servers have been abused.
Over the last few weeks I have retrofitted every anti-spam measure I could find on the net, but I notice that every day mails are being sent from an unknown TLD(?).

I have attached a screenshot. Or am I seeing this wrong?
My nerves are slowly turning to mush, I somehow don't understand it. I have several ISPConfig servers, but I have never had anything like this.

Does anyone have an idea?

Here is the main.cf:
Code:
smtpd_client_auth_rate_limit = 400
smtpd_client_connection_count_limit = 400
smtpd_client_connection_rate_limit = 400
smtpd_client_message_rate_limit = 4
anvil_rate_time_unit = 60s
smtpd_client_recipient_rate_limit = 15
default_destination_recipient_limit = 15
smtp_destination_recipient_limit = 15
maximal_queue_lifetime = 1d
bounce_queue_lifetime = 1d
max_use = 250
max_idle = 50
queue_run_delay = 120
minimal_backoff_time = 180
maximal_backoff_time = 3600
#reject_rhsbl_helo = dbl.spamhaus.org
#reject_rhsbl_reverse_client = dbl.spamhaus.org
#reject_rhsbl_sender = dbl.spamhaus.org
#reject_rbl_client = zen.spamhaus.org,cbl.abuseat.org,sbl-xbl.spamhaus.org,bl.spamcop.net

smtpd_tls_ciphers = medium

smtpd_banner = XXXXXXXXX (removed)
biff = no

append_dot_mydomain = no
#delay_warning_time = 4h
readme_directory = /usr/share/doc/postfix

compatibility_level = 2

#smtp_send_xforward_command = yes
#smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128

smtpd_tls_chain_files = XXXXXXXXX (removed)
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map

smtpd_tls_security_level = may

smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_sasl_tls_security_options=noanonymous


smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
myhostname = XXXXXXXXX (removed)
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
myorigin = /etc/mailname
mydestination = XXXXXXXXX (removed), localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains = proxy:mysql:/etc/postfix/mysql-virtual_alias_domains.cf
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uids.cf
virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gids.cf
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_restriction_classes = greylisting
greylisting = check_policy_service inet:127.0.0.1:10023
smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix:private/quota-status, check_policy_service inet:127.0.0.1:10023, reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org, reject_rbl_client zen.spamhaus.org
smtpd_use_tls = yes
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = proxy:mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = proxy:mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $virtual_uid_maps $virtual_gid_maps $smtpd_client_restrictions $smtpd_sender_restrictions $smtpd_recipient_restrictions $smtp_sasl_password_maps $sender_dependent_relayhost_maps
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo, reject_unknown_helo_hostname, permit
smtpd_sender_restrictions = permit_mynetworks, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unlisted_sender, reject_unknown_reverse_client_hostname, reject_unknown_sender_domain
smtpd_reject_unlisted_sender = no
smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_unauth_pipelining, permit
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = lmtp:unix:private/dovecot-lmtp
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
owner_request_special = no
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_exclude_ciphers = RC4, aNULL
smtp_tls_exclude_ciphers = RC4, aNULL
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
tls_preempt_cipherlist = yes
address_verify_negative_refresh_time = 60s
enable_original_recipient = no
sender_dependent_relayhost_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-relayhost.cf
smtp_sasl_password_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-relayauth.cf, texthash:/etc/postfix/sasl_passwd
smtp_sender_dependent_authentication = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
authorized_flush_users =
authorized_mailq_users = nagios, icinga
smtpd_forbidden_commands = CONNECT,GET,POST,USER,PASS
address_verify_sender_ttl = 15686s
smtp_dns_support_level = dnssec
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_milters = inet:localhost:11332
non_smtpd_milters = inet:localhost:11332
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_default_action = accept
message_size_limit = 15360000
Am I right in seeing that one can send from a "domain not registered in ISPConfig", or at least that it is being attempted?
Two domains are registered, and only via those could mails be sent.
There is no httpd service, so no glitch/bypass via sendmail can be abused.

I saw a thread here about what can prevent SENDING spam, but I'm really green when it comes to mail servers and their configs. I'm still trying that, but somehow it doesn't address this "problem", and for anything concrete Google only spits out the config above. Or I'm too stupid.

Oh, and here are a few details:
System: Ubuntu 20.04, rspamd, postfix/dovecot - installed 2 months ago with the autoinstaller.

Many thanks in advance!

Regards
 

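A check related to the question above of whether mail can be sent from a domain that is not registered, as an added example that is not part of this thread or of ISPConfig: Postfix only ties a SASL login to the sender addresses it may use when one of the `reject_*sender_login_mismatch` restrictions consults `smtpd_sender_login_maps`. The posted main.cf defines that map but none of its restriction lists uses it, so an authenticated login may put any address in MAIL FROM. The script below parses main.cf syntax (key = value, indented continuation lines, `#` comments) and reports that gap, and also reports the mismatch check being listed after `permit_sasl_authenticated`, where authenticated clients never reach it. The embedded excerpt is a constructed subset of the posted config; the hardened variant inserts `reject_authenticated_sender_login_mismatch` ahead of the permit.

```python
"""Audit a Postfix main.cf for authenticated-sender enforcement.

Added example, not from the thread or from ISPConfig. Checks whether
SASL-authenticated clients are restricted to the sender addresses that
smtpd_sender_login_maps assigns to their login.
"""

# Constructed excerpt: the lines from the posted main.cf that matter here,
# with one parameter split over an indented continuation line on purpose.
MAIN_CF_EXCERPT = """\
# main.cf excerpt (constructed for this example)
smtpd_sasl_auth_enable = yes
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = permit_mynetworks, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unlisted_sender, reject_unknown_reverse_client_hostname, reject_unknown_sender_domain
smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain,
    reject_unlisted_recipient, permit_sasl_authenticated, reject_unauth_destination
"""

# Hardened variant: the mismatch check goes before permit_sasl_authenticated,
# because a restriction list stops at the first permit/reject it hits.
HARDENED_EXCERPT = MAIN_CF_EXCERPT.replace(
    "smtpd_sender_restrictions = permit_mynetworks,",
    "smtpd_sender_restrictions = permit_mynetworks, reject_authenticated_sender_login_mismatch,",
)

# Postfix restrictions that consult smtpd_sender_login_maps.
LOGIN_MISMATCH_CHECKS = {
    "reject_sender_login_mismatch",
    "reject_authenticated_sender_login_mismatch",
    "reject_known_sender_login_mismatch",
    "reject_unauthenticated_sender_login_mismatch",
}

RESTRICTION_LISTS = (
    "smtpd_sender_restrictions",
    "smtpd_recipient_restrictions",
    "smtpd_relay_restrictions",
)


def parse_main_cf(text):
    """Return {parameter: value}, joining indented continuation lines."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current:
            params[current] += " " + raw.strip()
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            continue
        current = key.strip()
        params[current] = value.strip()
    return params


def restriction_list(params, name):
    """Split a restriction parameter into its tokens (commas or whitespace)."""
    return params.get(name, "").replace(",", " ").split()


def audit_sender_login(params):
    """Return findings describing whether SASL logins may use arbitrary MAIL FROM."""
    findings = []
    if params.get("smtpd_sasl_auth_enable", "no") != "yes":
        return findings
    if not params.get("smtpd_sender_login_maps"):
        findings.append("smtpd_sender_login_maps is not set: no login-to-sender mapping exists")
        return findings
    tokens = set()
    for name in RESTRICTION_LISTS:
        tokens.update(restriction_list(params, name))
    if not tokens & LOGIN_MISMATCH_CHECKS:
        findings.append(
            "smtpd_sender_login_maps is defined but no reject_*sender_login_mismatch "
            "restriction uses it: any SASL login may send with any MAIL FROM"
        )
    for name in RESTRICTION_LISTS:
        lst = restriction_list(params, name)
        if "permit_sasl_authenticated" not in lst:
            continue
        permit_at = lst.index("permit_sasl_authenticated")
        for check in LOGIN_MISMATCH_CHECKS & set(lst):
            if lst.index(check) > permit_at:
                findings.append(
                    f"{check} in {name} is listed after permit_sasl_authenticated "
                    "and is never reached for authenticated clients"
                )
    return findings


if __name__ == "__main__":
    for label, text in (("posted", MAIN_CF_EXCERPT), ("hardened", HARDENED_EXCERPT)):
        print(label, audit_sender_login(parse_main_cf(text)) or ["no findings"])
```

On a live system run it against `postconf -n` output rather than the file, so that defaults and include ordering are already resolved.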
Till

Administrator
Post the mail headers of one of these emails; you can get them with:

postcat -q ID

where ID is the alphanumeric ID you see in the queue listing.
 

DrSheep

New Member
Hi,

sorry for the late reply. I had blocked pretty much everything, so the postqueue is almost always empty, but in the logs I noticed...
Code:
mx postfix/smtpd[2384790]: NOQUEUE: reject: RCPT from unknown[196.75.150.176]: 554 5.7.1 Service unavailable; Client host [196.75.150.176] blocked using zen.spamhaus.org; https://www.spamhaus.org/sbl/query/SBLCSS / https://www.spamhaus.org/query/ip/196.75.150.176; from=<xxxxx@xxxx.de> to=<xxxxx@xxxx.de> proto=ESMTP helo=<[196.75.150.176]>

Jan 11 04:08:34 mx postfix/smtpd[2384771]: NOQUEUE: reject: RCPT from unknown[189.55.106.218]: 554 5.7.1 Service unavailable; Client host [189.55.106.218] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/189.55.106.218; from=<h.xxxxx@xxxx.de> to=<h.xxxxx@xxxx.de> proto=ESMTP helo=<bd376ada.virtua.com.br>

Jan 11 04:25:14 mx postfix/smtpd[2386148]: NOQUEUE: reject: RCPT from unknown[175.176.7.165]: 554 5.7.1 Service unavailable; Client host [175.176.7.165] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/175.176.7.165 / https://www.spamhaus.org/sbl/query/SBLCSS; from=<xxxxx@xxxx.de> to=<xxxxx@xxxx.de> proto=ESMTP helo=<[175.176.7.165]>

Jan 11 04:28:37 mx postfix/smtpd[2386143]: NOQUEUE: reject: RCPT from e234-50.smtp-out.ap-northeast-1.amazonses.com[23.251.234.50]: 450 4.2.0 <xxxxx@xxxx.de>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/xxxxx.de.html; from=<010601859edf53a4-f929ae24-05c5-406f-9e53-2a36e46c4943-000000@ses.support.lbank.info> to=<xxxxx@xxxx.de> proto=ESMTP helo=<e234-50.smtp-out.ap-northeast-1.amazonses.com>

Jan 11 04:34:31 mx postfix/submission/smtpd[2387668]: connect from unknown[189.162.18.80]
Jan 11 04:34:31 mx postfix/smtpd[2387546]: disconnect from unknown[46.148.40.89] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jan 11 04:34:31 mx postfix/submission/smtpd[2387668]: lost connection after EHLO from unknown[189.162.18.80]
Jan 11 04:34:31 mx postfix/submission/smtpd[2387668]: disconnect from unknown[189.162.18.80] ehlo=1 mail=0/1 commands=1/2
Jan 11 04:34:31 mx postfix/submission/smtpd[2387668]: warning: hostname dsl-189-162-18-80-dyn.prod-infinitum.com.mx does not resolve to address 189.162.18.80: Name or service not known
Jan 11 04:34:31 mx postfix/submission/smtpd[2387668]: connect from unknown[189.162.18.80]
Jan 11 04:34:32 mx postfix/submission/smtpd[2387668]: lost connection after EHLO from unknown[189.162.18.80]
Jan 11 04:34:32 mx postfix/submission/smtpd[2387668]: disconnect from unknown[189.162.18.80] ehlo=1 mail=0/1 commands=1/2
Jan 11 04:34:32 mx postfix/submission/smtpd[2387668]: warning: hostname dsl-189-162-18-80-dyn.prod-infinitum.com.mx does not resolve to address 189.162.18.80: Name or service not known
Jan 11 04:34:32 mx postfix/submission/smtpd[2387668]: connect from unknown[189.162.18.80]
Jan 11 04:34:32 mx dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
Jan 11 04:34:33 mx postfix/submission/smtpd[2387668]: lost connection after EHLO from unknown[189.162.18.80]
Jan 11 04:34:33 mx postfix/submission/smtpd[2387668]: disconnect from unknown[189.162.18.80] ehlo=1 mail=0/1 commands=1/2
Jan 11 04:34:34 mx postfix/smtpd[2387621]: warning: connect #8 to subsystem /var/spool/postfix/private/proxymap: Permission denied
Jan 11 04:34:36 mx postfix/submission/smtpd[2387668]: warning: hostname dsl-189-162-18-80-dyn.prod-infinitum.com.mx does not resolve to address 189.162.18.80: Name or service not known
Jan 11 04:34:36 mx postfix/submission/smtpd[2387668]: connect from unknown[189.162.18.80]
Jan 11 04:34:36 mx postfix/submission/smtpd[2387668]: lost connection after EHLO from unknown[189.162.18.80]
Jan 11 04:34:36 mx postfix/submission/smtpd[2387668]: disconnect from unknown[189.162.18.80] ehlo=1 mail=0/1 commands=1/2
Jan 11 04:34:37 mx postfix/submission/smtpd[2387668]: warning: hostname dsl-189-162-18-80-dyn.prod-infinitum.com.mx does not resolve to address 189.162.18.80: Name or service not known
Jan 11 04:34:37 mx postfix/submission/smtpd[2387668]: connect from unknown[189.162.18.80]
Jan 11 04:34:37 mx postfix/submission/smtpd[2387668]: lost connection after EHLO from unknown[189.162.18.80]
Jan 11 04:34:37 mx postfix/submission/smtpd[2387668]: disconnect from unknown[189.162.18.80] ehlo=1 mail=0/1 commands=1/2
Jan 11 04:34:37 mx postfix/submission/smtpd[2387668]: warning: hostname dsl-189-162-18-80-dyn.prod-infinitum.com.mx does not resolve to address 189.162.18.80: Name or service not known
Jan 11 04:34:37 mx postfix/submission/smtpd[2387668]: connect from unknown[189.162.18.80]
Jan 11 04:34:38 mx postfix/submission/smtpd[2387668]: lost connection after EHLO from unknown[189.162.18.80]
Jan 11 04:34:38 mx postfix/submission/smtpd[2387668]: disconnect from unknown[189.162.18.80] ehlo=1 mail=0/1 commands=1/2
Jan 11 04:34:38 mx postfix/submission/smtpd[2387668]: warning: hostname dsl-189-162-18-80-dyn.prod-infinitum.com.mx does not resolve to address 189.162.18.80: Name or service not known
Jan 11 04:34:38 mx postfix/submission/smtpd[2387668]: connect from unknown[189.162.18.80]
Jan 11 04:34:39 mx postfix/submission/smtpd[2387668]: lost connection after EHLO from unknown[189.162.18.80]
Jan 11 04:34:39 mx postfix/submission/smtpd[2387668]: disconnect from unknown[189.162.18.80] ehlo=1 mail=0/1 commands=1/2
Jan 11 04:34:39 mx postfix/submission/smtpd[2387668]: warning: hostname dsl-189-162-18-80-dyn.prod-infinitum.com.mx does not resolve to address 189.162.18.80: Name or service not known
Emails are now being sent from User1@domain.tld to User1@domain.tld (i.e. practically to itself), but the IP is blocked by Spamhaus. During this time the postqueue is empty too...

And sending mail to Google has not been possible for 2 weeks:
Code:
 host gmail-smtp-in.l.google.com[74.125.133.27]
    said: 550-5.7.1 [178.254.53.4      12] Our system has detected that this
    message is 550-5.7.1 likely unsolicited mail. To reduce the amount of spam
    sent to Gmail, 550-5.7.1 this message has been blocked. Please visit
    550-5.7.1  https://support.google.com/mail/?p=UnsolicitedMessageError 550
    5.7.1  for more information.
    f4-20020a7bcd04000000b003d00d861dbfsi9396651wmj.214 - gsmtp (in reply to
    end of DATA command)
I haven't yet found out how to get delisted there; according to Google it takes a few light-years until it works again.
I keep an eye on the logs continuously every day; almost no mails are sent any more, since I have also reduced the sending_rate_limit to 5/h. That can be annoying for "normal" customers when there is a higher volume, but I would like to get this "spam problem" sorted first. And somehow, despite the limit, these "mails sent to themselves" keep coming, and many of those addresses aren't even created (i.e. they don't exist).
I'm really at my wit's end. :/

Maybe someone has an idea; I feel like I have tried half the internet.
 
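Detection logic run over the log lines posted above, as an added example that is not part of this thread: the `NOQUEUE: reject` lines come from `postfix/smtpd` (port 25, not `submission/smtpd`), carry the recipient's own address as envelope sender, and were refused at RCPT, so those messages never entered the queue; the `submission/smtpd` lines are one client connecting five times within seven seconds and dropping after EHLO, and the `auth=0/1` disconnect summary records one failed login attempt on port 25. The script parses those three patterns out of a constructed sample assembled from the posted lines (the timestamp-less first line left out, repeats trimmed) and reports self-addressed rejects, connect bursts per service and client, and failed authentications per client. Thresholds and the window are assumptions, not values from the thread.

```python
"""Parse Postfix smtpd log lines for self-addressed rejects, connect bursts
and failed AUTH attempts. Added example, not from the thread."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample built from the log excerpt posted above (repeats trimmed).
SAMPLE_LOG = """\
Jan 11 04:08:34 mx postfix/smtpd[2384771]: NOQUEUE: reject: RCPT from unknown[189.55.106.218]: 554 5.7.1 Service unavailable; Client host [189.55.106.218] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/189.55.106.218; from=<h.xxxxx@xxxx.de> to=<h.xxxxx@xxxx.de> proto=ESMTP helo=<bd376ada.virtua.com.br>
Jan 11 04:25:14 mx postfix/smtpd[2386148]: NOQUEUE: reject: RCPT from unknown[175.176.7.165]: 554 5.7.1 Service unavailable; Client host [175.176.7.165] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/175.176.7.165 / https://www.spamhaus.org/sbl/query/SBLCSS; from=<xxxxx@xxxx.de> to=<xxxxx@xxxx.de> proto=ESMTP helo=<[175.176.7.165]>
Jan 11 04:28:37 mx postfix/smtpd[2386143]: NOQUEUE: reject: RCPT from e234-50.smtp-out.ap-northeast-1.amazonses.com[23.251.234.50]: 450 4.2.0 <xxxxx@xxxx.de>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/xxxxx.de.html; from=<010601859edf53a4-f929ae24-05c5-406f-9e53-2a36e46c4943-000000@ses.support.lbank.info> to=<xxxxx@xxxx.de> proto=ESMTP helo=<e234-50.smtp-out.ap-northeast-1.amazonses.com>
Jan 11 04:34:31 mx postfix/submission/smtpd[2387668]: connect from unknown[189.162.18.80]
Jan 11 04:34:31 mx postfix/smtpd[2387546]: disconnect from unknown[46.148.40.89] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jan 11 04:34:31 mx postfix/submission/smtpd[2387668]: lost connection after EHLO from unknown[189.162.18.80]
Jan 11 04:34:32 mx postfix/submission/smtpd[2387668]: connect from unknown[189.162.18.80]
Jan 11 04:34:36 mx postfix/submission/smtpd[2387668]: connect from unknown[189.162.18.80]
Jan 11 04:34:37 mx postfix/submission/smtpd[2387668]: connect from unknown[189.162.18.80]
Jan 11 04:34:38 mx postfix/submission/smtpd[2387668]: connect from unknown[189.162.18.80]
"""

TS = r"(?P<ts>\w{3} +\d+ [\d:]+) \S+ "
SVC = r"postfix/(?P<svc>[\w/]+)\[\d+\]: "
REJECT_RE = re.compile(
    TS + SVC + r"NOQUEUE: reject: RCPT from (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) .*?from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> proto=\S+ helo=<(?P<helo>[^>]*)>"
)
CONNECT_RE = re.compile(TS + SVC + r"connect from [^\[]+\[(?P<ip>[^\]]+)\]")
AUTH_RE = re.compile(SVC + r"disconnect from [^\[]+\[(?P<ip>[^\]]+)\].* auth=(?P<ok>\d+)/(?P<tried>\d+)")


def parse_ts(text, year=1970):
    """Syslog timestamps carry no year; assume one so lines can be ordered."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def parse_rejects(lines):
    """Dicts for NOQUEUE reject lines; self_addressed marks sender == recipient."""
    out = []
    for line in lines:
        m = REJECT_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["self_addressed"] = rec["sender"].lower() == rec["rcpt"].lower()
        rec["literal_helo"] = rec["helo"].startswith("[")  # HELO with a bare IP literal
        out.append(rec)
    return out


def self_addressed_rejects(lines):
    """Rejected inbound attempts that used the recipient's own address as sender."""
    return [r for r in parse_rejects(lines) if r["self_addressed"]]


def connect_bursts(lines, window_s=60, threshold=5):
    """{(service, ip): max connects within window_s} for clients at or over threshold."""
    times = defaultdict(list)
    for line in lines:
        m = CONNECT_RE.match(line)
        if m:
            times[(m["svc"], m["ip"])].append(parse_ts(m["ts"]))
    bursts = {}
    for key, ts in times.items():
        ts.sort()
        for i in range(len(ts)):
            j = i
            while j < len(ts) and (ts[j] - ts[i]).total_seconds() <= window_s:
                j += 1
            if j - i >= threshold:
                bursts[key] = max(bursts.get(key, 0), j - i)
    return bursts


def failed_auth(lines):
    """{(service, ip): failed AUTH attempts} from 'auth=ok/tried' disconnect summaries."""
    fails = Counter()
    for line in lines:
        m = AUTH_RE.search(line)
        if m and int(m["tried"]) > int(m["ok"]):
            fails[(m["svc"], m["ip"])] += int(m["tried"]) - int(m["ok"])
    return dict(fails)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for r in self_addressed_rejects(lines):
        print("self-addressed reject:", r["svc"], r["ip"], r["code"], "helo=" + r["helo"])
    print("connect bursts:", connect_bursts(lines))
    print("failed auth:", failed_auth(lines))
```

Feed it `journalctl -u postfix` or `/var/log/mail.log` line by line; a rejected RCPT is evidence of an inbound attempt against the server, while anything the server itself sent shows up as `postfix/smtp` (client side) or `postfix/qmgr` entries.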
