Forum Linux.debian/ubuntu: Postfix server sending spam

Posted by . Licence CC by-sa
Tags: none
16 Sept. 2015
Hello,

For several days now my Postfix mail server has been considered to be sending spam.
Indeed, when I run pflogsumm /var/log/mail.log, there was a large batch of mail sent:
from 19:00 to 20:00, 48483 messages sent.

I checked whether I was an open relay and I am not.
According to the mxtoolbox site (SMTP Open Relay OK - Not an open relay.)
I use postfix/dovecot/saslauth.

My Postfix configuration

#====================================
#         generic parameters
#====================================
# Text that follows the 220 status code in the greeting banner (adds info)
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)

# This service sends "new mail" notifications to users who asked for them (set to no here for performance)
biff = no

# Do not append the domain: that is the mail client's job
append_dot_mydomain = no

# Send an e-mail to the sender if their message has not left after a certain time
#delay_warning_time = 4h

# Location of the README files
readme_directory = no

#============================================
#              TLS parameters
#============================================
# Where the certificates are
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

# SMTPD announces STARTTLS support to SMTP clients but does not require clients to use it
smtpd_use_tls=yes

# File holding the optional TLS session cache of the Postfix SMTP server
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

# TLS cache for the Postfix SMTP client
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# The server announces STARTTLS support to the client
smtpd_tls_security_level = may

# Require Postfix to produce a header with the protocol and cipher information used
smtpd_tls_received_header = yes
#=======================================
#            General parameters
#=======================================
# The Internet hostname of this mail system
myhostname = nom de mon serveur de messagerie+nom de domaine

# The mail domain name (what comes after the @)
mydomain = mon domaine

# The default domain used for locally posted mail
myorigin = $mydomain

# Defines the list of valid addresses of the domain (added 14/09/2015)
relay_domains = $mydomain

# List of domains delivered by the mail transport
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mail.$mydomain

# The default host to deliver outside mail to (if empty, no relay, mail goes out directly)
relayhost =

# The list of "internal" SMTP clients that have more privileges than strangers (allowed to relay mail)
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 mon-adresse-reseau-public/24

# The maximum size of local mailbox files, or zero (no limit)
mailbox_size_limit = 0

# Maximum size of a message in bytes, including envelope information
message_size_limit = 56000000

# The separator between user names and address extensions
recipient_delimiter = +

# The network addresses on which the mail system receives mail
inet_interfaces = all

# The name of a mail transport that filters messages after they are queued
content_filter = amavisfeed:[127.0.0.1]:10024

# Delivery of mail into mailboxes is delegated to procmail (mbox format)
mailbox_command = /usr/bin/procmail -a "$EXTENSION"

# Numeric SMTP server response code when an address is local but not found in the lookup table
unknown_local_recipient_reject_code = 450

#======================================
#       Tables parameters
#======================================
# The alias map and the alias database
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases

# Optional address mapping tables for message headers and envelopes
canonical_maps = hash:/etc/postfix/revaliases.map

# Optional list of domains whose subdomain structure is hidden in addresses
masquerade_domains = $mydomain

# Time after which the sender receives the headers of a message still in the queue
delay_warning_time = 2h

# The numeric response code of the Postfix SMTP server when a remote SMTP client request is blocked by a restriction
maps_rbl_reject_code = 454

# Lookup tables, indexed by the IP address of external SMTP clients, holding a case-insensitive list of EHLO keywords (pipelining, starttls, auth, etc.) that the SMTP server will not send in EHLO responses to remote SMTP clients
smtpd_discard_ehlo_keyword_address_maps = hash:/etc/postfix/discard_ehlo

#=============================================
#            Restriction
#=============================================
# Access restrictions that the Postfix SMTP server applies in the context of an RCPT TO command (reception)
smtpd_recipient_restrictions =  permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination,
    check_policy_service unix:private/policy-spf,
    check_client_access hash:/etc/postfix/client_homologue.map,
    check_recipient_access hash:/etc/postfix/insiders_only.map,
    check_client_access hash:/etc/postfix/client_accepted.map,
    check_client_access regexp:/etc/postfix/client_rejected.exp,
    reject_unknown_sender_domain,
    check_client_access hash:/etc/postfix/client_accepted_despite_sorbs.map,
    reject_rbl_client zen.spamhaus.org,
    check_policy_service inet:127.0.0.1:10023

# Restrictions that the Postfix SMTP server applies in the context of MAIL FROM commands (sending)
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/etc/postfix/client_accepted.map,
    reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_destination, check_sender_access hash:/etc/postfix/sender_access

# Optional SMTP server access restrictions for connection requests to the SMTP service
smtpd_client_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/client_accepted.map,
    reject_non_fqdn_sender, reject_unknown_sender_domain

# Block clients that talk too early
smtpd_data_restrictions = reject_unauth_pipelining

# Optional restrictions that the Postfix SMTP server applies in the context of the SMTP HELO command
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, reject_unknown_hostname

#==========================================
#            sasl parameters
#==========================================
# Enable SASL authentication
smtpd_sasl_auth_enable = yes

# SASL security options (forbid anonymous authentication)
smtpd_sasl_security_options = noanonymous

# Local SASL authentication domain name
smtpd_sasl_local_domain = $myhostname

# Postfix announces AUTH support in a non-standard way for Windows
broken_sasl_auth_clients = yes

# The plug-in Postfix uses for SASL authentication
smtpd_sasl_type = dovecot

# Location of the SASL configuration file
smtpd_sasl_path = /var/run/dovecot/auth

# SMTP clients to which Postfix will not offer AUTH support.
smtpd_sasl_exceptions_networks = ip/24

#================================================
# For testing and to avoid problems
#================================================

# If there are problems
# soft_bounce = yes
# defer_transports = local

# Optional lookup tables containing the TLS usage policy for the SMTP client
smtp_tls_per_site = hash:/etc/postfix/hosts_no_tls.map

# Enable additional logging of the Postfix SMTP server's TLS activity (levels 0-1-2 yes, 3 debug mode, 4 too much)
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1

# Increment value for the log verbosity level
debug_peer_level = 2

#==========================================
#            test spam
#==========================================

# Maximum number of parallel deliveries via the local transport to the same recipient
local_destination_concurrency_limit = 2

# The default maximum number of parallel deliveries to the same destination
default_destination_concurrency_limit = 10

# Wait for the RCPT TO command before evaluating (smtpd_client_restrictions...); yes lets the destination address be logged on a reject, which makes analysis easier
smtpd_delay_reject = yes

# Maximum number of messages sent per minute
smtpd_client_message_rate_limit = 50

# Time unit over which client connection rates are computed
anvil_rate_time_unit = 60s

# How often the anvil status is checked
anvil_status_update_time = 600s

# Adds the SPF (Sender Policy Framework) function, an anti-spammer standard; extends the SPF policy time limit
policy-spf_time_limit = 3600s

My Dovecot configuration

#==============================================================================
#                                GENERAL
#==============================================================================
# Protocols started by dovecot: imap imaps pop3 pop3s

protocols = imap imaps pop3 pop3s

# Allow login with plaintext passwords without SSL (Microsoft compatibility)
disable_plaintext_auth = no

# Log timestamp format
log_timestamp = "%Y-%m-%d %H:%M:%S "

# Gives dovecot permission to create dotlock files in the directory
mail_privileged_group = mail

# Keeps the index of files stored on NFS
mmap_disable = yes

# Don't use fsync() or fdatasync() calls. This makes the performance better
# at the cost of potential data loss if the server (or the file server)
# goes down.
fsync_disable = no

# Mail storage exists in NFS. Set this to yes to make Dovecot flush NFS caches
# whenever needed. If you're using only a single mail server this isn't needed.
mail_nfs_storage = yes
# Mail index files also exist in NFS. Setting this to yes requires
# mmap_disable=yes and fsync_disable=no.
mail_nfs_index = yes

# Users may log in starting from this uid (prevents logins by daemons)
first_valid_uid = 100

# Log during authentication
auth_debug_passwords = yes
#========================================================================
#                                 PROTOCOL
#========================================================================

##
## IMAP specific settings
##

protocol imap {
  # Maximum number of IMAP connections allowed for a user from each IP address.
  # NOTE: The username is compared case-sensitively.
  mail_max_userip_connections = 20
}

##
## POP3 specific settings
##

protocol pop3 {
  # %08Xv: IMAP message UID, read in base 10 and converted to hex
  # %08Xu: IMAP mailbox UIDVALIDITY, read in base 10 and converted to hex
  pop3_uidl_format = %08Xu%08Xv
}

##
## ManageSieve specific settings
##

protocol managesieve {
}

##
## LDA specific settings
##

protocol lda {
  # Address used on rejects
  postmaster_address = liebgott@cpt.univ-mrs.fr
}

##
## Authentication processes
##

auth default {
  # NOTE: See also disable_plaintext_auth setting.
  mechanisms = plain login
  passdb pam {
  }
  userdb passwd {
  }
  user = root
  socket listen {
    client {
      # Assuming the default Postfix $queue_directory setting
      path = /var/spool/postfix/var/run/dovecot/auth
      mode = 0660
      # Assuming the default Postfix user and group
      user = postfix
      group = postfix
    }
  }
}

dict {
}

##
## Plugin settings
##

plugin {
}

# Config files can also be included. deliver doesn't support them currently.
#!include /etc/dovecot/conf.d/*.conf
# Optional configurations, don't give an error if it's not found:
#!include_try /etc/dovecot/extra.conf

I am posting part of the mail.log file (starting at 19:00)

Sep 15 19:00:01 mail postfix/smtpd[11451]: connect from mail.ncaor.gov.in[14.139.119.20]
Sep 15 19:00:01 mail postfix/smtpd[11451]: setting up TLS connection from mail.ncaor.gov.in[14.139.119.20]
Sep 15 19:00:01 mail postfix/smtpd[11451]: Anonymous TLS connection established from mail.ncaor.gov.in[14.139.119.20]: TLSv1 with cipher AES128-SHA (128/128 bits)
Sep 15 19:00:02 mail postfix/smtpd[11451]: NOQUEUE: reject: RCPT from mail.ncaor.gov.in[14.139.119.20]: 450 4.7.1 <mailserver2.ictdncaor.net>: Helo command rejected: Host not found; from=<anish@ncaor.gov.in> to=<dyn98@cpt.univ-mrs.fr> proto=ESMTP helo=<mailserver2.ictdncaor.net>
Sep 15 19:00:02 mail postfix/smtpd[11451]: disconnect from mail.ncaor.gov.in[14.139.119.20]
Sep 15 19:00:07 mail postfix/smtpd[14000]: connect from unusoctonovem.mu.eccluster.com[91.192.42.189]
Sep 15 19:00:07 mail policyd-spf[9180]: Pass; identity=helo; client-ip=91.192.42.189; helo=unusoctonovem.mu.eccluster.com; envelope-from=g-2523162240-2597-1300885139-1442336407352@bounce.emailing.vilage-conseil.com; receiver=richard.guerrier@cpt.univ-mrs.fr 
Sep 15 19:00:07 mail policyd-spf[9180]: Pass; identity=mailfrom; client-ip=91.192.42.189; helo=unusoctonovem.mu.eccluster.com; envelope-from=g-2523162240-2597-1300885139-1442336407352@bounce.emailing.vilage-conseil.com; receiver=richard.guerrier@cpt.univ-mrs.fr 
Sep 15 19:00:07 mail postgrey[1086]: action=pass, reason=triplet found, client_name=unusoctonovem.mu.eccluster.com, client_address=91.192.42.189, sender=g-2523162240-2597-1300885139-1442336407352@bounce.emailing.vilage-conseil.com, recipient=richard.guerrier@cpt.univ-mrs.fr
Sep 15 19:00:07 mail postfix/smtpd[14000]: C9F791BF37B: client=unusoctonovem.mu.eccluster.com[91.192.42.189]
Sep 15 19:00:07 mail postfix/cleanup[11028]: C9F791BF37B: message-id=<fslp8d.ielluuk8o317ebt@emailing.vilage-conseil.com>
Sep 15 19:00:07 mail postfix/qmgr[2793]: C9F791BF37B: from=<g-2523162240-2597-1300885139-1442336407352@bounce.emailing.vilage-conseil.com>, size=14333, nrcpt=1 (queue active)
Sep 15 19:00:07 mail postfix/smtpd[19564]: connect from localhost[127.0.0.1]
Sep 15 19:00:07 mail postfix/smtpd[19564]: F158D1BF478: client=localhost[127.0.0.1]
Sep 15 19:00:07 mail postfix/cleanup[11032]: F158D1BF478: message-id=<fslp8d.ielluuk8o317ebt@emailing.vilage-conseil.com>
Sep 15 19:00:08 mail postfix/smtpd[19564]: disconnect from localhost[127.0.0.1]
Sep 15 19:00:08 mail postfix/qmgr[2793]: F158D1BF478: from=<g-2523162240-2597-1300885139-1442336407352@bounce.emailing.vilage-conseil.com>, size=14819, nrcpt=1 (queue active)
Sep 15 19:00:08 mail amavis[31980]: (31980-03) Passed CLEAN, [91.192.42.189] [91.192.42.189] <g-2523162240-2597-1300885139-1442336407352@bounce.emailing.vilage-conseil.com> -> <richard.guerrier@cpt.univ-mrs.fr>, Message-ID: <fslp8d.ielluuk8o317ebt@emailing.vilage-conseil.com>, mail_id: wthISa3MJIIb, Hits: -, size: 14331, queued_as: F158D1BF478, 118 ms
Sep 15 19:00:08 mail postfix/smtp[15654]: C9F791BF37B: to=<richard.guerrier@cpt.univ-mrs.fr>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.49, delays=0.37/0/0/0.12, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=31980-03, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as F158D1BF478)
Sep 15 19:00:08 mail postfix/qmgr[2793]: C9F791BF37B: removed
Sep 15 19:00:08 mail postfix/local[15692]: F158D1BF478: to=<guerrier@cpt.univ-mrs.fr>, orig_to=<richard.guerrier@cpt.univ-mrs.fr>, relay=local, delay=0.09, delays=0.02/0/0/0.06, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -a "$EXTENSION")
Sep 15 19:00:08 mail postfix/qmgr[2793]: F158D1BF478: removed
Sep 15 19:00:11 mail postfix/smtpd[14000]: disconnect from unusoctonovem.mu.eccluster.com[91.192.42.189]
Sep 15 19:00:12 mail postfix/smtpd[10412]: connect from mail.ncaor.gov.in[14.139.119.21]
Sep 15 19:00:13 mail postfix/smtpd[10412]: setting up TLS connection from mail.ncaor.gov.in[14.139.119.21]
Sep 15 19:00:13 mail postfix/smtpd[10412]: Anonymous TLS connection established from mail.ncaor.gov.in[14.139.119.21]: TLSv1 with cipher AES128-SHA (128/128 bits)
Sep 15 19:00:13 mail postfix/smtpd[10412]: NOQUEUE: reject: RCPT from mail.ncaor.gov.in[14.139.119.21]: 450 4.7.1 <mailserver1.ictdncaor.net>: Helo command rejected: Host not found; from=<anish@ncaor.gov.in> to=<jacques.soffer@cpt.univ-mrs.fr> proto=ESMTP helo=<mailserver1.ictdncaor.net>
Sep 15 19:00:13 mail postfix/smtpd[10584]: connect from server11.club-des-deals.com[104.130.231.201]
Sep 15 19:00:13 mail postfix/smtpd[10412]: disconnect from mail.ncaor.gov.in[14.139.119.21]
Sep 15 19:00:14 mail postfix/smtpd[10440]: connect from s15434454.onlinehome-server.com[74.208.72.135]
Sep 15 19:00:14 mail policyd-spf[19402]: None; identity=helo; client-ip=104.130.231.201; helo=server11.club-des-deals.com; envelope-from=bounce@client.club-des-deals.com; receiver=rossignol@cpt.univ-mrs.fr 
Sep 15 19:00:14 mail policyd-spf[19402]: Permerror; identity=mailfrom; client-ip=104.130.231.201; helo=server11.club-des-deals.com; envelope-from=bounce@client.club-des-deals.com; receiver=rossignol@cpt.univ-mrs.fr 
Sep 15 19:00:14 mail postgrey[1086]: action=pass, reason=triplet found, client_name=server11.club-des-deals.com, client_address=104.130.231.201, sender=bounce@client.club-des-deals.com, recipient=rossignol@cpt.univ-mrs.fr
Sep 15 19:00:14 mail postfix/smtpd[10584]: NOQUEUE: reject: RCPT from server11.club-des-deals.com[104.130.231.201]: 450 4.1.1 <rossignol@cpt.univ-mrs.fr>: Recipient address rejected: User unknown in local recipient table; from=<bounce@client.club-des-deals.com> to=<rossignol@cpt.univ-mrs.fr> proto=ESMTP helo=<server11.club-des-deals.com>
Sep 15 19:00:14 mail policyd-spf[19402]: None; identity=helo; client-ip=104.130.231.201; helo=server11.club-des-deals.com; envelope-from=bounce@client.club-des-deals.com; receiver=bacry@cpt.univ-mrs.fr
Sep 15 19:00:14 mail postgrey[1086]: action=pass, reason=triplet found, client_name=server11.club-des-deals.com, client_address=104.130.231.201, sender=bounce@client.club-des-deals.com, recipient=rossignol@cpt.univ-mrs.fr
Sep 15 19:00:14 mail postfix/smtpd[10584]: NOQUEUE: reject: RCPT from server11.club-des-deals.com[104.130.231.201]: 450 4.1.1 <rossignol@cpt.univ-mrs.fr>: Recipient address rejected: User unknown in local recipient table; from=<bounce@client.club-des-deals.com> to=<rossignol@cpt.univ-mrs.fr> proto=ESMTP helo=<server11.club-des-deals.com>
Sep 15 19:00:14 mail policyd-spf[19402]: None; identity=helo; client-ip=104.130.231.201; helo=server11.club-des-deals.com; envelope-from=bounce@client.club-des-deals.com; receiver=bacry@cpt.univ-mrs.fr 
Sep 15 19:00:14 mail policyd-spf[19402]: Permerror; identity=mailfrom; client-ip=104.130.231.201; helo=server11.club-des-deals.com; envelope-from=bounce@client.club-des-deals.com; receiver=bacry@cpt.univ-mrs.fr 
Sep 15 19:00:14 mail postgrey[1086]: action=pass, reason=triplet found, client_name=server11.club-des-deals.com, client_address=104.130.231.201, sender=bounce@client.club-des-deals.com, recipient=bacry@cpt.univ-mrs.fr
Sep 15 19:00:14 mail postfix/smtpd[10584]: NOQUEUE: reject: RCPT from server11.club-des-deals.com[104.130.231.201]: 450 4.1.1 <bacry@cpt.univ-mrs.fr>: Recipient address rejected: User unknown in local recipient table; from=<bounce@client.club-des-deals.com> to=<bacry@cpt.univ-mrs.fr> proto=ESMTP helo=<server11.club-des-deals.com>
Sep 15 19:00:14 mail postfix/smtpd[10584]: disconnect from server11.club-des-deals.com[104.130.231.201]
Sep 15 19:00:18 mail postfix/smtpd[13643]: warning: 98.126.23.126: hostname 98.126.23.126.static.krypt.com verification failed: Name or service not known
Sep 15 19:00:18 mail postfix/smtpd[13643]: connect from unknown[98.126.23.126]
Sep 15 19:00:18 mail policyd-spf[13287]: None; identity=helo; client-ip=98.126.23.126; helo=scioa.org; envelope-from=dr.k.mark@sciarticles.org; receiver=tassi.emanuele@cpt.univ-mrs.fr 
Sep 15 19:00:18 mail policyd-spf[13287]: None; identity=mailfrom; client-ip=98.126.23.126; helo=scioa.org; envelope-from=dr.k.mark@sciarticles.org; receiver=tassi.emanuele@cpt.univ-mrs.fr 
Sep 15 19:00:18 mail postgrey[1086]: action=pass, reason=client AWL, client_name=unknown, client_address=98.126.23.126, sender=Dr.K.Mark@sciarticles.org, recipient=tassi.emanuele@cpt.univ-mrs.fr
Sep 15 19:00:18 mail postfix/smtpd[13643]: NOQUEUE: reject: RCPT from unknown[98.126.23.126]: 450 4.1.1 <tassi.emanuele@cpt.univ-mrs.fr>: Recipient address rejected: User unknown in local recipient table; from=<Dr.K.Mark@sciarticles.org> to=<tassi.emanuele@cpt.univ-mrs.fr> proto=ESMTP helo=<scioa.org>
Sep 15 19:00:18 mail postfix/smtpd[13643]: disconnect from unknown[98.126.23.126]
Sep 15 19:00:19 mail postfix/smtpd[10440]: warning: s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 19:00:19 mail postfix/smtpd[10440]: lost connection after AUTH from s15434454.onlinehome-server.com[74.208.72.135]
Sep 15 19:00:19 mail postfix/smtpd[10440]: disconnect from s15434454.onlinehome-server.com[74.208.72.135]
Sep 15 19:00:20 mail postfix/smtpd[10584]: connect from smtp5.bouygues-telecom.fr[62.201.139.77]
Sep 15 19:00:20 mail postfix/smtpd[10584]: setting up TLS connection from smtp5.bouygues-telecom.fr[62.201.139.77]
Sep 15 19:00:20 mail postfix/smtpd[10584]: Anonymous TLS connection established from smtp5.bouygues-telecom.fr[62.201.139.77]: TLSv1 with cipher AES128-SHA (128/128 bits)
Sep 15 19:00:20 mail postfix/smtpd[10584]: NOQUEUE: reject: RCPT from smtp5.bouygues-telecom.fr[62.201.139.77]: 450 4.7.1 <BT1SHKII.prod.service.bouygues-telecom.fr>: Helo command rejected: Host not found; from=<espaceclient@bouyguestelecom.fr> to=<catherine.levet@cpt.univ-mrs.fr> proto=ESMTP helo=<BT1SHKII.prod.service.bouygues-telecom.fr>
Sep 15 19:00:20 mail postfix/smtpd[10584]: disconnect from smtp5.bouygues-telecom.fr[62.201.139.77]
Sep 15 19:00:25 mail postfix/smtpd[10556]: connect from mail-io0-f178.google.com[209.85.223.178]
Sep 15 19:00:25 mail postfix/smtpd[1470]: connect from smtp5.bouygues-telecom.fr[62.201.139.77]
Sep 15 19:00:25 mail postfix/smtpd[1470]: setting up TLS connection from smtp5.bouygues-telecom.fr[62.201.139.77]
Sep 15 19:00:25 mail postfix/smtpd[1470]: Anonymous TLS connection established from smtp5.bouygues-telecom.fr[62.201.139.77]: TLSv1 with cipher AES128-SHA (128/128 bits)
Sep 15 19:00:25 mail postfix/smtpd[1470]: NOQUEUE: reject: RCPT from smtp5.bouygues-telecom.fr[62.201.139.77]: 450 4.7.1 <BT1SHKII.prod.service.bouygues-telecom.fr>: Helo command rejected: Host not found; from=<espaceclient@bouyguestelecom.fr> to=<catherine.levet@cpt.univ-mrs.fr> proto=ESMTP helo=<BT1SHKII.prod.service.bouygues-telecom.fr>
Sep 15 19:00:25 mail postfix/smtpd[1470]: disconnect from smtp5.bouygues-telecom.fr[62.201.139.77]
Sep 15 19:00:25 mail postfix/smtpd[10556]: setting up TLS connection from mail-io0-f178.google.com[209.85.223.178]
Sep 15 19:00:25 mail postfix/smtpd[10556]: Anonymous TLS connection established from mail-io0-f178.google.com[209.85.223.178]: TLSv1 with cipher RC4-SHA (128/128 bits)
Sep 15 19:00:26 mail policyd-spf[16101]: None; identity=helo; client-ip=209.85.223.178; helo=mail-io0-f178.google.com; envelope-from=laurent.lellouch@gmail.com; receiver=christian.torrero@cpt.univ-mrs.fr 
Sep 15 19:00:26 mail postgrey[1086]: action=pass, reason=client whitelist, client_name=mail-io0-f178.google.com, client_address=209.85.223.178, sender=laurent.lellouch@gmail.com, recipient=christian.torrero@cpt.univ-mrs.fr
Sep 15 19:00:26 mail postfix/smtpd[10556]: 494B31BF37B: client=mail-io0-f178.google.com[209.85.223.178]
Sep 15 19:00:26 mail postfix/cleanup[11102]: 494B31BF37B: message-id=<CAGoM=f55WdDKdLmUYZvxXXBrrb9ud8HJ6DbmHHHRnrrEZyWx9A@mail.gmail.com>
Sep 15 19:00:26 mail postfix/qmgr[2793]: 494B31BF37B: from=<laurent.lellouch@gmail.com>, size=13866, nrcpt=1 (queue active)
Sep 15 19:00:26 mail postfix/smtpd[19564]: connect from localhost[127.0.0.1]
Sep 15 19:00:26 mail postfix/smtpd[19564]: 9D07B1BF478: client=localhost[127.0.0.1]
Sep 15 19:00:26 mail postfix/cleanup[11052]: 9D07B1BF478: message-id=<CAGoM=f55WdDKdLmUYZvxXXBrrb9ud8HJ6DbmHHHRnrrEZyWx9A@mail.gmail.com>
Sep 15 19:00:26 mail postfix/smtpd[10556]: disconnect from mail-io0-f178.google.com[209.85.223.178]
Sep 15 19:00:26 mail postfix/qmgr[2793]: 9D07B1BF478: from=<laurent.lellouch@gmail.com>, size=14354, nrcpt=1 (queue active)
Sep 15 19:00:26 mail postfix/smtpd[19564]: disconnect from localhost[127.0.0.1]
Sep 15 19:00:26 mail amavis[10455]: (10455-20) Passed CLEAN, [209.85.223.178] [209.85.223.178] <laurent.lellouch@gmail.com> -> <christian.torrero@cpt.univ-mrs.fr>, Message-ID: <CAGoM=f55WdDKdLmUYZvxXXBrrb9ud8HJ6DbmHHHRnrrEZyWx9A@mail.gmail.com>, mail_id: 4HCeb9JxAOsp, Hits: -, size: 13865, queued_as: 9D07B1BF478, 128 ms
Sep 15 19:00:26 mail postfix/smtp[15654]: 494B31BF37B: to=<christian.torrero@cpt.univ-mrs.fr>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.51, delays=0.38/0/0/0.13, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=10455-20, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9D07B1BF478)
Sep 15 19:00:26 mail postfix/qmgr[2793]: 494B31BF37B: removed
Sep 15 19:00:26 mail postfix/local[15692]: 9D07B1BF478: to=<torrero@cpt.univ-mrs.fr>, orig_to=<christian.torrero@cpt.univ-mrs.fr>, relay=local, delay=0.16, delays=0.02/0/0/0.14, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -a "$EXTENSION")
Sep 15 19:00:26 mail postfix/qmgr[2793]: 9D07B1BF478: removed
Sep 15 19:00:36 mail postfix/smtpd[10567]: warning: 98.126.23.126: hostname 98.126.23.126.static.krypt.com verification failed: Name or service not known
Sep 15 19:00:36 mail postfix/smtpd[10567]: connect from unknown[98.126.23.126]
Sep 15 19:00:36 mail policyd-spf[19473]: None; identity=helo; client-ip=98.126.23.126; helo=scioa.org; envelope-from=dr.k.mark@sciarticles.org; receiver=tassi.emanuele@cpt.univ-mrs.fr 
Sep 15 19:00:36 mail policyd-spf[19473]: None; identity=mailfrom; client-ip=98.126.23.126; helo=scioa.org; envelope-from=dr.k.mark@sciarticles.org; receiver=tassi.emanuele@cpt.univ-mrs.fr 
Sep 15 19:00:36 mail postgrey[1086]: action=pass, reason=client AWL, client_name=unknown, client_address=98.126.23.126, sender=Dr.K.Mark@sciarticles.org, recipient=tassi.emanuele@cpt.univ-mrs.fr
Sep 15 19:00:36 mail postfix/smtpd[10567]: NOQUEUE: reject: RCPT from unknown[98.126.23.126]: 450 4.1.1 <tassi.emanuele@cpt.univ-mrs.fr>: Recipient address rejected: User unknown in local recipient table; from=<Dr.K.Mark@sciarticles.org> to=<tassi.emanuele@cpt.univ-mrs.fr> proto=ESMTP helo=<scioa.org>
Sep 15 19:00:36 mail postfix/smtpd[10567]: disconnect from unknown[98.126.23.126]
Sep 15 19:00:41 mail postfix/smtpd[26781]: connect from bon13-1-82-232-113-124.fbx.proxad.net[82.232.113.124]
Sep 15 19:00:42 mail postfix/smtpd[26781]: setting up TLS connection from bon13-1-82-232-113-124.fbx.proxad.net[82.232.113.124]
Sep 15 19:00:42 mail postfix/smtpd[26781]: Anonymous TLS connection established from bon13-1-82-232-113-124.fbx.proxad.net[82.232.113.124]: TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)
Sep 15 19:00:42 mail postfix/smtpd[26781]: NOQUEUE: reject: RCPT from bon13-1-82-232-113-124.fbx.proxad.net[82.232.113.124]: 450 4.7.1 <MacBook-Pro-de-Jose-Beltran.local>: Helo command rejected: Host not found; from=<Jose.Beltran@cpt.univ-mrs.fr> to=<oretatim@gmail.com> proto=ESMTP helo=<MacBook-Pro-de-Jose-Beltran.local>
Sep 15 19:00:46 mail dovecot: imap-login: Disconnected (no auth attempts): rip=86.193.59.178, lip=139.124.7.122, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
Sep 15 19:00:48 mail dovecot: imap-login: Login: user=<beltran>, method=PLAIN, rip=82.232.113.124, lip=139.124.7.122, TLS
Sep 15 19:00:50 mail postfix/smtpd[14000]: warning: 54.225.238.79: address not listed for hostname mail.novo-biotech.com
Sep 15 19:00:50 mail postfix/smtpd[14000]: connect from unknown[54.225.238.79]
Sep 15 19:00:50 mail policyd-spf[9180]: None; identity=helo; client-ip=54.225.238.79; helo=novo-biotech.com; envelope-from=test@novo-biotech.com; receiver=shlosman@cpt.univ-mrs.fr 
Sep 15 19:00:50 mail policyd-spf[9180]: None; identity=mailfrom; client-ip=54.225.238.79; helo=novo-biotech.com; envelope-from=test@novo-biotech.com; receiver=shlosman@cpt.univ-mrs.fr 
Sep 15 19:00:50 mail postfix/smtpd[14000]: NOQUEUE: reject: RCPT from unknown[54.225.238.79]: 454 4.7.1 Service unavailable; Client host [54.225.238.79] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=54.225.238.79; from=<test@novo-biotech.com> to=<shlosman@cpt.univ-mrs.fr> proto=SMTP helo=<novo-biotech.com>
Sep 15 19:00:50 mail postfix/smtpd[14000]: lost connection after RCPT from unknown[54.225.238.79]
Sep 15 19:00:50 mail postfix/smtpd[14000]: disconnect from unknown[54.225.238.79]
Sep 15 19:00:51 mail postfix/smtpd[26781]: disconnect from bon13-1-82-232-113-124.fbx.proxad.net[82.232.113.124]
Sep 15 19:01:05 mail postfix/smtpd[21381]: connect from 120.info-pros.com[178.33.155.120]
Sep 15 19:01:05 mail postfix/smtpd[21381]: disconnect from 120.info-pros.com[178.33.155.120]
Sep 15 19:01:13 mail postfix/smtpd[10412]: connect from mail.ncaor.gov.in[14.139.119.20]
Sep 15 19:01:13 mail postfix/smtpd[10412]: setting up TLS connection from mail.ncaor.gov.in[14.139.119.20]
Sep 15 19:01:13 mail postfix/smtpd[10412]: Anonymous TLS connection established from mail.ncaor.gov.in[14.139.119.20]: TLSv1 with cipher AES128-SHA (128/128 bits)
Sep 15 19:01:14 mail postfix/smtpd[10412]: NOQUEUE: reject: RCPT from mail.ncaor.gov.in[14.139.119.20]: 450 4.7.1 <mailserver2.ictdncaor.net>: Helo command rejected: Host not found; from=<anish@ncaor.gov.in> to=<dyn98@cpt.univ-mrs.fr> proto=ESMTP helo=<mailserver2.ictdncaor.net>
Sep 15 19:01:14 mail postfix/smtpd[10412]: disconnect from mail.ncaor.gov.in[14.139.119.20]
Sep 15 19:01:15 mail postfix/smtpd[13394]: warning: 98.126.23.126: hostname 98.126.23.126.static.krypt.com verification failed: Name or service not known
Sep 15 19:01:15 mail postfix/smtpd[13394]: connect from unknown[98.126.23.126]
Sep 15 19:01:15 mail policyd-spf[13630]: None; identity=helo; client-ip=98.126.23.126; helo=scioa.org; envelope-from=dr.k.mark@sciarticles.org; receiver=tassi.emanuele@cpt.univ-mrs.fr 
Sep 15 19:01:15 mail policyd-spf[13630]: None; identity=mailfrom; client-ip=98.126.23.126; helo=scioa.org; envelope-from=dr.k.mark@sciarticles.org; receiver=tassi.emanuele@cpt.univ-mrs.fr 
Sep 15 19:01:15 mail postgrey[1086]: action=pass, reason=client AWL, client_name=unknown, client_address=98.126.23.126, sender=Dr.K.Mark@sciarticles.org, recipient=tassi.emanuele@cpt.univ-mrs.fr
Sep 15 19:01:15 mail postfix/smtpd[13394]: NOQUEUE: reject: RCPT from unknown[98.126.23.126]: 450 4.1.1 <tassi.emanuele@cpt.univ-mrs.fr>: Recipient address rejected: User unknown in local recipient table; from=<Dr.K.Mark@sciarticles.org> to=<tassi.emanuele@cpt.univ-mrs.fr> proto=ESMTP helo=<scioa.org>
Sep 15 19:01:16 mail postfix/smtpd[13394]: disconnect from unknown[98.126.23.126]
Sep 15 19:01:16 mail postfix/smtpd[14000]: connect from mail.ncaor.gov.in[14.139.119.21]
Sep 15 19:01:16 mail postfix/smtpd[14000]: setting up TLS connection from mail.ncaor.gov.in[14.139.119.21]
Sep 15 19:01:17 mail postfix/smtpd[14000]: Anonymous TLS connection established from mail.ncaor.gov.in[14.139.119.21]: TLSv1 with cipher AES128-SHA (128/128 bits)
Sep 15 19:01:17 mail postfix/smtpd[14000]: NOQUEUE: reject: RCPT from mail.ncaor.gov.in[14.139.119.21]: 450 4.7.1 <mailserver1.ictdncaor.net>: Helo command rejected: Host not found; from=<anish@ncaor.gov.in> to=<jacques.soffer@cpt.univ-mrs.fr> proto=ESMTP helo=<mailserver1.ictdncaor.net>
Sep 15 19:01:17 mail postfix/smtpd[14000]: disconnect from mail.ncaor.gov.in[14.139.119.21]
Sep 15 19:01:19 mail dovecot: imap-login: Login: user=<bharucha>, method=PLAIN, rip=185.13.106.76, lip=139.124.7.122, TLS
Sep 15 19:01:20 mail postfix/smtpd[10517]: connect from smtp5.bouygues-telecom.fr[62.201.139.77]
Sep 15 19:01:20 mail postfix/smtpd[10517]: setting up TLS connection from smtp5.bouygues-telecom.fr[62.201.139.77]
Sep 15 19:01:20 mail postfix/smtpd[10517]: Anonymous TLS connection established from smtp5.bouygues-telecom.fr[62.201.139.77]: TLSv1 with cipher AES128-SHA (128/128 bits)
Sep 15 19:01:20 mail postfix/smtpd[10517]: NOQUEUE: reject: RCPT from smtp5.bouygues-telecom.fr[62.201.139.77]: 450 4.7.1 <BT1SHKII.prod.service.bouygues-telecom.fr>: Helo command rejected: Host not found; from=<espaceclient@bouyguestelecom.fr> to=<catherine.levet@cpt.univ-mrs.fr> proto=ESMTP helo=<BT1SHKII.prod.service.bouygues-telecom.fr>
Sep 15 19:01:20 mail postfix/smtpd[10517]: disconnect from smtp5.bouygues-telecom.fr[62.201.139.77]
Sep 15 19:01:25 mail postfix/smtpd[11451]: connect from smtp5.bouygues-telecom.fr[62.201.139.77]
Sep 15 19:01:25 mail postfix/smtpd[11451]: setting up TLS connection from smtp5.bouygues-telecom.fr[62.201.139.77]
Sep 15 19:01:25 mail postfix/smtpd[11451]: Anonymous TLS connection established from smtp5.bouygues-telecom.fr[62.201.139.77]: TLSv1 with cipher AES128-SHA (128/128 bits)
Sep 15 19:01:25 mail postfix/smtpd[11451]: NOQUEUE: reject: RCPT from smtp5.bouygues-telecom.fr[62.201.139.77]: 450 4.7.1 <BT1SHKII.prod.service.bouygues-telecom.fr>: Helo command rejected: Host not found; from=<espaceclient@bouyguestelecom.fr> to=<catherine.levet@cpt.univ-mrs.fr> proto=ESMTP helo=<BT1SHKII.prod.service.bouygues-telecom.fr>
Sep 15 19:01:26 mail postfix/smtpd[11451]: disconnect from smtp5.bouygues-telecom.fr[62.201.139.77]
Sep 15 19:01:28 mail postfix/smtpd[21381]: connect from server2.enetgroup.org[92.48.88.254]
Sep 15 19:01:28 mail policyd-spf[4875]: Pass; identity=helo; client-ip=92.48.88.254; helo=server2.enetgroup.org; envelope-from=bounce+ikpres@server2.enetgroup.org; receiver=soccorsi@cpt.univ-mrs.fr 
Sep 15 19:01:28 mail policyd-spf[4875]: Pass; identity=mailfrom; client-ip=92.48.88.254; helo=server2.enetgroup.org; envelope-from=bounce+ikpres@server2.enetgroup.org; receiver=soccorsi@cpt.univ-mrs.fr 
Sep 15 19:01:28 mail postfix/smtpd[21381]: NOQUEUE: reject: RCPT from server2.enetgroup.org[92.48.88.254]: 454 4.7.1 Service unavailable; Client host [92.48.88.254] blocked using zen.spamhaus.org; http://www.spamhaus.org/sbl/query/SBLCSS; from=<bounce+ikpres@server2.enetgroup.org> to=<soccorsi@cpt.univ-mrs.fr> proto=ESMTP helo=<server2.enetgroup.org>

For now I'm running pflogsumm, netstat, mailq and the like to watch my server and stop this.
I installed rkhunter and ran it (here are the warnings)

Warning: Found passwordless account in passwd file: +
Warning: The SSH and rkhunter configuration options should be the same:
         SSH configuration option 'PermitRootLogin': yes
         Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
Warning: Syslog configuration file allows remote logging: *.*                           @log
Warning: Hidden directory found: /dev/.udev
Warning: Hidden directory found: /dev/.initramfs

I don't know whether that's enough or whether it will help. (If you need more, I can give more info)
I'm looking into setting up an iptables filter.

#!/bin/sh
echo "- Firewall initialization:"

# Flush the current chains
iptables -t filter -F

# Delete user-defined chains
iptables -t filter -X

# Deny all incoming and outgoing connections by default
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP

# ---

# Don't break established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

# ICMP (ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT

# NFS (incomplete: portmapper only; the original lines were missing --dport)
iptables -t filter -A INPUT -p tcp --dport 111 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 111 -j ACCEPT
# SSH in
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT

# SSH out
iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT

# DNS in/out
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT

# NTP out
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT

# Mail SMTP:25
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT

# Mail submission:587 (STARTTLS; SMTPS proper is 465)
iptables -t filter -A INPUT -p tcp --dport 587 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 587 -j ACCEPT

# Mail POP3:110
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT

# Mail IMAP:143
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT

# Mail POP3S:995
iptables -t filter -A INPUT -p tcp --dport 995 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 995 -j ACCEPT

I've searched several sites, but I don't see a solution:
--> Some say it can come from a PHP script, but I don't see one there
--> That an account is compromised, but then I don't know how to see it
--> A bot or a hacker's connection, but likewise I'm not really sure how to detect it.

If someone could help me and tell me what I can do to prevent this from happening again, I would be extremely grateful.

Regards
Merrow
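As an added example (not from the poster or the replies), a small Python script that reads mail.log and counts SASL-authenticated submissions per account together with the distinct client IPs each account used, which is the usual trace of a compromised account pushing spam through the submission port. The log lines are constructed samples in the real Postfix/Dovecot format with documentation IPs, not the poster's log, and the thresholds are assumptions to tune on a real server.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample lines (real Postfix/Dovecot format, not the poster's log).
SAMPLE_LOG = """\
Sep 15 19:00:02 mail postfix/smtpd[13394]: connect from unknown[203.0.113.5]
Sep 15 19:00:02 mail postfix/smtpd[13394]: A1B2C3D4E5: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=bharucha
Sep 15 19:00:03 mail postfix/smtpd[13394]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 4.1.1 Recipient address rejected
Sep 15 19:00:10 mail postfix/smtpd[13400]: B2C3D4E5F6: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bharucha
Sep 15 19:00:11 mail dovecot: imap-login: Login: user=<bharucha>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
Sep 15 19:00:12 mail postfix/smtpd[13401]: C3D4E5F6A7: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=bharucha
Sep 15 19:00:20 mail postfix/smtpd[13402]: D4E5F6A7B8: client=laptop.example.net[192.0.2.20], sasl_method=PLAIN, sasl_username=alice
"""

# Postfix logs an authenticated submission as "client=host[ip], sasl_method=..., sasl_username=...".
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: [0-9A-F]+: client=\S+\[([0-9a-fA-F.:]+)\], "
    r"sasl_method=\w+, sasl_username=(\S+)")


def sasl_submissions(log_text):
    """Return (messages per user, set of client IPs per user) for SASL-authenticated sessions."""
    per_user = Counter()
    ips_by_user = defaultdict(set)
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            ip, user = m.groups()
            per_user[user] += 1
            ips_by_user[user].add(ip)
    return per_user, ips_by_user


def suspicious_users(log_text, max_msgs=2, max_ips=1):
    """Accounts exceeding either threshold (assumed values; raise them for a real day of traffic)."""
    per_user, ips_by_user = sasl_submissions(log_text)
    return sorted(u for u in per_user
                  if per_user[u] > max_msgs or len(ips_by_user[u]) > max_ips)


if __name__ == "__main__":
    # Usage: python3 sasl_report.py /var/log/mail.log (falls back to the sample above)
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    counts, ips = sasl_submissions(text)
    for user, n in counts.most_common():
        print(f"{user:20s} {n:6d} msgs from {len(ips[user])} IP(s): {', '.join(sorted(ips[user]))}")
    print("suspicious:", suspicious_users(text))
```

An account that suddenly submits hundreds of messages from several unfamiliar IPs is the one whose password to reset first; the same grep on dovecot imap-login lines shows whether the mailbox itself is also being read from those addresses.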

  • # sure?

    Posted by (personal page). Rated 4.

    Hi,

    For several days my postfix mail server has been flagged as sending spam.

    How do you observe that?

    Indeed, when I run pflogsumm /var/log/mail.log there was a big batch of mail sent.

    Are you sure? In the excerpt you show, I see no outgoing mail at all.
    There are 2 mails that did actually "go through" your SMTP server (status=sent), but even those are in fact mails handed to Procmail (so incoming e-mails).
    The rest ends up as "NOQUEUE".

    As for your config, skimming it quickly it looks OK to me.

    Could you show an excerpt where there really are unwanted outgoing mails?

    https://www.domotego.com/ | https://www.maccagnoni.eu/ | https://www.smm-informatique.fr/

  • # logs

    Posted by (personal page). Rated 6.

    from apache, if mail is being sent from php

    The firewall looks too effective, nothing will get through. (no NEW state anywhere)

    The machine may be compromised.

    System - Network - Open Source Security

  • # I have a scary warning

    Posted by . Rated 3.

    Warning: Found passwordless account in passwd file: +

    with an ssh server running? Which account is it?

    Don't dehorn the oxen before you have sown the wind

    • [^] # Re: I have a scary warning

      Posted by (personal page). Rated 3.

      Given the account name (+), it is a special entry allowing user accounts declared in a NIS system to be used rather than directly in /etc/passwd. Nothing nasty or abnormal a priori, unless NIS was not meant to be used.
