Spam sending / SASLAUTH

RForum777
Posts: 10
Joined: 2012-05-09 07:05

Spam sending / SASLAUTH

Post by RForum777 »

Hello,

for a few days now I have had the problem that my server is sending spam (Telekom spam).
Note: the server is still online, but it no longer sends a single spam e-mail (amavis/fail2ban).


While I first suspected a compromised user account, the situation looks like this:

The server runs Debian Squeeze, Postfix + saslauthd; all packages are up to date.

The attacker connects to Postfix and *somehow* manages to bypass authentication. The only clue so far is that before the successful SASL authentication (PLAIN) there is an authentication attempt via CRAM-MD5 (not implemented):

Log file:
May 27 16:56:03 thunder postfix/smtpd[21846]: connect from 194-166-180-130.adsl.highway.telekom.at[194.166.180.130]
May 27 16:56:03 thunder postfix/smtpd[21846]: warning: 194-166-180-130.adsl.highway.telekom.at[194.166.180.130]: SASL CRAM-MD5 authentication failed: no mechanism available
May 27 16:56:03 thunder postfix/smtpd[21846]: C8AF213D0AE7: client=194-166-180-130.adsl.highway.telekom.at[194.166.180.130], sasl_method=PLAIN, sasl_username=web194p2
May 27 16:56:04 thunder postfix/smtpd[21846]: disconnect from 194-166-180-130.adsl.highway.telekom.at[194.166.180.130]


After that he can apparently send spam unhindered; the sender address is e.g. Telekom@mx.meinserver.com.


My config:

Postfix
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_client_restrictions = permit_sasl_authenticated
smtpd_helo_required = yes
smtpd_delay_reject = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,check_policy_service inet:127.0.0.1:60000
smtp_sasl_auth_enable = no
smtpd_sasl_auth_enable = yes
smtp_sasl_security_options = noplaintext, noanonymous
smtpd_sasl_authenticated_header = yes


SASL
/etc/postfix/sasl/smtpd.conf
saslauthd_path: /var/run/saslauthd/mux
pwcheck_method: saslauthd
mech_list: plain login


Changing the mail user's password several times did not help either; the attacker can still authenticate. If I connect with a wrong password myself, however, sending is refused...


Any idea what could be causing this?

Many thanks in advance!!!!!
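The pattern in the log above (a failed CRAM-MD5 attempt followed, in the same smtpd process, by a successful PLAIN login, and the same account reused from other networks) can be picked out of a mail log automatically. This is an added Python example, not code from the thread: the first four sample lines are the ones quoted above, while the remaining lines (RFC 5737 documentation addresses) and the two heuristics (failed-mechanism probe followed by success; one account from more source IPs than expected) are constructed assumptions.

```python
import re
from collections import defaultdict

# Added example (not from the thread). The two regexes match the line types the
# original poster quoted: a SASL failure warning and the "client=" line on which
# Postfix logs sasl_method and sasl_username for an accepted authenticated client.
FAIL_RE = re.compile(
    r"smtpd\[(?P<pid>\d+)\]: warning: \S+\[(?P<ip>[\d.]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed: (?P<reason>.*)$")
AUTH_RE = re.compile(
    r"smtpd\[(?P<pid>\d+)\]: \w+: client=\S+\[(?P<ip>[\d.]+)\], "
    r"sasl_method=(?P<mech>\S+), sasl_username=(?P<user>\S+)")

def analyse(lines, max_ips_per_user=1):
    """Return two findings over smtpd log lines:
    - probed_logins: a successful login that the same smtpd process saw preceded by
      a failed attempt with an unoffered mechanism (the CRAM-MD5 -> PLAIN pattern);
    - roaming_users: usernames authenticating from more source IPs than expected,
      the usual footprint of leaked credentials being used by a botnet."""
    last_failure = {}              # smtpd pid -> (client ip, failed mechanism)
    user_ips = defaultdict(set)    # sasl_username -> set of client IPs
    probed_logins = []             # (user, ip, probed mechanism)
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            last_failure[m["pid"]] = (m["ip"], m["mech"])
            continue
        m = AUTH_RE.search(line)
        if not m:
            continue
        user_ips[m["user"]].add(m["ip"])
        probe = last_failure.pop(m["pid"], None)
        if probe and probe[0] == m["ip"]:
            probed_logins.append((m["user"], m["ip"], probe[1]))
    roaming = {u: sorted(ips) for u, ips in user_ips.items()
               if len(ips) > max_ips_per_user}
    return {"roaming_users": roaming, "probed_logins": probed_logins}

# The first four lines are the ones quoted in the thread; the rest are constructed
# (RFC 5737 documentation addresses) to show the same account reused from elsewhere.
SAMPLE_LOG = """\
May 27 16:56:03 thunder postfix/smtpd[21846]: connect from 194-166-180-130.adsl.highway.telekom.at[194.166.180.130]
May 27 16:56:03 thunder postfix/smtpd[21846]: warning: 194-166-180-130.adsl.highway.telekom.at[194.166.180.130]: SASL CRAM-MD5 authentication failed: no mechanism available
May 27 16:56:03 thunder postfix/smtpd[21846]: C8AF213D0AE7: client=194-166-180-130.adsl.highway.telekom.at[194.166.180.130], sasl_method=PLAIN, sasl_username=web194p2
May 27 16:56:04 thunder postfix/smtpd[21846]: disconnect from 194-166-180-130.adsl.highway.telekom.at[194.166.180.130]
May 27 17:02:11 thunder postfix/smtpd[21900]: connect from unknown[198.51.100.23]
May 27 17:02:11 thunder postfix/smtpd[21900]: 1F3A213D0B02: client=unknown[198.51.100.23], sasl_method=PLAIN, sasl_username=web194p2
May 27 17:05:40 thunder postfix/smtpd[21950]: connect from host.example.net[192.0.2.10]
May 27 17:05:40 thunder postfix/smtpd[21950]: 2B7C213D0B11: client=host.example.net[192.0.2.10], sasl_method=LOGIN, sasl_username=web200p1
""".splitlines()

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(key, value)
```

A username that shows up from several consumer access networks within minutes is the signal worth alerting on; the failed-mechanism probe alone is only a weak hint, since legitimate clients also negotiate mechanisms.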

jan10001
Provider
Posts: 720
Joined: 2004-01-02 12:17

Re: Spam sending / SASLAUTH

Post by jan10001 »

/etc/postfix/sasl/smtpd.conf
saslauthd_path: /var/run/saslauthd/mux
pwcheck_method: saslauthd
mech_list: plain login


I'm not a Postfix expert, but shouldn't it read "mech_list: DIGEST-MD5 CRAM-MD5 PLAIN LOGIN"? What does the whole smtpd.conf actually look like? Part of it is missing.

RForum777
Posts: 10
Joined: 2012-05-09 07:05

Re: Spam sending / SASLAUTH

Post by RForum777 »

Thanks for the reply!

The config /etc/postfix/sasl/smtpd.conf should actually be fine, since saslauthd does not understand any other mechanisms...

The config follows: https://wiki.debian.org/PostfixAndSASL



Joe User
Project Manager
Posts: 11518
Joined: 2003-02-27 01:00
Location: Hamburg

Re: Spam sending / SASLAUTH

Post by Joe User »

At first glance the smtpd.conf looks OK.
Your main.cf, on the other hand, already contains several errors in the few lines you posted, so we will start by cleaning that up. Please post the complete output of

postconf -n

„If there’s more than one possible outcome of a job or task, and one
of those outcomes will result in disaster or an undesirable consequence,
then somebody will do it that way.“ -- Edward Aloysius Murphy Jr.

RForum777
Posts: 10
Joined: 2012-05-09 07:05

Re: Spam sending / SASLAUTH

Post by RForum777 »

main.cf:

alias_maps = hash:/etc/aliases
bounce_queue_lifetime = 1d
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
default_privs = nobody
disable_dns_lookups = no
home_mailbox = Maildir/
html_directory = no
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_size_limit = 1073741824
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_exceptions = root
maximal_queue_lifetime = 1d
message_size_limit = 26214400
myhostname = mx.meinserver.de
mynetworks = 127.0.0.0/8
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix/README_FILES
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_sasl_auth_enable = no
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noplaintext, noanonymous
smtp_tls_CApath = /usr/share/ca-certificates
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_banner = Server ready.
smtpd_client_restrictions = permit_sasl_authenticated
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination,check_policy_service inet:127.0.0.1:60000
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_tls_CAfile = /etc/httpd/ssl.crt/ca_rapidssl.crt
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/httpd/ssl.crt/mx.meinserver.de.crt
smtpd_tls_key_file = /etc/httpd/ssl.key/mx.meinserver.de.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = no
strict_rfc821_envelopes = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 450



Thanks for the help!

Joe User
Project Manager
Posts: 11518
Joined: 2003-02-27 01:00
Location: Hamburg

Re: Spam sending / SASLAUTH

Post by Joe User »

Your new main.cf (please make a backup of the old main.cf first):

alias_maps = hash:/etc/aliases
allow_percent_hack = no
biff = no
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
default_privs = nobody
disable_vrfy_command = yes
enable_long_queue_ids = yes
fast_flush_domains =
home_mailbox = Maildir/
html_directory = no
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_size_limit = 0
#mailbox_size_limit = 1073741824
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_domains = $mydomain
masquerade_exceptions = root, mailer-daemon
message_size_limit = 0
#message_size_limit = 26214400
mydomain = example.org
myhostname = mx.$mydomain
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
notify_classes = data, protocol, resource, software
postscreen_access_list = permit_mynetworks
postscreen_blacklist_action = ignore
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = ix.dnsbl.manitu.net cbl.abuseat.org zen.spamhaus.org
postscreen_greet_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_enable = yes
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix/README_FILES
relocated_maps = hash:/etc/postfix/relocated
remote_header_rewrite_domain = domain.invalid
sample_directory = /usr/share/doc/packages/postfix/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
show_user_unknown_table_name = no
smtp_tls_CApath = /usr/share/ca-certificates
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = CAMELLIA, RC4, 3DES, IDEA, SEED, PSK, SRP, DSS, eNULL, aNULL
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers = CAMELLIA, RC4, 3DES, IDEA, SEED, PSK, SRP, DSS, eNULL, aNULL
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_client_port_logging = yes
smtpd_client_restrictions =
  sleep 1,
  reject_unknown_reverse_client_hostname,
  permit
smtpd_data_restrictions =
  reject_unauth_pipelining,
  permit
smtpd_etrn_restrictions =
  reject
smtpd_helo_required = yes
smtpd_helo_restrictions =
  reject_invalid_helo_hostname,
  reject_non_fqdn_helo_hostname,
  permit
smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_non_fqdn_recipient,
  reject_unknown_recipient_domain,
  reject_rbl_client zen.spamhaus.org,
  reject_rbl_client ix.dnsbl.manitu.net,
  reject_rbl_client cbl.abuseat.org,
  check_policy_service inet:127.0.0.1:60000
  permit
smtpd_relay_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
  permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sender_restrictions =
  reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  permit
smtpd_tls_CAfile = /etc/httpd/ssl.crt/ca_rapidssl.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/httpd/ssl.crt/mx.meinserver.de.crt
smtpd_tls_ciphers = high
smtpd_tls_dh1024_param_file = /etc/ssl/dh_params.pem
smtpd_tls_dh512_param_file = /etc/ssl/dh_params.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = CAMELLIA, RC4, 3DES, IDEA, SEED, PSK, SRP, DSS, eNULL, aNULL
smtpd_tls_key_file = /etc/httpd/ssl.key/mx.meinserver.de.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = CAMELLIA, RC4, 3DES, IDEA, SEED, PSK, SRP, DSS, eNULL, aNULL
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_daemon_random_bytes = 64
tls_preempt_cipherlist = yes
tls_random_bytes = 64
tls_random_source = dev:/dev/urandom
tls_ssl_options = NO_COMPRESSION
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 450

Before you restart Postfix, please run the following:

# OpenSSL 0.9.8
openssl dhparam -out /etc/ssl/dh_params.pem 4096
openssl ecparam -out /etc/ssl/ec_params.pem -name secp384r1

# OpenSSL 1.0.1
openssl genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:4096 -out /etc/ssl/dh_params.pem
openssl genpkey -genparam -algorithm EC -pkeyopt ec_paramgen_curve:secp384r1 -out /etc/ssl/ec_params.pem

RForum777
Posts: 10
Joined: 2012-05-09 07:05

Re: Spam sending / SASLAUTH

Post by RForum777 »

I tested the new config, but Postfix no longer starts:

fatal: parameter "smtpd_recipient_restrictions": specify at least one working instance of: check_relay_domains, reject_unauth_destination, reject, defer or defer_if_permit

ddm3ve
Moderator
Posts: 1114
Joined: 2011-07-04 10:56

Re: Spam sending / SASLAUTH

Post by ddm3ve »

130.adsl.highway.telekom.at[194.166.180.130], sasl_method=PLAIN, sasl_username=web194p2
May 27 16:56:04 thunder postfix/smtpd[21846]: disconnect from 194-166-180-130.adsl.highway.telekom.at[194.166.180.130]

The login was obviously successful. So someone has both the username and the password.
Last week one of our customers unfortunately also received and opened one of these Telekom invoices. Within a few minutes the username and password had been distributed and abused.
After a password change it likewise took less than 5 minutes for the new password to reach the botnets.

I would check whether your customer may have picked up a trojan or spyware. Unfortunately, masses of such login attempts are hitting us as well.
Alarmingly, most of the targeted attacks come from German-speaking European regions, i.e. primarily DACH.

So the botnet behind this does not seem to be entirely stupid, since it takes the origin of the "used" account into account.
02:32:12 21.12.2012, and then all your problems will be irrelevant.

Joe User
Project Manager
Posts: 11518
Joined: 2003-02-27 01:00
Location: Hamburg

Re: Spam sending / SASLAUTH

Post by Joe User »

You still have an old Postfix version, so please use this main.cf instead

alias_maps = hash:/etc/aliases
allow_percent_hack = no
biff = no
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
default_privs = nobody
disable_vrfy_command = yes
enable_long_queue_ids = yes
fast_flush_domains =
home_mailbox = Maildir/
html_directory = no
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_size_limit = 0
#mailbox_size_limit = 1073741824
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_domains = $mydomain
masquerade_exceptions = root, mailer-daemon
message_size_limit = 0
#message_size_limit = 26214400
mydomain = example.org
myhostname = mx.$mydomain
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
notify_classes = data, protocol, resource, software
postscreen_access_list = permit_mynetworks
postscreen_blacklist_action = ignore
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = ix.dnsbl.manitu.net cbl.abuseat.org zen.spamhaus.org
postscreen_greet_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_enable = yes
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix/README_FILES
relocated_maps = hash:/etc/postfix/relocated
remote_header_rewrite_domain = domain.invalid
sample_directory = /usr/share/doc/packages/postfix/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
show_user_unknown_table_name = no
smtp_tls_CApath = /usr/share/ca-certificates
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = CAMELLIA, RC4, 3DES, IDEA, SEED, PSK, SRP, DSS, eNULL, aNULL
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers = CAMELLIA, RC4, 3DES, IDEA, SEED, PSK, SRP, DSS, eNULL, aNULL
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_client_port_logging = yes
smtpd_client_restrictions =
  sleep 1,
  reject_unknown_reverse_client_hostname,
  permit
smtpd_data_restrictions =
  reject_unauth_pipelining,
  permit
smtpd_etrn_restrictions =
  reject
smtpd_helo_required = yes
smtpd_helo_restrictions =
  reject_invalid_helo_hostname,
  reject_non_fqdn_helo_hostname,
  permit
smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
  reject_non_fqdn_recipient,
  reject_unknown_recipient_domain,
  reject_rbl_client zen.spamhaus.org,
  reject_rbl_client ix.dnsbl.manitu.net,
  reject_rbl_client cbl.abuseat.org,
  check_policy_service inet:127.0.0.1:60000
  permit
smtpd_relay_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
  permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sender_restrictions =
  reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  permit
smtpd_tls_CAfile = /etc/httpd/ssl.crt/ca_rapidssl.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/httpd/ssl.crt/mx.meinserver.de.crt
smtpd_tls_ciphers = high
smtpd_tls_dh1024_param_file = /etc/ssl/dh_params.pem
smtpd_tls_dh512_param_file = /etc/ssl/dh_params.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = CAMELLIA, RC4, 3DES, IDEA, SEED, PSK, SRP, DSS, eNULL, aNULL
smtpd_tls_key_file = /etc/httpd/ssl.key/mx.meinserver.de.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = CAMELLIA, RC4, 3DES, IDEA, SEED, PSK, SRP, DSS, eNULL, aNULL
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_daemon_random_bytes = 64
tls_preempt_cipherlist = yes
tls_random_bytes = 64
tls_random_source = dev:/dev/urandom
tls_ssl_options = NO_COMPRESSION
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 450
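The startup failure RForum777 ran into and Joe User's reply that the poster's Postfix is too old come down to one rule: smtpd_recipient_restrictions must contain a relay control such as reject_unauth_destination unless the Postfix version (2.10 and later) can carry it in smtpd_relay_restrictions, and an unconditional permit must never come before that control. The following Python check is an added example, not code from the thread; it parses postconf -n style output, the keyword-versus-argument split is a heuristic of my own, and the two config fragments it runs on are constructed to mirror the configurations posted above.

```python
import re
# Added example (not from the thread). Postfix refuses to start unless one of these
# appears in smtpd_recipient_restrictions (the fatal error quoted in the thread);
# Postfix 2.10 and later also accepts it in smtpd_relay_restrictions instead.
RELAY_CONTROLS = {"check_relay_domains", "reject_unauth_destination",
                  "reject", "defer", "defer_if_permit"}
# Heuristic: restriction keywords are [a-z_]+; other tokens ('inet:127.0.0.1:60000',
# 'zen.spamhaus.org', a sleep count) are arguments of the preceding keyword.
KEYWORD = re.compile(r"[a-z_]+")

def parse_postconf(text):
    """Parse 'postconf -n' style output into {parameter: [tokens]}. A line starting
    with whitespace continues the previous parameter; tokens split on blanks/commas."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            value = raw
        else:
            current, _, value = raw.partition("=")
            current = current.strip()
            params[current] = []
        params[current] += [t for t in re.split(r"[\s,]+", value) if t]
    return params

def check_relay_control(params, has_relay_restrictions=False):
    """Return findings; has_relay_restrictions says whether this Postfix (2.10+)
    knows smtpd_relay_restrictions, where the relay control may live instead."""
    names = [t for t in params.get("smtpd_recipient_restrictions", []) if KEYWORD.fullmatch(t)]
    relay = [t for t in params.get("smtpd_relay_restrictions", []) if KEYWORD.fullmatch(t)]
    ctrl = next((i for i, n in enumerate(names) if n in RELAY_CONTROLS), None)
    findings = []
    if ctrl is None and not (has_relay_restrictions and RELAY_CONTROLS & set(relay)):
        findings.append("no relay control in smtpd_recipient_restrictions: "
                        "Postfix before 2.10 will not start")
    if ctrl is not None and "permit" in names[:ctrl]:
        findings.append("unconditional permit before the relay control: open relay")
    return findings

# Constructed fragments mirroring the thread: the poster's original single-line
# setting, and the proposed config that moved reject_unauth_destination into
# smtpd_relay_restrictions, which the poster's older Postfix rejected at startup.
ORIGINAL = """\
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination,check_policy_service inet:127.0.0.1:60000
"""
PROPOSED = """\
smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  check_policy_service inet:127.0.0.1:60000
  permit
smtpd_relay_restrictions =
  reject_unauth_destination,
  permit
"""
```

Feed it the real output with `check_relay_control(parse_postconf(open("postconf.txt").read()), has_relay_restrictions=True)` on Postfix 2.10 or later, or with the default on older versions such as the Squeeze one in the thread.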