Disable Postfix Open Relay

Tags: postfix, smtp

For the past few weeks someone has been using my server/postfix as a relay mail server. I tried everything that was posted in the hundreds of other posts on this topic, but they are able to do it again and again. I'm not sure what I've misconfigured. I tried multiple sites that test your server for open relays, and they also say I've closed all loopholes, but these people still get mails through.

Here is my /etc/postfix/main.cf:

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination


smtpd_tls_cert_file=/var/www/mydomain.com/ssl/fullchain.pem
smtpd_tls_key_file=/var/www/mydomain.com/ssl/privkey.pem
smtpd_use_tls=yes
smtpd_tls_auth_only = yes

#Enabling SMTP for authenticated users, and handing off authentication to Dovecot
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_unlisted_recipient,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining

smtpd_sender_restrictions =
    reject_sender_login_mismatch,
    reject_non_fqdn_sender,
    reject_unlisted_sender,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_unknown_sender_domain,
    reject_unauth_pipelining

smtp_host_lookup = native

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = mydomain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $mydomain, localhost.$mydomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_alias_maps = mysql:/etc/postfix/mysql/virtual_alias_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql/virtual_domains_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf

I want only accounts from my own domain to send emails. All other sending and relaying not authenticated by one of my accounts should be blocked. Does anyone have an idea?

And here is a snippet from my mail.log containing some of the spam emails sent through my server:

Jun 24 12:32:33 mydomain postfix/anvil[7463]: statistics: max connection rate 1/60s for (smtp:200.60.36.35) at Jun 24 12:29:12
Jun 24 12:32:33 mydomain postfix/anvil[7463]: statistics: max connection count 1 for (smtp:200.60.36.35) at Jun 24 12:29:12
Jun 24 12:32:33 mydomain postfix/anvil[7463]: statistics: max cache size 1 at Jun 24 12:29:12
Jun 24 12:32:34 mydomain postfix/smtpd[7684]: connect from unknown[37.49.224.134]
Jun 24 12:32:34 mydomain postfix/smtpd[7684]: disconnect from unknown[37.49.224.134] ehlo=1 quit=1 commands=2
Jun 24 12:35:14 mydomain postfix/smtpd[8020]: connect from unknown[201.187.101.222]
Jun 24 12:35:15 mydomain postfix/smtpd[8020]: disconnect from unknown[201.187.101.222] helo=1 auth=0/1 quit=1 commands=2/3
Jun 24 12:38:35 mydomain postfix/anvil[7686]: statistics: max connection rate 1/60s for (smtp:37.49.224.134) at Jun 24 12:32:34
Jun 24 12:38:35 mydomain postfix/anvil[7686]: statistics: max connection count 1 for (smtp:37.49.224.134) at Jun 24 12:32:34
Jun 24 12:38:35 mydomain postfix/anvil[7686]: statistics: max cache size 1 at Jun 24 12:32:34
Jun 24 12:40:59 mydomain postfix/smtpd[8289]: connect from fa137.63.fix-addr.vsi.ru[80.82.63.137]
Jun 24 12:40:59 mydomain postfix/smtpd[8289]: disconnect from fa137.63.fix-addr.vsi.ru[80.82.63.137] helo=1 auth=0/1 quit=1 commands=2/3
Jun 24 12:44:19 mydomain postfix/anvil[8291]: statistics: max connection rate 1/60s for (smtp:80.82.63.137) at Jun 24 12:40:59
Jun 24 12:44:19 mydomain postfix/anvil[8291]: statistics: max connection count 1 for (smtp:80.82.63.137) at Jun 24 12:40:59
Jun 24 12:44:19 mydomain postfix/anvil[8291]: statistics: max cache size 1 at Jun 24 12:40:59
Jun 24 12:46:14 mydomain postfix/pickup[4558]: 2B8C71321632: uid=0 from=<root>
Jun 24 12:46:14 mydomain postfix/cleanup[8529]: 2B8C71321632: message-id=<20180624124614.2B8C71321632@mydomain.com>
Jun 24 12:46:14 mydomain postfix/qmgr[15111]: 2B8C71321632: from=<root@mydomain.com>, size=590, nrcpt=1 (queue active)
Jun 24 12:46:14 mydomain postfix/trivial-rewrite[8530]: warning: do not list domain mydomain.com in BOTH virtual_mailbox_domains and relay_domains
Jun 24 12:46:14 mydomain postfix/lmtp[8531]: 2B8C71321632: to=<root@mydomain.com>, orig_to=<root>, relay=mydomain.com[private/dovecot-lmtp], delay=0.1, delays=0.05/0.01/0.03/0.02, dsn=2.0.0, status=sent (250 2.0.0 <root@mydomain.com> bTFmD5aSL1tUIQAARIBmVg Saved)
Jun 24 12:46:14 mydomain postfix/qmgr[15111]: 2B8C71321632: removed
Jun 24 12:46:37 mydomain postfix/smtpd[8548]: connect from unknown[82.214.127.122]
Jun 24 12:46:37 mydomain postfix/smtpd[8548]: disconnect from unknown[82.214.127.122] helo=1 auth=0/1 quit=1 commands=2/3
Jun 24 12:49:57 mydomain postfix/anvil[8550]: statistics: max connection rate 1/60s for (smtp:82.214.127.122) at Jun 24 12:46:37
Jun 24 12:49:57 mydomain postfix/anvil[8550]: statistics: max connection count 1 for (smtp:82.214.127.122) at Jun 24 12:46:37
Jun 24 12:49:57 mydomain postfix/anvil[8550]: statistics: max cache size 1 at Jun 24 12:46:37
Jun 24 12:52:45 mydomain postfix/smtpd[8782]: warning: hostname static-181-143-57-98.une.net.co does not resolve to address 181.143.57.98: Name or service not known
Jun 24 12:52:45 mydomain postfix/smtpd[8782]: connect from unknown[181.143.57.98]
Jun 24 12:52:45 mydomain postfix/smtpd[8782]: disconnect from unknown[181.143.57.98] helo=1 auth=0/1 quit=1 commands=2/3
Jun 24 12:56:05 mydomain postfix/anvil[8784]: statistics: max connection rate 1/60s for (smtp:181.143.57.98) at Jun 24 12:52:45
Jun 24 12:56:05 mydomain postfix/anvil[8784]: statistics: max connection count 1 for (smtp:181.143.57.98) at Jun 24 12:52:45
Jun 24 12:56:05 mydomain postfix/anvil[8784]: statistics: max cache size 1 at Jun 24 12:52:45
Jun 24 12:57:22 mydomain postfix/smtpd[8984]: connect from unknown[37.49.224.134]
Jun 24 12:57:22 mydomain postfix/smtpd[8984]: disconnect from unknown[37.49.224.134] ehlo=1 quit=1 commands=2
Jun 24 12:58:33 mydomain postfix/smtpd[8984]: connect from unknown[184.71.152.86]
Jun 24 12:58:33 mydomain postfix/smtpd[8984]: disconnect from unknown[184.71.152.86] helo=1 auth=0/1 quit=1 commands=2/3
Jun 24 13:01:13 mydomain postfix/pickup[8799]: E32A71321633: uid=0 from=<root>
Jun 24 13:01:13 mydomain postfix/cleanup[9206]: E32A71321633: message-id=<20180624130113.E32A71321633@mydomain.com>
Jun 24 13:01:13 mydomain postfix/qmgr[15111]: E32A71321633: from=<root@mydomain.com>, size=590, nrcpt=1 (queue active)
Jun 24 13:01:13 mydomain postfix/trivial-rewrite[9207]: warning: do not list domain mydomain.com in BOTH virtual_mailbox_domains and relay_domains
Jun 24 13:01:14 mydomain postfix/lmtp[9208]: E32A71321633: to=<root@mydomain.com>, orig_to=<root>, relay=mydomain.com[private/dovecot-lmtp], delay=0.12, delays=0.07/0.01/0.03/0.02, dsn=2.0.0, status=sent (250 2.0.0 <root@mydomain.com> doqtARqWL1v5IwAARIBmVg Saved)
Jun 24 13:01:14 mydomain postfix/qmgr[15111]: E32A71321633: removed

I've done an open relay test through AppRiver. Most tests said that the server was protected against open relays, but a few tests failed:

Test #1
S: RSET
R: 250 2.0.0 Ok
S: MAIL FROM: <spamtest@appriver.com>
R: 250 2.1.0 Ok
S: RCPT TO: <relaytest@appriver.com>
R: 250 2.1.5 Ok
Relay Accepted

Test #3
S: RSET
R: 250 2.0.0 Ok
S: MAIL FROM: <>
R: 250 2.1.0 Ok
S: RCPT TO: <relaytest@appriver.com>
R: 250 2.1.5 Ok
Relay Accepted

Test #8
S: RSET
R: 250 2.0.0 Ok
S: MAIL FROM: <spamtest@appriver.com>
R: 250 2.1.0 Ok
S: RCPT TO: <relaytest%appriver.com@[88.201.58.183]>
R: 250 2.1.5 Ok
Relay Accepted

Best Answer

I would start with fixing:

Jun 24 13:01:13 mydomain postfix/trivial-rewrite[9207]: warning: do not list domain mydomain.com in BOTH virtual_mailbox_domains and relay_domains

And the setting "myhostname = mydomain.com" does not seem correct either; in that case, mail being sent from localhost will look like mail being relayed or received.
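The two points in the answer are linked: Postfix derives $mydomain from $myhostname by dropping the first label, so myhostname = mydomain.com yields mydomain = com, the posted mydestination then expands to "com, localhost.com, localhost", and because relay_domains (unset here, so at the legacy default $mydestination, which the trivial-rewrite warning confirms) is matched including subdomains, every .com recipient counts as an authorized relay destination. The script below is an added illustration, not Postfix code and not from the thread; it reproduces that derivation and the reject_unauth_destination decision for the posted config beside an assumed corrected one (hostname mail.mydomain.com, relay_domains explicitly empty, MySQL map assumed to return mydomain.com).

```python
# Added illustration (not Postfix code, not from the thread): reproduce how
# Postfix derives $mydomain and decides reject_unauth_destination.

def derive_mydomain(myhostname: str) -> str:
    # Postfix default: $mydomain is $myhostname minus its first label,
    # or "localdomain" when the hostname has no dot.
    labels = myhostname.strip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else "localdomain"

def expand(value: str, params: dict) -> list:
    # Expand $name references, then split on commas/whitespace like postconf.
    for name, val in params.items():
        value = value.replace("$" + name, val)
    return value.replace(",", " ").split()

def in_domain_list(domain: str, entries: list, parent_matches: bool) -> bool:
    # parent_domain_matches_subdomains covers relay_domains by default, so an
    # entry "com" also matches "appriver.com"; mydestination is exact-match.
    domain = domain.lower().rstrip(".")
    return any(domain == e.lower() or
               (parent_matches and domain.endswith("." + e.lower()))
               for e in entries)

def relay_permitted(recipient: str, cf: dict) -> bool:
    """Approximate reject_unauth_destination for an unauthenticated client."""
    domain = recipient.rpartition("@")[2]
    params = {"myhostname": cf["myhostname"],
              "mydomain": derive_mydomain(cf["myhostname"])}
    mydestination = expand(cf["mydestination"], params)
    params["mydestination"] = " ".join(mydestination)
    # relay_domains is not set in the posted main.cf; the trivial-rewrite
    # warning shows it still has the legacy default of $mydestination.
    relay_domains = expand(cf.get("relay_domains", "$mydestination"), params)
    return (in_domain_list(domain, mydestination, False)
            or in_domain_list(domain, cf["virtual_mailbox_domains"], False)
            or in_domain_list(domain, relay_domains, True))

# Values from the posted main.cf; the MySQL map is assumed to return mydomain.com.
POSTED_CF = {"myhostname": "mydomain.com",
             "mydestination": "$mydomain, localhost.$mydomain, localhost",
             "virtual_mailbox_domains": ["mydomain.com"]}
# Assumed fix: hostname below the mail domain, no $mydomain in mydestination,
# relay_domains explicitly empty.
FIXED_CF = dict(POSTED_CF, myhostname="mail.mydomain.com",
                mydestination="localhost", relay_domains="")

if __name__ == "__main__":
    for name, cf in (("posted", POSTED_CF), ("fixed", FIXED_CF)):
        print(name, "mydomain =", derive_mydomain(cf["myhostname"]),
              "| relaytest@appriver.com accepted:",
              relay_permitted("relaytest@appriver.com", cf))
```

The posted config accepts relaytest@appriver.com (AppRiver tests #1 and #3) while the corrected one rejects it and still delivers root@mydomain.com locally; `postconf -n relay_domains mydomain mydestination` on the real server shows the same derived values.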