[Techtalk] Am I Running an Open Relay? Help!

Kagan MacTane kagan at mactane.org
Mon Dec 1 03:07:35 UTC 2014


I'm running an Ubuntu 14.04.1 server with Postfix using SASL and TLS. 
The Postfix was originally installed many years ago, and has been 
upgraded and switched around so many times I can't keep anything 
straight in my config. Things used to be fine, but recently I've been 
getting back messages from Gmail saying my messages are rejected because 
there's too much spam coming from my IP address. Uh-oh!

I tried the open relay checker at http://www.mailradar.com/openrelay/ 
and it comes up clean. However, the one at 
http://www.spamhelp.org/shopenrelay/ says "Testing 162.245.20.11 on 
port 25... Error - could not connect to server" (which is weird as 
hell, because the world can send me email just fine), and the one at 
http://checkor.com/ just comes up blank, apparently doing nothing.

But my mail queue is full of messages that are from and/or to other 
domains, with nothing to do with any of my users or people they 
communicate with. (I have a very small userbase, of people who I know 
personally, so I can see that none of this stuff has anything to do with 
them.) Seriously, it looks like I've got roughly 30,000 spam messages 
cluttering up my mail queue, trying and failing to be delivered to 
addresses at Gmail, Hotmail, and suchlike.

Also, my mail log is full of lines like these:

Nov 30 18:49:55 finrod postfix/smtpd[23941]: 0457921C727E: client=unknown[109.251.106.76], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
Nov 30 18:49:55 finrod postfix/smtpd[23984]: 86C5021C7320: client=unknown[203.81.71.54], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
Nov 30 18:50:06 finrod postfix/smtpd[23941]: AD50621C76EA: client=unknown[109.251.106.76], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
Nov 30 18:50:07 finrod postfix/smtpd[24190]: 3754921C7776: client=unknown[123.22.39.19], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
Nov 30 18:50:13 finrod postfix/smtpd[24217]: A9A0421C7A89: client=unknown[37.151.88.33], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
Nov 30 18:50:31 finrod postfix/smtpd[23941]: 8367221C81E2: client=unknown[37.214.118.38], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
Nov 30 18:50:35 finrod postfix/smtpd[23984]: 64BFC21C82B6: client=unknown[203.81.71.54], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
Nov 30 18:50:47 finrod postfix/smtpd[24174]: C6ED621C85BE: client=unknown[178.172.155.61], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
Nov 30 18:51:01 finrod postfix/smtpd[24174]: BCACC21C874C: client=unknown[178.172.155.61], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org

...where digitalsidhe at silmemar.org is a valid address on one of my 
domains. Has someone gotten this user's password and is using it to 
authenticate via SASL, and then send spam through my machine?

I've gone over my main.cf looking at my SASL and general restrictions 
areas, but I've been out of the mail-admin game so long, I can't make 
heads or tails of it. I *think* it's okay, but am not sure. I can post 
it if folks want, or I can just wrap up this cry for help before it 
becomes too long.

My profoundest thanks for any assistance anyone can provide.

-- 
Kagan MacTane
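The log pattern quoted in the post (one SASL username authenticating from many unrelated client addresses) is what a compromised account, rather than an open relay, looks like in mail.log. As an added example that is not part of the original post, the Python below parses Postfix smtpd "client=" lines, tallies messages and distinct client IPs per sasl_username, and flags accounts seen from more IPs than a threshold; the sample log, addresses and usernames in it are constructed.

```python
import re
from collections import defaultdict

# Postfix smtpd "client=" line: queue id, client host[ip], and, for
# authenticated submissions, the SASL method and username.
SMTPD_CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+))?"
)

# Constructed sample log (TEST-NET addresses, placeholder users), in the
# same format as the lines quoted in the post.
SAMPLE_LOG = """\
Nov 30 18:49:55 finrod postfix/smtpd[23941]: 0457921C727E: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.org
Nov 30 18:49:55 finrod postfix/smtpd[23984]: 86C5021C7320: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.org
Nov 30 18:50:06 finrod postfix/smtpd[23941]: AD50621C76EA: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.org
Nov 30 18:50:07 finrod postfix/smtpd[24190]: 3754921C7776: client=unknown[203.0.113.44], sasl_method=PLAIN, sasl_username=alice@example.org
Nov 30 18:50:13 finrod postfix/smtpd[24217]: A9A0421C7A89: client=unknown[203.0.113.99], sasl_method=PLAIN, sasl_username=alice@example.org
Nov 30 18:50:20 finrod postfix/smtpd[24217]: B1B2C21C7B00: client=home.example.net[192.0.2.200], sasl_method=PLAIN, sasl_username=bob@example.org
Nov 30 18:50:31 finrod postfix/smtpd[23941]: 8367221C81E2: client=mail.example.com[198.51.100.1]
"""

def parse_smtpd_line(line):
    """Fields of one smtpd client= line, or None for any other line."""
    m = SMTPD_CLIENT_RE.search(line)
    return m.groupdict() if m else None

def sasl_usage_by_user(lines):
    """sasl_username -> {'messages': count, 'ips': set of client IPs}."""
    usage = defaultdict(lambda: {"messages": 0, "ips": set()})
    for line in lines:
        rec = parse_smtpd_line(line)
        if rec is None or rec["user"] is None:
            continue  # unauthenticated or unrelated line
        usage[rec["user"]]["messages"] += 1
        usage[rec["user"]]["ips"].add(rec["ip"])
    return dict(usage)

def suspicious_accounts(lines, max_ips=3):
    """Accounts authenticating from more than max_ips distinct client IPs:
    a real user's mail client comes from a few addresses, a stolen password
    shows up as one username spread across many unrelated IPs."""
    return sorted(user for user, s in sasl_usage_by_user(lines).items()
                  if len(s["ips"]) > max_ips)

if __name__ == "__main__":
    for user, s in sasl_usage_by_user(SAMPLE_LOG.splitlines()).items():
        print(f"{user}: {s['messages']} messages from {len(s['ips'])} IPs")
    print("suspicious:", suspicious_accounts(SAMPLE_LOG.splitlines()))
```

Run it against a real /var/log/mail.log with `sasl_usage_by_user(open(path))`; the flagged username is the credential to reset, after which the queued spam for that sender can be flushed from the Postfix queue.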
