Linode Forum
Linode Community Forums
PostPosted: Thu Oct 03, 2013 1:49 pm 
Offline
Senior Member

Joined: Wed May 13, 2009 1:32 pm
Posts: 737
Location: Italy
Hi,
my linode has been on for more than 4 years without any problem.
Today it has been banned for spam.

Someone or something is sending spam using my linode and I'm not able to understand what it is.
I'm very sad, I'm 100% sure that no one logged into my vps using SSH, logs say no unauthorized login.
I'm 100% sure that apache is not sending email via scripts because today I have seen my vps sending spam with apache stopped.

This is my postconf, do you see any security hole in this?

Code:
postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
always_bcc = myname@mydomain.org
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_interfaces = $myhostname, localhost
inet_protocols = all
mail_owner = postfix
mailbox_size_limit = 1024000000
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 102400000
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = mydomain.org
myhostname = mail.mydomain.org
mynetworks = 192.168.0.0/24, 127.0.0.0/8
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
recipient_bcc_maps = hash:/etc/postfix/bcc_maps
relay_domains =
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sender_bcc_maps = hash:/etc/postfix/bcc_maps
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_delay_reject = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,    permit_sasl_authenticated, permit
smtpd_recipient_restrictions = permit_mynetworks,   check_sender_access hash:/etc/postfix/sender_access,   permit_sasl_authenticated,   reject_unauth_destination,   reject_rbl_client zen.spamhaus.org,   permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks,    permit_sasl_authenticated,    permit
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.mydomain.org.cert
smtpd_tls_key_file = /etc/pki/tls/private/mail.mydomain.org.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550




How the damn are they sending spam with my server?


PostPosted: Thu Oct 03, 2013 2:25 pm 
Offline
Senior Member

Joined: Wed May 13, 2009 1:32 pm
Posts: 737
Location: Italy
I see dozens of messages like this:
Code:
: to=<momyassumsnip@emailfreepop2010.co.cc>, relay=emailfreepop2010.co.cc[199.2.137.140]:25, delay=275593, delays=275292/0.02/300/0, dsn=4.4.2, status=deferred (conversation with emailfreepop2010.co.cc[199.2.137.140] timed out while receiving the initial server greeting)
Oct  3 20:22:20 netstar postfix/smtp[1257]: 471CB5651: to=<adres@yrus.co.cc>, relay=yrus.co.cc[199.2.137.140]:25, delay=337708, delays=337407/0.03/300/0, dsn=4.4.2, status=deferred (conversation with yrus.co.cc[199.2.137.140] timed out while receiving the initial server greeting)
Oct  3 20:22:20 netstar postfix/smtp[1264]: 9E5BB568D: to=<vikij@43gosi.co.cc>, relay=43gosi.co.cc[199.2.137.140]:25, delay=336340, delays=336040/0.02/300/0, dsn=4.4.2, status=deferred (conversation with 43gosi.co.cc[199.2.137.140] timed out while receiving the initial server greeting)
Oct  3 20:22:20 netstar postfix/smtp[1278]: 3032656A7: to=<order-viagra@fgjfjfjfyjryjf.co.cc>, relay=fgjfjfjfyjryjf.co.cc[199.2.137.140]:25, delay=336715, delays=336414/0.01/300/0, dsn=4.4.2, status=deferred (conversation with fgjfjfjfyjryjf.co.cc[199.2.137.140] timed out while receiving the initial server greeting)
Oct  3 20:22:20 netstar postfix/smtp[1281]: 15B6A5B5E: to=<aslik@anded.co.cc>, relay=anded.co.cc[199.2.137.140]:25, delay=280508, delays=280207/0.03/300/0, dsn=4.4.2, status=deferred (conversation with anded.co.cc[199.2.137.140] timed out while receiving the initial server greeting)
Oct  3 20:22:24 netstar postfix/smtp[1279]: 5C78386659: to=<info@bmsw.de>, relay=mail.bmsw.de[94.102.209.215]:25, delay=92138, delays=91834/0.04/304/0, dsn=4.4.2, status=deferred (conversation with mail.bmsw.de[94.102.209.215] timed out while receiving the initial server greeting)
Oct  3 20:22:24 netstar postfix/smtp[1284]: B541B866F6: to=<info@gbap.de>, relay=mail.gbap.de[94.102.209.215]:25, delay=89731, delays=89428/0.03/304/0, dsn=4.4.2, status=deferred (conversation with mail.gbap.de[94.102.209.215] timed out while receiving the initial server greeting)



Is this my server that is trying to send spam?
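
Added example (not code from the thread): a Python summary over postfix/smtp log lines of the shape posted above. It parses each delivery attempt, counts outcomes, groups recipient domains by relay IP, converts `delay` into days spent in the queue, and counts deferrals whose connection-setup time (the third `delays` field) hit the 300-second timeout. One relay IP receiving mail for many unrelated recipient domains, together with days-old deferred messages, is the outbound-queue signature a responder looks for when asking whether the server itself is the sender. The sample lines are constructed in the posted format; `mailhost`, the queue ids, the addresses and the TEST-NET-1 IPs (192.0.2.x) are made up.

```python
import re
from collections import Counter, defaultdict

# Regex for postfix/smtp delivery-attempt lines as posted in the thread
# (queue id, recipient, relay host/IP/port, delay, delays, dsn, status, reason).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/smtp\[(?P<pid>\d+)\]: "
    r"(?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, "
    r"relay=(?P<relay>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+), "
    r"delay=(?P<delay>[\d.]+), delays=(?P<delays>[\d./]+), dsn=(?P<dsn>[\d.]+), "
    r"status=(?P<status>\w+) \((?P<reason>.*)\)$"
)

# Constructed sample lines modelled on the ones posted; every host, queue id,
# address and IP here is made up (192.0.2.x is TEST-NET-1).
SAMPLE_LOG = """\
Oct  3 20:22:20 mailhost postfix/smtp[1257]: 471CB5651: to=<user1@spamdomain-a.example>, relay=spamdomain-a.example[192.0.2.10]:25, delay=337708, delays=337407/0.03/300/0, dsn=4.4.2, status=deferred (conversation with spamdomain-a.example[192.0.2.10] timed out while receiving the initial server greeting)
Oct  3 20:22:20 mailhost postfix/smtp[1264]: 9E5BB568D: to=<user2@spamdomain-b.example>, relay=spamdomain-b.example[192.0.2.10]:25, delay=336340, delays=336040/0.02/300/0, dsn=4.4.2, status=deferred (conversation with spamdomain-b.example[192.0.2.10] timed out while receiving the initial server greeting)
Oct  3 20:22:20 mailhost postfix/smtp[1278]: 3032656A7: to=<user3@spamdomain-c.example>, relay=spamdomain-c.example[192.0.2.10]:25, delay=336715, delays=336414/0.01/300/0, dsn=4.4.2, status=deferred (conversation with spamdomain-c.example[192.0.2.10] timed out while receiving the initial server greeting)
Oct  3 20:22:24 mailhost postfix/smtp[1279]: 5C78386659: to=<info@shop-d.example>, relay=mail.shop-d.example[192.0.2.20]:25, delay=92138, delays=91834/0.04/304/0, dsn=4.4.2, status=deferred (conversation with mail.shop-d.example[192.0.2.20] timed out while receiving the initial server greeting)
Oct  3 20:22:31 mailhost postfix/smtp[1290]: 7A1D05B2C: to=<friend@legit.example>, relay=mx.legit.example[192.0.2.30]:25, delay=1.2, delays=0.4/0.01/0.3/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as ABC123)
Oct  3 20:22:31 mailhost postfix/qmgr[901]: 7A1D05B2C: removed
"""


def parse_smtp_lines(text):
    """Yield one dict per postfix/smtp delivery-attempt line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def summarize(text):
    """Aggregate delivery attempts the way a responder would when asked
    whether the server itself is the one sending the mail."""
    by_status = Counter()
    attempts_per_ip = Counter()
    domains_per_ip = defaultdict(set)
    oldest_days = 0.0
    stuck_in_connect = 0
    for e in parse_smtp_lines(text):
        by_status[e["status"]] += 1
        attempts_per_ip[e["ip"]] += 1
        domains_per_ip[e["ip"]].add(e["rcpt"].split("@", 1)[1])
        # delay is the total age of the message in seconds.
        oldest_days = max(oldest_days, float(e["delay"]) / 86400)
        # delays=a/b/c/d: a=before queue manager, b=in queue manager,
        # c=connection setup (DNS/HELO/TLS), d=message transmission.
        connect_seconds = float(e["delays"].split("/")[2])
        if e["status"] == "deferred" and connect_seconds >= 300:
            stuck_in_connect += 1
    # A single relay IP serving three or more recipient domains is the
    # pattern the posted log shows; report those IPs with their domains.
    shared_relays = {ip: sorted(d) for ip, d in domains_per_ip.items() if len(d) >= 3}
    return {
        "total": sum(by_status.values()),
        "by_status": dict(by_status),
        "attempts_per_ip": dict(attempts_per_ip),
        "shared_relays": shared_relays,
        "oldest_days": round(oldest_days, 1),
        "stuck_in_connect": stuck_in_connect,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

Run against a real maillog by passing the file contents to `summarize`; deferred messages several days old, all waiting on the same handful of relay IPs, are queued outbound mail generated on this host, not incoming mail.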


PostPosted: Thu Oct 03, 2013 2:31 pm 
Offline
Senior Member

Joined: Wed May 13, 2009 1:32 pm
Posts: 737
Location: Italy
I recently installed Pigeonhole (managesieve plugin) and enabled lmtp sieve.
Do you think that this can be the root cause?


PostPosted: Thu Oct 03, 2013 5:46 pm 
Offline
Senior Member

Joined: Tue Dec 20, 2011 5:17 pm
Posts: 52
Location: Serbia, Europe
The problem lies in your /etc/postfix/main.cf configuration file, or, more precisely, this:

Code:
smtpd_sender_restrictions = permit_mynetworks,    permit_sasl_authenticated,    permit


You basically allowed anyone with access to the Internet to be able to send unlimited amounts of mails completely unauthenticated, that is, without any username or password, therefore making your mail server an open relay.

Change it to this:

Code:
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit


There are additional options that you can add, but you can begin with this one (reject_unauth_destination). That option will stop anyone from sending any email using your server without authenticating, effectively stopping anyone who doesn't have an account on your server from sending email.

Keep us posted if you encounter additional problems.


PostPosted: Thu Oct 03, 2013 5:59 pm 
Offline
Senior Member

Joined: Wed May 13, 2009 1:32 pm
Posts: 737
Location: Italy
petarpetrovic wrote:
The problem lies in your /etc/postfix/main.cf configuration file, or, more precisely, this:

Code:
smtpd_sender_restrictions = permit_mynetworks,    permit_sasl_authenticated,    permit


You basically allowed anyone with access to the Internet to be able to send unlimited amounts of mails completely unauthenticated, that is, without any username or password, therefore making your mail server an open relay.

Change it to this:

Code:
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit


There are additional options that you can add, but you can begin with this one (reject_unauth_destination). That option will stop anyone from sending any email using your server without authenticating, effectively stopping anyone who doesn't have an account on your server from sending email.

Keep us posted if you encounter additional problems.


I love you for your answer! I really missed that damn setting, but why did every "open relay" test pass without that setting too?
There are dozens of open relay tests on the net, sites that try more than 20 different tests, and my linode always passed every test. How is this possible?

Another question: do you think that lmtp and sieve opened in my dovecot.conf can have caused this problem?
I'm really worried about reopening lmtp and sieve on that linode.


PostPosted: Thu Oct 03, 2013 7:00 pm 
Offline
Senior Member

Joined: Tue Dec 20, 2011 5:17 pm
Posts: 52
Location: Serbia, Europe
Well, I don't really have enough experience with lmtp so I can't really comment on it, but you can always enable it and then watch if it changes your config file. It might be a little bit risky, but that's your safest approach. If it does turn out that lmtp changes your config file, which is in my opinion unlikely, you'll know what causes the problem and you'll know more about how you might solve it.


PostPosted: Fri Oct 04, 2013 1:49 am 
Offline
Senior Member

Joined: Wed May 13, 2009 1:32 pm
Posts: 737
Location: Italy
Code:
[root@netstar ~]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
always_bcc = myname@mydomain.org
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_interfaces = $myhostname, localhost
inet_protocols = all
mail_owner = postfix
mailbox_size_limit = 1024000000
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 102400000
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = mydomain.org
myhostname = mail.mydomain.org
mynetworks = 192.168.0.0/24, 127.0.0.0/8
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
recipient_bcc_maps = hash:/etc/postfix/bcc_maps
relay_domains =
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sender_bcc_maps = hash:/etc/postfix/bcc_maps
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_delay_reject = yes
smtpd_helo_required = no
smtpd_helo_restrictions = permit_mynetworks,    permit_sasl_authenticated,    permit
smtpd_recipient_restrictions = permit_mynetworks,   check_sender_access hash:/etc/postfix/sender_access,   permit_sasl_authenticated,   reject_unauth_destination,   reject_rbl_client zen.spamhaus.org,   permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks,    permit_sasl_authenticated,    reject_non_fqdn_sender,    reject_unknown_sender_domain,    reject_unauth_destination,    permit
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.mydomain.org.cert
smtpd_tls_key_file = /etc/pki/tls/private/mail.mydomain.org.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550

I updated my main.cf like this, is it better now?
Thanks!!!


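
Added example, not code from the thread or from Postfix itself: a small Python lint that encodes the checks discussed in this thread, covering both the original `smtpd_sender_restrictions` line the answer flagged and the updated config in this post. It parses `postconf -n` output, splits each restriction list the way Postfix reads it (in order, first permit or reject decides, with table and RBL arguments attached to their restriction), and reports a recipient, relay or sender list with no `reject_unauth_destination`, a bare `permit` that shadows it, a world-wide `mynetworks`, or SASL enabled without `noanonymous`. `smtpd_relay_restrictions` only exists in newer Postfix than the 2.6.6 shown here and is checked only if present. The three excerpts are constructed from the restriction lines posted in this thread (the `bad` one is invented to show the ordering check); `mydomain.org` is the thread's own placeholder.

```python
import ipaddress

# Constructed `postconf -n` excerpts in the shape the thread shows. BEFORE carries
# the sender restrictions the answer flagged; AFTER carries the updated list from
# the follow-up post. mydomain.org is the thread's own placeholder domain.
POSTCONF_BEFORE = """\
myhostname = mail.mydomain.org
mynetworks = 192.168.0.0/24, 127.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/sender_access, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, permit
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, permit
"""

POSTCONF_AFTER = """\
myhostname = mail.mydomain.org
mynetworks = 192.168.0.0/24, 127.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/sender_access, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, permit
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_destination, permit
"""

# Invented bad config: the reject is present but listed after a bare permit,
# and mynetworks trusts every address.
POSTCONF_BAD = """\
mynetworks = 0.0.0.0/0
smtpd_recipient_restrictions = permit, reject_unauth_destination
"""

# Restrictions that take an argument (lookup table, RBL or policy service),
# so the token after them belongs to them rather than being a restriction.
ARG_RESTRICTIONS = {
    "check_client_access", "check_helo_access", "check_sender_access",
    "check_recipient_access", "check_policy_service", "reject_rbl_client",
    "reject_rhsbl_client", "reject_rhsbl_sender", "reject_rhsbl_recipient",
}
RELAY_CONTROL = {"reject_unauth_destination", "defer_unauth_destination"}


def parse_postconf(text):
    """Turn `postconf -n` output into a dict of parameter -> raw value."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def restriction_names(value):
    """Split a restriction list into restriction names, dropping table/RBL arguments."""
    names, skip = [], False
    for tok in value.replace(",", " ").split():
        if skip:
            skip = False
            continue
        names.append(tok)
        skip = tok in ARG_RESTRICTIONS
    return names


def lint(conf):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Postfix walks a restriction list in order and the first permit/reject
    # decides, so relay control only works if reject_unauth_destination is
    # present and no bare 'permit' comes before it.
    for key in ("smtpd_recipient_restrictions", "smtpd_relay_restrictions",
                "smtpd_sender_restrictions"):
        if key not in conf:
            continue
        names = restriction_names(conf[key])
        controls = [i for i, n in enumerate(names) if n in RELAY_CONTROL]
        if not controls:
            findings.append(f"{key}: missing reject_unauth_destination")
        elif "permit" in names and names.index("permit") < controls[0]:
            findings.append(f"{key}: unconditional 'permit' listed before reject_unauth_destination")
    # permit_mynetworks trusts every address in mynetworks; a /0 trusts everyone.
    for net in conf.get("mynetworks", "").replace(",", " ").split():
        try:
            network = ipaddress.ip_network(net, strict=False)
        except ValueError:
            continue  # lookup tables and negated entries are not parsed here
        if network.prefixlen == 0:
            findings.append(f"mynetworks: {net} trusts the whole Internet")
    # permit_sasl_authenticated is only meaningful if anonymous SASL is refused.
    if conf.get("smtpd_sasl_auth_enable") == "yes" and \
            "noanonymous" not in conf.get("smtpd_sasl_security_options", ""):
        findings.append("smtpd_sasl_security_options: missing noanonymous")
    return findings


if __name__ == "__main__":
    for label, text in (("before", POSTCONF_BEFORE), ("after", POSTCONF_AFTER), ("bad", POSTCONF_BAD)):
        print(label, lint(parse_postconf(text)) or ["ok"])
```

To lint a live host, feed the output of `postconf -n` to `parse_postconf` and print `lint(...)`; `before` yields the single finding on `smtpd_sender_restrictions`, `after` yields none.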


PostPosted: Fri Oct 04, 2013 8:34 am 
Offline
Senior Member

Joined: Tue Dec 20, 2011 5:17 pm
Posts: 52
Location: Serbia, Europe
It looks pretty good now, you shouldn't have any spam issues with those settings. Your config file pretty much resembles my own config file, so you should be OK now. Keep me posted if you encounter any additional issues, I'll be glad to help. :)


PostPosted: Fri Oct 04, 2013 8:51 am 
Offline
Senior Member

Joined: Wed May 13, 2009 1:32 pm
Posts: 737
Location: Italy
petarpetrovic wrote:
It looks pretty good now, you shouldn't have any spam issues with those settings. Your config file pretty much resembles my own config file, so you should be OK now. Keep me posted if you encounter any additional issues, I'll be glad to help. :)


Thank you very much for your help, you helped me more than Linode Customer Service does,
I will open a thread on this matter, but this is another story.

I'm quite worried about reopening 4190 telnet for lmtp and sieve.
I will try tomorrow while monitoring the maillog day and night.


PostPosted: Fri Oct 04, 2013 9:15 am 
Offline
Senior Member

Joined: Tue Apr 13, 2004 6:54 pm
Posts: 833
sblantipodi wrote:
Thank you very much for your help, you helped me more than Linode Customer Service does,

Unless you're paying for managed services, then any help you get from Linode customer support on issues like this (ie your mistake on your OS instance) is more than you should expect. I no more expect Linode to configure my mail server than I'd expect Verizon to set up my answer machine (without paying extra).

If you are paying for managed services then it'll depend on what the actual agreement is.

_________________
Rgds
Stephen
(Linux user since kernel version 0.11)


PostPosted: Fri Oct 04, 2013 9:36 am 
Offline
Senior Member

Joined: Wed May 13, 2009 1:32 pm
Posts: 737
Location: Italy
sweh wrote:
sblantipodi wrote:
Thank you very much for your help, you helped me more than Linode Customer Service does,

Unless you're paying for managed services, then any help you get from Linode customer support on issues like this (ie your mistake on your OS instance) is more than you should expect. I no more expect Linode to configure my mail server than I'd expect Verizon to set up my answer machine (without paying extra).

If you are paying for managed services then it'll depend on what the actual agreement is.


This is not the thread to talk about this, I will talk about it when I open a thread for it.
Now please don't continue on this matter here, the problem in this thread is a different one :)

I will link the customer service thread here when I open it.


PostPosted: Fri Oct 04, 2013 9:40 am 
Offline
Senior Member

Joined: Sun May 23, 2010 1:57 pm
Posts: 315
Website: http://www.jebblue.net
sblantipodi wrote:
petarpetrovic wrote:
It looks pretty good now, you shouldn't have any spam issues with those settings. Your config file pretty much resembles my own config file, so you should be OK now. Keep me posted if you encounter any additional issues, I'll be glad to help. :)


Thank you very much for your help, you helped me more than Linode Customer Service does,
I will open a thread on this matter, but this is another story.

I'm quite worried about reopening 4190 telnet for lmtp and sieve.
I will try tomorrow while monitoring the maillog day and night.


Linode Customer Service is First Class and has always helped me fast and efficiently.


PostPosted: Fri Oct 04, 2013 9:48 am 
Offline
Senior Member

Joined: Wed May 13, 2009 1:32 pm
Posts: 737
Location: Italy
jebblue wrote:
Linode Customer Service is First Class and has always helped me fast and efficiently.


This is not the thread for this.


PostPosted: Fri Oct 04, 2013 1:14 pm 
Offline
Senior Member

Joined: Tue Apr 13, 2004 6:54 pm
Posts: 833
sblantipodi wrote:
sweh wrote:
sblantipodi wrote:
Thank you very much for your help, you helped me more than Linode Customer Service does,

Unless you're paying for managed services, then any help you get from Linode customer support on issues like this (ie your mistake on your OS instance) is more than you should expect. I no more expect Linode to configure my mail server than I'd expect Verizon to set up my answer machine (without paying extra).

If you are paying for managed services then it'll depend on what the actual agreement is.


This is not the thread to talk about this

Wow, you run this forum now? Neat!

Hint: you bitch about something and people _will_ respond where you bitch.

_________________
Rgds

Stephen

(Linux user since kernel version 0.11)


PostPosted: Fri Oct 04, 2013 1:14 pm 
Offline
Senior Member

Joined: Tue Apr 13, 2004 6:54 pm
Posts: 833
sblantipodi wrote:
jebblue wrote:
Linode Customer Service is First Class and has always helped me fast and efficiently.


This is not the thread for this.

It is, now!

_________________
Rgds

Stephen

(Linux user since kernel version 0.11)

