OVH Community, your new community space.

Spam problem with Postfix: my domain name (NDD) is being used


kevin78
14/09/2016, 10:18
Quote Originally Posted by buddy
Hello,

A site that is not up to date may have been the target of an attack, and from there the whole server got infected...

- - - Update - - -

Are you keeping the server up to date?
Which distribution?
Same for your sites: which CMS?
Are they up to date?
Yes, all the sites are up to date.
I use WordPress and PrestaShop.
I managed to block all the attempts with

utilisateur-inextisant@mon-hostname.com
For 2-3 days it was fine, I had no more spam.
Since yesterday I have been getting spam with utilisateur-inextisant@mon-hostname.fr


Example from the log

Sep 14 10:02:15 auth-worker(10943): Info: sql(della_hall@mon.hostname.fr.fr): unknown user
Sep 14 10:02:17 auth-worker(10943): Info: sql(joshua_spence@mon.hostname.fr.fr): unknown user
Sep 14 10:02:18 auth-worker(10943): Info: sql(geraldine_fleming@mon.hostname.fr.fr): unknown user
Sep 14 10:02:20 auth-worker(10943): Info: sql(genevieve_garcia@mon.hostname.fr.fr): unknown user
Sep 14 10:02:20 auth-worker(10943): Info: sql(molly_munoz@mon.hostname.fr.fr): unknown user
Sep 14 10:02:20 auth-worker(11073): Info: sql(jeanne_rhodes@mon.hostname.fr.fr): unknown user
Sep 14 10:02:20 auth-worker(10943): Info: sql(samuel_barlow@mon.hostname.fr.fr): unknown user
Sep 14 10:02:22 auth-worker(10943): Info: sql(julie_perez@mon.hostname.fr.fr): unknown user
Sep 14 10:03:28 auth-worker(10943): Info: sql(dana_brewer@mon.hostname.fr.fr): unknown user
Sep 14 10:03:29 auth-worker(10943): Info: sql(dana_brewer@mon.hostname.fr.fr): unknown user
Sep 14 10:03:30 auth-worker(10943): Info: sql(dana_brewer@mon.hostname.fr.fr): unknown user
Sep 14 10:03:31 auth-worker(10943): Info: sql(luz_newman@mon.hostname.fr.fr): unknown user
Sep 14 10:03:33 auth-worker(10943): Info: sql(luz_newman@mon.hostname.fr.fr): unknown user
Sep 14 10:05:01 auth-worker(11736): Info: sql(marian_mccormick@mon.hostname.fr.fr): unknown user
Sep 14 10:05:01 auth-worker(11736): Info: sql(marian_mccormick@mon.hostname.fr.fr): unknown user
Sep 14 10:05:03 auth-worker(11736): Info: sql(emma_welch@mon.hostname.fr.fr): unknown user
Sep 14 10:05:03 auth-worker(11736): Info: sql(emma_welch@mon.hostname.fr.fr): unknown user
Sep 14 10:06:51 auth-worker(11736): Info: sql(jennie_wheeler@mon.hostname.fr.fr): unknown user
Sep 14 10:06:51 auth-worker(11736): Info: sql(samantha_porter@mon.hostname.fr.fr): unknown user
Sep 14 10:06:51 auth-worker(11736): Info: sql(jennie_wheeler@mon.hostname.fr.fr): unknown user
Sep 14 10:10:15 auth-worker(12510): Info: sql(lynda_little@mon.hostname.fr.fr): unknown user
Sep 14 10:10:17 auth-worker(12510): Info: sql(deanna_salazar@mon.hostname.fr.fr): unknown user
Sep 14 10:10:18 auth-worker(12510): Info: sql(deanna_salazar@mon.hostname.fr.fr): unknown user
Sep 14 10:12:54 auth-worker(12871): Info: sql(candace_neal@mon.hostname.fr.fr): unknown user
Sep 14 10:12:54 auth-worker(12871): Info: sql(suzanne_rodriguez@mon.hostname.fr.fr): unknown user
Sep 14 10:12:54 auth-worker(12871): Info: sql(suzanne_rodriguez@mon.hostname.fr.fr): unknown user
Sep 14 10:13:10 auth-worker(12871): Info: sql(suzanne_rodriguez@mon.hostname.fr.fr): unknown user
Sep 14 10:13:19 auth-worker(12871): Info: sql(marsha_harris@mon.hostname.fr.fr): unknown user
Sep 14 10:13:21 auth-worker(12871): Info: sql(marsha_harris@mon.hostname.fr.fr): unknown user
Sep 14 10:13:21 auth-worker(12871): Info: sql(marsha_harris@mon.hostname.fr.fr): unknown user
Sep 14 10:13:22 auth-worker(12871): Info: sql(marsha_harris@mon.hostname.fr.fr): unknown user
Sep 14 10:13:26 auth-worker(12871): Info: sql(lorraine_bryant@mon.hostname.fr.fr): unknown user
Sep 14 10:13:29 auth-worker(12871): Info: sql(lorraine_bryant@mon.hostname.fr.fr): unknown user
Sep 14 10:13:29 auth-worker(12871): Info: sql(lorraine_bryant@mon.hostname.fr.fr): unknown user
Sep 14 10:13:31 auth-worker(12871): Info: sql(gloria_mckinney@mon.hostname.fr.fr): unknown user
Sep 14 10:14:32 auth-worker(13283): Info: sql(daniel_pickett@mon.hostname.fr.fr): unknown user
Sep 14 10:14:32 auth-worker(13283): Info: sql(daniel_pickett@mon.hostname.fr.fr): unknown user
Sep 14 10:14:33 auth-worker(13283): Info: sql(daniel_pickett@mon.hostname.fr.fr): unknown user

To stop the spam from "utilisateur-inextisant@mon-hostname.com", I had added these lines to my postfix config (main.cf):


invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_sender_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554


smtpd_recipient_restrictions =
     #check_sender_access hash:/etc/postfix/rejected-recipient
     reject_invalid_hostname,
     reject_unknown_recipient_domain,
     reject_unauth_pipelining,
     permit_mynetworks,
     permit_sasl_authenticated,
     reject_non_fqdn_recipient,
     reject_unauth_destination,
     reject_unknown_recipient_domain,
     reject_rbl_client zen.spamhaus.org,
     #reject_rbl_client multi.uribl.com,
     reject_rbl_client dsn.rfc-ignorant.org,
     reject_rbl_client dul.dnsbl.sorbs.net,
     reject_rbl_client list.dsbl.org,
     reject_rbl_client sbl-xbl.spamhaus.org,
     reject_rbl_client bl.spamcop.net,
     reject_rbl_client dnsbl.sorbs.net,
     reject_rbl_client cbl.abuseat.org,
     reject_rbl_client ix.dnsbl.manitu.net,
     reject_rbl_client combined.rbl.msrbl.net,
     reject_rbl_client rabl.nuclearelephant.com,
     permit

That worked for the *.com addresses.

buddy
11/09/2016, 10:21
Hello,

A site that is not up to date may have been the target of an attack, and from there the whole server got infected...

- - - Update - - -

Are you keeping the server up to date?
Which distribution?
Same for your sites: which CMS?
Are they up to date?

kevin78
10/09/2016, 19:20
Hi everyone,

I have been stuck on a spam problem on my dedicated server for 48 hours now.
I have postfix installed and configured.
It works very well (well, it used to).

For several days I have had lots of e-mail addresses XXXXXX@monsite.com that don't exist but are sending mail to other addresses at aol, gmail, etc.!

I tried blocking the whole domain by creating a blacklist, etc.
http://serverfault.com/questions/517...ain-in-postfix

That does block sending when I manually try to send from an existing address prenom@monsite.com
But XXXXXXX@monsite.com can still send mail in bulk (more than 20 mails every 5 minutes...)

In my dovecot log, I do see this:
Code:
Sep 10 18:51:04 auth-worker(27351): Info: sql(paula_thomas@monsite.com): unknown user
every 4-5 minutes


Excerpt from the mail log:

Sep 10 18:54:23 sd-83906 postfix/qmgr[26436]: 1754037021E2: from=, size=1251, nrcpt=1 (queue active)
Sep 10 18:54:23 sd-83906 postfix/lmtp[27584]: 028053701ECE: to=, relay=mon.hostname.fr[private/dovecot-lmtp], delay=0.15, delays=0.09/0/0/0.07, dsn=5.1.1, status=bounced (host mon.hostname.fr[private/dovecot-lmtp] said: 550 5.1.1 User doesn't exist: audrey_lane@monsite.com (in reply to RCPT TO command))
Sep 10 18:54:23 sd-83906 postfix/pickup[27034]: 27DC83701E50: uid=5010 from=
Sep 10 18:54:23 sd-83906 postfix/cleanup[27220]: 27DC83701E50: message-id=
Sep 10 18:54:23 sd-83906 postfix/qmgr[26436]: 27DC83701E50: from=, size=1220, nrcpt=1 (queue active)
Sep 10 18:54:23 sd-83906 postfix/pickup[27034]: 3BC733701DBD: uid=5010 from=
Sep 10 18:54:23 sd-83906 postfix/cleanup[27259]: 3BC733701DBD: message-id=<67ee6823a83f3bb73e5f5717c2905be5@monsite.fr>
Sep 10 18:54:23 sd-83906 postfix/qmgr[26436]: 3BC733701DBD: from=, size=1238, nrcpt=1 (queue active)
Sep 10 18:54:23 sd-83906 postfix/pickup[27034]: 577763701DC6: uid=5010 from=
Sep 10 18:54:23 sd-83906 postfix/cleanup[27220]: 577763701DC6: message-id=
Sep 10 18:54:23 sd-83906 postfix/qmgr[26436]: 577763701DC6: from=, size=1239, nrcpt=1 (queue active)
Sep 10 18:54:23 sd-83906 postfix/pickup[27034]: 6A1B7370229E: uid=5010 from=
Sep 10 18:54:23 sd-83906 postfix/cleanup[27259]: 6A1B7370229E: message-id=
Sep 10 18:54:23 sd-83906 postfix/qmgr[26436]: 6A1B7370229E: from=, size=1219, nrcpt=1 (queue active)
Sep 10 18:54:23 sd-83906 postfix/pickup[27034]: 746EA3701D7C: uid=5010 from=
Sep 10 18:54:23 sd-83906 postfix/cleanup[27220]: 746EA3701D7C: message-id=
Sep 10 18:54:23 sd-83906 postfix/qmgr[26436]: 746EA3701D7C: from=, size=1237, nrcpt=1 (queue active)
Sep 10 18:54:23 sd-83906 postfix/smtp[27253]: 847553701DD2: to=, relay=mx3.hotmail.com[65.55.33.135]:25, delay=2.7, delays=0.68/0/1.4/0.53, dsn=2.0.0, status=sent (250 Queued mail for delivery)
Sep 10 18:54:23 sd-83906 postfix/lmtp[27291]: 99B0C3701DD2: to=, relay=mon.hostname.fr[private/dovecot-lmtp], delay=0.15, delays=0.06/0/0/0.09, dsn=5.1.1, status=bounced (host mon.hostname.fr[private/dovecot-lmtp] said: 550 5.1.1 User doesn't exist: grace_mcdonald@monsite.com (in reply to RCPT TO command))
Sep 10 18:54:23 sd-83906 postfix/lmtp[27584]: A85D537022BB: to=, relay=mon.hostname.fr[private/dovecot-lmtp], delay=0.14, delays=0.09/0/0/0.04, dsn=5.1.1, status=bounced (host mon.hostname.fr[private/dovecot-lmtp] said: 550 5.1.1 User doesn't exist: grace_mcdonald@monsite.com (in reply to RCPT TO command))
Sep 10 18:54:23 sd-83906 postfix/lmtp[27291]: D86373701D29: to=, relay=mon.hostname.fr[private/dovecot-lmtp], delay=0.06, delays=0.03/0/0/0.03, dsn=5.1.1, status=bounced (host mon.hostname.fr[private/dovecot-lmtp] said: 550 5.1.1 User doesn't exist: grace_mcdonald@monsite.com (in reply to RCPT TO command))
Sep 10 18:54:24 sd-83906 postfix/lmtp[27584]: 255483701DD2: to=, relay=mon.hostname.fr[private/dovecot-lmtp], delay=0.07, delays=0.03/0/0/0.03, dsn=5.1.1, status=bounced (host mon.hostname.fr[private/dovecot-lmtp] said: 550 5.1.1 User doesn't exist: audrey_lane@monsite.com (in reply to RCPT TO command))
Sep 10 18:54:24 sd-83906 postfix/smtp[27246]: 72DF63702308: to=, relay=mx1.hotmail.com[65.55.92.136]:25, delay=2.3, delays=0.54/0/1.4/0.41, dsn=2.0.0, status=sent (250 Queued mail for delivery)
Sep 10 18:54:24 sd-83906 postfix/smtp[27280]: B31E43701E88: to=, relay=mx4.hotmail.com[65.55.92.168]:25, delay=2.3, delays=0.79/0/1.1/0.41, dsn=2.0.0, status=sent (250 Queued mail for delivery)
Sep 10 18:54:24 sd-83906 postfix/smtp[27711]: 949E0370231B: to=, relay=mx1.hotmail.com[65.54.188.94]:25, delay=2.4, delays=0.47/0/1.4/0.52, dsn=2.0.0, status=sent (250 <66f45a301693aaffd963970cf505ad0b@monsite.fr> Queued mail for delivery)
Sep 10 18:54:25 sd-83906 postfix/smtp[27253]: 746EA3701D7C: to=, relay=mx3.hotmail.com[207.46.8.199]:25, delay=3, delays=1.1/0.01/1.3/0.51, dsn=2.0.0, status=sent (250 Queued mail for delivery)
Sep 10 18:54:25 sd-83906 postfix/smtp[27300]: 577763701DC6: to=, relay=mx1.hotmail.com[65.55.33.135]:25, delay=3, delays=0.93/0/1.4/0.62, dsn=2.0.0, status=sent (250 Queued mail for delivery)

The content of these mails is definitely spam (links, poker, porn, etc.)

Here is the content of my config file /etc/postfix/main.cf



Code:
#######################
## GENERALS SETTINGS ##
#######################

smtpd_banner         = $myhostname ESMTP $mail_name (Debian/GNU)
biff                 = no
append_dot_mydomain  = no
readme_directory     = no
delay_warning_time   = 4h
mailbox_command      = procmail -a "$EXTENSION"
recipient_delimiter  = +
disable_vrfy_command = yes
message_size_limit   = 502400000
mailbox_size_limit   = 1024000000

inet_interfaces = all
inet_protocols = ipv4

myhostname    = mon.domaine.fr
myorigin      = mon.domaine.fr
mydestination = localhost localhost.$mydomain
mynetworks    = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
relayhost     =

alias_maps     = hash:/etc/aliases
alias_database = hash:/etc/aliases

####################
## TLS PARAMETERS ##
####################
# Smtp ( OUTGOING / Client )
smtp_tls_loglevel            = 1
smtp_tls_security_level      = may
#smtp_tls_CAfile              = /etc/ssl/certs/ca.cert.pem
smtp_tls_protocols           = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers   = high
smtp_tls_exclude_ciphers     = aNULL, eNULL, EXPORT, DES, 3DES, RC2, RC4, MD5, PSK, SRP, DSS, AECDH, ADH
smtp_tls_note_starttls_offer = yes

# ---------------------------------------------------------------------------------------------------

# Smtpd ( INCOMING / Server )
smtpd_tls_loglevel            = 1
#smtpd_tls_auth_only           = yes
smtpd_tls_security_level      = may
smtpd_tls_received_header     = yes
smtpd_tls_protocols           = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers   = medium

# Info (see: postconf -d)
# Medium cipherlist = aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH
# High cipherlist   = aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH

# smtpd_tls_exclude_ciphers   = DO NOT modify this directive, for compatibility reasons
#                               with other mail servers, to avoid an error such as
#                               "no shared cipher" or "no cipher overlap" followed by a
#                               fallback to plain text...
# smtpd_tls_cipherlist        = Do not modify this one either!

#smtpd_tls_CAfile              = $smtp_tls_CAfile
#smtpd_tls_cert_file           = /etc/ssl/certs/mailserver.crt
#smtpd_tls_key_file            = /etc/ssl/private/mailserver.key
smtp_tls_CAfile                 = /etc/letsencrypt/live/mon.hostname.fr/chain.pem
smtpd_tls_cert_file             = /etc/letsencrypt/live/mon.hostname.fr/cert.pem
smtpd_tls_key_file              = /etc/letsencrypt/live/mon.hostname.fr/privkey.pem
smtpd_tls_dh1024_param_file   = $config_directory/dh2048.pem
smtpd_tls_dh512_param_file    = $config_directory/dh512.pem

tls_preempt_cipherlist = yes
tls_random_source      = dev:/dev/urandom

smtp_tls_session_cache_database  = btree:${data_directory}/smtp_scache
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
lmtp_tls_session_cache_database  = btree:${data_directory}/lmtp_scache

# ----------------------------------------------------------------------

#####################
## SASL PARAMETERS ##
#####################

smtpd_sasl_auth_enable          = yes
#smtp_sasl_auth_enable          = yes
smtpd_sasl_type                 = dovecot
smtpd_sasl_path                 = private/auth
smtpd_sasl_security_options     = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_local_domain         = $mydomain
smtpd_sasl_authenticated_header = yes

broken_sasl_auth_clients = yes

##############################
## VIRTUALS MAPS PARAMETERS ##
##############################

virtual_uid_maps        = static:5000
virtual_gid_maps        = static:5000
virtual_minimum_uid     = 5000
virtual_mailbox_base    = /var/mail
virtual_transport       = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps    = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps      = mysql:/etc/postfix/mysql-virtual-alias-maps.cf

######################
## ERRORS REPORTING ##
######################

# notify_classes = bounce, delay, resource, software
notify_classes = resource, software

error_notice_recipient     = monmail@gmail.com
# delay_notice_recipient   = admin@domain.tld
# bounce_notice_recipient  = admin@domain.tld
# 2bounce_notice_recipient = admin@domain.tld

##################
## RESTRICTIONS ##
##################

smtpd_recipient_restrictions =
     check_sender_access hash:/etc/postfix/rejected-recipient,
     reject_invalid_hostname,
     reject_unauth_pipelining,
     # permit_mynetworks,
     permit_sasl_authenticated,
     reject_non_fqdn_recipient,
     reject_unauth_destination,
     reject_unknown_recipient_domain,
     reject_rbl_client zen.spamhaus.org

smtpd_helo_restrictions =
     permit_mynetworks,
     permit_sasl_authenticated,
     reject_invalid_helo_hostname,
     reject_non_fqdn_helo_hostname
     # reject_unknown_helo_hostname

smtpd_client_restrictions =
     permit_mynetworks,
     permit_inet_interfaces,
     permit_sasl_authenticated,
     # reject_plaintext_session,
     # reject_unauth_pipelining

smtpd_sender_restrictions =
     check_sender_access hash:/etc/postfix/rejected-recipient,
     reject_non_fqdn_sender,
     reject_unknown_sender_domain
     #reject_sender_login_mismatch

smtpd_milters = unix:/opendkim/opendkim.sock, unix:/opendmarc/opendmarc.sock, unix:/clamav/clamav-milter.ctl
mime_header_checks = regexp:/etc/postfix/header_checks
header_checks = regexp:/etc/postfix/header_checks



Does anyone have any leads?
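Added here as an example (not from the thread or from Postfix itself): a small Python triage of the two log excerpts above. The posted mail.log shows the outgoing messages entering through postfix/pickup with uid=5010, i.e. handed in locally through sendmail(1) rather than over SMTP, which is a path the smtpd_*_restrictions never see; the script attributes each sent message to its entry path and counts the Dovecot/LMTP "unknown user" hits. The sample lines are constructed from the posted excerpts with the stripped <addr> parts restored.

```python
import re
from collections import Counter
# Patterns for the Postfix and Dovecot lines seen in the thread. A real
# mail.log writes addresses as <addr>; the forum extraction stripped them.
PICKUP = re.compile(r"postfix/pickup\[\d+\]: (\w+): uid=(\d+) from=<([^>]*)>")
SMTPD = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=(\S+?)(?:,.*sasl_username=(\S+))?$")
SENT = re.compile(r"postfix/smtp\[\d+\]: (\w+): to=<[^>]*>, relay=\S+,.*status=sent")
LMTP_UNKNOWN = re.compile(r"postfix/lmtp\[\d+\]: \w+: .*User doesn't exist: (\S+) ")
DOVECOT_UNKNOWN = re.compile(r"auth-worker\(\d+\): Info: sql\(([^)]+)\): unknown user")

def triage(lines):
    # pickup = handed in locally via sendmail(1) by that uid (web app, cron);
    # smtpd = received over SMTP, keyed by SASL user or else by client host.
    origin = {}  # queue id -> origin label, filled from pickup/smtpd lines
    report = {"local_submissions_by_uid": Counter(), "smtp_submissions_by": Counter(),
              "sent_by_origin": Counter(), "unknown_local_users": Counter(),
              "unattributed_sent": 0}
    for line in lines:
        if m := PICKUP.search(line):
            qid, uid, _sender = m.groups()
            origin[qid] = "pickup uid=" + uid
            report["local_submissions_by_uid"][uid] += 1
        elif m := SMTPD.search(line):
            qid, client, sasl = m.groups()
            origin[qid] = "smtpd " + (sasl or client)
            report["smtp_submissions_by"][sasl or client] += 1
        elif m := SENT.search(line):
            label = origin.get(m.group(1))  # None if the queue id was never seen
            if label:
                report["sent_by_origin"][label] += 1
            else:
                report["unattributed_sent"] += 1
        elif m := LMTP_UNKNOWN.search(line) or DOVECOT_UNKNOWN.search(line):
            report["unknown_local_users"][m.group(1)] += 1  # backscatter / dictionary hits
    return report

# Constructed sample modelled on the posted excerpts (<addr> restored; 203.0.113.5 is a documentation address).
SAMPLE_LOG = """\
Sep 10 18:54:23 sd-83906 postfix/pickup[27034]: 27DC83701E50: uid=5010 from=<audrey_lane@monsite.com>
Sep 10 18:54:23 sd-83906 postfix/pickup[27034]: 3BC733701DBD: uid=5010 from=<grace_mcdonald@monsite.com>
Sep 10 18:54:23 sd-83906 postfix/smtpd[27100]: 9F0113701ABC: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=prenom@monsite.com
Sep 10 18:54:24 sd-83906 postfix/smtp[27253]: 27DC83701E50: to=<someone@hotmail.com>, relay=mx3.hotmail.com[65.55.33.135]:25, delay=2.7, dsn=2.0.0, status=sent (250 Queued mail for delivery)
Sep 10 18:54:24 sd-83906 postfix/smtp[27300]: 3BC733701DBD: to=<other@hotmail.com>, relay=mx1.hotmail.com[65.55.92.136]:25, delay=2.3, dsn=2.0.0, status=sent (250 Queued mail for delivery)
Sep 10 18:54:24 sd-83906 postfix/smtp[27311]: 9F0113701ABC: to=<friend@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=1.1, dsn=2.0.0, status=sent (250 OK)
Sep 10 18:54:24 sd-83906 postfix/lmtp[27584]: 255483701DD2: to=<audrey_lane@monsite.com>, relay=mon.hostname.fr[private/dovecot-lmtp], dsn=5.1.1, status=bounced (host mon.hostname.fr[private/dovecot-lmtp] said: 550 5.1.1 User doesn't exist: audrey_lane@monsite.com (in reply to RCPT TO command))
Sep 14 10:02:15 auth-worker(10943): Info: sql(della_hall@mon.hostname.fr.fr): unknown user
"""
if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG.splitlines()).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Run against the real /var/log/mail.log, a high "pickup uid=..." share in sent_by_origin points at a local account (look the uid up with getent passwd) whose site or script is submitting the mail, which is where to look rather than at the SMTP restriction lists.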