Page 1 of 2
Sending emails from non registered hosts
Posted: Wed Oct 09, 2019 10:22 am
by rodrigoferra
Hello,
First of all, thanks for the help.
Currently, I installed a relay system to get better management of my sent emails. One thing I noticed is that my Zimbra is sending from hosts that are not registered; is there any solution to avoid it?
For example, host test.com is sending email but is not registered as a domain on my panel.
Best regards,
Rodrigo.
Re: Sending emails from non registered hosts
Posted: Wed Oct 09, 2019 10:36 am
by phoenix
I don't really understand what you're describing, it sounds like you're allowing another server to relay through your server - is that correct? If it is then it sounds like you have an open relay, you can check that via one of the (many) sites on the internet that provide this service - I'd suggest you do that first.
Re: Sending emails from non registered hosts
Posted: Wed Oct 09, 2019 12:06 pm
by rodrigoferra
phoenix wrote:I don't really understand what you're describing, it sounds like you're allowing another server to relay through your server - is that correct? If it is then it sounds like you have an open relay, you can check that via one of the (many) sites on the internet that provide this service - I'd suggest you do that first.
Sorry for the lack of information.
I checked for an open relay and it's disabled. Currently I hired the mailjet.net service to relay my emails; it's working nicely, but I notice a lot of emails being sent from domains that I don't have registered in my Zimbra. I attached some pictures.
I would like to know who is sending these emails; I tried to stack trace the message but had no success.
Best regards,
Rodrigo.
Re: Sending emails from non registered hosts
Posted: Wed Oct 09, 2019 12:13 pm
by phoenix
Let's go back a step, you should always give the version of ZCS that's in use by posting the full output of the following command:
Re: Sending emails from non registered hosts
Posted: Wed Oct 09, 2019 12:45 pm
by rodrigoferra
phoenix wrote:Let's go back a step, you should always give the version of ZCS that's in use by posting the full output of the following command:
Ok, my version is:
Code:
Release 8.8.12.GA.3794.UBUNTU14.64 UBUNTU14_64 FOSS edition, Patch 8.8.12_P1 proxy.
I had that problem with the exploits one or two months ago.
Re: Sending emails from non registered hosts
Posted: Wed Oct 09, 2019 2:16 pm
by phoenix
Have you had a look in the Zimbra log to see if any of these addresses appear there? Is it possible you have any compromised accounts? Does your ZimbraMtaMyNetworks contain the correct settings for your installation and nothing extraneous in there?
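The three questions in the post above (what the log shows, whether an account is compromised, whether zimbraMtaMyNetworks is clean) can be answered together from /var/log/zimbra.log, because Postfix logs every message under one queue id across several daemons: smtpd records the client and the SASL user, pickup records the local uid when the sendmail binary was used, cleanup records the message-id and qmgr records the envelope sender. The script below is an added example written for this thread, not Zimbra or Postfix code. HOSTED_DOMAINS and MYNETWORKS stand in for the output of `zmprov gad` and `zmprov gcf zimbraMtaMyNetworks`, and SAMPLE_LOG is constructed for the demonstration (the queue ids mirror the ones posted in the thread, everything else is invented). It lists every message whose envelope sender domain is not hosted on the box and says how that message obtained relay rights: a SASL login (look at that account), a trusted network (look at that host), a local uid (look for a script or webshell on the server), or none of these (the server is relaying unauthenticated traffic).

```python
"""Attribute outbound mail with non-hosted sender domains to whatever injected it.

Added example for this thread, not Zimbra or Postfix code. It reads the standard
Postfix syslog lines that ZCS writes to /var/log/zimbra.log. HOSTED_DOMAINS and
MYNETWORKS are placeholders for the real values (`zmprov gad` and
`zmprov gcf zimbraMtaMyNetworks`); SAMPLE_LOG is constructed for the demo.
"""
import ipaddress
import re
from collections import defaultdict

HOSTED_DOMAINS = {"example.com"}                    # assumption: domains in the admin panel
MYNETWORKS = "127.0.0.0/8 [::1]/128 10.142.0.0/20"  # assumption: zimbraMtaMyNetworks value

# One message is logged under one queue id by several daemons; merge their fields.
QUEUE_RE = re.compile(r"postfix/[\w/-]+\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")
FIELD_RES = {
    "client": re.compile(r"client=(?P<v>\S+?)(?:,|$)"),        # smtpd: host[ip]
    "sasl_username": re.compile(r"sasl_username=(?P<v>[^,\s]+)"),
    "uid": re.compile(r"\buid=(?P<v>\d+)"),                    # pickup: local sendmail user
    "message_id": re.compile(r"message-id=<(?P<v>[^>]*)>"),    # cleanup
    "from": re.compile(r"\bfrom=<(?P<v>[^>]*)>"),              # qmgr: envelope sender
    "nrcpt": re.compile(r"nrcpt=(?P<v>\d+)"),
}
CLIENT_IP_RE = re.compile(r"\[(?:IPv6:)?(?P<ip>[^\]]+)\]$")  # Postfix writes host[IPv6:addr]


def parse_networks(spec):
    """Postfix writes IPv6 entries as [addr]/len; ipaddress wants addr/len."""
    return [ipaddress.ip_network(t.replace("[", "").replace("]", ""), strict=False)
            for t in spec.split()]


def collect(lines):
    """Group the per-queue-id fields spread over smtpd/pickup/cleanup/qmgr lines."""
    msgs = defaultdict(dict)
    for line in lines:
        m = QUEUE_RE.search(line)
        if not m:
            continue
        rec = msgs[m.group("qid")]
        for name, rx in FIELD_RES.items():
            f = rx.search(m.group("rest"))
            if f:
                rec[name] = f.group("v")
    return msgs


def classify(rec, networks):
    """Explain how the message obtained permission to relay."""
    if rec.get("sasl_username"):
        return "authenticated as " + rec["sasl_username"]
    if rec.get("uid"):
        return "injected locally by uid " + rec["uid"]
    ip_m = CLIENT_IP_RE.search(rec.get("client", ""))
    if ip_m:
        ip = ipaddress.ip_address(ip_m.group("ip"))
        if any(ip in n for n in networks):
            return f"trusted by mynetworks ({ip})"
        return f"no auth, outside mynetworks ({ip})"
    return "origin unknown"


def foreign_senders(lines, hosted=HOSTED_DOMAINS, mynetworks=MYNETWORKS):
    """Queue ids whose envelope sender domain is not hosted here, with attribution."""
    networks = parse_networks(mynetworks)
    out = []
    for qid, rec in collect(lines).items():
        sender = rec.get("from")
        if not sender:  # bounces (from=<>) and records with no qmgr line yet
            continue
        if sender.rsplit("@", 1)[-1].lower() in hosted:
            continue
        out.append({"qid": qid, "from": sender, "nrcpt": int(rec.get("nrcpt", 0)),
                    "message_id": rec.get("message_id", ""),
                    "via": classify(rec, networks)})
    return sorted(out, key=lambda r: r["qid"])


# Constructed sample; not real traffic from the server in the thread.
SAMPLE_LOG = """\
Oct  8 15:30:10 mecmail postfix/smtpd[27510]: A45A269D07: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=joao@example.com
Oct  8 15:30:14 mecmail postfix/cleanup[27520]: A45A269D07: message-id=<40a4de9f-29-info@example.net>
Oct  8 15:30:14 mecmail postfix/qmgr[27530]: A45A269D07: from=<info@example.net>, size=4210, nrcpt=50 (queue active)
Oct  8 15:30:17 mecmail postfix/smtpd[27511]: 65B7769D56: client=app01.example.com[10.142.0.12]
Oct  8 15:30:17 mecmail postfix/qmgr[27530]: 65B7769D56: from=<alerts@example.net>, size=900, nrcpt=1 (queue active)
Oct  8 15:30:18 mecmail postfix/pickup[27540]: 73FB969D07: uid=33 from=<www-data@example.net>
Oct  8 15:30:18 mecmail postfix/qmgr[27530]: 73FB969D07: from=<www-data@example.net>, size=700, nrcpt=20 (queue active)
Oct  8 15:30:19 mecmail postfix/smtpd[27512]: 5259369D56: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=maria@example.com
Oct  8 15:30:19 mecmail postfix/qmgr[27530]: 5259369D56: from=<maria@example.com>, size=1500, nrcpt=1 (queue active)
Oct  8 15:30:20 mecmail postfix/qmgr[27530]: 1F2E369D58: from=<>, size=2200, nrcpt=1 (queue active)
"""

if __name__ == "__main__":
    for r in foreign_senders(SAMPLE_LOG.splitlines()):
        print(f"{r['qid']}  from={r['from']:<24} rcpts={r['nrcpt']:<3} {r['via']}")
```

On a real server run it as `grep postfix /var/log/zimbra.log | python3 foreign_senders.py` after swapping the sample for `sys.stdin`. A message shown as "authenticated as" with a sender domain you do not host and a large recipient count is the classic signature of a phished mailbox; one shown as "injected locally by uid" points at a process on the server itself, which is the case where a look at running processes and cron entries is warranted.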
Re: Sending emails from non registered hosts
Posted: Wed Oct 09, 2019 3:04 pm
by rodrigoferra
phoenix wrote:Have you had a look in the Zimbra log to see if any of these addresses appear there? Is it possible you have any compromised accounts? Does your ZimbraMtaMyNetworks contain the correct settings for your installation and nothing extraneous in there?
Hello,
In my zimbra.log I don't have anything about it, but at my mail.log I have:
Code:
Oct 8 15:30:14 mecmail postfix/cleanup[27520]: A45A269D07: message-id=<40a4de9faedfe8aa3a043a89d367f8d1-29-info@sysfinance.es>
Oct 8 15:30:17 mecmail postfix/cleanup[27520]: 65B7769D56: message-id=<40a4de9faedfe8aa3a043a89d367f8d1-29-info@sysfinance.es>
Oct 8 15:30:18 mecmail postfix/cleanup[27520]: 73FB969D07: message-id=<b982e5d7eddd34ee713be354f3bde8db-29-info@sysfinance.es>
Oct 8 15:30:19 mecmail postfix/cleanup[27520]: 5259369D56: message-id=<b982e5d7eddd34ee713be354f3bde8db-29-info@sysfinance.es>
Could it be that my postfix is compromised but my Zimbra configuration is ok? Is that possible?
Thanks.
Re: Sending emails from non registered hosts
Posted: Wed Oct 09, 2019 4:09 pm
by phoenix
rodrigoferra wrote:In my zimbra.log I don't have anything about it, but at my mail.log I have:
Code:
Oct 8 15:30:14 mecmail postfix/cleanup[27520]: A45A269D07: message-id=<40a4de9faedfe8aa3a043a89d367f8d1-29-info@sysfinance.es>
Oct 8 15:30:17 mecmail postfix/cleanup[27520]: 65B7769D56: message-id=<40a4de9faedfe8aa3a043a89d367f8d1-29-info@sysfinance.es>
Oct 8 15:30:18 mecmail postfix/cleanup[27520]: 73FB969D07: message-id=<b982e5d7eddd34ee713be354f3bde8db-29-info@sysfinance.es>
Oct 8 15:30:19 mecmail postfix/cleanup[27520]: 5259369D56: message-id=<b982e5d7eddd34ee713be354f3bde8db-29-info@sysfinance.es>
Could it be that my postfix is compromised but my Zimbra configuration is ok? Is that possible?
Thanks.
The log file "mail.log" that you've mentioned does not exist in a ZCS install, do you mean /var/log/zimbra.log? That would have all the details of mail going through your server.
If you look for postfix that's running you should see something like this:
Code:
ps aux | grep postfix
postfix 4737 0.0 0.0 49892 4856 ? S 15:43 0:00 pickup -l -t unix -u
postfix 4738 0.0 0.0 50072 5048 ? S 15:43 0:00 qmgr -l -t unix -u
postfix 6382 0.0 0.0 49900 5200 ? S 15:43 0:00 tlsmgr -l -t unix -u
postfix 6433 0.0 0.0 49896 5080 ? S 15:43 0:00 showq -t unix -u
root 20651 0.0 0.0 112728 2380 pts/0 S+ 16:04 0:00 grep --color=auto postfix
Is that how your server looks? Are there any unknown (to you) processes running your server?
Re: Sending emails from non registered hosts
Posted: Wed Oct 09, 2019 4:24 pm
by rodrigoferra
Oops, so I think I have a huge problem:
Code:
root@mecmail:/var/log# ps aux | grep postfix
postfix 9115 0.0 0.0 142636 8432 ? S 15:27 0:00 smtpd -t pass -u -o stress= -o smtpd_tls_security_level=may -o content_filter=scan:[127.0.0.1]:10030
postfix 11422 0.0 0.0 142516 8468 ? S 15:34 0:00 smtpd -t pass -u -o stress= -o smtpd_tls_security_level=may -o content_filter=scan:[127.0.0.1]:10030
postfix 12760 0.0 0.0 142512 8244 ? S 15:38 0:00 smtpd -n 465 -t inet -u -o stress= -o content_filter=scan:[127.0.0.1]:10030 -o smtpd_sasl_auth_enable=yes -o smtpd_tls_wrappermode=yes -o smtpd_client_restrictions= -o smtpd_data_restrictions= -o smtpd_helo_restrictions= -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o syslog_name=postfix/smtps -o milter_macro_daemon_name=ORIGINATING
postfix 12761 0.0 0.0 142512 8316 ? S 15:38 0:00 smtpd -n 465 -t inet -u -o stress= -o content_filter=scan:[127.0.0.1]:10030 -o smtpd_sasl_auth_enable=yes -o smtpd_tls_wrappermode=yes -o smtpd_client_restrictions= -o smtpd_data_restrictions= -o smtpd_helo_restrictions= -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o syslog_name=postfix/smtps -o milter_macro_daemon_name=ORIGINATING
postfix 12762 0.0 0.0 142512 8228 ? S 15:38 0:00 smtpd -n 465 -t inet -u -o stress= -o content_filter=scan:[127.0.0.1]:10030 -o smtpd_sasl_auth_enable=yes -o smtpd_tls_wrappermode=yes -o smtpd_client_restrictions= -o smtpd_data_restrictions= -o smtpd_helo_restrictions= -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o syslog_name=postfix/smtps -o milter_macro_daemon_name=ORIGINATING
postfix 14248 0.0 0.0 142512 8240 ? S 15:43 0:00 smtpd -n 465 -t inet -u -o stress= -o content_filter=scan:[127.0.0.1]:10030 -o smtpd_sasl_auth_enable=yes -o smtpd_tls_wrappermode=yes -o smtpd_client_restrictions= -o smtpd_data_restrictions= -o smtpd_helo_restrictions= -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o syslog_name=postfix/smtps -o milter_macro_daemon_name=ORIGINATING
postfix 17071 0.0 0.0 142512 8348 ? S 15:51 0:00 smtpd -n 465 -t inet -u -o stress= -o content_filter=scan:[127.0.0.1]:10030 -o smtpd_sasl_auth_enable=yes -o smtpd_tls_wrappermode=yes -o smtpd_client_restrictions= -o smtpd_data_restrictions= -o smtpd_helo_restrictions= -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o syslog_name=postfix/smtps -o milter_macro_daemon_name=ORIGINATING
postfix 17072 0.0 0.0 142512 8332 ? S 15:51 0:00 smtpd -n 465 -t inet -u -o stress= -o content_filter=scan:[127.0.0.1]:10030 -o smtpd_sasl_auth_enable=yes -o smtpd_tls_wrappermode=yes -o smtpd_client_restrictions= -o smtpd_data_restrictions= -o smtpd_helo_restrictions= -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o syslog_name=postfix/smtps -o milter_macro_daemon_name=ORIGINATING
postfix 17079 0.0 0.0 142512 8336 ? S 15:51 0:00 smtpd -n 465 -t inet -u -o stress= -o content_filter=scan:[127.0.0.1]:10030 -o smtpd_sasl_auth_enable=yes -o smtpd_tls_wrappermode=yes -o smtpd_client_restrictions= -o smtpd_data_restrictions= -o smtpd_helo_restrictions= -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o syslog_name=postfix/smtps -o milter_macro_daemon_name=ORIGINATING
postfix 17081 0.0 0.0 142512 8260 ? S 15:51 0:00 smtpd -n 465 -t inet -u -o stress= -o content_filter=scan:[127.0.0.1]:10030 -o smtpd_sasl_auth_enable=yes -o smtpd_tls_wrappermode=yes -o smtpd_client_restrictions= -o smtpd_data_restrictions= -o smtpd_helo_restrictions= -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o syslog_name=postfix/smtps -o milter_macro_daemon_name=ORIGINATING
postfix 20919 0.0 0.0 46716 4364 ? S 09:43 0:00 qmgr -l -t unix -u
postfix 20969 0.0 0.0 46664 4720 ? S 09:43 0:01 tlsmgr -l -t unix -u
postfix 20970 0.0 0.0 46656 4396 ? S 09:43 0:02 anvil -l -t unix -u
postfix 21420 0.0 0.0 90688 6240 ? S 16:03 0:00 proxymap -t unix -u
postfix 21429 0.0 0.0 46536 4320 ? S 16:03 0:00 trivial-rewrite -n rewrite -t unix -u
postfix 21819 0.0 0.0 46668 4388 ? S 16:05 0:00 showq -t unix -u
postfix 24592 0.0 0.0 47052 6628 ? S 16:13 0:00 lmtp -t unix -u
postfix 26193 0.0 0.0 46880 5964 ? S 16:18 0:00 lmtp -t unix -u
postfix 26620 0.0 0.0 142384 7940 ? S 16:19 0:00 smtpd -t pass -u -o stress= -o smtpd_tls_security_level=may -o content_filter=scan:[127.0.0.1]:10030
postfix 26621 0.5 0.0 142384 8032 ? S 16:19 0:00 smtpd -t pass -u -o stress= -o smtpd_tls_security_level=may -o content_filter=scan:[127.0.0.1]:10030
root 26641 0.0 0.0 10484 2152 pts/2 S+ 16:19 0:00 grep --color=auto postfix
postfix 26742 0.0 0.0 46536 4292 ? S 14:43 0:00 pickup -l -t unix -u
postfix 32266 0.0 0.0 66036 4536 ? Ss 11:47 0:01 postscreen -l -n smtp -t inet -u
Many connections and other stuff; my MTA is configured like this:
Code:
127.0.0.0/8 [::1]/128 [fe80::]/64 10.142.0.0/20 XX.XXX.X.XX/32
I think this MTA is making something really bad too.
Thanks again.
Re: Sending emails from non registered hosts
Posted: Wed Oct 09, 2019 4:44 pm
by phoenix
It's quite possible you don't have a problem. My apologies for that info I posted about postfix, I can't really understand where I got it - it must be my advancing years and your output is what the command should show.
Can you explain in a bit more detail what the mynetworks entry is showing, are they all your IP addresses?
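The reason phoenix keeps coming back to the mynetworks entry is that every network listed in zimbraMtaMyNetworks is matched by permit_mynetworks, so any host in it can relay through the server with no SASL login at all. The script below is an added example for this thread, not Zimbra code; it audits a mynetworks string in the format posted above and flags the entries an administrator should justify. It assumes the XX.XXX.X.XX/32 placeholder from the post stands for the server's own public address and substitutes the documentation address 203.0.113.10 for it.

```python
"""Audit a Postfix/Zimbra mynetworks value for entries that grant relay rights too widely.

Added example, not part of the thread or of Zimbra. Everything listed in
zimbraMtaMyNetworks is trusted by permit_mynetworks and may relay unauthenticated.
The sample value mirrors the one posted in the thread; 203.0.113.10 is an assumed
stand-in for the masked XX.XXX.X.XX/32 entry.
"""
import ipaddress

# Safe to trust outright: the box itself and link-local scope.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in
                ("127.0.0.0/8", "::1/128", "169.254.0.0/16", "fe80::/10")]
# RFC 1918 / ULA space: fine for a named app server, risky when a whole site is listed.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def parse_mynetworks(spec):
    """Postfix writes IPv6 entries as [addr]/len; ipaddress wants addr/len."""
    return [ipaddress.ip_network(t.replace("[", "").replace("]", ""), strict=False)
            for t in spec.split()]


def within(net, ranges):
    """True if net lies inside any of ranges (same IP version only)."""
    return any(r.version == net.version and net.subnet_of(r) for r in ranges)


def audit_mynetworks(spec, own_public_ips=()):
    """Return (entry, reason) pairs for entries that deserve a second look."""
    own = {ipaddress.ip_address(ip) for ip in own_public_ips}
    findings = []
    for net in parse_mynetworks(spec):
        if net.prefixlen == 0:
            findings.append((str(net), "matches every client: the server is an open relay"))
        elif within(net, LOCAL_RANGES):
            continue
        elif within(net, PRIVATE_RANGES):
            if net.num_addresses > 256:
                findings.append((str(net), f"{net.num_addresses} internal addresses may relay "
                                           "without authentication; list only the hosts that need to"))
        elif net.prefixlen == net.max_prefixlen and net.network_address in own:
            continue  # the server's own public address, as Zimbra's installer adds it
        else:
            findings.append((str(net), "public range trusted to relay without authentication; "
                                       "remove unless it is one of your own hosts"))
    return findings


# Constructed sample, modelled on the value posted in the thread.
SAMPLE_MYNETWORKS = "127.0.0.0/8 [::1]/128 [fe80::]/64 10.142.0.0/20 203.0.113.10/32"

if __name__ == "__main__":
    for entry, reason in audit_mynetworks(SAMPLE_MYNETWORKS, own_public_ips=("203.0.113.10",)):
        print(f"{entry:<18} {reason}")
```

Run against the value from the thread, the only finding is the 10.142.0.0/20 entry: four thousand addresses that can relay without a password, which is a reasonable thing to trust only if every host in that range is under your control. A /0 entry, or a public range that is not the server itself, is the configuration mistake that turns a Zimbra box into the open relay phoenix asked about at the start of the thread.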