SPAM relay help, SASL auth'ing

quanah
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm


Post by quanah »

My response was to edelvall, not you. ;)
--Quanah
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
edelvall
Posts: 22
Joined: Sat Sep 13, 2014 12:25 am


Post by edelvall »

[quote user="quanah"]Your comment makes no sense. IMAP is used to check mail. There is no way to send mail via IMAP.
--Quanah[/QUOTE]
Good morning,
To start, let me paste the content of my original support ticket:
[QUOTE]Problem:
We have noticed lots of connections from external IPs:

May 6 12:32:31 mail postfix/smtps/smtpd[24771]: 48A221D432CB: client=76.sub-174-241-96.myvzw.com[174.241.96.76], sasl_method=LOGIN, sasl_username=srengiff@amersol.edu.pe
May 6 12:32:38 mail postfix/smtps/smtpd[27584]: E5B791D432CB: client=76.sub-174-241-96.myvzw.com[174.241.96.76], sasl_method=LOGIN, sasl_username=srengiff@amersol.edu.pe

They are sending email using this and other accounts, causing us to be blocked on external blacklists and rendering our email system unusable.
Below is the source of one of those emails:

############################################################
Return-Path: validuseraccount@mail.domain.tdl
Received: from mail.domain.tdl (LHLO mail.domain.tdl) (w.x.y.z)
by mail.fdrnet.edu with LMTP; Mon, 6 May 2013 12:31:22 -0500 (PET)
Received: from localhost (localhost [127.0.0.1])
by mail.domain.tdl (Postfix) with ESMTP id 2A0141D432DE
for ; Mon, 6 May 2013 12:31:22 -0500 (PET)
X-Spam-Flag: NO
X-Spam-Score: -6.774
X-Spam-Level:
X-Spam-Status: No, score=-6.774 tagged_above=-10 required=4 tests=[AM.WBL=-10,
ALL_TRUSTED=-1, BAYES_50=0.8, DATE_IN_PAST_96_XX=3.405,
TVD_SPACE_RATIO=0.001, T_KHOP_NO_FULL_NAME=0.01,
T_UNKNOWN_ORIGIN=0.01] autolearn=no
Received: from mail.domain.tdl ([127.0.0.1])
by localhost (mail.domain.tdl [127.0.0.1]) (amavisd-new, port 10032)
with ESMTP id 0q2bfv-kI5An for ;
Mon, 6 May 2013 12:31:21 -0500 (PET)
Received: from localhost (localhost [127.0.0.1])
by mail.domain.tdl (Postfix) with ESMTP id CD6611D432E0
for ; Mon, 6 May 2013 12:31:21 -0500 (PET)
X-Virus-Scanned: amavisd-new at mail.domain.tdl
Received: from mail.domain.tdl ([127.0.0.1])
by localhost (mail.domain.tdl [127.0.0.1]) (amavisd-new, port 10026)
with ESMTP id 5vDpw-f050f5 for ;
Mon, 6 May 2013 12:31:21 -0500 (PET)
Received: from localhost (76.sub-174-241-96.myvzw.com [174.241.96.76])
by mail.domain.tdl (Postfix) with ESMTPSA id 8E2C61D432DE
for ; Mon, 6 May 2013 12:31:20 -0500 (PET)
Date: Tue, 9 Apr 2013 17:28:32 +0100
From: IMAP4rev1 ACL
To: Patsy La Torre
Subject: FW:
Content-Type: text/plain;
Message-Id:
http://mkdesign.sakura.ne.jp/iarkva.php
############################################################
Action:
$ zmcontrol -v
Release 8.0.3.GA.5664.UBUNTU10.64 UBUNTU10_64 NETWORK edition.
We have disabled access to imap(s) from the outside using our firewall, and that seems to have stopped them.
[/QUOTE]
Now that we are in the same context, let me focus on this line:
[QUOTE]From: IMAP4rev1 ACL [/QUOTE]
Connections were authenticated using that account; the password was changed, but they still had access to use the account to send email.
We closed IMAP access on the firewall and we noticed that it stopped. It only happened when IMAP was available.
These are facts, not judgements. Do you have an idea about why this is happening? In the comments you will find other people who are having similar issues. Help us gather proper data rather than telling me "what I'm saying makes no sense". Give us hints on how to gather information that will help you and your experts narrow down the issue to a cause and be able to provide a solution.
This is happening not just to me but to other people.
Thank you.
n4bbq
Advanced member
Posts: 50
Joined: Fri Sep 12, 2014 11:51 pm


Post by n4bbq »

iptables could be a great asset to you, my friend...
quanah
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm


Post by quanah »

1) A person can put *anything* in a "From" field. Just because it says "IMAP4rev1" is meaningless. I could put "George Washington", "moon beam", or whatever else I wanted in that part of the From: header.
2) "May 6 12:32:38 mail postfix/smtps/smtpd[27584]: E5B791D432CB: client=76.sub-174-241-96.myvzw.com[174.241.96.76], sasl_method=LOGIN, sasl_username=srengiff@amersol.edu.pe" shows they are connected to Postfix. Postfix *only* supports port 25/587/465 (The SMTP/SMTPS/SUBMISSION ports). It has ZERO support for IMAP. It also *clearly* shows that they authenticated successfully to your Postfix service at some point. Most spammers I've seen use a *persistent* connection. I.e., all they have to do is auth once, and keep the connection open, sending many thousands of emails. The only way to close off that connection is to change the user's password and then restart postfix. If you have external AD Auth enabled AND you have local fallback enabled, changing the password in AD may have ZERO effect if the LOCAL fallback password is the same as the old password.
Again, this has ZERO to do with IMAP. Whatever you did about the IMAP port was unrelated to their stopping of sending spam.
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
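To turn quanah's reading of the smtpd log line into a check a defender can run, here is an added example (not from the thread, and not Zimbra or Postfix code) that parses lines of the same `client=host[ip], sasl_method=..., sasl_username=...` form as those in edelvall's ticket and flags accounts that authenticate from several client IPs or submit in bursts. The sample log lines, hosts, IPs, account names and the two thresholds are constructed assumptions.

```python
"""Added example: flag SASL-authenticated submissions that look like a compromised
account, parsed from smtpd lines like those quoted in the thread (data constructed)."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d):\d\d \S+ postfix/\S*smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-Za-z]+): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\], "
    r"sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+)$"
)

def parse_sasl_auths(log_text):
    """Return one dict (ts, qid, host, ip, method, user) per authenticated line."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def flag_accounts(events, max_ips=1, max_per_minute=3):  # thresholds: assumptions
    """Return {sasl_username: [reasons]} for accounts seen from more than max_ips
    client IPs or with more than max_per_minute submissions in any one minute."""
    ips = defaultdict(set)
    per_minute = defaultdict(lambda: defaultdict(int))
    for e in events:
        ips[e["user"]].add(e["ip"])
        per_minute[e["user"]][e["ts"]] += 1  # ts is truncated to the minute
    flagged = {}
    for user, seen in ips.items():
        reasons = []
        if len(seen) > max_ips:
            reasons.append(f"{len(seen)} client IPs")
        peak = max(per_minute[user].values())
        if peak > max_per_minute:
            reasons.append(f"{peak} submissions in one minute")
        if reasons:
            flagged[user] = reasons
    return flagged

# Constructed sample (documentation IPs, made-up accounts) in the same format as
# the smtps/smtpd lines in the ticket; the "connect from" line is not an auth.
SAMPLE_LOG = """\
May 6 12:32:31 mail postfix/smtps/smtpd[24771]: 48A221D432CB: client=host-a.example.net[203.0.113.10], sasl_method=LOGIN, sasl_username=alice@example.edu
May 6 12:32:38 mail postfix/smtps/smtpd[27584]: E5B791D432CB: client=host-a.example.net[203.0.113.10], sasl_method=LOGIN, sasl_username=alice@example.edu
May 6 12:32:40 mail postfix/smtps/smtpd[27584]: connect from host-b.example.net[198.51.100.7]
May 6 12:32:44 mail postfix/smtps/smtpd[27584]: 0A1B2C3D4E5F: client=host-b.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.edu
May 6 12:32:51 mail postfix/smtps/smtpd[27584]: 1B2C3D4E5F60: client=host-b.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.edu
May 6 12:35:02 mail postfix/submission/smtpd[28001]: 2C3D4E5F6071: client=office.example.edu[192.0.2.5], sasl_method=LOGIN, sasl_username=bob@example.edu
"""

if __name__ == "__main__":
    for user, why in flag_accounts(parse_sasl_auths(SAMPLE_LOG)).items():
        print(user, "->", "; ".join(why))
```

An account flagged this way is the one whose password to change before restarting Postfix, as quanah describes; feeding the script your own /var/log/zimbra.log or mail.log instead of the sample is the only change needed.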
edelvall
Posts: 22
Joined: Sat Sep 13, 2014 12:25 am


Post by edelvall »

[quote user="quanah"]1) A person can put *anything* in a "From" field. Just because it says "IMAP4rev1" is meaningless. I could put "George Washington", "moon beam", or whatever else I wanted in that part of the From: header.
2) "May 6 12:32:38 mail postfix/smtps/smtpd[27584]: E5B791D432CB: client=76.sub-174-241-96.myvzw.com[174.241.96.76], sasl_method=LOGIN, sasl_username=srengiff@amersol.edu.pe" shows they are connected to Postfix. Postfix *only* supports port 25/587/465 (The SMTP/SMTPS/SUBMISSION ports). It has ZERO support for IMAP. It also *clearly* shows that they authenticated successfully to your Postfix service at some point. Most spammers I've seen use a *persistent* connection. I.e., all they have to do is auth once, and keep the connection open, sending many thousands of emails. The only way to close off that connection is to change the user's password and then restart postfix. If you have external AD Auth enabled AND you have local fallback enabled, changing the password in AD may have ZERO effect if the LOCAL fallback password is the same as the old password.
Again, this has ZERO to do with IMAP. Whatever you did about the IMAP port was unrelated to their stopping of sending spam.[/QUOTE]
Yes, agreed that the FROM field is easy to forge.
If point 2 is so "obvious", why did the support person who replied to my ticket say to tweak the "AV Score" so that less spam comes in? I totally follow you on the postfix path and concur.
A few questions arise:

First: what is the "LOCAL fallback password", and where is it set up? These are AD accounts; do they still have a password inside Zimbra?

Second: will "postfix reload" kill the sessions, or does it need to be "postfix restart", or even a "zmcontrol restart"?

Third: is there a way to limit the amount of email per second that an account can send? (cbpolicyd, I guess?)

Fourth: why in the world was I not lucky enough to get you to help me with my ticket at the beginning!! LOL :D
Thanks,
User avatar
quanah
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm


Post by quanah »

[quote user="edelvall"]Yes, agreed that the FROM field is easy to forge.
If point 2 is so "obvious", why did the support person who replied to my ticket say to tweak the "AV Score" so that less spam comes in? I totally follow you on the postfix path and concur.
A few questions arise:

First: what is the "LOCAL fallback password", and where is it set up? These are AD accounts; do they still have a password inside Zimbra?

Second: will "postfix reload" kill the sessions, or does it need to be "postfix restart", or even a "zmcontrol restart"?

Third: is there a way to limit the amount of email per second that an account can send? (cbpolicyd, I guess?)

Fourth: why in the world was I not lucky enough to get you to help me with my ticket at the beginning!! LOL :D
Thanks,[/QUOTE]
1) It can fall back to the OpenLDAP instance that ships with Zimbra, particularly if the user ever tried to "change" their password via the Zimbra interface:

LDAP Authentication - Zimbra :: Wiki
2) For postfix, I would personally do "postfix stop" followed by "postfix start" to ensure it is stopped/started.
3) Yes, it should be possible to configure via cbpolicyd.
4) I am not a member of the support team. I'm one of the lead engineers.
--Quanah
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/