Debian 服务器收到垃圾邮件

Debian 服务器收到垃圾邮件

该服务器已上线多年,但最近受到垃圾邮件的攻击。

我无法堵住他们利用的漏洞。看来垃圾邮件正在使用 sasl_username=clamav。

我的 postfix 配置是:

主文件:

smtpd_banner = $myhostname ESMTP $mail_name
biff = no
append_dot_mydomain = no
readme_directory = no
compatibility_level = 2
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.xxx.yyy.zzz/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.xxx.yyy.zzz/privkey.pem
smtpd_tls_security_level = may
smtpd_tls_received_header = yes
smtpd_tls_auth_only = no 
smtpd_tls_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_ciphers = high
smtpd_tls_mandatory_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
tls_preempt_cipherlist = yes
smtp_sasl_auth_enable = no
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_ciphers = high
smtp_tls_mandatory_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
mydomain = xxx
myhostname = mail.xxx.yyy.zzz
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $mydomain, $myhostname, localhost.localdomain, localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
mynetworks_style = subnet
message_size_limit = 30720000
virtual_mailbox_limit = 0
inet_interfaces = all
inet_protocols = all
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-virtual-email2email.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
smtpd_reject_unlisted_recipient = yes
smptd_reject_unlisted_sender = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = xxx.yyy.zzz
smtpd_sasl_tls_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sender_login_maps = mysql:/etc/postfix/mysql-virtual-email2email.cf
smtpd_restriction_classes = mua_sender_restrictions, mua_client_restrictions, mua_helo_restrictions
mua_client_restrictions = permit_sasl_authenticated, reject
mua_sender_restrictions = permit_sasl_authenticated, reject
mua_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit

smtpd_sender_restrictions = 
    reject_unauth_destination,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unverified_sender,
    reject_unknown_reverse_client_hostname,
    reject_unknown_client_hostname,
    check_sender_access hash:/etc/postfix/restrict_senders,
    check_sender_access hash:/etc/postfix/sender_checks,
    permit_sasl_authenticated,
    permit_mynetworks
smtpd_recipient_restrictions = 
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/sender_checks,
    check_client_access hash:/etc/postfix/rbl_override,
    reject_invalid_hostname,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unlisted_recipient,
    reject_unverified_recipient,
    check_policy_service unix:private/policyd-spf,
    permit_sasl_authenticated,
    permit_mynetworks,
    permit
smtpd_relay_restrictions = 
     reject_unlisted_sender,
     reject_unauth_destination,
     check_sender_access hash:/etc/postfix/sender_checks
     permit_sasl_authenticated,
     permit_mynetworks
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = no
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    reject_unknown_helo_hostname,
    check_helo_access hash:/etc/postfix/helo_access,
    permit
mime_header_checks = regexp:/etc/postfix/mime_header_checks
milter_default_action = accept
smtpd_milters = unix:opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters
queue_directory = /var/spool/postfix
meta_directory = /etc/postfix
setgid_group = postdrop
command_directory = /usr/sbin
sample_directory = /etc/postfix
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
sendmail_path = /usr/sbin/sendmail
mail_owner = postfix
daemon_directory = /usr/lib/postfix/sbin
manpage_directory = /usr/share/man
html_directory = /usr/share/doc/postfix/html
data_directory = /var/lib/postfix
shlib_directory = /usr/lib/postfix
disable_vrfy_command = yes
policyd-spf_time_limit = 3600
smtp_destination_recipient_limit = 10
default_destination_recipient_limit = 10
smtp_tls_note_starttls_offer = yes 
smtpd_tls_session_cache_timeout = 3600s 
---
master.cf
------
smtp      inet  n       -       y       -       -       smtpd
submission inet n       -       y       -       -       smtpd
  -o content_filter=spamassassin
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_wrappermode=no
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject 
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o milter_macro_daemon_name=ORIGINATING
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
  -o syslog_name=postfix/$service_name
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd
maildrop  unix  -       n       n       -       -       pipe
  flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
spamassassin unix -     n       n       -       -       pipe
  flags=R
  user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
127.0.0.1:10025 inet n   -       y       -       -       smtpd
smtp-amavis   unix   -   -   n   -   2   smtp
    -o syslog_name=postfix/amavis
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
    -o smtp_tls_security_level=none
autoresponder unix - n n - - pipe
        flags=Fq user=autoresponse argv=/usr/local/sbin/autoresponse -s ${sender} -r ${recipient} -S ${sasl_username} -C ${client_address}
policyd-spf  unix  -       n       n       -       -       spawn
    user=nobody argv=/usr/bin/policyd-spf
---
nmap -T4 -A -p 25 xxx.yyy.zzz
Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-31 11:26
Nmap scan report for xxx.yyy.zzz (xxx.yyy.zzz)
Host is up (0.00012s latency).

PORT   STATE SERVICE VERSION
25/tcp open  smtp    Postfix smtpd
|_smtp-commands: mail.xxx.yyy.zzz, PIPELINING, SIZE 30720000, ETRN, STARTTLS, AUTH PLAIN LOGIN, AUTH=PLAIN LOGIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING, 
| ssl-cert: Subject: commonName=xxx.yyy.zzz
| Subject Alternative Name: DNS:mail.xxx.yyy.zzz, DNS:xxx.yyy.zzz
| Not valid before: 2022-12-14T22:36:23
|_Not valid after:  2023-03-14T22:36:22
|_ssl-date: TLS randomness does not represent time
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.32
OS details: Linux 2.6.32
Network Distance: 0 hops
Service Info: Host:  mail.xxx.yyy.zzz

我已经禁用直升机限制,因为包括政府服务器在内的太多服务器未通过测试!

任何帮助,将不胜感激。

相关内容