本週二上班有人反應公司郵箱無法外發郵件,後來登錄到服務器查看原因,不看不知道,一看嚇一跳,服務器日誌瘋狂滾動!一看全是被其它郵件服務器拒絕的信息!由於這臺服務器以前不是我管,連配置文件都find了好久,最終從十多個main.cf中找到了真正的配置文件......下面開始分析問題與解決問題!
分析
localhost# find / -name main.cf
.......
/usr/local/etc/postfix/main.cf
/usr/opt/software/postfix-2.8.9/conf/main.cf
/etc/postfix/main.cf
這麼多配置文件也不知道具體是哪個,但根據常理,最有可能的便是/etc/postfix/main.cf了。
打開/etc/postfix/main.cf來看看。
localhost# cat /etc/postfix/main.cf | grep -v # | grep -v ^$
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
unknown_local_recipient_reject_code = 550
debug_peer_level = 2
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = maildrop
html_directory = no
manpage_directory = /usr/local/man
sample_directory = /etc/postfix
message_size_limit = 512000000
virtual_mailbox_limit = 1024000000
readme_directory = /usr/local/share/doc/postfix
virtual_mailbox_base = /usr/opt/home/domains
virtual_uid_maps = static:1000
virtual_gid_maps = static:1000
virtual_alias_maps = $alias_maps, mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
dspam_destination_recipient_limit = 1
mydestination =
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
smtpd_client_restrictions =
reject_rbl_client cblless.anti-spam.org.cn,
reject_rbl_client cdl.anti-spam.org.cn,
reject_rbl_client opm.blitzed.org,
reject_rbl_client bl.spamcop.net
localhost# vi /etc/postfix/sender_access
[email protected] REJECT
[email protected] REJECT
[email protected] REJECT
........
由以上配置文件可以看到,我們對發信者的檢測僅限於sender_access。僅僅只是拒絕了sender_access中拒絕的用戶。而沒有其它任何限制。限制條件很寬鬆。
截取部分日誌分析
localhost# tail /var/log/maillog
Oct 22 16:36:01 localhost postfix/error[18675]: 42263221CA: to=<[email protected]>, relay=none, delay=111421, delays=105070/6348/0/2.6, dsn=4.0.0, status=deferred (delivery temporarily suspended: host relay.verizon.net[206.46.232.11] refused to talk to me: 571 Email from 124.172.224.76 is currently blocked by Verizon Online's anti-spam system. The email sender or Email Service Provider may visit http://www.verizon.net/whitelist and request removal of the block. 121022)
Oct 22 16:36:01 localhost postfix/qmgr[32357]: 184F627BF64: from=<[email protected]>, size=2338, nrcpt=50 (queue active)
Oct 22 16:36:01 localhost postfix/smtp[18300]: 1C34F26235C: to=<[email protected]>, relay=mail2.honeywell.com[199.61.24.28]:25, delay=110287, delays=110274/11/2.4/0, dsn=4.0.0, status=deferred (host mail2.honeywell.com[199.61.24.28] refused to talk to me: 554 mail2.honeywell.com)
Oct 22 16:36:01 localhost postfix/smtp[18288]: connect to news-daily.com.inbound15.mxlogicmx.net[208.65.144.12]:25: Connection refused
發現全是一些被defferred的信息。其它郵件服務器已經拒絕我們投遞。
那麼再用mailq命令來查看一下隊列文件。
結果發現mailq刷屏刷得沒完沒了了。太多緩存的郵件!
localhost# mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
5D1477C0D* 2333 Mon Oct 22 18:36:47 [email protected]
(delivery temporarily suspended: host mx.west.cox.net[68.6.19.3] refused to talk to me: 554 fed1rmimpi210 cox 124.172.224.76 blocked. Error Code: IPBL0100 - Refer to Error Codes section at http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more information.)
截取其中一個例子來分析,可分爲五部分來看。
1,5D1477C0D* 是指緩存郵件的ID
2,2333 是指郵件的大小。
3,[email protected] 是指發件人。
4,(delivery temporarily suspended: host mx.west.cox.net[68.6.19.3] refused to talk to me: 554 fed1rmimpi210 cox 124.172.224.76 blocked. Error Code: IPBL0100 - Refer to Error Codes section at http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more information.)
通過第4段信息我們可以得到如下信息:
delivery temporarily suspended告訴我們郵件投遞被延遲。
host mx.west.cox.net[68.6.19.3] refused to talk to me 告訴我們投遞給mx.west.cox.net[68.6.19.3] 的郵件服務器拒收我們的信件。
124.172.224.76 我們郵件服務器的Ip地址。
Error Code: IPBL0100 - Refer to Error Codes section at http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more information.)
通過http://postmaster.cox.net/confluence/display/postmaster/Error+Codes 上查看更多拒收的原因。
5,[email protected] 收件人地址!
由上面的日誌我們可以知道
1,我們的郵件服務器的發件人地址被僞造了!
2,我們郵件服務器已經被很多其它郵件服務器列入了黑名單
3,收件人並非我們認識的人
結論,這個郵件服務器很可能被***,且被當作垃圾郵件的中繼者。
那麼,誰會是這個***者呢?倒底是什麼漏洞導致的?
下面來讓找到事件的源頭。
首先,根據上面的分析,我們知道發件人和收件人都不是郵件服務器所在域的成員。那麼我們就得考慮我們的郵件服務器是不是一個開放的中繼(open relay)。
驗證:
[root@mail ~]# telnet mail.example.com 25
Trying 124.172.224.76...
Connected to mail.example.com (124.172.224.76).
Escape character is '^]'.
220 mail.example.com ESMTP Postfix
helo [email protected]
250 mail.example.com
mail from:[email protected]
250 2.1.0 Ok
rcpt to:[email protected]
554 5.7.1 <[email protected]>: Relay access denied
可以看到,我們不經過認證發送郵件給qq郵箱並沒有成功。所以,這並不是一個open relay的服務器!既然如此,那別人想用我的郵件服務器外發郵件,那麼就必需要通過認證纔可以。那麼讓我們用認證的方式登錄並償試僞造發信人地址外發郵件!
先將用戶名和密碼經過base64編碼。
[root@mail ~]# perl -MMIME::Base64 -e "print encode_base64('123456');"
MTIzNDU2
[root@mail ~]# perl -MMIME::Base64 -e "print encode_base64('[email protected]');"
dGVzdDFAZXhhbXBsZS5jb20=
驗證:
[root@mail ~]# telnet mail.example.com 25
Trying 124.172.224.76...
Connected to mail.example.com (124.172.224.76).
Escape character is '^]'.
220 mail.example.com ESMTP Postfix
auth login
334 VXNlcm5hbWU6
dGVzdDFAZXhhbXBsZS5jb20=
334 UGFzc3dvcmQ6
MTIzNDU2
235 2.7.0 Authentication successful
mail from:[email protected]
250 2.1.0 Ok
rcpt to:[email protected]
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
hello inveracious test!
.
250 2.0.0 Ok: queued as 99F4C23F008
quit
221 2.0.0 Bye
Connection closed by foreign host.
上面我用認證用戶[email protected]登錄後,僞造成[email protected]來發信。結果顯示成功!我們再回到服務器端看看有什麼日誌產生!
localhost# tail /var/log/maillog
Oct 26 02:54:27 localhost postfix/qmgr[40723]: 99F4C23F008: from=<[email protected]>, size=197, nrcpt=1 (queue active)
Oct 26 02:54:27 localhost postfix/smtp[41094]: 99F4C23F008: to=<[email protected]>, relay=mx3.qq.com[119.147.192.199]:25, delay=110, delays=109/0/0.04/0.1, dsn=5.0.0, status=bounced (host mx3.qq.com[119.147.192.199] said: 550 Mail content denied. http://service.mail.qq.com/cgi-bin/help?subtype=1&&id=20022&&no=1000726 (in reply to end of DATA command))
Oct 26 02:54:27 localhost postfix/cleanup[41089]: 69EA423F027: message-id=<[email protected]>
Oct 26 02:54:27 localhost postfix/bounce[41095]: 99F4C23F008: sender non-delivery notification: 69EA423F027
Oct 26 02:54:27 localhost postfix/qmgr[40723]: 69EA423F027: from=<>, size=2203, nrcpt=1 (queue active)
Oct 26 02:54:27 localhost postfix/qmgr[40723]: 99F4C23F008: removed
日誌顯示郵件ID爲99F4C23F008的郵件,發件人是[email protected]。接收服務器是mx3.qq.com的25端口。狀態是被退回。通過http://service.mail.qq.com/cgi-bin/help?subtype=1&&id=20022&&no=1000726 可以查看到拒絕原因。
經過認證登錄後的用戶,可以僞造發件人隨意外發郵件!
由以上信息我們可以推斷,很可能是由於別人盜用了我們的賬號,然後利用我們的賬號僞造其它發信人,瘋狂外發郵件!那麼,我們現在需要從三方面着手。
1,找出真正的發件人是哪個合法用戶並馬上修改密碼。
2,阻止郵件繼續瘋狂外發。
3,禁止認證用戶僞造發件人外發郵件。
解決
1,找出可能被盜號的用戶!
通過maillog雖然看不到被拒絕郵件到底是誰發出的,但可以看到被拒絕投遞的郵件ID.就比如下面兩封郵件的ID分別爲45C4E130CB 4728312BBA。這時候,我們可以查找到一些收信地址比較可疑的郵件來分析。
localhost# tail /var/log/maillog
Oct 22 16:41:38 localhost postfix/error[18801]: 45C4E130CB: to=<[email protected]>, relay=none, delay=101364, delays=95002/6357/0/5.3, dsn=4.0.0, status=deferred (delivery temporarily suspended: host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 550-124.172.224.76 blocked by ldap:ou=rblmx,dc=att,dc=net 550 Error - Blocked for abuse. See http://att.net/blocks)
Oct 22 16:41:38 localhost postfix/error[18103]: 4728312BBA: to=<[email protected]>, relay=none, delay=102971, delays=96576/6386/0/9.8, dsn=4.7.1, status=deferred (delivery temporarily suspended: host mta5.am0.yahoodns.net[66.94.237.139] refused to talk to me: 421 4.7.1 [TS03] All messages from 124.172.224.76 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html)
.....
我們可以通過postcat -q命令來查看指定ID郵件的詳細內容。比如我覺得ID爲2FDF423FA50的郵件很可疑,那麼讓我們詳細看看郵件:
localhost# postcat -q 2FDF423FA50
*** ENVELOPE RECORDS deferred/2/2FDF423FA50 ***
message_size: 2428 4714 50 0 2428
message_arrival_time: Wed Oct 24 06:18:07 2012
create_time: Wed Oct 24 06:18:08 2012
named_attribute: log_ident=2FDF423FA50
named_attribute: rewrite_context=remote
named_attribute: sasl_method=LOGIN <-----sasl認證通過
named_attribute: [email protected] <-------認證用戶名
sender: [email protected] <-----僞造的發信者
named_attribute: log_client_name=unknown
named_attribute: log_client_address=68.167.29.196 <----登錄客戶端的ip
named_attribute: log_client_port=1464
named_attribute: log_message_origin=unknown[68.167.29.196]
named_attribute: log_helo_name=User
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=unknown
named_attribute: reverse_client_name=h-68-167-29-196.mclnva23.static.covad.net
named_attribute: client_address=68.167.29.196
named_attribute: client_port=1464
named_attribute: helo_name=User
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
recipient: [email protected] <------收件人1
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected] <------收件人2
recipient: [email protected]
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected] <------收件人3
recipient: [email protected]
.........
通過上面的這封郵件,我們可以知道,這封郵件是由[email protected].這個用戶來認證登錄的。登錄者IP 68.167.29.196。該用戶將發信人僞造成:[email protected]。並且同時發送很多封郵件出去!如果真存在[email protected]這個用戶的話,那這個用戶信箱估計也被塞滿了無數退信郵件.
很顯然,上面這封郵件並不是一封正常郵件!通過這封郵件很快就可以確定這個用戶的密碼很可能是被別人破解了!或者郵件系統有其它漏洞,***者親自建立了該用戶用來羣發郵件。
搜索/var/spool/postfix/defrred目錄下面的ip 68.167.29.196,發現有5600郵件被阻塞着。而且還在不斷增加。且用戶均爲[email protected]。可以確定,IP 68.167.29.196爲***者。
localhost# cd /var/spool/postfix/defrred
localhost# find . -exec grep "68.167.29.196" {} \; | wc -l
5625
登錄數據庫查看[email protected]這個用戶的創建情況。這個在webman管理後臺上面是看不到的。
localhost# /usr/opt/local/mysql-5.1.47/bin/mysql -uextmail -pextmail
mysql> select * from mailbox where username='[email protected]'\G;
*************************** 1. row ***************************
username: [email protected]
uid: info
password: $1$RpyMEokE$CK31uufL9uNk6PjqSorXa1
clearpwd:
name:
mailhost:
maildir: example.com/info/Maildir/
homedir: example.com/info
quota: 524288000S
netdiskquota: 524288000S
domain: example.com
uidnumber: 1000
gidnumber: 1000
createdate: 2012-04-25 15:35:54 <-----創建日期
expiredate: 0000-00-00
active: 1
disablepwdchange: 0
disablesmtpd: 0
disablesmtp: 0
disablewebmail: 0
disablenetdisk: 0
disableimap: 1
disablepop3: 0
question:
answer:
1 row in set (0.00 sec)
mysql> select * from manager;
+------------------+------------------------------------+-------+------+------------+-------------+-----------+------------------+---------------------+------------+--------+
| username | password | type | uid | name | question | answer | disablepwdchange | createdate | expiredate | active |
+------------------+------------------------------------+-------+------+------------+-------------+-----------+------------------+---------------------+------------+--------+
| [email protected] | $1$ZwYBBBz1$mh.Uwro5vqXMwYum0eprq/ | admin | root | Super User | my question | my answer | 0 | 2007-02-14 15:10:04 | 2010-11-08 | 1 |
+------------------+------------------------------------+-------+------+------------+-------------+-----------+------------------+---------------------+------------+--------+
管理員賬號只有一個,[email protected]也不是新建的。那應該是[email protected]的用戶密碼被破解了。
來看看[email protected]這個用戶的登錄日誌。發現全是由68.167.29.196的主機登錄的。
localhost# cat /var/log/maillog | grep [email protected]
Oct 24 00:32:10 localhost postfix/smtpd[4202]: 8F005249014: client=unknown[68.167.29.196], sasl_method=LOGIN, [email protected]
Oct 24 00:32:16 localhost postfix/smtpd[5029]: 11044249024: client=unknown[68.167.29.196], sasl_method=LOGIN, [email protected]
Oct 24 00:32:17 localhost postfix/smtpd[4626]: 930FB249028: client=unknown[68.167.29.196], sasl_method=LOGIN, [email protected]
Oct 24 00:32:17 localhost postfix/smtpd[4765]: A890624902B: client=unknown[68.167.29.196], sasl_method=LOGIN, [email protected]
登錄extman,將[email protected]這個用戶的密碼改掉。
我們登錄[email protected]來看看用戶情況。結果發現有一萬多封退信信息,由於這個賬號沒人用,所以一直未發現這個問題。
2,清除所有緩存垃圾郵件,阻止郵件服務器繼續償試外發!
清除defer和deferred目錄下的緩存郵件
我們來瞧瞧郵件緩存目錄
localhost# du -sh /var/spool/postfix/*
2.1G /var/spool/postfix/defer
2.7G /var/spool/postfix/deferred
可以看到,被延遲發送的郵件佔用了5個g的空間!
清除郵件中的所有隊列
localhost# postsuper -d ALL
postsuper: Deleted: 292551 messages
共清除了將近30萬封緩存的郵件。
如果緩存郵件裏面有重要郵件,不能刪除所有郵件,那麼也可以寫一個腳本,只清除所有屬於68.167.29.196的緩存郵件。
localhost# vi deldefer.sh
#刪除defferred中的緩存
cd /var/spool/postfix/deferred/
find . -exec grep 68.167.29.196 {} \; | awk '{print $3}' | cut -d/ -f3 >/tmp/del.txt
for i in `cat /tmp/del.txt`
do
postsuper -d "$i"
done
rm -rf /tmp/del.txt
#刪除deffer中的緩存
cd /var/spool/postfix/defer
for i in `find .|cut -d/ -f3`
do
postcat -q $i |grep 68.167.29.196
if [ $? -eq 0 ];
then
echo $i >> /tmp/defer.txt
postsuper -d $i
fi
done
rm -rf /tmp/defer.txt
腳本說明:
在刪除deffer和defferred下面的緩存郵件的腳本是不同的。由於defer下的緩存郵件用cat直接查看是看不到發件人及登錄ip等詳細信息的,需要用postcat來查看才能顯示出詳細的信息。所以deffer目錄裏的清除腳本寫法和上面defferred的有些不同。注意:在刪除了deferred下面的緩存後,如果不刪除defer的緩存,defer下的郵件仍然會被不停的投遞出去,直到最後變爲deferred之後纔會放棄。所以,如果只刪除deferred下面的郵件而不刪除defer下面的郵件的話,過不了多久,deferred下面又會出現大量郵件,而這個郵件是由defer目錄下的緩存引起的。
-------------------------------------------------------
再次查看緩存目錄,容量終於恢復正常值。
localhost# du -sh /var/spool/postfix/*
162K /var/spool/postfix/defer
46K /var/spool/postfix/deferred
刪除[email protected]用戶郵箱的退信郵件
下面該刪除[email protected]用戶的所有退信郵件了.通過查看郵件發現所有的垃圾郵件均是今天一天生成的。到服務器端查找並刪除今天的所有郵件。
進入到info用戶的郵件目錄
localhost# cd /usr/opt/home/domains/example.com/info/Maildir/
可以看到有12779封郵件。
localhost# ls -l cur/ |wc -l
12779
查找今天生成的郵件,共11589封
localhost# find cur/ -ctime -1 | wc -l
11589
刪除所有今天的郵件
localhost# find cur/ -ctime -1 -exec rm -f {} \;
刪除完畢!
注意find cur/ -ctime -1 -exec rm -f {} \; 中是rm -f !不要寫成了rm -rf。否則一執行就把cur目錄給刪掉了。那麼用戶以前的郵件也全帶着一起刪除了!
至此,郵件服務器終於恢復了正常運行。再次用tail -f 來查看日誌,不會再出現那恐怖的瘋狂刷屏日誌了!瘋狂的服務器終於恢復了原來的悠閒狀態!
3,禁止認證用戶假冒發信人外發
修改main.cf配置文件,增加發信人限制功能!
localhost# vi main.cf
mynetworks = 127.0.0.0/8
smtpd_sender_restrictions =
permit_mynetworks,
reject_sender_login_mismatch,
reject_non_fqdn_sender,
reject_authenticated_sender_login_mismatch,
reject_unauthenticated_sender_login_mismatch,
reject_non_fqdn_recipient,
reject_invalid_hostname,
reject_unknown_sender_domain,
check_sender_access hash:/etc/postfix/sender_access
smtpd_sender_login_maps =
mysql:/etc/postfix/mysql_virtual_sender_maps.cf,
mysql:/etc/postfix/mysql_virtual_alias_maps.cf
localhost# postfix reload
在客戶端測試效果:
客戶端僞造發信人測試,[email protected]僞造成發件人[email protected]未成功!
[root@mail ~]# perl -MMIME::Base64 -e "print encode_base64('123456');"
MTIzNDU2
[root@mail ~]# perl -MMIME::Base64 -e "print encode_base64('[email protected]');"
dGVzdDFAZXhhbXBsZS5jb20=
[root@mail ~]# telnet mail.example.com 25
Trying 124.172.224.76...
Connected to mail.example.com (124.172.224.76).
Escape character is '^]'.
auth login
220 mail.example.com ESMTP Postfix
334 VXNlcm5hbWU6
dGVzdDFAZXhhbXBsZS5jb20=
334 UGFzc3dvcmQ6
MTIzNDU2
235 2.7.0 Authentication successful
mail from:[email protected]
250 2.1.0 Ok
rcpt to:[email protected]
553 5.7.1 <[email protected]>: Sender address rejected: not owned by user [email protected]
客戶端用真實的地址發信測試成功
[root@mail ~]# telnet mail.example.com 25
Trying 124.172.224.76...
auConnected to mail.example.com (124.172.224.76).
Escape character is '^]'. 220 mail.example.com ESMTP Postfix
auth login
334 VXNlcm5hbWU6
dGVzdDFAZXhhbXBsZS5jb20=
334 UGFzc3dvcmQ6
MTIzNDU2
235 2.7.0 Authentication successful
mail from:[email protected]
250 2.1.0 Ok
rcpt to:[email protected]
250 2.1.5 Ok
Ok,測試成功!
關於郵件服務器被yahoo,gmail,hotmail等郵件服務器列入黑名單問題,這個最好是換個ip地址吧。一個個申訴太麻煩了!