Discussion :

[tetzispa]

Bonsoir à tous !

depuis quelques jours je me fais violenter mon serveur mail (postfix/dovecot avec authentification LDAP)

à ce que je vois, il essaye de s'en servir comme relai, mais vu que c'est bloqué rien de grave, cependant , mon fichier de log (/var/log/mail.log) augmente de plus en plus (350mo à ce jour)

autre conséquence : le serveur (même avec ses caractéristiques) pédale un peu dans la semoule pour traiter tout le flux et je ne trouve pas de solutions (encore) pour bloquer les tentatives comme je me prends

en dessous mon fichier de conf de postfix, et quelques éléments du fichier de log /var/log/mail.log

il va s'en dire que j'ai ban quelques IP que je voyais revenir mais sans que les choses changent

merci à vous par avance pour une aide !

fichier de conf de postfix :

Code :

Sélectionner tout - Visualiser dans une fenêtre à part

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
# Nul besoin de définir myorigin puisque nous travaillons sur un serveur multidomaines
#myorigin = /etc/postfix/mailname
#Le message de bienvenue envoyé par POSTFIX lors de la connexion d’un client
 
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
 
# Activer la notification en cas de réception de nouveaux e-mails dans la console (yes / no).biff = no
# Initialise ou non la réécriture des adresses
# en ajoutant à ces adresses:
# – en provenance locale: .$mydomain aux adresses qui ne contiendraient pas
# de composantes « domaine ».
# – en provenance extérieure: @$remote_header_rewrite_domain
 
append_dot_mydomain = no
 
# Uncomment the next line to generate « delayed mail » warnings
 
delay_warning_time = 4h
 
# Emplacement des fichiers de postfix décrivant la manière de compiler
 
readme_directory = no
 
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
# Nom d’hôte du serveur SMTP
 
myhostname = pa-errard.com
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
mydestination = localhost.localdomain, localhost
 
# Si l’on utilise un serveur SMTP externe pour le relai des messages, configurer ce parametre
 
relayhost =
mynetworks = 127.0.0.0/8 10.0.0.0/24
 
# Parametre inutile puisque nous utiliserons les quotas de maildrop
 
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
 
# Parametres pour la connexion LDAP
# Fichier de config ldap pour gestion des domaines
 
virtual_mailbox_domains = ldap:/etc/postfix/ldap-domains.cf
 
# le repertoire /var/vmail stockera les boites mail des utilisateurs
 
virtual_mailbox_base = /var/vmail
 
#la directive suivante correspond à liste des utilisateurs déaré
 
virtual_mailbox_maps = ldap:/etc/postfix/ldap-accounts.cf
 
# valeur minimum que l’agent de livraison Virtual accepte comme résultat de la recherche dans les tables $virtual_uid_maps
# les valeurs retournées sont rejetées | nous utiliserons Maildrop à la place de virtual.
 
virtual_minimum_uid = 100
 
# Table des correspondances entre destinataires et identifiants de groupe pour la libraison vers les boites virtuelles
 
virtual_uid_maps = static:500
virtual_gid_maps = static:500
unknown_local_recipient_reject_code = 550
 
 
#la directive suivante correspond à liste des alias (redirections).
 
virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf
 
dovecot_destination_recipient_limit = 1
virtual_transport = dovecot 
 
 
# securité du serveur postfix
 
#SSL
 
#smtpd_tls_cafile=/etc/ssl/mail/mail.srsi.fr.chain
#smtpd_tls_cert_file=/etc/ssl/mail/mail.srsi.fr.cert
#smtpd_tls_key_file=/etc/ssl/mail/mail.srsi.fr.key
#smtpd_use_tls=yes
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 
# SMTPD auth avec dovecot :
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
 
 
# OPENRELAY
 
# Wait until the RCPT TO command before evaluating restrictions 
smtpd_delay_reject = yes 
 
# Basics Restrictions 
smtpd_helo_required = yes 
strict_rfc821_envelopes = yes 
 
# Requirements for the connecting server 
smtpd_client_restrictions = 
    permit_mynetworks, 
    permit_sasl_authenticated, 
    reject_rbl_client bl.spamcop.net, 
    reject_rbl_client dnsbl.njabl.org, 
    reject_rbl_client cbl.abuseat.org, 
    reject_rbl_client sbl-xbl.spamhaus.org, 
    permit 
 
# Requirements for the HELO statement 
smtpd_helo_restrictions = 
    permit_mynetworks, 
    permit_sasl_authenticated, 
    reject_non_fqdn_hostname, 
    reject_invalid_hostname, 
    permit 
 
# Requirements for the sender address 
smtpd_sender_restrictions = 
    permit_mynetworks, 
    permit_sasl_authenticated, 
    reject_non_fqdn_sender, 
    reject_unknown_sender_domain, 
    permit 
 
# Requirement for the recipient address 
smtpd_recipient_restrictions = 
    permit_mynetworks, 
    permit_sasl_authenticated, 
    reject_non_fqdn_recipient, 
    reject_unknown_recipient_domain, 
    reject_unauth_destination, 
    permit

fichier de log /var/log/mail.log :

Code :

Sélectionner tout - Visualiser dans une fenêtre à part

1
2
3
4
5
6
7
8
9
Aug 10 19:04:18 pa-errard postfix/qmgr[25094]: 6CAFAC12ED: from=<customerservice@wells.com>, size=9149, nrcpt=20 (queue active)
Aug 10 19:04:18 pa-errard postfix/qmgr[25094]: 6A6EEC31C3: from=<customerservice@wells.com>, size=9149, nrcpt=20 (queue active)
Aug 10 19:04:18 pa-errard postfix/qmgr[25094]: 620E1C62BF: from=<>, size=13544, nrcpt=1 (queue active)
Aug 10 19:04:18 pa-errard postfix/qmgr[25094]: 64260C32ED: from=<customerservice@wells.com>, size=9149, nrcpt=20 (queue active)
Aug 10 19:04:18 pa-errard postfix/qmgr[25094]: 67FD9C2FF0: from=<customerservice@wells.com>, size=9149, nrcpt=20 (queue active)
Aug 10 19:04:18 pa-errard postfix/qmgr[25094]: 69D62C2569: from=<>, size=13367, nrcpt=1 (queue active)
Aug 10 19:04:18 pa-errard postfix/qmgr[25094]: 6E6E7C311A: from=<customerservice@wells.com>, size=9149, nrcpt=20 (queue active)
Aug 10 19:04:18 pa-errard postfix/smtp[7437]: 15230C12F1: host mta5.am0.yahoodns.net[98.136.216.25] refused to talk to me: 421 4.7.0 [TS01] Messages from 5.135.161.16 temporarily deferred - 4.16.55.1; see http://postmaster.yahoo.com/errors/421-ts01.html
Aug 10 19:04:18 pa-errard postfix/qmgr[25094]: 6C72BC336A: from=<customerservice@wells.com>, size=9149, nrcpt=20 (queue active)

Code :

Sélectionner tout - Visualiser dans une fenêtre à part

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
Aug 10 19:04:18 pa-errard postfix/error[7578]: 8AF25C31AE: to=<1moreparty@sbcglobal.net>, relay=none, delay=8918, delays=8917/0.4/0/0.19, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mx2.sbcglobal.am0.yahoodns.net[98.136.217.192] refused to talk to me: 421 4.7.0 [TS01] Messages from 5.135.161.16 temporarily deferred - 4.16.55.1; see http://postmaster.yahoo.com/errors/421-ts01.html)
Aug 10 19:04:18 pa-errard postfix/error[7474]: E6935C3128: to=<jwilson011@woh.rr.com>, relay=none, delay=8938, delays=8938/0.02/0/0.19, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with hrndva-smtpin02.mail.rr.com[71.74.56.244] while sending RCPT TO)
Aug 10 19:04:18 pa-errard postfix/error[7573]: 8A89FC1F80: to=<cottagebell.apts@sbcglobal.net>, relay=none, delay=8997, delays=8996/0.41/0/0.19, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mx2.sbcglobal.am0.yahoodns.net[98.136.217.192] refused to talk to me: 421 4.7.0 [TS01] Messages from 5.135.161.16 temporarily deferred - 4.16.55.1; see http://postmaster.yahoo.com/errors/421-ts01.html)
Aug 10 19:04:18 pa-errard postfix/error[7371]: D6558C368D: to=<jparcari@comcast.net>, relay=none, delay=8754, delays=8753/0.07/0/1.4, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx1.comcast.net[68.87.26.147] refused to talk to me: 421 imta37.westchester.pa.mail.comcast.net comcast Try again later)
Aug 10 19:04:18 pa-errard postfix/smtp[7461]: 176B6C228C: to=<nabbb@bright.net>, relay=none, delay=9418, delays=9417/0.16/0.98/0, dsn=4.4.1, status=deferred (connect to inbound4.bright.net[209.143.0.26]:25: Connection refused)
Aug 10 19:04:18 pa-errard postfix/error[7517]: E34AEC3122: to=<marywitk@cox.net>, relay=none, delay=8939, delays=8939/0/0/0.17, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.east.cox.net[68.1.17.3] refused to talk to me: 554 eastrmimpi312 cox 5.135.161.16 blocked.  Error Code: IPBL0100 - Refer to Error Codes section at http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more information.)
Aug 10 19:04:18 pa-errard postfix/error[7584]: F2A0CC331F: to=<lindag@tampabay.rr.com>, relay=none, delay=8867, delays=8867/0.18/0/0.19, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with hrndva-smtpin02.mail.rr.com[71.74.56.244] while sending RCPT TO)
Aug 10 19:04:18 pa-errard postfix/error[7406]: E237EC30C1: to=<renco66@cox.net>, relay=none, delay=8949, delays=8949/0/0/0.12, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.east.cox.net[68.1.17.3] refused to talk to me: 554 eastrmimpi312 cox 5.135.161.16 blocked.  Error Code: IPBL0100 - Refer to Error Codes section at http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more information.)
Aug 10 19:04:18 pa-errard postfix/error[7479]: E7725C3208: to=<jlane8275@cox.net>, relay=none, delay=8904, delays=8904/0/0/0.15, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.east.cox.net[68.1.17.3] refused to talk to me: 554 eastrmimpi312 cox 5.135.161.16 blocked.  Error Code: IPBL0100 - Refer to Error Codes section at http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more information.)
Aug 10 19:04:18 pa-errard postfix/error[7482]: EFA49C64FB: to=<drekar@cox.net>, relay=none, delay=7056, delays=7056/0/0/0.13, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.east.cox.net[68.1.17.3] refused to talk to me: 554 eastrmimpi312 cox 5.135.161.16 blocked.  Error Code: IPBL0100 - Refer to Error Codes section at http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more information.)
Aug 10 19:04:18 pa-errard postfix/error[7336]: D0210C650C: to=<jolinesullivan@yahoo.com>, relay=none, delay=7053, delays=7052/0.05/0/1.4, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mta5.am0.yahoodns.net[66.196.118.35] refused to talk to me: 421 4.7.0 [TS01] Messages from 5.135.161.16 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Aug 10 19:04:18 pa-errard postfix/error[7331]: DDF68C30FB: to=<burt0591@yahoo.com>, relay=none, delay=8945, delays=8944/0.95/0/0.5, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mta5.am0.yahoodns.net[66.196.118.35] refused to talk to me: 421 4.7.0 [TS01] Messages from 5.135.161.16 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Aug 10 19:04:18 pa-errard postfix/error[7348]: D57EEC3226: to=<velvetw2002@yahoo.com>, relay=none, delay=8900, delays=8899/0.06/0/1.4, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mta5.am0.yahoodns.net[66.196.118.35] refused to talk to me: 421 4.7.0 [TS01] Messages from 5.135.161.16 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Aug 10 19:04:18 pa-errard postfix/error[7577]: ED5B8C3141: to=<ricknroni@cox.net>, relay=none, delay=8934, delays=8934/0.01/0/0.19, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.east.cox.net[68.1.17.3] refused to talk to me: 554 eastrmimpi312 cox 5.135.161.16 blocked.  Error Code: IPBL0100 - Refer to Error Codes section at http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more information.)
Aug 10 19:04:18 pa-errard postfix/error[7514]: F00B8C330C: to=<markhibbert@cox.net>, relay=none, delay=8869, delays=8869/0.17/0/0.19, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.east.cox.net[68.1.17.3] refused to talk to me: 554 eastrmimpi312 cox 5.135.161.16 blocked.  Error Code: IPBL0100 - Refer to Error Codes section at http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more information.)
Aug 10 19:04:18 pa-errard postfix/error[7580]: D78FBC62F5: to=<jaimetrek@yahoo.com>, relay=none, delay=7136, delays=7135/0.95/0/0.5, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mta5.am0.yahoodns.net[66.196.118.35] refused to talk to me: 421 4.7.0 [TS01] Messages from 5.135.161.16 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Aug 10 19:04:18 pa-errard postfix/error[7600]: F244DC3117: to=<deeona3@cox.net>, relay=none, delay=8941, delays=8941/0.05/0/0.19, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.east.cox.net[68.1.17.3] refused to talk to me: 554 eastrmimpi312 cox 5.135.161.16 blocked.  Error Code: IPBL0100 - Refer to Error Codes section at http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more information.)
Aug 10 19:04:18 pa-errard postfix/error[7570]: E09C4C2E44: to=<mk.ruffing@roadrunner.com>, relay=none, delay=9031, delays=9031/0/0/0.15, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with cdptpa-smtpin02.mail.rr.com[75.180.132.244] while sending RCPT TO)
Aug 10 19:04:18 pa-errard postfix/qmgr[25094]: 677A9C253B: from=<>, size=13705, nrcpt=1 (queue active)

[Senaku-seishin]

Regarde du côté de fail2ban

[tetzispa]

j'aurai du préciser, j'ai mis fail2ban, ça change rien

[tetzispa]

personne n'a donc eu de problème avec postfix en se faisant flood et n'a trouver de réponse pour contrer ça ? je trouve ça étonnant quand même -_-

[tetzispa]

bon bah j'ai trouvé tout seul par hasard

faille bidon XSS via une page php toute bête ...

coupure du serveur apache : plus de spam

suppression des mails en queue :

postsuper -d ALL
postsuper: Deleted: 28469 messages

problème réglé avec correction de la faille XSS ...