Mail server allows sending spam to hosted mailboxes

I have an issue on both of my servers (one Postfix + Dovecot, one Zimbra). Some robots send spam to our hosted mailboxes without logging in, using the same address as FROM and RCPT. It seems Google had the same issue too: https://www.theverge.com/2018/4/22/17268740/gmail-spam-email-spoofed-header-google

So our mailboxes are getting spam emails from themselves. But these spammers can't send from external mailboxes (ones not hosted by our server).

These spammers don't use a remote SMTP server to send the email; if they did, our SPF policy would block them.

These spammers use our SMTP server to send to our local mailboxes with the same FROM and RCPT.

The server is not an open relay.

Example: we host these mailboxes:

  1. test@example.com
  2. boby@example.com

A robot sends spam from test@example.com to test@example.com using our SMTP server.

But this also works: test@example.com to boby@example.com, using our SMTP server, without a password.

How can I prevent this?

My main.cf: https://pastebin.com/V1KYuKTk

My telnet test:

Connection: opening to mail2test.domain.tld:25, timeout=300, options=array ()
Connection: opened
SERVER -> CLIENT: 220 mail2test.domain.tld ESMTP Postfix (Debian/GNU)
CLIENT -> SERVER: EHLO tools.test.com
SERVER -> CLIENT: 250-mail2test.domain.tld
                 250-PIPELINING
                 250-SIZE 50240000
                 250-VRFY
                 250-ETRN
                 250-STARTTLS
                 250-AUTH PLAIN LOGIN
                 250-AUTH=PLAIN LOGIN
                 250-ENHANCEDSTATUSCODES
                 250-8BITMIME
                 250 DSN
CLIENT -> SERVER: STARTTLS
SERVER -> CLIENT: 220 2.0.0 Ready to start TLS
CLIENT -> SERVER: EHLO tools.test.com
SERVER -> CLIENT: 250-mail2test.domain.tld
                 250-PIPELINING
                 250-SIZE 50240000
                 250-VRFY
                 250-ETRN
                 250-AUTH PLAIN LOGIN
                 250-AUTH=PLAIN LOGIN
                 250-ENHANCEDSTATUSCODES
                 250-8BITMIME
                 250 DSN
CLIENT -> SERVER: MAIL FROM: <test@mail2test.domain.tld>
SERVER -> CLIENT: 250 2.1.0 Ok
CLIENT -> SERVER: RCPT TO: <test@mail2test.domain.tld>
SERVER -> CLIENT: 250 2.1.5 Ok
CLIENT -> SERVER: DATA
SERVER -> CLIENT: 354 End data with .
CLIENT -> SERVER: Date: Thu, 19 Apr 2018 15:13:20 +0000
CLIENT -> SERVER: To: test@mail2test.domain.tld
CLIENT -> SERVER: From: Test SMTP Test 
CLIENT -> SERVER: Subject: Test SMTP Test Message
CLIENT -> SERVER: Message-ID: <4a50b5853919acdfe9237d71982be37b@blog.test.com>
CLIENT -> SERVER: MIME-Version: 1.0
CLIENT -> SERVER: Content-Type: text/plain; charset=iso-8859-1
CLIENT -> SERVER:
CLIENT -> SERVER: This message was sent using the Test SMTP testing tool by this user:
CLIENT -> SERVER: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.124 Safari/537.36
CLIENT -> SERVER: xxx.xxx.xxx.xxx
CLIENT -> SERVER:
CLIENT -> SERVER: .
SERVER -> CLIENT: 250 2.0.0 Ok: queued as A86F61383C
CLIENT -> SERVER: QUIT
SERVER -> CLIENT: 221 2.0.0 Bye
Connection: closed

My mail.log:

Apr 19 17:13:21 mail2 postfix/smtpd[26584]: A86F61383C: client=tools.test.com[96.126.113.160]
Apr 19 17:13:22 mail2 postfix/cleanup[26589]: A86F61383C: message-id=<4a50b5853919acdfe9237d71982be37b@blog.test.com>
Apr 19 17:13:22 mail2 postfix/qmgr[26511]: A86F61383C: from=<test@mail2test.domain.tld>, size=795, nrcpt=1 (queue active)
Apr 19 17:13:25 mail2 postfix/smtp[26591]: A86F61383C: to=<test@mail2test.domain.tld>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.5, delays=0.49/0.01/0.01/3, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=02360-01, from MTA: 250 2.0.0 Ok: queued as ED1FF1383D)
Apr 19 17:13:25 mail2 postfix/qmgr[26511]: A86F61383C: removed

My current SPF:

mail2test.domain.tld.   299 IN  TXT "v=spf1 a mx -all"

Neither the A nor the MX record points to 96.126.113.160.

The email I got:

Return-Path: <test@mail2test.domain.tld>
Delivered-To: test@mail2test.domain.tld
Received: from localhost (localhost [127.0.0.1])
    by mail2test.domain.tld (Postfix) with ESMTP id 1421713802
    for <test@mail2test.domain.tld>; Thu, 19 Apr 2018 17:13:45 +0200 (CEST)
Received: from mail2test.domain.tld ([xxx.xxx.xxx.xxx])
 by localhost (mail2test.domain.tld [127.0.0.1]) (amavisd-maia, port 10024)
 with ESMTP id 02355-01 for <test@mail2test.domain.tld>;
 Thu, 19 Apr 2018 17:13:25 +0200 (CEST)
Received: from tools.test.com (tools.test.com [96.126.113.160])
    by mail2test.domain.tld (Postfix) with ESMTP id A86F61383C
    for <test@mail2test.domain.tld>; Thu, 19 Apr 2018 17:13:25 +0200 (CEST)
Date: Thu, 19 Apr 2018 15:13:23 +0000
To: test@mail2test.domain.tld
From: Wormly SMTP Test <test@mail2test.domain.tld>
Subject: Wormly SMTP Test Message
Message-ID: <4a50b5853919acdfe9237d71982be37b@blog.test.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
X-Virus-Scanned: Test Mail 0.1

This message was sent using the Wormly SMTP testing tool by this user:
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.124 Safari/537.36
xxx.xxx.xxx.xxx
1
asked 23 April 2018 at 15:44

1 answer

The problem you most likely have is that the To address matches, so the email is accepted. This is not a relay problem, and it is a very common setup.

One way, perhaps the simplest and best way depending on your use case, is to make sure your mail servers honour SPF records and to set SPF records for your domains. This means that people who purport to send email without authentication from an IP address that is not your mail server will be rejected.

2
answered 3 December 2019 at 20:15
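To make the answer's recommendation concrete, here is an added example (not code from the question, the answer, or Postfix itself) that evaluates the posted scenario: an unauthenticated client at 96.126.113.160 issues MAIL FROM <test@mail2test.domain.tld>, while the domain publishes "v=spf1 a mx -all" and its A/MX records point elsewhere. The evaluator implements only the a, mx, ip4 and all mechanisms with their qualifiers, and the DNS data is a constructed table (the 203.0.113.x addresses are made up) so it runs offline; the decision strings mimic the action words of a Postfix SMTPD policy server, which is how a real deployment would hook such a check into smtpd_recipient_restrictions.

```python
"""Minimal SPF evaluator (subset of RFC 7208: a, mx, ip4, all) with an
offline DNS table, applied as the answer suggests: unauthenticated clients
claiming one of our own domains must pass SPF. Added example, not original.
"""
import ipaddress

# Constructed DNS data modelled on the question. The TXT record is the one
# posted; the A/MX addresses are invented and deliberately exclude
# 96.126.113.160, the IP the test tool connected from.
FAKE_DNS = {
    ("mail2test.domain.tld", "TXT"): ["v=spf1 a mx -all"],
    ("mail2test.domain.tld", "A"): ["203.0.113.25"],
    ("mail2test.domain.tld", "MX"): ["mx.mail2test.domain.tld"],
    ("mx.mail2test.domain.tld", "A"): ["203.0.113.26"],
}

# Domains whose mailboxes this server hosts (assumed, from the question).
HOSTED_DOMAINS = {"mail2test.domain.tld"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype, dns=FAKE_DNS):
    """Offline stand-in for a DNS query; returns [] when nothing is published."""
    return dns.get((name.lower(), rtype), [])


def check_spf(client_ip, mail_from, dns=FAKE_DNS):
    """Return pass/fail/softfail/neutral/none for the envelope sender domain.

    SPF is evaluated against the MAIL FROM domain, not the header From.
    """
    ip = ipaddress.ip_address(client_ip)
    domain = mail_from.rsplit("@", 1)[-1].lower()
    records = [t for t in lookup(domain, "TXT", dns) if t.lower().startswith("v=spf1 ")]
    if len(records) != 1:
        return "none"  # no record, or ambiguous records: nothing to enforce
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = any(ip == ipaddress.ip_address(a) for a in lookup(target, "A", dns))
        elif mech == "mx":
            matched = any(ip == ipaddress.ip_address(a)
                          for mx in lookup(target, "MX", dns)
                          for a in lookup(mx, "A", dns))
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            continue  # include, exists, ptr, ip6 are not implemented in this example
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # record exhausted without a match and without an "all"


def smtpd_decision(client_ip, mail_from, authenticated, dns=FAKE_DNS):
    """Policy in the spirit of the answer, phrased like a Postfix policy action.

    Authenticated submissions are never touched, so legitimate users on
    dynamic IPs keep working; only unauthenticated use of our own domains
    must pass SPF.
    """
    if authenticated:
        return "DUNNO"
    domain = mail_from.rsplit("@", 1)[-1].lower()
    if domain not in HOSTED_DOMAINS:
        return "DUNNO"  # foreign domains: leave to the normal inbound checks
    if check_spf(client_ip, mail_from, dns) == "fail":
        return "REJECT SPF fail: %s is not authorized to send for %s" % (client_ip, domain)
    return "DUNNO"


if __name__ == "__main__":
    # The posted transcript: tools.test.com[96.126.113.160] claiming our domain.
    print(smtpd_decision("96.126.113.160", "test@mail2test.domain.tld", authenticated=False))
    # The same claim from the domain's own A record, and an authenticated user.
    print(smtpd_decision("203.0.113.25", "test@mail2test.domain.tld", authenticated=False))
    print(smtpd_decision("96.126.113.160", "test@mail2test.domain.tld", authenticated=True))
```

Two caveats before enforcing this on a live server: the check must exempt authenticated sessions (and anything listed in mynetworks), or every roaming user who submits through port 25 without AUTH will be rejected along with the spammers; and an SPF record ending in ~all or ?all, as many domains publish, yields softfail/neutral rather than fail, so the reject only fires for a domain whose record ends in -all as the one in the question does.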
