Resolved Sending mails without authentication?

[kojot]

Hello,
recently I had malware on some wordpress site, and that malware was send too many mails...
Somehow I fix, found scripts, and there is no problem anymore...

But, next thing is so strange for me.
I created one mailbox (same domain like cleaned WP) and when I add it to Outlook for example, I don't need to check "My outgoing server (SMTP) requires authentification - Use same settings as my incoming mail server".
So, My Outlook can send mails without authentification?
In Plesk Panel I set that authorization is required like you can see...




Now, I added that mailbox to new profile in outlook, and I purposely made a mistake, type wrong password, and I got this...



So Outlook successes to send test e-mail...

What could be a problem.
Is my Server open relay?

Also, I telnet from my PC on server and I got "Relay access denied"



Is there some Plesk script which can help me to reconfigure mail settings to default?

 

[UFHH01]

Hi CoyoteKG,

Is my Server open relay?

http://mxtoolbox.com/domain/africka-sljiva.ex4.info/

=>

blacklist mail.ex4.info Blacklisted by FABELSOURCES
blacklist mail.ex4.info Blacklisted by SORBS SPAM
blacklist ex4.info Blacklisted by FABELSOURCES
blacklist ex4.info Blacklisted by SORBS SPAM

... but "NO", your server is currently not an open relay.​

Is there some Plesk script which can help me to reconfigure mail settings to default?

Plesk 12.5 offers the "repair utility", with automatic diagnose and repair funtionality.

Plesk Repair Utility ( Plesk 12.5. online documentation )​

To investigate issues/problems/errors, it is always wise to include log - files, or depending log - file - entries - it reduces guessing and digging in the dark for people willing to help you. In addition, it might be as well a good idea to include informations about te current operating system, the Plesk version ( incl. MU! ) and it is never wrong to include configuration files, so that investigations are far easier.

Plesk for Linux services logs and configuration files ( KB - article: 111 283 )​

Sometimes, it is as well a good idea to change the log - level, to get more informations in psa - log - files:

How to enable/disable debug logging in Plesk 11.5 and up? ( KB - article 120 101 )​

 

[kojot]

Hi @UFHH01
Thank you for your replay.
Unfortunately I'm not very well with linux and administration like this. So my every try to solving problem is, like you said, "digging in the dark".
But you helped me...

I totally forgot that I listen advice from your colleague, how to catch malware... He gave to me this link before few months. And I checked that /var/tmp/mail.send file, and it was empty. I totally forgot to do next steps, to back everything.

# rm -f /usr/sbin/sendmail.postfix
# mv /usr/sbin/sendmail.postfix-bin /usr/sbin/sendmail.postfix

But I did that now.

Also, In first message I said that Outlook succeed to send test mail, but after that i tried to send one mail to mail-tester... And immediately I got next respond

Your message did not reach some or all of the intended recipients.
Subject: test
Sent: 6/29/2016 9:09 PM
The following recipient(s) cannot be reached:
'web-38Of7y@mail-tester.com' on 6/29/2016 9:09 PM
Server error: '454 4.7.1 <web-38Of7y@mail-tester.com>: Relay access denied'

So, definitely my mail server is not open relay .

So...
My Operating system is: Debian 8.2
Plesk version: v12.5.30_build1205150826.19 #38
mail logs, and master.cf and main.cf files are attached.

For now I have not questions, but if you find a time, please look those files, and if you have some suggestion, I will gladly receive it

Thanks.

 

[UFHH01]

Hi CoyoteKG,

the first thing I noticed, were some common intruders, as you can see here:

Jun 29 20:54:55 africka-sljiva plesk_saslauthd[25670]: No such user 'john@ex4.info' in mail authorization database
Jun 29 20:54:55 africka-sljiva plesk_saslauthd[25670]: failed mail authenticatication attempt for user 'john@ex4.info' (password len=5)
Jun 29 20:54:55 africka-sljiva postfix/smtpd[25667]: warning: 173-164-154-100-SFBA.hfc.comcastbusiness.net[173.164.154.100]: SASL LOGIN authentication failed: authentication failure
Jun 29 20:54:56 africka-sljiva plesk_saslauthd[25670]: No such user 'john@ex4.info' in mail authorization database
Jun 29 20:54:56 africka-sljiva plesk_saslauthd[25670]: failed mail authenticatication attempt for user 'john@ex4.info' (password len=9)
Jun 29 20:54:56 africka-sljiva postfix/smtpd[25667]: warning: 173-164-154-100-SFBA.hfc.comcastbusiness.net[173.164.154.100]: SASL LOGIN authentication failed: authentication failure
Jun 29 20:54:57 africka-sljiva plesk_saslauthd[25670]: No such user 'john@ex4.info' in mail authorization database
Jun 29 20:54:57 africka-sljiva plesk_saslauthd[25670]: failed mail authenticatication attempt for user 'john@ex4.info' (password len=7)
Jun 29 20:54:57 africka-sljiva postfix/smtpd[25667]: warning: 173-164-154-100-SFBA.hfc.comcastbusiness.net[173.164.154.100]: SASL LOGIN authentication failed: authentication failure
Jun 29 20:54:57 africka-sljiva plesk_saslauthd[25670]: No such user 'john@ex4.info' in mail authorization database
Jun 29 20:54:57 africka-sljiva plesk_saslauthd[25670]: failed mail authenticatication attempt for user 'john@ex4.info' (password len=8)
Jun 29 20:54:57 africka-sljiva postfix/smtpd[25667]: warning: 173-164-154-100-SFBA.hfc.comcastbusiness.net[173.164.154.100]: SASL LOGIN authentication failed: authentication failure
Jun 29 20:54:58 africka-sljiva plesk_saslauthd[25670]: No such user 'john@ex4.info' in mail authorization database
Jun 29 20:54:58 africka-sljiva plesk_saslauthd[25670]: failed mail authenticatication attempt for user 'john@ex4.info' (password len=4)
Jun 29 20:54:58 africka-sljiva postfix/smtpd[25667]: warning: 173-164-154-100-SFBA.hfc.comcastbusiness.net[173.164.154.100]: SASL LOGIN authentication failed: authentication failure
Jun 29 20:54:59 africka-sljiva plesk_saslauthd[25670]: No such user 'john@ex4.info' in mail authorization database
Jun 29 20:54:59 africka-sljiva plesk_saslauthd[25670]: failed mail authenticatication attempt for user 'john@ex4.info' (password len=10)
Jun 29 20:54:59 africka-sljiva postfix/smtpd[25667]: warning: 173-164-154-100-SFBA.hfc.comcastbusiness.net[173.164.154.100]: SASL LOGIN authentication failed: authentication failure
Jun 29 20:55:00 africka-sljiva plesk_saslauthd[25670]: No such user 'john@ex4.info' in mail authorization database
Jun 29 20:55:00 africka-sljiva plesk_saslauthd[25670]: failed mail authenticatication attempt for user 'john@ex4.info' (password len=6)
Jun 29 20:55:00 africka-sljiva postfix/smtpd[25667]: warning: 173-164-154-100-SFBA.hfc.comcastbusiness.net[173.164.154.100]: SASL LOGIN authentication failed: authentication failure
Jun 29 20:55:00 africka-sljiva plesk_saslauthd[25670]: No such user 'john@ex4.info' in mail authorization database
Jun 29 20:55:00 africka-sljiva plesk_saslauthd[25670]: failed mail authenticatication attempt for user 'john@ex4.info' (password len=5)
Jun 29 20:55:00 africka-sljiva postfix/smtpd[25667]: warning: 173-164-154-100-SFBA.hfc.comcastbusiness.net[173.164.154.100]: SASL LOGIN authentication failed: authentication failure
Jun 29 20:55:01 africka-sljiva plesk_saslauthd[25670]: No such user 'john@ex4.info' in mail authorization database
Jun 29 20:55:01 africka-sljiva plesk_saslauthd[25670]: failed mail authenticatication attempt for user 'john@ex4.info' (password len=9)
Jun 29 20:55:01 africka-sljiva postfix/smtpd[25667]: warning: 173-164-154-100-SFBA.hfc.comcastbusiness.net[173.164.154.100]: SASL LOGIN authentication failed: authentication failure
Jun 29 20:55:02 africka-sljiva plesk_saslauthd[25670]: No such user 'john@ex4.info' in mail authorization database
Jun 29 20:55:02 africka-sljiva plesk_saslauthd[25670]: failed mail authenticatication attempt for user 'john@ex4.info' (password len=6)
Jun 29 20:55:02 africka-sljiva postfix/smtpd[25667]: warning: 173-164-154-100-SFBA.hfc.comcastbusiness.net[173.164.154.100]: SASL LOGIN authentication failed: authentication failure
Jun 29 20:55:06 africka-sljiva plesk_saslauthd[25670]: No such user 'john@ex4.info' in mail authorization database
Jun 29 20:55:06 africka-sljiva plesk_saslauthd[25670]: failed mail authenticatication attempt for user 'john@ex4.info' (password len=9)
Jun 29 20:55:06 africka-sljiva postfix/smtpd[25667]: warning: 173-164-154-100-SFBA.hfc.comcastbusiness.net[173.164.154.100]: SASL LOGIN authentication failed: authentication failure
Jun 29 20:55:10 africka-sljiva plesk_saslauthd[25670]: No such user 'john@ex4.info' in mail authorization database
Jun 29 20:55:10 africka-sljiva plesk_saslauthd[25670]: failed mail authenticatication attempt for user 'john@ex4.info' (password len=1)
Jun 29 20:55:10 africka-sljiva postfix/smtpd[25667]: warning: 173-164-154-100-SFBA.hfc.comcastbusiness.net[173.164.154.100]: SASL LOGIN authentication failed: authentication failure
Jun 29 20:55:13 africka-sljiva postfix/smtpd[25667]: disconnect from 173-164-154-100-SFBA.hfc.comcastbusiness.net[173.164.154.100]

Pls. consider to use Fail2Ban ( jail = "[plesk-postfix]" / filter = "postfix-sasl" ) for such intruders :

# Fail2Ban filter for postfix authentication failures
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix(-\w+)?/(submission/)?smtp(d|s)

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*$

ignoreregex = authentication failed: Connection lost to authentication server$

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service


# Author: Yaroslav Halchenko

... and don't forget to use the "recidive" - jail as well, so that returning intruders will get banned faster and for a longer time.


Second I saw in your mail.log

Jun 29 20:43:54 africka-sljiva postfix/qmgr[24600]: 0651B26819D4: from=<noreply@dmarc.yahoo.com>, size=3269, nrcpt=1 (queue active)

"Normally", there is nothing wrong to configure DMARC - records as :

v=DMARC1; p=reject; rua=mailtoostmaster@ceman.info, mailto:dmarc@ceman.info
​

... but this will lead to a huge amount of spam from domains, who thinks that it is necessary to inform you about eMails they received from spammers, with your spoofed - domain-name. Often enough, the receiving mail - server doesn't really check the eMail - headers correctly and the result is, that spam - mails start as well the process to inform the configured eMail at your DMARC - record about an undelivered eMail. This is really a bad habbit from receiving mail - servers, which can be pretty annoying after a while and as you may have noticed, even yahoo, hotmail, or other big freemailer does it. Consider to use an eMail - adress, which you don't monitor, or consider a cronjob to delete these useless information - eMails.



Third, let's have a look at your "main.cf".
You have set

smtpd_sasl_auth_enable = yes

... but you are missing additional security as for example:

smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous

and instead of

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

... I recommend to use:

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unlisted_recipient, reject_unlisted_sender

Fourth, ( for your "master.cf" ), I recommend to have a look at: => #11 ( Plesk - Forum - link )

 

[kojot]

Hello UFHH01

firstly, thank you for very detailed helping!!!!

(first thing)
I installed fail2ban before few months, and just activated jails... But I did not know that I need to configure it and how to do that.


Can I just paste that code there instead iptables-multiport[name="plesk-postfix", port="smtp,smtps,submission"] ?
And what Action to Select? Is it wise to block on all ports or that is not need...


(Second)
This server we did not use for mails, and that DMARC was my practice to set it because mxtoolbox and mail-tester recomended it to set...... Maybe is easier to delete it from records... dkim and spf is good enough I think...


(Third)
I don't remember when I set it, but I will listen your advice and I will set like you recommended. Thanks!


(Fourth)
Thank you again, I'll read it now and try to understand and set.


Once more, I'm very grateful for your time!

 

[IgorG]

Once more, I'm very grateful for your time!

JFYI:

 

[kojot]

I liked id already, and choose like "Best answer"

 

[kojot]

I installed fail2ban before few months, and just activated jails... But I did not know that I need to configure it and how to do that.

Can I just paste that code there instead iptables-multiport[name="plesk-postfix", port="smtp,smtps,submission"] ?
And what Action to Select? Is it wise to block on all ports or that is not need...


Once more, I'm very grateful for your time!

I found great guide here for wordpress jail, and I see how to use fail2ban...
Thx