Resolved SMTP SASL Unknown User sending spam?

[ScottGoddard]

It seems I have a problem with SMTP authorisation and my server is sending out spam from a user that does not seem to exist. The logfile below has been anonimised and show one of the spam emails sent.

As far as I can see there is no user called 'barry' within Plesk although it does form part of other usernames such as 'barry.smith@mydomain.co.uk' or 'barry@myotherdomain.co.uk'

Any ideas how to resolve this? How do I find and delete/change password for this user?

Jun 14 11:36:59 myservername postfix/smtpd[7267]: D6FED6C2BD: client=unknown[106.76.218.41], sasl_method=PLAIN, sasl_username=barry
Jun 14 11:37:01 myservername postfix/cleanup[7198]: D6FED6C2BD: message-id=<403DB68E-E8DB-4E38-822F-2E293FB8370B@mydomain.co.uk>
Jun 14 11:37:01 myservername postfix/qmgr[8066]: D6FED6C2BD: from=<petermharrison@mydomain.co.uk>, size=720, nrcpt=1 (queue active)
Jun 14 11:37:03 myservername postfix/smtp[7173]: D6FED6C2BD: to=<trevor.pathak@targetdomain.co.uk>, relay=targetdomain-co-uk.mail.protection.outlook.com[213.199.180.170]:25, delay=3.9, delays=2/0/0.47/1.4, dsn=2.6.0, status=sent (250 2.6.0 <403DB68E-E8DB-4E38-822F-2E293FB8370B@mydomain.co.uk> [InternalId=131322920045177, Hostname=DBXPR07MB431.eurprd07.prod.outlook.com] 8268 bytes in 0.172, 46.939 KB/sec Queued mail for delivery)
Jun 14 11:37:03 myservername postfix/qmgr[8066]: D6FED6C2BD: removed

 

[UFHH01]

Hi ScottGoddard,

As far as I can see there is no user called 'barry' within Plesk although it does form part of other usernames such as 'barry.smith@mydomain.co.uk' or 'barry@myotherdomain.co.uk'

If you desire help from the Plesk Community, it is essential, that you provide your current configuration files, so that we are able to investigate your root cause of your issue, together with you. At the moment, we can only guess, that you missed to configure postfix correctly.

 

[ScottGoddard]

Postfix has been completely configured by Plesk. I have not edited anything manually.

OS: CentOS 6.9 (Final)‬
Product: Plesk Onyx - Version 17.5.3 Update #9, last updated on June 13, 2017 06:23 PM

The server originally started out as Plesk 10 (I think) and has been updated/upgraded over the years.

I have included main.cf and master.cf (changed to .txt for upload). Unfortunately you do not say which configuration files you require so please let me know what else you need.

 

[UFHH01]

Hi ScottGoddard,

your current configuration

...
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtp_tls_security_level = may
smtp_use_tls = no
...
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated
...
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
...
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client b.barracudacentral.org
...

misses for example:

...
smtp_tls_security_level = may
smtp_use_tls = no

smtpd_tls_security_level = may
smtpd_use_tls = yes

smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = no

...

smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
...

Furthermore, I recommend to use:

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1

 

[ScottGoddard]

I have added in the extra lines and reloaded Postfix but it is still allowing the spam to send

Should I have deleted any of the other lines or just add in the ones that were not there?

 

[UFHH01]

Hi ScottGoddard,

Should I have deleted any of the other lines or just add in the ones that were not there?

You are able to check double entries in your configuration file, by using the SEARCH - option of your used software. Pls. be informed, that later double entries replace the former ones in your postfix configuration files.

Pls. check as well your Plesk settings at:

=> HOME > Tools & Settings > Mail - Server Settings > Relaying

... where you have the option to CLOSE relaying or to setup "authorization is required" with the additional option "SMTP"​

If you updated/upgraded Plesk from previous versions, it can be as well a good idea to change postfix to qmail and backwards to qmail again, so that completely fresh and recommended configuration files are being installed and configured, instead of adding/uncommenting settings in your current configuration files.
The same suggestion is as well applicable for dovecot / courier-imap.


If you made any changes to your configuration files and STILL experiences issues, pls. keep in mind, that you now have to add the NEW configuration files, in order to give people willing to help you the chance to investigate the NEW configuration files.
The very same for your statement:

but it is still allowing the spam to send

Pls. provide the NEW corresponding entries from your mail.log, so that people willing to help you are able to investigate the issue.

Another usefull information is certainly the IP and the FQDN, because people willing to help you are then able to investigate far more, then what you actually provide as informations.

 

[ScottGoddard]

I have switched over to Qmail and that is rejecting the spam as 'Invalid mail address' so it looks as though that has resolved the problem for now. I would prefer to switch back to Postfix eventually but it remains to be seen if the problem will reoccur.

It seems to me that that SASL had an errant (possibly a legacy from past version?) user named 'barry' that did not appear in Plesk but was still active in SASL. Is this possible? If I understand it correctly, the SASL usernames and information is stored in DB files located at /var/spool/postfix/plesk? Is there any way to verify their contents?

 

[UFHH01]

Hi ScottGoddard,

in earlier times, the command:

/usr/local/psa/admin/sbin/mchk --with-spam

could have solved your issues, because this should re-create the SASL db and it's keys, getting the configured and allowed eMail - accounts from your Plesk database.
With Plesk Onyx ( and since Plesk 12 ), you should now use the "Plesk Repair Utility" ( => Plesk Repair Utility ) with the option:

plesk repair mail -v

or

plesk repair mail -y -v

It seems to me that that SASL had an errant (possibly a legacy from past version?) user named 'barry' that did not appear in Plesk but was still active in SASL. Is this possible?

Could be, but could as well be some Plesk database inconsistencies, or possible previous misconfigurations.

Is there any way to verify their contents?

As mentioned before, you have the option to use the "Plesk Repair Utility".

I would prefer to switch back to Postfix eventually but it remains to be seen if the problem will reoccur.

During the process to switch the mail software, a re-creation of the SASL - db and it's keys is included.

 

[ScottGoddard]

Thanks for your help. It certainly seems to working OK at the moment.