From 8ef4eed8bd39ad4cd72ee48818a774aeebd485e1 Mon Sep 17 00:00:00 2001 From: Andreas Baumann Date: Fri, 29 Mar 2019 14:36:48 +0100 Subject: published mail blog entry --- content/blog/mail-disaster.md | 46 ++++++++++++++++++++++++++----------------- 1 file changed, 28 insertions(+), 18 deletions(-) diff --git a/content/blog/mail-disaster.md b/content/blog/mail-disaster.md index ea18bbe..d7c3545 100644 --- a/content/blog/mail-disaster.md +++ b/content/blog/mail-disaster.md @@ -3,7 +3,6 @@ title = "Mail Problems" categories = [ "Mail", "Linux", "Security" ] date = "2019-03-29T12:58:31+01:00" thumbnail = "/images/blog/mail-disaster/mail-disaster.png" -draft = true +++ ## History @@ -29,17 +28,20 @@ went to sleep. Of course this was not the case: I had a weak password in one account of my mailserver (which allowed any legitimate Linux user to send -emails). So, my thinking went along the lines: well, some weeks ago +emails). This caused all those DNS lookups for my domain on the +BuddNS DNS servers. + +So, my thinking went along the lines: well, some weeks ago I replaced the SD card, because the old one was worn out, I cannot remember whether I replaced all standard passwords. My suspicion got -confirmed when I saw the maillog sending from the email address: +confirmed when I saw the following line in the my mail log: ``` From: "George" ``` -Swearing big times about my own stupidity (the default password is - well - -weak) I started cleaning up the mess. +Swearing big times about my own stupidity (the default password for the +'alarm' account is - well - weak) I started cleaning up the mess. Checking my mail server logs I found that all attacks went via one single IP (185.228.80.18). So just blocking the firewall was the fastest way to 
@@ -48,7 +50,7 @@ fix the tousands of spam email being sent via my now-defacto-open mail relay. ## Checking status There are various helpfull tools to check about the status of your mail -server. I picked the https://mxtoolbox.com/. This is what I got: +server. I picked https://mxtoolbox.com/. This is what I got: ``` dmarc andreasbaumann.cc DNS Record not found @@ -62,9 +64,7 @@ server. I picked the https://mxtoolbox.com/. This is what I got: mx andreasbaumann.cc DMARC Quarantine/Reject policy not enabled ``` -I also like the results from - -http://zy0.de/q/83.150.2.48 +I also like the results from http://zy0.de/q/83.150.2.48: {{< figure src="/images/blog/mail-disaster/zy0_de.png" alt="zy0_de check resulst for 83.150.2.48" >}} @@ -203,7 +203,7 @@ Record removed. The published list is updated hourly, so changes may not show im https://www.spamcop.net/w3m?action=checkblock&ip=83.150.2.48 -I filed in the provided form. +I filled in the provided form. ### IBM DNS @@ -227,7 +227,8 @@ https://support.google.com/mail/contact/msgdelivery The postmaster tools are not a big help, really, I registered nonetheless. I got reject till March 28th, as far as I can tell the domain reputation below -is one of the worst ones you can get and the only option is to wait: +is one of the worst ones you can get and the only option is to wait some weeks +after filling in the forms: ``` Our system has detected that this message 
@@ -235,20 +236,29 @@ is 550-5.7.1 likely suspicious due to the very low reputation of the sending 550-5.7.1 domain ``` -## Course of Action for better mail service +## Course of Action for a better mail service I made sure, I have some security standards in place, so that -at least faking the domain is not so simple: -[SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework), -[DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) and -[DMARC](https://en.wikipedia.org/wiki/DMARC). +at least faking the domain in the 'From:' field is not so simple: + +* [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework): Sender Policy Framework +* [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail): Domain Keys Identified Mail +* [DMARC](https://en.wikipedia.org/wiki/DMARC): Domain-based Message Authentication, Reporting and Conformance Those things don't help against a broken account on the mail server, as in my case, but they provide positive rating for emails being judged in the future, and they are simple to implement. -And of course, I deleted the 'alarm' account on the machine. :-) +I also added a list of accounts/emails to the postfix configuration. +Only those accounts are allowed to send emails from the host. +Even if this means you have to generate the entry in '/etc/passwd' +and another one in that postfix list. This makes sure, +no "rogue" Linux account can be abused for sending emails, when +compromised. +I added myself to the [DNSWL](https://www.dnswl.org) white list too. + +And of course, I deleted the 'alarm' account on the machine. :-) ## References @@ -256,4 +266,4 @@ And of course, I deleted the 'alarm' account on the machine. :-) * http://zy0.de/ * https://en.wikipedia.org/wiki/Sender_Policy_Framework * https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail - +* https://en.wikipedia.org/wiki/DMARC -- cgit v1.2.3-54-g00ecf
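Review bot: in the "@@ -29,17 +28,20" hunk the new sentence "confirmed when I saw the following line in the my mail log" has a stray "the" ("in my mail log"), and the added "This caused all those DNS lookups for my domain on the BuddNS DNS servers" introduces a name the post never explains; either say what BuddNS is and why its lookups were the first symptom, or drop the sentence. The context line "So just blocking the firewall was the fastest way" should read "blocking that IP at the firewall", since the IP (185.228.80.18) is what was blocked, not the firewall.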
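Review bot: the "@@ -48,7 +50,7" and "@@ -62,9 +64,7" hunks touch lines next to three typos that survive the commit: "tousands" and "helpfull" in the status section, and "resulst" in the figure alt text; fix them to "thousands", "helpful" and "results" while this file is open.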
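Review bot: in the "@@ -227,7 +227,8" hunk, "I got reject till March 28th" should read "I got rejects until March 28th"; the added "wait some weeks after filling in the forms" is fine as the author's observation but reads better as "wait, in my case some weeks, after filling in the forms".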
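Review bot: in the "@@ -235,20 +236,29" hunk, the new Postfix paragraph ("I also added a list of accounts/emails to the postfix configuration") is the mitigation that actually closes the hole the post describes, but it names no setting, so readers cannot reproduce it; state which restriction implements the list (the usual Postfix mechanism is a sender login map, `smtpd_sender_login_maps`, enforced with `reject_sender_login_mismatch`) and show one entry of the map. The sentence "Even if this means you have to generate the entry in '/etc/passwd' and another one in that postfix list." is a fragment and should be joined to the previous one ("... allowed to send emails from the host, even if this means ..."). In the bullet list, "Domain Keys Identified Mail" should be "DomainKeys Identified Mail", matching the link text. Since the mxtoolbox output earlier in the file flags "DMARC Quarantine/Reject policy not enabled", the DMARC bullet should also say which policy was published, because only quarantine or reject makes spoofing the 'From:' domain "not so simple" as the paragraph claims.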
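Review bot: the "@@ -256,4 +266,4" hunk adds the DMARC link to the References, but the body now also links https://www.dnswl.org; add that URL to the list as well so the references match the text.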