[Solved] [Postfix] SASL authentication with bogus username

Today I received an abuse notice from my ISP. Apparently, spam was sent from my IP address. I asked for some extra info and started digging through the log files. And to my astonishment, someone was connecting to my mail server, authenticating with a bogus username against SASL and sending emails through my server.

How is this even possible?

Here is a snippet from the logs

Code:
Apr  1 10:39:23 mail postfix/smtpd[29028]: warning: hostname static-198-124.softronics.ch does not resolve to address 94.242.198.124: Name or service not known
Apr  1 10:39:23 mail postfix/smtpd[29028]: connect from unknown[94.242.198.124]
Apr  1 10:39:23 mail postfix/smtpd[29028]: 709CC41E259: client=unknown[94.242.198.124], sasl_method=LOGIN, sasl_username=fax@mydomain.com
Apr  1 10:39:23 mail postfix/cleanup[29170]: 709CC41E259: message-id=<eb03a1f320b5a7b250080622b32f3901@mydomain.com>
Apr  1 10:39:24 mail postfix/qmgr[29581]: 709CC41E259: from=<fax@mydomain.com>, size=5040, nrcpt=1 (queue active)
Apr  1 10:39:24 mail postfix/smtpd[29028]: disconnect from unknown[94.242.198.124]
Apr  1 10:39:25 mail postfix/smtpd[29055]: connect from mail.mydomain.com[127.0.0.1]
Apr  1 10:39:25 mail postfix/smtpd[29055]: 6CBE141E599: client=mail.mydomain.com[127.0.0.1]
Apr  1 10:39:25 mail postfix/cleanup[28957]: 6CBE141E599: message-id=<eb03a1f320b5a7b250080622b32f3901@mydomain.com>
Apr  1 10:39:25 mail postfix/smtpd[29055]: disconnect from mail.mydomain.com[127.0.0.1]
Apr  1 10:39:25 mail postfix/qmgr[29581]: 6CBE141E599: from=<fax@mydomain.com>, size=5509, nrcpt=1 (queue active)
Apr  1 10:39:25 mail postfix/smtp[28574]: 709CC41E259: to=<mrincodex2003@yahoo.co.uk>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.2, delays=0.8/0/0/1.4, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 6CBE141E599)
Apr  1 10:39:25 mail postfix/qmgr[29581]: 709CC41E259: removed
Apr  1 10:39:26 mail postfix/smtp[28710]: 6CBE141E599: to=<mrincodex2003@yahoo.co.uk>, relay=mx-eu.mail.am0.yahoodns.net[188.125.69.79]:25, delay=0.92, delays=0.2/0/0.1/0.63, dsn=2.0.0, status=sent (250 ok dirdel)
Apr  1 10:39:26 mail postfix/qmgr[29581]: 6CBE141E599: removed

* We do not use the full email-address to authenticate, only the username.
* The user fax, or the email-address fax@mydomain.com, doesn't even exist.
* How could someone authenticate himself as fax@mydomain.com, succeed at this and start sending emails?
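One way to find this pattern before the ISP does is to scan the smtpd log for SASL-authenticated submissions and flag the ones that deserve a look: clients whose reverse DNS did not resolve (Postfix logs them as "unknown") and usernames that are not in the set of accounts expected to submit mail. The script below is an added example and not something from the original post; the log lines are constructed to resemble the excerpt above (the 192.0.2.10 "alice" session is invented), and the expected-account set passed to `suspicious_auths` is an assumption the admin would supply.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the excerpt in the post. The 192.0.2.10
# session is invented to show a legitimate submission for contrast.
SAMPLE_LOG = """\
Apr  1 10:39:23 mail postfix/smtpd[29028]: warning: hostname static-198-124.softronics.ch does not resolve to address 94.242.198.124: Name or service not known
Apr  1 10:39:23 mail postfix/smtpd[29028]: connect from unknown[94.242.198.124]
Apr  1 10:39:23 mail postfix/smtpd[29028]: 709CC41E259: client=unknown[94.242.198.124], sasl_method=LOGIN, sasl_username=fax@mydomain.com
Apr  1 10:39:24 mail postfix/qmgr[29581]: 709CC41E259: from=<fax@mydomain.com>, size=5040, nrcpt=1 (queue active)
Apr  1 10:39:25 mail postfix/smtpd[29028]: disconnect from unknown[94.242.198.124]
Apr  1 10:39:25 mail postfix/smtpd[29055]: 6CBE141E599: client=mail.mydomain.com[127.0.0.1]
Apr  1 11:02:10 mail postfix/smtpd[29101]: connect from laptop.mydomain.com[192.0.2.10]
Apr  1 11:02:11 mail postfix/smtpd[29101]: 8A1B241E300: client=laptop.mydomain.com[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Apr  1 11:02:11 mail postfix/smtpd[29101]: disconnect from laptop.mydomain.com[192.0.2.10]
"""

# Matches the smtpd "client=" line that Postfix writes for an accepted message;
# the sasl_method/sasl_username fields are only present when SASL succeeded.
AUTH_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\],"
    r" sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+)"
)


def parse_sasl_auths(log_text):
    """Return one dict (qid, host, ip, method, user) per SASL-authenticated submission."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def suspicious_auths(events, expected_users):
    """Flag submissions a defender would want to review.

    Reasons: the client had no usable reverse DNS (Postfix logs it as 'unknown'),
    or the SASL username is not in the set of accounts expected to submit mail.
    Postfix logs the username exactly as the client sent it, so the domain part
    is stripped before comparing ('fax@mydomain.com' -> 'fax')."""
    flagged = []
    for ev in events:
        reasons = []
        if ev["host"] == "unknown":
            reasons.append("client hostname does not resolve")
        local_part = ev["user"].split("@", 1)[0]
        if local_part not in expected_users:
            reasons.append("username not in expected submission accounts")
        if reasons:
            flagged.append({**ev, "reasons": reasons})
    return flagged


def auths_per_username(events):
    """Count authenticated submissions per SASL username (spikes are a useful signal)."""
    counts = defaultdict(int)
    for ev in events:
        counts[ev["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_sasl_auths(SAMPLE_LOG)
    for f in suspicious_auths(evs, expected_users={"alice"}):
        print(f"{f['qid']} {f['ip']} {f['user']} ({f['method']}): {'; '.join(f['reasons'])}")
    print(auths_per_username(evs))
```

The local relay hop at 127.0.0.1 (the message coming back from the content filter on port 10025) carries no sasl_ fields, so it is not treated as an authentication, which is correct: only the original submission from the remote client authenticated.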
 
Re: [Postfix] SASL authentication with bogus username

I figured it out, I hope. This thread explained what was going on. After checking again, it turned out the user fax did in fact exist. Somehow I missed that. I think the account didn't have a password, thus allowing easy access. Since I didn't use it anymore, I deleted it.

Anyway, a lesson learned. In a few weeks we get a new mail server. I already decided I was going to use virtual users this time. This experience only confirmed that this is probably the best way to deal with email accounts.
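When SASL authenticates against system accounts, an account with an empty password field is exactly the kind of leftover the reply describes. The check below is an added example, not from the poster: it reads text in shadow(5) format and lists accounts whose password field is empty, separately from locked ones. The sample is constructed and contains no real hashes; on a live system the input would come from /etc/shadow, which requires root to read.

```python
# Constructed sample in /etc/shadow format; hashes and accounts are invented.
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashedhashedhashed:19000:0:99999:7:::
alice:$6$saltsalt$anotherhash:19000:0:99999:7:::
fax::19000:0:99999:7:::
backup:*:19000:0:99999:7:::
nobody:!:19000:0:99999:7:::
"""


def classify_shadow(shadow_text):
    """Classify each account by the state of its password field.

    Per shadow(5): an empty second field means no password is needed to
    authenticate; a field starting with '*' or '!' cannot match any password
    and effectively locks password logins. Anything else is a hashed password."""
    result = {"no_password": [], "locked": [], "hashed": []}
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        name, pw = fields[0], fields[1]
        if pw == "":
            result["no_password"].append(name)
        elif pw.startswith(("*", "!")):
            result["locked"].append(name)
        else:
            result["hashed"].append(name)
    return result


def accounts_without_password(shadow_text):
    """Convenience wrapper: just the names that need attention."""
    return classify_shadow(shadow_text)["no_password"]


if __name__ == "__main__":
    # Real use: open("/etc/shadow").read() as root, then lock or delete the hits.
    print(accounts_without_password(SAMPLE_SHADOW))
```

Whether a service actually accepts an empty password depends on the authentication backend in front of it (for PAM, the nullok option on pam_unix), so an empty field is worth fixing regardless of whether the mail server currently honours it.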
 